Re: Ciphers Warning in logfile for Tomcat 8.5.96 (with Adoptium jdk-8.0.392.8-hotspot)
Using embedded Tomcat, therefore no catalina.bat

Markus

On Fri, 1 Dec 2023 at 15:42, Mark Thomas wrote:

> On 01/12/2023 14:29, Markus Schlegel wrote:
> > Hi Peter,
> > Thank you for your hint about "-Djdk.tls.ephemeralDHKeySize=2048".
> > I indeed did not know that this option exists.
> > When I enable it, I get grade "A" from SSLLabs while it still lists 8 weak ciphers out of 12.
> >
> > Because I get to grade "A" with this setting, I can indeed use the default ciphers settings from Tomcat again and as a consequence, the Warning will not anymore appear in the log.
> >
> > Maybe Mark had that setting active too while doing his ssllab tests. This would explain the difference in the results.
>
> Tomcat sets that by default in catalina.[sh|bat]
>
> > @Mark: You suggested that I shall check the OpenSSL version I use, but I do not use OpenSSL at all. Just plain Java8 JSSE.
>
> Ack. My point re OpenSSL was to help get the ciphers strong to do what you wanted it to do.
>
> Mark
>
> > Kind regards and thanks a lot for your valuable help,
> > Markus Schlegel
> >
> > On Fri, 1 Dec 2023 at 14:09, wrote:
> >
> > > Hi
> > >
> > > > On 29.11.2023 at 11:46, Markus Schlegel wrote:
> > > >
> > > > Hi,
> > > > This is a continuation of the discussion taken below https://bz.apache.org/bugzilla/show_bug.cgi?id=67628 where I asked about the following warning which appears in our log:
> > > >
> > > > (29.11.2023 09:53:14 org.apache.tomcat.util.net.SSLUtilBase getEnabled WARNING T-19): Tomcat interprets the [ciphers] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [ciphers] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [[TLS_DHE_PSK_WITH_AES_256_CCM, (... I am excluding 60 entries here...), TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256]]
> > > >
> > > > After some discussion in the ASF bugzilla, Mark asked to move the discussion about the default ciphers configuration into this users mailing list.
> > > >
> > > > We explicitly set the ciphers configuration since the default config which comes with Tomcat still includes the (normal) Diffie-Hellman key exchange algorithms which are considered to be insecure (but not the ECDH's!). See https://weakdh.org/ for information about this.
> > > >
> > > > We can't turn off that warning without getting other drawbacks as long as we use our custom ciphers configuration, which led "warnOnSkip" being set to true in the respective code section.
> > > > Those skipped ciphers are of no interest for us or our customers since they appear only because Tomcat - as of my understanding - uses the ciphers-set from OpenSSL to build the complete list of theoretically available ciphers.
> > > >
> > > > There is nothing wrong with our configuration, but having that warning in the log will cause each and every customer asking us why this warning is there - since they will fear a configuration problem.
> > > >
> > > > One question now is, if the default configuration of the ciphers in Tomcat 8.5.96 is still safe or not.
> > > >
> > > > I have re-run https://www.ssllabs.com/ssltest against our server setup.
> > > > With the Tomcat default ciphers configuration "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA" I get grade "B" because of the weak key exchange algorithm using DH. It lists 10 weak ciphers out of 12.
> > >
> > > Why are you saying that you get a weak Keyexchange with DH? That is not per se the case. DH is still valid.
> > >
> > > Did you set -Djdk.tls.ephemeralDHKeySize=2048 as CATALINA_OPTS ?
> > >
> > > > If I run it with our configuration, which adds ":-DH:+ECDH", I get Grade "A" with 4 weak ciphers out of 6.
> > > >
> > > > Changing the config to add ":-CBC" to the default config as suggested by Mark in bugzilla does not have any effect. Still Grade B, 10 weak
Re: Ciphers Warning in logfile for Tomcat 8.5.96 (with Adoptium jdk-8.0.392.8-hotspot)
Hi Peter,

Thank you for your hint about "-Djdk.tls.ephemeralDHKeySize=2048".
I indeed did not know that this option exists.
When I enable it, I get grade "A" from SSLLabs while it still lists 8 weak ciphers out of 12.

Because I get to grade "A" with this setting, I can indeed use the default ciphers settings from Tomcat again and as a consequence, the Warning will not anymore appear in the log.

Maybe Mark had that setting active too while doing his ssllab tests. This would explain the difference in the results.

@Mark: You suggested that I shall check the OpenSSL version I use, but I do not use OpenSSL at all. Just plain Java8 JSSE.

Kind regards and thanks a lot for your valuable help,
Markus Schlegel

On Fri, 1 Dec 2023 at 14:09, wrote:

> Hi
>
> > On 29.11.2023 at 11:46, Markus Schlegel wrote:
> >
> > Hi,
> > This is a continuation of the discussion taken below https://bz.apache.org/bugzilla/show_bug.cgi?id=67628 where I asked about the following warning which appears in our log:
> >
> > (29.11.2023 09:53:14 org.apache.tomcat.util.net.SSLUtilBase getEnabled WARNING T-19): Tomcat interprets the [ciphers] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [ciphers] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [[TLS_DHE_PSK_WITH_AES_256_CCM, (... I am excluding 60 entries here...), TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256]]
> >
> > After some discussion in the ASF bugzilla, Mark asked to move the discussion about the default ciphers configuration into this users mailing list.
> >
> > We explicitly set the ciphers configuration since the default config which comes with Tomcat still includes the (normal) Diffie-Hellman key exchange algorithms which are considered to be insecure (but not the ECDH's!). See https://weakdh.org/ for information about this.
> >
> > We can't turn off that warning without getting other drawbacks as long as we use our custom ciphers configuration, which led "warnOnSkip" being set to true in the respective code section.
> > Those skipped ciphers are of no interest for us or our customers since they appear only because Tomcat - as of my understanding - uses the ciphers-set from OpenSSL to build the complete list of theoretically available ciphers.
> >
> > There is nothing wrong with our configuration, but having that warning in the log will cause each and every customer asking us why this warning is there - since they will fear a configuration problem.
> >
> > One question now is, if the default configuration of the ciphers in Tomcat 8.5.96 is still safe or not.
> >
> > I have re-run https://www.ssllabs.com/ssltest against our server setup.
> > With the Tomcat default ciphers configuration "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA" I get grade "B" because of the weak key exchange algorithm using DH. It lists 10 weak ciphers out of 12.
>
> Why are you saying that you get a weak Keyexchange with DH? That is not per se the case. DH is still valid.
>
> Did you set -Djdk.tls.ephemeralDHKeySize=2048 as CATALINA_OPTS ?
>
> > If I run it with our configuration, which adds ":-DH:+ECDH", I get Grade "A" with 4 weak ciphers out of 6.
> >
> > Changing the config to add ":-CBC" to the default config as suggested by Mark in bugzilla does not have any effect. Still Grade B, 10 weak out of 12. It seems to me that -CBC might not be a valid option at all?
> >
> > Mark got different results when he ran the ssllabs tests. That might be caused by different TLS certificates used? I am using a certificate created with a RSA-2048bits Key and SHA256withRSA signature algorithm.
> > No clue if this causes any difference to Mark's setup.
> >
> > Anyone who knows if and how the certificate influences the selection of possible ciphers?
> >
> > Anyone having similar problems?
> > Anyone successful in excluding all ciphers with "CBC" ?
>
> In my case I was only successful to get the ciphers right by setting them manually:
>
> ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM
Ciphers Warning in logfile for Tomcat 8.5.96 (with Adoptium jdk-8.0.392.8-hotspot)
Hi,

This is a continuation of the discussion taken below https://bz.apache.org/bugzilla/show_bug.cgi?id=67628 where I asked about the following warning which appears in our log:

(29.11.2023 09:53:14 org.apache.tomcat.util.net.SSLUtilBase getEnabled WARNING T-19): Tomcat interprets the [ciphers] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [ciphers] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [[TLS_DHE_PSK_WITH_AES_256_CCM, (... I am excluding 60 entries here...), TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256]]

After some discussion in the ASF bugzilla, Mark asked to move the discussion about the default ciphers configuration into this users mailing list.

We explicitly set the ciphers configuration since the default config which comes with Tomcat still includes the (normal) Diffie-Hellman key exchange algorithms which are considered to be insecure (but not the ECDH's!). See https://weakdh.org/ for information about this.

We can't turn off that warning without getting other drawbacks as long as we use our custom ciphers configuration, which led "warnOnSkip" being set to true in the respective code section.
Those skipped ciphers are of no interest for us or our customers since they appear only because Tomcat - as of my understanding - uses the ciphers-set from OpenSSL to build the complete list of theoretically available ciphers.

There is nothing wrong with our configuration, but having that warning in the log will cause each and every customer asking us why this warning is there - since they will fear a configuration problem.

One question now is, if the default configuration of the ciphers in Tomcat 8.5.96 is still safe or not.

I have re-run https://www.ssllabs.com/ssltest against our server setup.
With the Tomcat default ciphers configuration "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA" I get grade "B" because of the weak key exchange algorithm using DH. It lists 10 weak ciphers out of 12.

If I run it with our configuration, which adds ":-DH:+ECDH", I get Grade "A" with 4 weak ciphers out of 6.

Changing the config to add ":-CBC" to the default config as suggested by Mark in bugzilla does not have any effect. Still Grade B, 10 weak out of 12. It seems to me that -CBC might not be a valid option at all?

Mark got different results when he ran the ssllabs tests. That might be caused by different TLS certificates used? I am using a certificate created with a RSA-2048bits Key and SHA256withRSA signature algorithm.
No clue if this causes any difference to Mark's setup.

Anyone who knows if and how the certificate influences the selection of possible ciphers?

Anyone having similar problems?
Anyone successful in excluding all ciphers with "CBC" ?

Thanks,
Markus Schlegel
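
For the cipher thread above, an added example (not code from the thread or from Tomcat): a small check to run in the same JVM as an embedded Tomcat, where no catalina.[sh|bat] sets "-Djdk.tls.ephemeralDHKeySize". It lists the cipher suites the JSSE engine enables in server mode, grouped by key exchange and cipher mode, and reports whether the property is set. The class name JsseCipherAudit is an assumption; the output shows the JDK's defaults before Tomcat applies its "ciphers" attribute.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/** Added example: audits the server-side JSSE cipher suites of the running JVM. */
public class JsseCipherAudit {

    /** Key-exchange family, derived from the JSSE (IANA-style) suite name. */
    static String keyExchange(String suite) {
        // Older JSSE names carry an SSL_ prefix for some suites; normalise it.
        String s = suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
        if (!s.contains("_WITH_")) {
            // TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) do not name a key exchange.
            return "TLS 1.3 (key exchange not in name)";
        }
        if (s.startsWith("TLS_ECDHE_")) return "ECDHE";
        if (s.startsWith("TLS_DHE_"))   return "DHE";
        if (s.startsWith("TLS_ECDH_"))  return "static/anon ECDH";
        if (s.startsWith("TLS_DH_"))    return "static/anon DH";
        if (s.startsWith("TLS_RSA_"))   return "RSA key transport";
        return "other";
    }

    /** Bulk cipher mode, derived from the suite name. */
    static String mode(String suite) {
        if (suite.contains("_GCM_"))    return "GCM";
        if (suite.contains("CHACHA20")) return "CHACHA20-POLY1305";
        if (suite.contains("_CCM"))     return "CCM";
        if (suite.contains("_CBC_"))    return "CBC";
        return "other";
    }

    /** Groups suite names by "key exchange / mode"; skips signalling values. */
    static Map<String, List<String>> group(String[] suites) {
        Map<String, List<String>> groups = new TreeMap<>();
        for (String suite : suites) {
            if (suite.endsWith("_SCSV")) {
                continue; // e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV is not a real suite
            }
            String key = keyExchange(suite) + " / " + mode(suite);
            groups.computeIfAbsent(key, k -> new ArrayList<>()).add(suite);
        }
        return groups;
    }

    public static void main(String[] args) throws Exception {
        String dhSize = System.getProperty("jdk.tls.ephemeralDHKeySize");
        System.out.println("java.version               = "
                + System.getProperty("java.version"));
        System.out.println("jdk.tls.ephemeralDHKeySize = "
                + (dhSize == null ? "(not set; JDK default applies)" : dhSize));

        // Server mode, because the connector is the TLS server in this setup.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);

        Map<String, List<String>> groups = group(engine.getEnabledCipherSuites());
        boolean dheEnabled = false;
        for (Map.Entry<String, List<String>> e : groups.entrySet()) {
            System.out.println();
            System.out.println(e.getKey() + " (" + e.getValue().size() + ")");
            for (String suite : e.getValue()) {
                System.out.println("  " + suite);
            }
            if (e.getKey().startsWith("DHE /")) {
                dheEnabled = true;
            }
        }

        if (dheEnabled && dhSize == null) {
            System.out.println();
            System.out.println("NOTE: DHE suites are enabled and "
                    + "jdk.tls.ephemeralDHKeySize is not set in this JVM.");
        }
    }
}
```

Run it with the same java binary and the same -D options as the application, so the reported property value matches what the connector will see.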
AW: TLS configuration TLS for JMX port
On 04/11/2022 08:06, Bärtschi, Markus-MGB wrote:

>> How can I configure TLS for my JMX port without the keystore information
>> showing up on the command line ?

> Don't use passwords. Rely on operating system file permissions to limit
> access to the file to the Tomcat process (and root).

So you recommend to use a passwordless keystore and chmod 600 it to protect it ?

> Keep in mind that JMX has various security issues you can do very little
> about including:
> - extremely coarse grained security (read-only or read/write)
> - no protection against brute force attacks
> - no logging to identify brute force attacks
> Note that Tomcat is implemented from the point of view that *any* JMX access
> is equivalent to full administrative access.

I'm aware the JMX is not great from a security perspective. But we need a way to monitor what is going on.

> Mark

Thanks !
Markus
TLS configuration TLS for JMX port
I configured TLS for my JMX port, this is working alright. But the keystore information, especially the passwords end up on the java/tomcat command line.

I did attempt to move the configuration items into catalina.properties, but this did not work.

How can I configure TLS for my JMX port without the keystore information showing up on the command line ?

Markus Baertschi, Migros, Switzerland
Re: Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)
thx, switching to v9 solves the problems :-)

On Thu, 23 Jun 2022 at 09:12, Rob Sargent <rsarg...@xmission.com> wrote:

> > On Jun 23, 2022, at 12:53 AM, Markus Reich wrote:
> >
> > yes, it seems that in the pom tomcat 10 is specified, does this make any difference?
> > 10.0.18
> >
> > > On Thu, 23 Jun 2022 at 08:30, Rob Sargent <rsarg...@xmission.com> wrote:
>
> Yes. Quite big difference between v9 and v10.
> You must read the release notes. And your initial post mentions a v9 doc page. Stick with a single tomcat release
>
> > > > On Jun 22, 2022, at 11:36 PM, Markus Reich wrote:
> > > >
> > > > Hi,
> > > >
> > > > I'm trying to precompile a JSF application, I follow the instructions on https://tomcat.apache.org/tomcat-9.0-doc/graal.html.
> > > >
> > > > I got a lot of errors like
> > > > Caused by: java.lang.ClassCastException: class com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class jakarta.servlet.jsp.tagext.TagLibraryValidator (com.sun.faces.taglib.jsf_core.CoreValidator and jakarta.servlet.jsp.tagext.TagLibraryValidator are in unnamed module of loader org.apache.tools.ant.AntClassLoader
> > > >
> > > > The header in JSP is
> > > > <%@page contentType="text/html"%>
> > > > <%@page pageEncoding="UTF-8"%>
> > > >
> > > > <%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
> > > > <%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
> > > >
> > > > <%@taglib prefix="t" uri="/WEB-INF/eclnt"%>
> > > >
> > > > regards
> > > > Meex
> > >
> > > Are you sure you haven’t included something from Tomcat v10?
> >
> > --
> > *Markus Reich*
> > Waldweg 62
> > 6393 St. Ulrich am Pillersee
> > reich.mar...@gmail.com

--
*Markus Reich*
Waldweg 62
6393 St. Ulrich am Pillersee
reich.mar...@gmail.com
Re: Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)
yes, it seems that in the pom tomcat 10 is specified, does this make any difference?
10.0.18

On Thu, 23 Jun 2022 at 08:30, Rob Sargent <rsarg...@xmission.com> wrote:

> > On Jun 22, 2022, at 11:36 PM, Markus Reich wrote:
> >
> > Hi,
> >
> > I'm trying to precompile a JSF application, I follow the instructions on https://tomcat.apache.org/tomcat-9.0-doc/graal.html.
> >
> > I got a lot of errors like
> > Caused by: java.lang.ClassCastException: class com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class jakarta.servlet.jsp.tagext.TagLibraryValidator (com.sun.faces.taglib.jsf_core.CoreValidator and jakarta.servlet.jsp.tagext.TagLibraryValidator are in unnamed module of loader org.apache.tools.ant.AntClassLoader
> >
> > The header in JSP is
> > <%@page contentType="text/html"%>
> > <%@page pageEncoding="UTF-8"%>
> >
> > <%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
> > <%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
> >
> > <%@taglib prefix="t" uri="/WEB-INF/eclnt"%>
> >
> > regards
> > Meex
>
> Are you sure you haven’t included something from Tomcat v10?

--
*Markus Reich*
Waldweg 62
6393 St. Ulrich am Pillersee
reich.mar...@gmail.com
Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)
Hi,

I'm trying to precompile a JSF application, I follow the instructions on https://tomcat.apache.org/tomcat-9.0-doc/graal.html.

I got a lot of errors like
Caused by: java.lang.ClassCastException: class com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class jakarta.servlet.jsp.tagext.TagLibraryValidator (com.sun.faces.taglib.jsf_core.CoreValidator and jakarta.servlet.jsp.tagext.TagLibraryValidator are in unnamed module of loader org.apache.tools.ant.AntClassLoader

The header in JSP is
<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>

<%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>

<%@taglib prefix="t" uri="/WEB-INF/eclnt"%>

regards
Meex
Re: Tomcat 9.0.34 / JDT 4.15 jsp compile error
On 28.04.20, 17:49, "Mark Thomas" wrote:

> This has been fixed in:
> - master for 10.0.0-M5 onwards
> - 9.0.x for 9.0.35 onwards
> - 8.5.x for 8.5.55 onwards
> - 7.0.x for 7.0.104 onwards
>
> The private isPackage(String) method needed to be updated to correctly
> identify that "org.apache.jsp.test_jsp$1InnerClass" is a class and not a
> package.

Awesome, thank you very much for the quick fix!

- Markus
Re: Tomcat 9.0.34 / JDT 4.15 jsp compile error
On 28.04.20, 10:06, "Mark Thomas" wrote:

[...]

>> This is root cause:
>>
>> java.lang.ClassCastException: class org.eclipse.jdt.internal.compiler.lookup.PlainPackageBinding cannot be cast to class org.eclipse.jdt.internal.compiler.lookup.TypeBinding (org.eclipse.jdt.internal.compiler.lookup.PlainPackageBinding and org.eclipse.jdt.internal.compiler.lookup.TypeBinding are in unnamed module of loader java.net.URLClassLoader @20398b7c)
>
> Which Java version are you using here?

Java 11 Corretto. To be more specific I tested now with the following vendor/versions:
- AWS Corretto 11.0.7+10-LTS
- AdoptOpenJDK 11.0.7+10
- Oracle OpenJDK 14.0.1+7

[...]

>> I use the docker image tomcat:9.0.34.
>
> Just to note that the ASF doesn't provide Docker images. It seems
> unlikely but if we can't reproduce this with a clean install of Apache
> Tomcat as provided by the ASF, you might need to take this up with the
> provider of that image.

Ok, I mentioned the Docker image because I thought it might make the reconstruction a bit easier. I have also tried it with my local Tomcat installed via homebrew, which downloads Tomcat directly from ASF, and found the same error.

- Markus
Tomcat 9.0.34 / JDT 4.15 jsp compile error
Hi,

With Tomcat 9.0.34 the JDT compiler was updated to 4.15. Since then, there is an error when Tomcat compiles the JSP at runtime when this construct is used in a JSP:

    <%@ page import="java.util.List"%>
    <%@ page import="java.util.ArrayList"%>
    <%
    class InnerClass {
        // some class members
    }
    List<InnerClass> list = new ArrayList<>();
    for(InnerClass elements : list) {
        // do sth
    }
    %>

This is root cause:

java.lang.ClassCastException: class org.eclipse.jdt.internal.compiler.lookup.PlainPackageBinding cannot be cast to class org.eclipse.jdt.internal.compiler.lookup.TypeBinding (org.eclipse.jdt.internal.compiler.lookup.PlainPackageBinding and org.eclipse.jdt.internal.compiler.lookup.TypeBinding are in unnamed module of loader java.net.URLClassLoader @20398b7c)
    org.eclipse.jdt.internal.compiler.ClassFile.getTypeBinding(ClassFile.java:5941)
    org.eclipse.jdt.internal.compiler.ClassFile.traverse(ClassFile.java:7011)
    org.eclipse.jdt.internal.compiler.ClassFile.generateStackMapTableAttribute(ClassFile.java:4826)
    org.eclipse.jdt.internal.compiler.ClassFile.completeCodeAttribute(ClassFile.java:1519)
    org.eclipse.jdt.internal.compiler.ast.AbstractMethodDeclaration.generateCode(AbstractMethodDeclaration.java:357)
    org.eclipse.jdt.internal.compiler.ast.AbstractMethodDeclaration.generateCode(AbstractMethodDeclaration.java:281)
    org.eclipse.jdt.internal.compiler.ast.TypeDeclaration.generateCode(TypeDeclaration.java:579)
    org.eclipse.jdt.internal.compiler.ast.TypeDeclaration.generateCode(TypeDeclaration.java:649)
    org.eclipse.jdt.internal.compiler.ast.CompilationUnitDeclaration.generateCode(CompilationUnitDeclaration.java:412)
    org.eclipse.jdt.internal.compiler.Compiler.process(Compiler.java:912)
    org.eclipse.jdt.internal.compiler.Compiler.processCompiledUnits(Compiler.java:575)
    org.eclipse.jdt.internal.compiler.Compiler.compile(Compiler.java:475)
    org.eclipse.jdt.internal.compiler.Compiler.compile(Compiler.java:426)
    org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:528)
    org.apache.jasper.compiler.Compiler.compile(Compiler.java:392)
    org.apache.jasper.compiler.Compiler.compile(Compiler.java:362)
    org.apache.jasper.compiler.Compiler.compile(Compiler.java:346)
    org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:605)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:400)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)

If the JSP is precompiled using an ant task and the JDT compiler, the error doesn’t occur:

I know that the error is within the JDT Stacktrace, but because this error doesn’t occur when using the JDT for compiling the generated Java file, I assume that this problem is related to a Tomcat configuration.

I use the docker image tomcat:9.0.34.

If required I can also provide the Java source generated from the JSP.

Best regards,
Markus
Test for tomcat native
Hello,

I'm not sure if I'm on the right user mailing list or if my question belongs more on the dev mailing list. If I am wrong here, please let me know.

Yesterday I got a notification that there is a new version of Tomcat Native available. I work with macOS and install programs with homebrew. For the last updates of Tomcat 9 I updated the Homebrew Formula and wanted to do the same for Tomcat Native [1].

During the update of the formula I stumbled over the requirement that now a test for the formula is necessary [2]. Unfortunately, I have no idea how such a test could look like for the Tomcat Native library. Is there someone on the mailing list who could give me a hint?

Best regards,
Markus

[1] https://github.com/mystygage/homebrew-core/commit/e28e93e3e90c3fa2273990a91c8643ca9c97d296
[2] https://docs.brew.sh/Formula-Cookbook#add-a-test-to-the-formula
CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow
Hello,

the recent security announcement for Apache Tomcat JK (CVE-2016-6808) mentions that only IIS/ISAPI specific code is vulnerable. This issue was apparently fixed in [1]. The vulnerable code is in the map_uri_to_worker_ext function which is used by the IIS, Apache 1.3 and Apache 2.0 implementations.

Could someone clarify why the official security announcement only mentions IIS and not all three servers? Are users who use Apache Tomcat JK with Apache 2.x affected by CVE-2016-6808?

Regards,
Markus

[1] https://svn.apache.org/viewvc?view=revision=1762057
Webapp with underscore in it's name leads to failed session-cookies
Hi,

I'm working on a JSF (myfaces) project that runs on Tomcat. First I thought it was a myfaces issue, but they told me that the container is responsible for the session cookie, so now I'm here :-)

I've created a minimal JSF test project and I called it jsf_test. When I open the tomcat manager (web) and the webapp's welcome page in the browser, I can see that every reload of the webapp page increases the session count.

In the web console of firefox, I could see that the session cookie was set with the path /jsf%5ftest, while other cookies (set by myfaces) were correctly set with the path /jsf_test. It looks like firefox treats /jsf_test and /jsf%5ftest as different paths and therefore does not send the session cookie with the next request, while chromium ignores the difference.

I also noticed that the issue does not occur on every deployment / tomcat restart. It looks like the webapp name is stored internally during initialization, and depending on little timing variations (race condition ?), it is either initialized to the escaped or the unescaped value. Tomcat manager always displays the unescaped name. Among my teammates, some are always affected, some occasionally, and some never.

After renaming the webapp to "jsftest", the session count increments were gone. The issue also occurs with a minus in the name, like "jsf-test". Unfortunately, my real-world productive project has an underscore in its name too, but as many users have bookmarked it, I can't just rename it.

Is this a bug in tomcat ?

Environment:
OS: Linux / Windows
Tomcat version: 8.0.36
JDK: Oracle JDK 1.8.0_92

Within the team, we're using different minor versions, but I've tested with the newest ones.

Regards,
Markus Näher
Re: Problem with Transfer-Encoding: chunked (and AJP?)
Hi Björn,

I think the problem is the content-type you're using. It is set to text/xml, but you don't send correct XML. The error message seems also to be sent by some SOAP framework.

Try sending some correct XML data.

Best regards,
Markus

On 20.06.2014 12:58, Björn Höfling wrote:

> Hello,
>
> summary of my Problem: When a client POSTs with Transfer-Encoding:chunked, my server is not processing the request.
>
> Full details:
>
> I have an Apache 2.2.10 connected via AJP to a Tomcat 8.0.3 (Java 1.7.x) or Tomcat 6.0.18 (Java 1.6.x) (I change the AJP worker port to switch between the two Tomcats).
>
> Then I send the following request:
>
> telnet myapache 80
> Trying a.b.c.d ...
> Connected to myapache
> Escape character is '^]'.
> POST /my/webservice HTTP/1.1
> Authorization: Basic xyz=
> Content-Type: text/xml; charset=utf-8
> Transfer-Encoding: chunked
> User-Agent: telnet/abc
> Host: myapache
> Accept: text/html, image/gif, image/jpeg, */*; q=.2
>
> 4
> 0
>
> With the Tomcat 6, I see the following response, which is quite correct, because I did send garbage and no valid xml to the Server:
>
> HTTP/1.1 500 Internal Server Error
> Date: Fri, 20 Jun 2014 09:22:37 GMT
> Server: Apache
> Content-Length: 472
> Connection: close
> Content-Type: text/xml;charset=utf-8
>
> ?xml version='1.0' encoding='UTF-8'?S:Envelope xmlns:S=http://schemas.xmlsoap.org/soap/envelope/;S:BodyS:Fault xmlns:ns4=http://www.w3.org/2003/05/soap-envelope;faultcodeS:Client/faultcodefaultstringCouldn't create SOAP message due to exception: XML reader error: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character 'x' (code 120) in prolog; expected 'lt;' at [row,col {unknown-source}]: [1,1]/faultstring/S:Fault/S:Body/S:Envelope
> Connection to myapache closed by foreign host.
>
> AJP is in both instances configured via
>
> Connector port=xxx redirectPort=yyy enableLookups=false protocol=AJP/1.3 ... /Connector
>
> changing Protocol to org.apache.coyote.ajp.AjpProtocol did not change anything.
>
> When I try the same with Tomcat 8 connected, I don't get anything back from the Server. Instead, it waits indefinitely (expecting me to send something?).
>
> When I sent the request with a Content-Length: header instead of Transfer-Encoding:chunked, I get a proper server-response.
>
> As I use the same Apache frontend and just change the Tomcat backend, I suspect the problem there. Though I'm not sure if this is a Tomcat error or a configuration problem, or a Java-version problem.
>
> I have little experience with the HTTP protocol, until now, it just worked and I didn't care :-)
>
> I searched the Internet for similar problems but could only find either ones where fixes had been introduced into Tomcat 7.x and/or where the problem was with server _response_.
>
> Do you have any ideas what's wrong here, where the error might be or how I can better understand it?
>
> Thanks for your help,
>
> Björn

--
Kind regards

Markus Dörschmidt
Software developer
Re: Catalina.out
04.03.2013 12:33, vicky007aggar...@yahoo.co.in:

> I am using tomcat 7.0.30(os: redhat linux) referring below link for implementing log4j at the container level
> http://tomcat.apache.org/tomcat-6.0-doc/logging.html#Using_Log4j
>
> Using this link i am still not able to rotate the Catalina.out , is it feasible to do that,if yes then can someone please share the steps/guide me on this

http://wiki.apache.org/tomcat/FAQ/Logging#Q10

--
Regards
mks
Re: [OT] list server issues ?
04.03.2013 14:31, André Warnier:

> I don't know if it is the case for everyone, but I seem to be receiving messages from the list in some random order, totally out of timely sequence. Anyone notice the same, or is it just me ?

I didn't notice anything like that. You could take a look at the Received-header fields of a mail you consider out of timely sequence. You might get an idea where the delay (if any) has happened.

--
Regards
mks
Re: Directory contents listing of Aliases Directory
23.11.2011 12:53, Asha K S:

> Currently when I set Aliases attribute for Context, Tomcat serves resources from Aliases directory but I am unable to get the directory listing for the Aliases Directory. Can you please let me know if anyone has tried this or if there is any other way to do it.
>
> I have set my aliases=/mytest=C:\mytest and if I access http://localhost:8080/mytest/test.jsp but if i just give http://localhost:8080/mytest i am unable to get the directory listing for mytest directory.

http://tomcat.apache.org/tomcat-7.0-doc/default-servlet.html

--
Regards
mks
Best practices for creating a Windows installer with bundled webapp
Hi list,

I am not totally sure if this is the right place to ask this question, so please excuse and point me to the right list if this is not the case.

I want to create a Windows installer for Tomcat 7.0 along with deegree webservices [1]. These are LGPL-licensed implementations of OGC standards (webservices that deal with geospatial stuff, such as delivering maps). Technically, deegree is just a WAR.

My current idea looks like this:

1. Modify the Tomcat ant script to include the deegree webapp
2. Modify res/tomcat.nsi to my needs
3. Use ant installer to build the Windows installer

In a later step I would like to get the installer build running using Maven, as the deegree build process is based in it.

My questions:

- Is the Tomcat license/project o.k. with deriving such a modified installer? I would like to make it deegree-branded, i.e. it would be named deegree installer, I would like to use the deegree logo, etc. Of course, we will credit Tomcat, but we want to avoid confusion for users who just want to install deegree and don't care about the details of a web container.
- Has anybody insights or best practices to share?
- Are there any open-source projects that use build scripts which I may re-use?

Thanks for your comments,
Markus

[1] http://wiki.deegree.org/deegreeWiki/DownloadPage

--
Markus Schneider
Occam Labs UG (haftungsbeschränkt)
Godesberger Allee 139
53175 Bonn, Germany
+49 228 93798874
http://www.occamlabs.de
Re: Best practices for creating a Windows installer with bundled webapp
Mark,

thanks for the quick reply. I will have a look at the license and especially review the sections you pointed out.

Best regards,
Markus

On 22.10.2011 18:13, Mark Thomas wrote:
> On 22/10/2011 15:49, Markus Schneider wrote:
>> Hi list, I am not totally sure if this is the right place to ask this question, so please excuse and point me to the right list if this is not the case.
>
> You are in the right place, but keep in mind we can't give you legal advice. If you want that, you'll need to pay for your own lawyer.
>
>> - Is the Tomcat license/project o.k. with deriving such a modified installer?
>
> You may do whatever you like as long as it is within the terms of the Apache License. Providing a modified installer should be OK. I would suggest you pay particular attention to sections 4 and 6 of the ALv2.
>
>> I would like to make it deegree-branded, i.e. it would be named deegree installer, I would like to use the deegree logo, etc. Of course, we will credit Tomcat, but we want to avoid confusion for users who just want to install deegree and don't care about the details of a web container.
>
> Making it deegree branded should ensure you meet the requirements of section 6. As long as you provide credit in the form required by section 4, again you should be fine.
>
>> - Has anybody insights or best practices to share?
>
> When speaking to folks that are new to the ALv2 I usually use the following example. If I download Apache Tomcat, re-brand it as Mark's Servlet container, add a notice on the package that says based on software from the Apache Software Foundation and stick the result on a web site and start selling it for $1,000 / copy the ASF would be absolutely fine with that. BTW, if any one wants a copy, let me know ;).
>
> The key things are:
> - don't abuse ASF trademarks
> - include the NOTICE LICENSE file
> - credit the ASF
>
> Note: You should read the ALv2 for the full details.
>
>> - Are there any open-source projects that use build scripts which I may re-use?
>
> Some work is starting on a Maven build for Tomcat trunk / 7. That might help.
>
> HTH,
> Mark

--
Markus Schneider
Occam Labs UG (haftungsbeschränkt)
Godesberger Allee 139
53175 Bonn, Germany
+49 228 93798874
http://www.occamlabs.de
Re: Overriding web.xml parameters
27.09.2011 11:00, Romaric:

> context.xml :
> Context
> Parameter name=name value=value override=false /
---^
> /Context
> The problem is that the values in web.xml override those in context.xml when it should be the other way around. Do you have any idea what the problem might be ?

The above is not valid XML. The attribute name isn't properly quoted.

--
Regards
mks
Re: URL for Tomcat forums
08.09.2011 10:28, Sonwabo Jordan:

> What is the URL for the Tomcat forums so that I can go and have a look at questions already asked before I submit my own?

http://tomcat.apache.org/lists.html provides links to archives of the various Tomcat mailing lists. Although only the MARC archives are tagged searchable on the above page, those from MarkMail, Nabble and Mail Archive can be searched too.

--
Regards
mks
Re: Custom URL configuration in Tomcat
28.07.2011 05:57, Dhana kumar:

> instead of http://localhost:8080/meobizWeb/index.html, could we make url accessible across the intranet, something like this,. http://www.mydomain.com/meobizWeb/index.html

Yes. Configure Tomcat to listen on port 80 and configure your internal DNS to resolve the desired host name to your Tomcat server's IP.

BTW: don't use domain names you don't own for examples. That's what example.com etc. are for.

--
Regards
mks
Re: Tomcat 7: Why is JDK needed ?
21.07.2011 21:58, Bobi St:

> Why is JDK needed also for Tomcat 7 ? Does it use a compiler, or why not simply using for example jre6 ?!? I have to install always extra JDK because of it ...

Who says Tomcat needs a JDK?

From http://apache.mirror.digionline.de/tomcat/tomcat-7/v7.0.19/RELEASE-NOTES

| In addition, Tomcat 7.0 uses the Eclipse JDT Java compiler for
| compiling JSP pages. This means you no longer need to have the
| complete Java Development Kit (JDK) to run Tomcat, but a Java Runtime
| Environment (JRE) is sufficient. The Eclipse JDT Java compiler is
| bundled with the binary Tomcat distributions. Tomcat can also be
| configured to use the compiler from the JDK to compile JSPs, or any
| other Java compiler supported by Apache Ant.

Ancient versions of Tomcat did, by default, use the JDK's compiler to compile JSPs. Therefore, if you wanted Tomcat to compile JSPs on the fly, a JRE, by default, wasn't enough. But that was long, long ago and has never been the case for Tomcat 7.

--
Regards
mks
Re: Tomcat 7, isapi_redirect, IIS 7 - blank page
20.07.2011 23:02, Falzone.Matthew:

> Didn't mean to, I sent it too soon so I started a new thread. Was there an issue with starting a new one?

Yes. The issue was: you didn't start a new thread. If you push the reply button of your mail client when viewing some message, it will create a reply to this message. Changing the subject line doesn't change the fact that it's still a reply.

To start a new thread/topic, create a *new* message to users@tomcat.apache.org.

--
Regards
mks
Re: Document of Tomcat 6.0.32.
09.06.2011 10:13, Nash:

> I want to know how I can get the API Document of Tomcat 6.0.32 so I can refer it regardless of Internet connection. Thank you a lot!

Download the fulldocs package, which, as it seems, is not linked to from the download page of 6.0. The name of the package is apache-tomcat-6.0.32-fulldocs.tar.gz. You can get it from the download mirrors, for example
http://ftp.fernuni-hagen.de/ftp-dir/pub/mirrors/www.apache.org/tomcat/tomcat-6/v6.0.32/bin/apache-tomcat-6.0.32-fulldocs.tar.gz

--
Regards
mks
[OT] facepalm (was: Re: Trouble configuring the manager :()
06.01.2011 22:12, Christopher Schultz:

> Is there an emoticon for smacking yourself in the forehead?

There doesn't seem to be a standard one, though googling for facepalm smiley or facepalm emoticon lists quite a few. Nevertheless, I *really* like that non-emoticon one
http://www.thefacepalm.org/2010/10/baby/

--
Regards
mks
Re: Can't access tomcat manager
02.12.2010 15:43, Lava Saleem:

> Thanks for the replies yeah I have checked the tomcat user xml file and there are no missing comments brackets or anything so is there any other reason for this to happen ? do I need to modify anything else ?

What *missing* comment brackets? What André tried to explain, is that you have to make sure to not add your role and user definitions *inside* the comment that, by default, spans everything between <tomcat-users> and </tomcat-users>.

Did you correct your typo?

Maybe you should repost the contents of your tomcat-users.xml - this time *entirely*.

--
Regards
mks
Re: automatic deployment without server.xml - bad request
02.12.2010 20:44, Pid:

> On 12/2/10 12:34 PM, Justin Case wrote:
>> From: Pid p...@pidster.com
>>> If the request isn't being routed to your application, then without a ROOT application the host hasn't got a mechanism to serve any response other than an error.
>>
>> Error is fine, as long it's a 404 (and not this enigmatic 400)...
>
> 400 isn't enigmatic and /is/ an error. ;)

Yes, it is an error. But in this case, I, too, consider the error erroneous. A status code of 400 basically means that the request was syntactically b0rked. But, as I understand it, that's not the problem here: the request is syntactically fine - it fails because the server is misconfigured. Therefore a status code of 500 seems more appropriate to me.

--
Regards
mks
Re: Can't access tomcat manager
01.12.2010 23:05, Lava Saleem:

> I have installed apache tomcat 7.0.4 on a centos linux box, I have modified the tomcat-users.xml file as shown below and restarted it, my tomcat still can't get an access to the manager, I deleted the other users and just put mine in the xml file but this didn't really help. I'm new to this system can anybody send me a feedback? Thank you in advance
>
> tomcat-users
> role rolename=tomcat/
> role rolename=role1/
> role rolenmae=manager-gui/
-^^

--
Regards
mks
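The two mistakes discussed in this thread (a misspelled attribute such as rolenmae, and role or user definitions left inside the default comment) can be checked mechanically before restarting Tomcat. The Python sketch below is an added example, not part of any post; the function name, the accepted attribute lists and both sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names this sketch accepts per element (assumption, adjust to your
# Tomcat version); anything else is reported as a probable typo.
KNOWN_ATTRS = {
    "role": {"rolename", "description"},
    "user": {"username", "name", "password", "roles", "groups", "fullName"},
}
# Attributes that identify the entry; at least one must be present.
NAME_ATTRS = {"role": ("rolename",), "user": ("username", "name")}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
DEF_RE = re.compile(r"<\s*(role|user)\b")


def lint_tomcat_users(xml_text, wanted_role="manager-gui"):
    """Return a list of (kind, detail) findings for a tomcat-users.xml text."""
    findings = []

    # 1. Definitions that sit inside an XML comment are never loaded.
    for comment in COMMENT_RE.findall(xml_text):
        for match in DEF_RE.finditer(comment):
            findings.append(("commented-out", match.group(1)))

    # 2. The file must be well-formed before anything else can be checked.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings.append(("not-well-formed", str(exc)))
        return findings

    granted = set()
    for elem in root:  # comments are dropped by the parser, only elements remain
        tag = elem.tag.rsplit("}", 1)[-1]  # tolerate a default namespace
        if tag not in KNOWN_ATTRS:
            continue
        for attr in sorted(set(elem.attrib) - KNOWN_ATTRS[tag]):
            findings.append(("unknown-attribute", f"{tag}@{attr}"))
        if not any(elem.get(a) for a in NAME_ATTRS[tag]):
            findings.append(("missing-attribute", f"{tag}@{NAME_ATTRS[tag][0]}"))
        if tag == "user":
            roles = elem.get("roles", "")
            granted.update(r.strip() for r in roles.split(",") if r.strip())

    # 3. The role needed for the manager web UI must be granted to someone.
    if wanted_role not in granted:
        findings.append(("role-not-granted", wanted_role))
    return findings


# Constructed sample reproducing the typo from the post, with the user
# definition still inside the comment (password is a placeholder).
BROKEN = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolenmae="manager-gui"/>
<!--
  <user username="admin" password="placeholder-not-a-secret" roles="manager-gui"/>
-->
</tomcat-users>
"""

# Constructed corrected version of the same file.
FIXED = """<tomcat-users>
  <!-- manager access for the local administrator -->
  <role rolename="manager-gui"/>
  <user username="admin" password="placeholder-not-a-secret" roles="manager-gui"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_tomcat_users(text))
```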
Re: Configure read/write-access in TomCat
18.08.2010 16:55, André Warnier:

> Pid wrote:
>> On 18/08/2010 14:56, Caldarale, Charles R wrote:
>>> From: André Warnier [mailto:a...@ice-sa.com]
>>> Subject: Re: Configure read/write-access in TomCat
>>>> The conf/web.xml is the web.xml for the default servlet.
>>>
>>> It's a bit more than that, actually. The contents of conf/web.xml are logically merged into a webapp's own WEB-INF/web.xml when the webapp is deployed. Changing conf/web.xml effectively changes every deployed webapp, which is rarely desirable.
>>
>> N.B. It's well commented and worth reading.
>
> Would you gurus mind pointing out where exactly ? I am looking at the online documentation of Tomcat 7, at http://tomcat.apache.org/tomcat-7.0-doc/index.html, and not finding it.

From http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Introduction

| Context elements may be explicitly defined:
|
| * In the $CATALINA_BASE/conf/context.xml file: the Context element information will be loaded by all webapps.
| [...]

> I am also having trouble finding it in the Servlet Specifications v 3.0

AFAIK that's Tomcat-specific and has nothing to do with the spec.

> (I mean specifically where it says that the default web.xml is being merged with the application-specific web.xml.) If you refer to the content itself of the conf/web.xml file, here is all it has to say :
>
> <!-- Introduction == -->
> <!-- This document defines default values for *all* web applications -->
> <!-- loaded into this instance of Tomcat. As each application is -->
> <!-- deployed, this file is processed, followed by the -->
> <!-- /WEB-INF/web.xml deployment descriptor from your own -->
> <!-- applications. -->
> <!-- -->
>
> For example, it does not clearly speak of merging,

Well, Chuck simply used the term merge to explain how things are. Of course, since it's Chuck, it could be seen as a specification ;-)

> nor in case of merge which possibly overlapping or conflicting directive has precedence (one would presume the webapp, but then presumptions are sometimes misleading).

I didn't find that explicitly stated in the docs either.

--
Regards
mks
Re: Running PHP?
03.08.2010 13:20, michel:

> sorry, another empty email with just attachments ...

No. It's not Pid's fault if your mail program doesn't understand PGP/MIME.

--
Regards
mks
[OT] broken mail clients (was: Re: Running PHP?)
03.08.2010 18:14, michel:

> From: Markus Schönhaber tomcat-us...@list-post.mks-mail.de
>> 03.08.2010 13:20, michel:
>>> sorry, another empty email with just attachments ...
>>
>> No. It's not Pid's fault if your mail program doesn't understand PGP/MIME.
>
> OK, I checked online and found
>
> Handling of PGP/MIME signed messages
> Outlook Express does not correctly handle MIME,[9] and will not display the body of signed messages inline. Users get a blank e-mail and two attachments (one of the message text and one of the signature) and therefore need to open an attachment to see the e-mail. ... This bug has still not been rectified.
> http://en.wikipedia.org/wiki/Outlook_Express#Handling_of_PGP.2FMIME_signed_messages
>
> On one hand it's an MS bug, but then so many people (most?) use it, it rather leaves a large number of us not being able to read Pid's posting.

1. I don't see why anyone should not use a perfectly reasonable and standards compliant way of signing his mails just to please buggy mail clients. If you choose to use one of those, then live with its deficiencies but don't blame Pid because he uses a 14-year old standard which the vendor of your mail client has still failed to implement.

2. A quick scan through the 37596 posts to this list in my current archive (going back till mid-March 2008) shows 957 of them which seem to be sent with OE. That's roughly 2.5%. At least on this mailing list, it's not most (not even many people) that use OE. I doubt that it's much different on other lists with IT subjects.

--
Regards
mks
Re: Error: Invalid or unreadable WAR file : error in opening zip file
09.07.2010 15:38, Caldarale, Charles R:

> From: Fernando Morgenstern [mailto:ferna...@consultorpc.com]
> Subject: Error: Invalid or unreadable WAR file : error in opening zip file
>> I'm running the following version of tomcat:
>> Server version: Apache Tomcat/6.0-snapshot
>> Server built: Nov 15 2009 11:02:53
>> Server number: 6.0.0.0
>
> That is not a good version number for Tomcat, being many, many years old.

Not necessarily that old - the Server built seems to indicate that it's roughly 9 month. To me, this looks like a Tomcat built from source. IIRC the build.properties.default does set the various version.foo properties like that (version.suffix is -dev not -snapshot nowadays, though).

> That makes the rest of the report extremely suspect.

Seconded. At least it should be tested if a recent official Tomcat binary shows the same behaviour.

--
Regards
mks
Re: Question on IE zones with Mod_jk
08.06.2010 09:16, Robin Diederen:

> The problem:
> - I surf to http://portal
> - IE recognizes the site as trusted / in the intranet zone
> - I click the sign in link and get redirected to http://portal/c/portal/login; IE now thinks I'm in the _internet_zone_ (thus NTLM auth doesn't work)
> - From the Apache logs, I find that a 401 error occurred
>
> My guess would be that IE detects the redirect and concludes the wrong zone. Is there any way to configure this from the server side?

Can't help you with that. But just as a thought: being able to manipulate IE's trust settings from the server side would be a feature a certain group of people would be *very* interested in, I think.

--
Regards
mks
Re: mod_jk file not found
I did not find the actual problem but I can live with this script not delivered by apache. Maybe this is because the js is inside a jar file?

Another strange thing is the JkAutoAlias. It really only works with the appended ROOT directory. Otherwise the JkUnMount rule matches but apache cannot find the according file. As long as I do only have one application this is also OK for me.

Now a third problem occurred. I moved the JkMount/JkUnMount part out of the virtual host into the global config. The mod_jk.conf is loaded before any other file in conf.d (where ssl.conf resides). As far as I know every virtual host should now use this configuration but the one for port 443 does not!? I have to put the same lines of the global config into the virtual host for port 443. I am not sure but this also might be a configuration problem of apache instead of mod_jk.

I did not check the SetHandler part yet but shouldn't it also work with the JkMount's?

Markus

On 13.05.2010 14:05, André Warnier wrote:
> Markus Mehrwald wrote:
>> Hi, I installed mod_jk and it works perfect except of a little strange problem. I let handle tomcat everything except of static files which the following lines in the virtual host for port 80 and the same for port 443:
>>
>> # Send servlet for context / jsp-examples to worker named worker1
>> JkMount /* worker1
>> # Static files in Tomcat webapp context directory are served by apache
>> JkAutoAlias /opt/tomcat/webapps/ROOT
>> JkUnMount /*.jpg worker1
>> JkUnMount /*.gif worker1
>> JkUnMount /*.png worker1
>> JkUnMount /*.js worker1
>> JkUnMount /*.css worker1
>>
>> This works great for port 80 but for port 443 the javascript for the myfaces popup component gets a http 404 (/faces/myFacesExtensionResource/org.apache.myfaces.renderkit.html.util.MyFacesResourceLoader/12737082/popup.HtmlPopupRenderer/JSPopup.js). Every other javascript can be retrieved on port 80 as well as on port 443. Can anyone explain how this can happen?
>
> Maybe.
>
> First, about tracing the error :
> - if you bump up the JkLogLevel to debug, you will get a lot of information about how mod_jk really tries to match the URL with one of the URLs it /should/ forward to Tomcat. That may already give you a clue.
> - if you use a plugin in the web browser such as HttpFox or LiveHttpHeaders (for Firefox) or Fiddler2 (for IE), you will get more information, from the browser point of view, about what happens.
>
> In this case, is the 404 error returned one from Apache, or from Tomcat ? (they have a quite different style, so you should be able to tell).
> If it is from Apache, it means that the JkUnMount works, but that Apache then does not find that file at the indicated path, relative to Apache's DocumentRoot.
> If it is from Tomcat, then it means that mod_jk did not think that it matched the JkUnMount, and forwarded it to Tomcat (and Tomcat did not find the .js file).
>
> Considering the above, I have to guess that for some reason, the URL
> /faces/myFacesExtensionResource/org.apache.myfaces.renderkit.html.util.MyFacesResourceLoader/12737082/popup.HtmlPopupRenderer/JSPopup.js
> does not match the
> JkUnMount /*.js worker1
> which causes Apache to try to serve it, and fail.
>
> The JkMount/JkUnMount syntax is one possible way to do this kind of thing. But there is another way in Apache, which personally I prefer, because it fits better with the normal Apache configuration style. Technically, it is equivalent. For your case above it would go as follows :
> - remove or comment out all JkMount/JkUnMount directives
> - add this :
>
> <Location />
>   SetHandler jakarta-servlet
>   SetEnvIf REQUEST_URI \.(js|jpg|gif|png|css)$ no-jk
>   ...
> </Location>
>
> The way it works :
> SetHandler jakarta-servlet : tells Apache that for all these URLs (matching the Location), mod_jk is the handler which should return the response.
> SetEnvIf : matches the request URI with the given regexp, and if it matches, sets the internal Apache variable no-jk to a non-null value.
> Then, when mod_jk gets the request to examine, but it sees that the no-jk variable is set, and returns to Apache declined, which essentially tells Apache no, this was not for me, do it yourself.
Re: mod_jk file not found
There are a few things why we use apache with mod_jk. First of all it would not be possible to run Tomcat as user because it should listen on port 80/443. Additionally we can use mod_security to precheck requests delivered to tomcat to remove use- and senseless requests and minimise the risk of attacks. The second thing is that apache is faster with delivering static files (maybe we will use Tux as well). Third thing is if something happens to tomcat we are still able to display a please-come-back-later-site with apache.

If some things mentioned above are not correct I would appreciate to hear about it, of course with useful arguments.

Markus

On 16.05.2010 18:44, Caldarale, Charles R wrote:
> From: Markus Mehrwald [mailto:mmehrw...@gmx.at]
> Subject: Re: mod_jk file not found
>> I did not find the actual problem but I can live with this script not delivered by apache. Maybe this is because the js is inside a jar file?
>
> Since you don't seem to be using httpd for anything useful, why not just eliminate it, and serve everything with Tomcat? If you enable the APR connector, Tomcat will even handle SSL just as fast as httpd, and you use the same SSL setup that you had with httpd.
> http://tomcat.apache.org/tomcat-6.0-doc/apr.html
>
> - Chuck
Re: mod_jk file not found
On 2010-05-16 21:11, André Warnier wrote:
> Markus Mehrwald wrote:
>> I did not find the actual problem but I can live with this script not delivered by apache. Maybe this is because the js is inside a jar file?
>
> I have to admit that in my previous analysis, this is a case which I did not envision. One learns every day. What makes you think that Apache httpd is smart enough to know that the js file is hidden inside of a jar file, and unpack it to get the file ? (Thank you for reminding me of some good pages of Evil Geniuses).

That is the point. It is clear for me that the file could not be found because it is in the jar but why do I get it in a different VirtualHost?

>> Another strange thing is the JkAutoAlias. It really only works with the appended ROOT directory. Otherwise the JkUnMount rule matches but apache cannot find the according file. As long as I do only have one application this is also OK for me.
>
> http://tomcat.apache.org/connectors-doc/reference/apache.html
> See: JkAutoAlias
> But don't miss this :
> Care should be taken to ensure that only static content is served via httpd as a result of using this directive. Any static content served by httpd will bypass any security constraints defined in the application's web.xml.
> Also, refer to the red warning on top of these directives.
>
> Apart from that, I think you should not use JkAutoAlias together with JkMount directives. Use one or the other. As far as I understand, JkAutoAlias is just a kind of wildcard JkMount anyway, with all the risks linked to that. I never use JkAutoAlias, so I am not sure that I really understand the details of what it does, but what I do not really understand in your configuration, is why you do
> JkMount /* worker1
> AND
> JkAutoAlias /opt/tomcat/webapps/ROOT

JkMount and JkAutoAlias are completely different. JkMount tells apache to redirect all requests to Tomcat with /*. JkAutoAlias just maps the given directory to Apache's document space. The same thing should be possible by using Apache's Alias but JkAutoAlias takes care about the META-INF and WEB-INF folder.

> To me, basically, they do the same thing. Except that the second one is dangerous, because it might allow Apache to serve, for example, the contents of your /ROOT/WEB-INF/ directory. What happens if you try the URL http://yourserver/WEB-INF/web.xml See anything ? And what happens when you just take out that JkAutoAlias directive ?

It causes a 404. I think as long as I do not JkUnMount /*.xml the request will be passed to tomcat which will not deliver the content of WEB-INF but you are right and I have to have a closer look at this.

>> Now a third problem occurred. I moved the JkMount/JkUnMount part out of the virtual host into the global config. The mod_jk.conf is loaded before any other file in conf.d (where ssl.conf resides). As far as I know every virtual host should now use this configuration but the one for port 443 does not!? I have to put the same lines of the global config into the virtual host for port 443. I am not sure but this also might be a configuration problem of apache instead of mod_jk.
>
> That is how it is supposed to work. See: http://tomcat.apache.org/connectors-doc/reference/apache.html
> See JkMount : ... By default JkMount entries are not inherited from the global server to other VirtualHosts or between VirtualHosts. For the complete inheritance rules, see: JkMountCopy.

But why does it work with the VirtualHost for port 80?

>> I did not check the SetHandler part yet but shouldn't it also work with the JkMount's?
>
> It should, provided you read the JkMountCopy explanation.
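The documentation passage quoted in this message (static content served by httpd bypasses the security constraints in the application's web.xml) can be turned into a pre-deployment check. The Python sketch below is an added example, not code from the thread or from mod_jk: it reads the JkUnMount rules posted in the thread, reads the auth-protected url-patterns from a web.xml, and lists deployed paths that httpd would serve itself although Tomcat would have required a role. The web.xml, the file list and all function names are constructed assumptions; `*` and `?` are treated as simple wildcards, and only exact, `/prefix/*` and `*.ext` servlet patterns are handled.

```python
import re
import xml.etree.ElementTree as ET

# Directives as posted in the thread.
HTTPD_CONF = """\
# Send servlet for context / jsp-examples to worker named worker1
JkMount /* worker1
# Static files in Tomcat webapp context directory are served by apache
JkAutoAlias /opt/tomcat/webapps/ROOT
JkUnMount /*.jpg worker1
JkUnMount /*.gif worker1
JkUnMount /*.png worker1
JkUnMount /*.js worker1
JkUnMount /*.css worker1
"""

# Constructed sample deployment descriptor (not from the thread).
WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>staff</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed list of request paths for files under the aliased directory.
DEPLOYED_PATHS = [
    "/index.jsp", "/css/site.css", "/img/logo.png",
    "/admin/panel.jsp", "/admin/js/users.js", "/reports/q3.png",
]


def local(tag):
    """Element name without an XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def parse_unmounts(conf_text):
    """Return the URI patterns of all JkUnMount directives."""
    patterns = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "jkunmount":
            patterns.append(parts[1])
    return patterns


def wildcard_to_regex(pattern):
    """Assumption: '*' matches any run of characters, '?' exactly one."""
    body = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.compile(body)


def protected_patterns(web_xml_text):
    """Return (url-pattern, roles) for every constraint with an auth-constraint."""
    result = []
    for sc in ET.fromstring(web_xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        if not any(local(e.tag) == "auth-constraint" for e in sc.iter()):
            continue
        roles = tuple(e.text.strip() for e in sc.iter()
                      if local(e.tag) == "role-name" and e.text)
        for e in sc.iter():
            if local(e.tag) == "url-pattern" and e.text:
                result.append((e.text.strip(), roles))
    return result


def servlet_pattern_matches(pattern, path):
    """Exact, path-prefix (/x/*) and extension (*.ext) matching only."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern


def find_bypassed(conf_text, web_xml_text, paths):
    """Paths httpd serves itself although web.xml demands a role for them."""
    unmounts = [wildcard_to_regex(p) for p in parse_unmounts(conf_text)]
    protected = protected_patterns(web_xml_text)
    hits = []
    for path in paths:
        if not any(rx.fullmatch(path) for rx in unmounts):
            continue  # still forwarded to Tomcat, so the constraint applies
        for pattern, roles in protected:
            if servlet_pattern_matches(pattern, path):
                hits.append((path, pattern, roles))
    return hits


if __name__ == "__main__":
    for path, pattern, roles in find_bypassed(HTTPD_CONF, WEB_XML, DEPLOYED_PATHS):
        print(f"{path}: served by httpd, but {pattern} requires {roles}")
```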
Re: mod_jk file not found
On 13.05.2010 10:26, Pid wrote:
> On 13/05/2010 01:15, Markus Mehrwald wrote:
>> Hi, I installed mod_jk and it works perfect except of a little strange problem. I let handle tomcat everything except of static files which the following lines in the virtual host for port 80 and the same for port 443:
>
> Exact OS, JVM, Tomcat, mod_jk versions?

CentOS 5.4 x86_64, Sun Java 1.6.0_17-b04, Tomcat 6.0.20, mod_jk 1.2.30

>> # Send servlet for context / jsp-examples to worker named worker1
>> JkMount /* worker1
>> # Static files in Tomcat webapp context directory are served by apache
>> JkAutoAlias /opt/tomcat/webapps/ROOT
>
> This directive should point to the webapps directory, rather than the ROOT application.
>
> JkAutoAlias /opt/tomcat/webapps

Without ROOT it does not work at all but I do not know why.

> p
>
>> JkUnMount /*.jpg worker1
>> JkUnMount /*.gif worker1
>> JkUnMount /*.png worker1
>> JkUnMount /*.js worker1
>> JkUnMount /*.css worker1
>>
>> This works great for port 80 but for port 443 the javascript for the myfaces popup component gets a http 404 (/faces/myFacesExtensionResource/org.apache.myfaces.renderkit.html.util.MyFacesResourceLoader/12737082/popup.HtmlPopupRenderer/JSPopup.js). Every other javascript can be retrieved on port 80 as well as on port 443. Can anyone explain how this can happen?
>>
>> Thanks, Markus
mod_jk file not found
Hi,

I installed mod_jk and it works perfect except of a little strange problem. I let handle tomcat everything except of static files which the following lines in the virtual host for port 80 and the same for port 443:

# Send servlet for context / jsp-examples to worker named worker1
JkMount /* worker1
# Static files in Tomcat webapp context directory are served by apache
JkAutoAlias /opt/tomcat/webapps/ROOT
JkUnMount /*.jpg worker1
JkUnMount /*.gif worker1
JkUnMount /*.png worker1
JkUnMount /*.js worker1
JkUnMount /*.css worker1

This works great for port 80 but for port 443 the javascript for the myfaces popup component gets a http 404 (/faces/myFacesExtensionResource/org.apache.myfaces.renderkit.html.util.MyFacesResourceLoader/12737082/popup.HtmlPopupRenderer/JSPopup.js). Every other javascript can be retrieved on port 80 as well as on port 443. Can anyone explain how this can happen?

Thanks,
Markus
Re: Tomcat scalability settings
08.04.2010 09:42, cinl...@gmail.com:

> I am newbie here. I don't understand what you meant by hi-jacking this thread. I simply asking tomcat user mailing list of any solution to my issue. Did I do something wrong? If so, please let me know what I did wrong.

When you want to talk about a new topic, create a new thread, i. e. create a *new* mail and address it at us...@tomcat.apache.org. What you did instead is create a reply to Florian's message which is about an entirely different topic. That you changed the subject line in your reply doesn't change the fact that your mail client did what you told it to: create a reply. That is called thread hi-jacking.

It's pure accident that I read your post, since I tend to ignore hi-jacked threads. And I may not be the only one doing so. Therefore, it's in your own very interest to not hide your messages in a completely unrelated discussion thread.

--
Regards
mks
Re: No gain after pre-compilation
09.03.2010 10:25, Alexander Skwar:

I didn't look at your build script, just a general remark below.

> Or is it just, that this shows, that our web app doesn't have a bottleneck in the JSP land (which would be a true statement - it communicates with some background databases and apps, which might not be the fastest...)?
>
> One thing which confuses me a bit though, is that when I call the web app for the first time (after deployment or after having re-started Tomcat), the web app is slow. Ie. I go to http://server:8080/webapp and wait for like 10 seconds until the login screen of the web app is shown. This wait only happens for the very first time after deployment. When I do this again a few minutes/hours later, http://server:8080/webapp is shown right away. Shouldn't pre-compilation also make this first time wait go away?

Not also - the *only* gain that can be expected by pre-compilation of JSPs is the elimination of the first time wait, since Tomcat doesn't need to do the compilation on-the-fly when the JSP is accessed for the first time. For all following accesses of the JSP it shouldn't matter whether or not it was pre-compiled.

But: a noticeable difference can only be expected if it really is the compilation that slows things down on first access. If, OTOH, the vast amount of time is taken by, say, creation of DB connections, pre-compiling the JSPs won't make much of a difference.

--
Regards
mks
Re: No gain after pre-compilation
09.03.2010 12:43, Alexander Skwar:

> Do you happen to have any idea, why I did not notice any improvements in the 1st time load delay? Ie. why do I still have to wait 10s after having deployed, before the login screen is shown for the first time? At this point in time, the web app does not require the background daemons at all. The login page is even shown, when those daemons are down.

No idea. What you could check (besides taking a look at your application to see if it really is doing nothing that consumes time) is whether the pre-compilation did work. In the deployed web-app you should notice a change in web.xml, since the deployer creates additional servlet and servlet-mapping entries. I. e. if your web-app contains a hello.jsp you should see something like

[...]
<servlet>
    <servlet-name>org.apache.jsp.hello_jsp</servlet-name>
    <servlet-class>org.apache.jsp.hello_jsp</servlet-class>
</servlet>
[...]
<servlet-mapping>
    <servlet-name>org.apache.jsp.hello_jsp</servlet-name>
    <url-pattern>/hello.jsp</url-pattern>
</servlet-mapping>
[..]

in the web.xml generated by the deployer.

--
Regards
mks
Re: No gain after pre-compilation
09.03.2010 13:25, Markus Schönhaber: What you could check [...] Forgot to mention: it might be useful to increase the log-level of Jasper's Compiler class, i. e. add org.apache.jasper.compiler.Compiler.level=FINE to conf/logging.properties You should then see in Tomcat's logs whether compilation of the accessed JSP really takes place, if so, how long it took etc. -- Regards mks
Re: Startin tomcat5 instead of jsvc with java
04.03.2010 13:50, Petr Hracek: from the documentation I have read that tomcat5.5 ( http://tomcat.apache.org/tomcat-5.5-doc/setup.html) can be started with the help of command jsvc. Is there any other possibility how to start up tomcat with java? I wouldn't start tomcat 5.5 over rcScript stored in /etc/init.d/ Take a look at the scripts in $CATALINA_HOME/bin. startup.sh and shutdown.sh do what their name suggests. If you'd like to see Tomcat's status messages in the console instead of the log file (useful, if something goes wrong), use catalina.sh run. -- Regards mks
Re: can not start tomcat and the jre_home var error
04.03.2010 14:00, maven apache: I am using Ubuntu9.10. I have install jdk1.6 in /home/kk/ProgramFiles/jdk1.6 , also I have set up a permanent environment variable JAVA_HOME which link to the jdk directory. I just downloaded apache-tomcat-6.0.24.tar.gz and extract it to /home/kk/ProgramFiles/apache-tomcat-6.0.24, since the JAVA_HOME env var existed, so I run the startup.sh directly, however I can not enter the "http://localhost:8080" and I got the following message: Using CATALINA_BASE: /home/kk/ProgramFiles/apache-tomcat-6.0.24 Using CATALINA_HOME: /home/kk/ProgramFiles/apache-tomcat-6.0.24 Using CATALINA_TMPDIR: /home/kk/ProgramFiles/apache-tomcat-6.0.24/temp Using JRE_HOME:/usr Using CLASSPATH: /home/kk/ProgramFiles/apache-tomcat-6.0.24/bin/bootstrap.jar It seems that tomcat did not identify the JAVA_HOME var, so how to do next in my case? Unset JRE_HOME before starting Tomcat, make sure JAVA_HOME really is exported. -- Regards mks
Re: can not start tomcat and the jre_home var error
04.03.2010 14:44, maven apache: The tomcat directory is /home/kk/ProgramFiles/apache-tomcat-6.0.24' In the terminal , I enter this the bin directory and run sudo ./startup.sh Why do you start Tomcat as root? -- Regards mks
Re: can not start tomcat and the jre_home var error
04.03.2010 14:56, maven apache: 2010/3/4 Markus Schönhaber tomcat-us...@list-post.mks-mail.de Why do you start Tomcat as root? Ok, I tried it again. ? -- Regards mks
Re: can not start tomcat and the jre_home var error
04.03.2010 15:01, maven apache: 2010/3/4 Caldarale, Charles R chuck.caldar...@unisys.com From: maven apache [mailto:apachemav...@gmail.com] Subject: Re: can not start tomcat and the jre_home var error In the terminal , I enter this the bin directory and run sudo ./startup.sh Try it without the sudo. You should never run Tomcat as root. Thanks, it works. But I wonder why? Because, by default, sudo resets the environment. -- Regards mks
Re: can not start tomcat and the jre_home var error
04.03.2010 15:13, maven apache: Now I found there is something wrong with the apr component because I got the info: INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /home/kk/ProgramFiles/jdk1.6.0_17/jre/lib/i386/client:/home/kk/ProgramFiles/jdk1.6.0_17/jre/lib/i386:/home/kk/ProgramFiles/jdk1.6.0_17/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib This is just an INFOrmational message that tells you that the native component is not installed. And the whole logs can be found here:http://dpaste.com/167789/ Does it matter? If it starts with SEVERE, it does matter. WAG: By starting Tomcat using sudo, a work directory was created that isn't writeable by an unprivileged user. Remove work and try again. -- Regards mks
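A way to check for the leftover the reply above guesses at, as an added example that is not part of the original thread: it walks the directories Tomcat writes to and lists every entry the unprivileged service account cannot write, using the plain Unix mode-bit rules. The function names, the choice of work/temp/logs and the demo directory tree are assumptions made for this example.

```python
import os
import stat
import tempfile


def can_write(st, uid, gids=()):
    """Classic Unix mode-bit check (ignores ACLs; not meaningful for uid 0)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def unwritable_entries(catalina_base, uid, gids=(),
                       subdirs=("work", "temp", "logs")):
    """List (relative path, owner uid, mode string) for every file or
    directory below the given subdirectories that `uid` cannot write."""
    findings = []
    for sub in subdirs:
        top = os.path.join(catalina_base, sub)
        if not os.path.lexists(top):
            continue
        paths = [top]
        for dirpath, dirnames, filenames in os.walk(top):
            paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
        for path in paths:
            st = os.lstat(path)          # do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            if not can_write(st, uid, gids):
                findings.append((os.path.relpath(path, catalina_base),
                                 st.st_uid, stat.filemode(st.st_mode)))
    return sorted(findings)


def build_demo_base():
    """Constructed CATALINA_BASE with a work directory in mode 0755, the way
    a run under another account would typically leave it behind."""
    base = tempfile.mkdtemp(prefix="catalina-base-")
    leaf = os.path.join(base, "work", "Catalina", "localhost", "_")
    os.makedirs(leaf)
    d = leaf
    while d != base:
        os.chmod(d, 0o755)
        d = os.path.dirname(d)
    cls = os.path.join(leaf, "hello_jsp.class")
    with open(cls, "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe")
    os.chmod(cls, 0o644)
    return base


if __name__ == "__main__":
    base = build_demo_base()
    # Pretend the service account is some other uid than the tree's owner.
    for rel, owner, mode in unwritable_entries(base, os.getuid() + 1):
        print(f"{mode} uid={owner} {rel}")
```
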
Re: Cyclos Webapp Trouble (404)
18.01.2010 15:57, Rick Bragg: On Mon, 2010-01-18 at 09:43 -0500, David Smith wrote: MySQL leave the tcp port disabled for security reasons. I've never understood the decision, but it happens. You can test w/ the mysql command: mysql -P 3306 -h localhost -u cyclos -p Yes the above works perfect. I can log into MySQL in exactly that way. I also double checked the password. And it still works, if you replace localhost with 127.0.0.1 (since that's what you configured)? I. e. mysql -P 3306 -h 127.0.0.1 -u cyclos -p -- Regards mks
Re: TomCat multiple ssl support
29.12.2009 15:28, Mark Thomas: However, there is a spec for this: RFC 4366, SNI (Server Name Indication). It should be implementable for at least the APR/native connector. Not sure of the extent, if any, of support in the browsers. If a recent article in the German c't magazine is right (and I remember it correctly) browser support for SNI is better than I thought it was. According to this article, most modern browsers already support SNI - the major exception being IE on Windows XP. As I understand it, IE uses the OS'es cryptographic libs and those of XP don't support SNI. BTW: SNI support was added to Apache httpd with version 2.2.12. Nevertheless, as long as IE on XP still has a significant market share, I think the *general* usefulness of SNI for public websites is still somewhat limited. -- Regards mks
Re: Tomcat Config Question
09.12.2009 15:31, steflik: I'm teaching a Web Programming course and am using Tomcat 6 for the servlet/jsp portion of the course. I have created a context for each student in the server.xml file and it seems to work pretty good but if a student modifies the web.xml file in their application I have to restart the server before it takes effect. Is there a way to configure Tomcat so that changes in a user's web.xml file will be automatically sensed by the server and take effect immediately? Adding Contexts to server.xml is strongly discouraged nowadays. Among the reasons for this discouragement is exactly the problem you're facing now. See http://tomcat.apache.org/tomcat-6.0-doc/config/context.html -- Regards mks
Re: SSL only working on localhost
In addition to Pid's comment, which you should take heed of: 02.12.2009 13:41, Michael Dockery: i have wiresharked the server, and can see the inbound 443 connections, so the firewall does not seem to be the issue. (note: the other computers are on the same subnet/lan) What exactly do you mean by can see the inbound 443 connections? My guess would be that wireshark only shows incoming TCP packets directed to port 443 of your server. If my guess is correct, this proves nothing wrt to the packet filter's settings. It might well throw those packets away. -- Regards mks
Re: Tomcat 5.17 crashes too often
On 27.11.2009 15:00, Rocco Scappatura wrote: I have no idea if it's in any way related to the problem you're seeing, but... vm_info: Java HotSpot(TM) Server VM (1.5.0_09-b01) for windows-x86, built on Sep 7 2006 13:40:20 by java_re with MS VC++ 6.0 ...the first thing I'd check is whether a (much) more recent JVM (for example 1.5.0_22 or even a Java 6 VM) still shows this problem. -- Regards mks
Re: Tomcat 6 and Apache2 VS Tomcat 6 alone
TheGrailer: So what do you all think? Is the Apache2 in front of the Tomcat 6 a waste of time or worth while? I agree with what Pid and Peter already said. Just to phrase it with my own words: I see two major reasons why you'd want to put httpd in front of Tomcat 1. To act as a load balancer for multiple Tomcats. 2. To serve dynamic content written in something that Tomcat isn't able to process as good as httpd (if at all), for example PHP. Judging from what you wrote, neither seems to apply to your case. Nevertheless it would be interesting to hear why your friend, who advocates the use of httpd, thinks this additional complexity is justified. In my experience, simply having some static content to serve, isn't a justification. -- Regards mks
Re: How to make tomcat persistant ?
daulat khan: I know that tomcat use session manager to persist sessions and reload them when server starts up. But I can not find where to configure it. How can I turn it off so that I don't get the error message? Take a look at conf/context.xml. -- Regards mks
Re: Understanding context.xml
Carsten Pohl: When I deploy the project to a local tomcat (Apache Tomcat/6.0.20) Everything works as expected. Meaning, the context.xml is copied to /conf/Catalina/localhost and renamed to testprojekt.xml. When I edit the testprojekt.xml to: <?xml version="1.0" encoding="UTF-8"?> <Context> <Parameter name="companyName" value="My BLAH Company, Incorporated" override="false"/> </Context> I see the following output in the catalina.out: 02.11.2009 13:21:35 org.apache.catalina.startup.HostConfig checkResources INFO: Undeploying context [/testprojekt] 02.11.2009 13:21:35 org.apache.catalina.core.StandardContext resourcesStart SCHWERWIEGEND: Error starting static Resources java.lang.IllegalArgumentException: Document base /opt/tomcat6/webapps/testprojekt does not exist or is not a readable directory [...] INFO: Container org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/testprojekt] has not been started Why is that? Is that the expected result? What is the right way to change parameters in a context.xml? You might be affected by this bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=47343 -- Regards mks
Re: Understanding context.xml
Carsten Pohl: If I change the testprojekt.xml in conf/Catalina/localhost/testprojekt.xml my webapplication will be redeployed (assuming the bug is fixed), and it would get the new values. If I change the conf/context.xml all my webapps will be RELOADED, but new values and changes to values in conf/context.xml will not be given to the webapp. Hm, indeed. If the changes in conf/context.xml aren't propagated to the webapps, I don't see the point in reloading the apps on changes in that file. But I don't know if this is a (known) bug or if it works as designed and I'm simply misunderstanding how it's supposed to work. I am using the tomcat connection pooling to connect to a postgres DB, I would like to put the configuration (hostname, username, etc) somewhere, so that I can change it, when I change the databasehost. Where is the right place to put such a configuration? If I put the configuration in conf/context.xml the changes to the values won't be given to running applications. If I put it in the conf/Catalina/ the application will be redeployed, which causes downtimes. What is the right place to PUT and later change the connection infos to the database? Well what is right for you depends on your needs. I configure Resource elements in the webapp's context.xml - but YMMV. Anyway: I don't know of a built-in method that would enable a webapp to see changes in a Resource configuration without a reload of the app. But maybe someone else can provide better/additional information. -- Regards mks
Re: doubts about tomcat form based authentication
Nirvann: I meant authorization. Consider a scenario as follows. There are two users, admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has rights to both the pages but user can access only userPage.jsp. Let's assume that the user logs in as user (not admin) and accesses userPage.jsp. It is fine up to this point because user has access to userPage.jsp. But what happens if the user tries to access adminPage.jsp for which he is not authorized. As you have indicated it should fail through 403 access denied. But, I am getting HTTP 404 - File not found in IE and blank page in Mozilla. In a situation like the one you describe my Tomcat responds with 403 response code and the standard access denied page (I did not change it in web.xml). So, I second Curtis' guess that you did something wrong. BTW: What IE shows you is of very little use, unless you turn off friendly error messages. -- Regards mks
Re: tomcat 5.5.25 and loosing spaces between printing jstl variables
with trimWhiteSpaces set to true: ${firstName} ${name} produces firstNamename without spaces in the html ${firstName}${' '}${name} produces firstName name with spaces in the html If the second behaviour changes I have to reedit all my jsp files. On Mon, Oct 19, 2009 at 4:49 PM, Christopher Schultz ch...@christopherschultz.net wrote: Markus, On 10/17/2009 2:52 AM, Markus Stauffer wrote: private final String emptyText = new String(); Anyhow, it probably makes sense to change the emptyText string from "" to " " (that is, use a space instead of nothing). This bugzilla entry might be interesting to you: https://issues.apache.org/bugzilla/show_bug.cgi?id=45931 Changing emptyText from "" to " " would break the workaround. It would lead to 2 spaces in the html. Please don't do it. What workaround? Just FYI: if you want to comment on the bug and/or the fix, do it in bugzilla so people will actually read it. -chris -- Markus Stauffer
Re: tomcat 5.5.25 and loosing spaces between printing jstl variables
ok thanks :) On Mon, Oct 19, 2009 at 5:05 PM, Christopher Schultz ch...@christopherschultz.net wrote: Markus, On 10/19/2009 10:59 AM, Markus Stauffer wrote: with trimWhiteSpaces set to true: ${firstName} ${name} produces firstNamename without spaces in the html ${firstName}${' '}${name} produces firstName name with spaces in the html If the second behaviour changes I have to reedit all my jsp files. Don't worry: I was the only one complaining about the feature. The specification is clear that spaces should be completely eliminated. The proposed patch adds a third value for trimSpaces: single. It basically does the same thing as I suggested, but it does it in a configurable way, rather than simply imposing it on everyone. You will be safe if/when this change is incorporated into Tomcat. -chris -- Markus Stauffer
Re: What is the difference between running Tomcat 6 as a Windows Service vs. running from the command line?
Alan Kennedy: I need to find out what is the difference between running Tomcat 6 as a Windows Service and running it from the command line. The reason is that I'm getting a bizarre bug when a jython based servlet is run under Tomcat6-as-Service. But the bug does NOT appear when Tomcat 6 is run from the command line using bin\startup.bat. The most prominent difference I can think of is the user account Tomcat runs as. Although I have no idea why this should cause the endless recursion you are seeing, I'd (temporarily) change the user account of the Tomcat service to your personal account and see if the problem still exists. -- Regards mks
Re: What is the difference between running Tomcat 6 as a Windows Service vs. running from the command line?
Alan Kennedy: Unfortunately, it did not solve the problem: the behaviour is exactly the same when running under my own account: the bug still occurs. Well, that seems to rule out any permission problems - and leaves me pretty much out of ideas. One thing, though: do you run Tomcat in both cases from the same installation (same binary, same config etc.)? If not, maybe that's where the difference is. -- Regards mks
Re: tomcat 5.5.25 and loosing spaces between printing jstl variables
private final String emptyText = new String(); Anyhow, it probably makes sense to change the emptyText string from "" to " " (that is, use a space instead of nothing). This bugzilla entry might be interesting to you: https://issues.apache.org/bugzilla/show_bug.cgi?id=45931 Changing emptyText from "" to " " would break the workaround. It would lead to 2 spaces in the html. Please don't do it. regards -- Markus Stauffer
Re: tomcat 5.5.25 and loosing spaces between printing jstl variables
My suggestion: set trimSpace to true on both servers. Then use ${firstName}${' '}${lastName} regards On 13.10.2009 at 23:08, Curtis Garman wrote: Has anyone else experienced losing spaces between printing jstl variables. I've got something that is printing ${firstName} ${lastName} -- Curtis Garman but instead the space in between the two names is getting lost so it prints as CurtisGarman The weird thing is that it displays just fine on a mirrored server but messes up on our production server? My thought is that it has to be a combination of tomcat/jstl. I've had this problem before but it has never mattered. Any ideas or fixes? I do have set in the default web.xml...anyone know if this is a problem? <init-param> <param-name>trimSpace</param-name> <param-value>true</param-value> </init-param> ...I set it because apache recommends this http://tomcat.apache.org/tomcat-6.0-doc/jasper-howto.html#Production%20Configuration -- Curtis Garman Web Programmer Heartland Community College
Re: Logging startup parms for Tomcat...
Tony Anecito: I need to see the jvm startup params (memory settings, etc) for Tomcat. How do I enable that to show up in the logs? If you simply want to see the JVM startup params (i. e. logging them would be just one way to achieve that, but not the only one acceptable to you), you could use jconsole (provided you're using a sufficiently recent JVM from Sun). The VM Summary tab shows quite detailed info about the VM and its parameters. Regards mks
Tomcat and Bayeux for HTTP streaming
Hi all, I would like to use TOMCAT together with Bayeux to develop a streaming application. My question: 1) is it possible with Bayeux to send in one and the same HTTP response several messages at different times back to the client? 2) where can I find additional information about Tomcat and Bayeux in context with streaming? many thanks Markus
Comet question with Tomcat
Hi all, I am using Tomcat6 together with Comet. I implemented as described in the article Advanced IO and Tomcat the servlet, message sender ... The main reason for using comet is that I would like to implement a kind of streaming, what means: I am launching from the client with an AJAX request that is processed by the servlet: on the server the EventType.BEGIN is passed to the event method and then I start to run a specific algorithm. In this algorithm, whenever a specific event occurs, the message sender is notified and writes into the response write a content. This stream is sent to the client, parsed and displayed in the page. Unfortunately on the client I only see the content sent from message sender after the first event. All others are not sent to the client even if the message sender writes it out in the response which is still open. On client side the javascript function (see below go()) is invoked only once. Any idea what I am doing wrong?
    function go(){
        var url = "http://myHost:8080/myServlet";
        var request = new XMLHttpRequest();
        request.open("POST", url, true);
        request.setRequestHeader("Content-Type", "application/x-javascript;");
        request.onreadystatechange = function(){
            if (request.readyState == 4) {
                if (request.status == 200) {
                    if (request.responseText) {
                        document.getElementById("msgContainer").innerHTML = request.responseText;
                    }
                }
            }
        };
        request.send(null);
    }
Comet and mod_jk
Hi all, I see that when using Mod JK (ver. 1.2.26-2) together with Comet I always get the message: 405 HTTP method POST is not supported by this URL. (My servlet engine is tomcat 6.0.14) I googled and found out that mod_jk has its own connector which does not support the comet event. Is there a way to solve this problem ? E.g. specify in mod_jk to use the connector org.apache.coyote.http11.Http11NioProtocol If not, what else can you suggest me? For me it is not important to use mod_jk. The important thing is that the servlet invoked in my webpage (specified without port) is redirected tomcat. Many thanks Markus
Re: Comet and mod_jk
Filip Hanik - Dev Lists wrote: There are only two connectors in Apache Tomcat that support Comet, APR HTTP and NIO HTTP connectors. This means, if you want Apache in front of it, you would use mod_proxy_http Many thanks for your suggestion.
Re: Default character encoding for ServletRequest
It all depends on the client. IIRC if you set the charset in the content type header to utf-8, like this contentType="text/html; charset=utf-8" most browsers will then use utf-8 for HTTP GET and POST requests when responding to the given page. See this thread for some more information: http://mail-archives.apache.org/mod_mbox/tomcat-users/200111.mbox/%3cd913221a882fd31198d90008c75d6909058b4...@cwnl-ams-pri01.nl.compuware.com%3e#archives Markus Halm Reusser wrote on 01.10.2009 13:22: Pid wrote: How about? request.setCharacterEncoding(ENCODING); I wan't do it within the application. I prefer to configure the app container or the app itself. Bearing in mind that you're not really changing what the client requests, or might expect you to be setting... Is there a possibility to force the client to use a specific encoding? -Halm
Re: How to check if the client dropped the connection
Jason Brittain wrote: The first time you call flush, it will send the HTTP response headers to the client, so you would need to first set the headers before flushing. That sounds difficult for you to do because you're writing an image, and one of the headers would be Content-Length, which you probably don't know until your image is generated. Actually, Content-Length is optional as per the HTTP-1.1 spec: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html However, my take on the OP is that a better optimization strategy in this case would be to just cache a larger image on the server rather than generating every image on-demand. That is, when the user is moving around in the image, the server, on the first request, would calculate the image for a much larger portion of the map than requested and stores it on disk in temporary storage (or in some cache area in RAM, if feasible, after all RAM is cheap these days and 64-bit machines can have lots of RAM). Storage of the images would not be done all at once but in tiles. When the user then moves around in the client, the requests just reads the tiles of the created image from disk, puts them together and clips the borders, then compresses the image and sends it to the client. It is possible that PNG even has some support for compressing parts of an image so the tiles itself could be already stored in compressed format, but it's been a while since I read the PNG spec last time. The same could be done for zooming by storing images in a pyramidal structure, like it is done in pattern recognition. While the user is moving, a background thread associated with the client could try to anticipate where the user is likely to be moving to and calculate the given tiles in advance. Actually, this sounds like an interesting project for several Ph.D. theses... Markus
Re: How to check if the client dropped the connection
aaime74 wrote: Well, something like that has actually been done already, it's called tile caching, and works under the restrictive conditions that you can force the client to make requests in predetermined sizes and tiles. As for applying this to the general case, I invite you to have a look at how big the raster surface is and how much space is required to actually store on the disk a full map (only _one_ map, some GeoServer installs do serve 500-1000 different layers) here: I'm not saying you should store the whole map all at once. My approach was to dynamically cache requests that the client may want to make in advance. An easy example would be if a client makes a request for the city center, you create the map for the city center plus the suburbs around it and store it somewhere, then return the city center. If the user then moves around a bit to see the suburbs, you already have the whole map cached and just need to return it, no need to do any further calculation. If you then also compress the image on the fly while you are reading it from disk (or from some memory cache), you will start writing to the output stream very soon (also detecting the dropped connection very soon) and the servlet will not need much RAM. Of course this does not work if you just use Java's built-in PNG encoder. Obviously, caching always comes with the price that you will have the occasional cache miss :-) That is, this does not work for every request but may decrease load and RAM usage a lot for typical use cases. In your OP you write: Unfortunately in the meantime the older requests are still running, drawing a map takes time and a lot of memory, for example the above request, which is a small one btw, allocates a BufferedImage of 700KB. This indicates that you (1) seem to not use any caching (drawing a map takes time - with caching the map would already have been drawn) and (2) you use BufferedImage which of course does not allow you to PNG-encode on the fly.
Both problems would be solved with the above suggestion. Markus
Re: How to check if the client dropped the connection
Martin Gainty wrote: could you explain just a bit more what is a tile? If you have a very large image, say 1 million x 1 million pixels or something like that, it is more efficient to split the image into tiles, that is small images of, say, 256 x 256 pixels. If a certain portion of the big image is requested, you can then load these tiles individually from disk and put them together to form the portion of the image that was requested. Tiles which are inside the requested image portion can be used as is, tiles at the borders may not be contained fully in the requested image and must possibly be clipped. How tiles are used can be seen e.g. in Google Maps: when you have a slow internet connection, while scrolling you can actually see that the map consists of rectangular tiles which are loaded on demand. This is more or less the same concept as blocks when doing paging of virtual memory or pages when talking about processor caches. Even Audacity (audio editor) uses this concept to achieve fast editing of very large audio files. Markus
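The tile lookup and border clipping described in the reply above, as an added example that is not part of the original thread: for a requested pixel region it computes which tiles are needed, which part of each tile is used and where that part lands in the output, then assembles the region. The function names and the synthetic tile loader are constructed for illustration; a real loader would read cached tiles from disk or memory.

```python
def tiles_for_region(x, y, width, height, tile=256):
    """Tiles covering the region [x, x+width) x [y, y+height).

    Each entry holds the tile index, the box (left, top, right, bottom) to
    cut out of that tile, the position of the cut-out in the output image,
    and whether the tile had to be clipped at the region border.
    """
    if x < 0 or y < 0 or width <= 0 or height <= 0 or tile <= 0:
        raise ValueError("region and tile size must be positive")
    pieces = []
    for row in range(y // tile, (y + height - 1) // tile + 1):
        for col in range(x // tile, (x + width - 1) // tile + 1):
            ox, oy = col * tile, row * tile          # tile origin in the big image
            left, top = max(x, ox), max(y, oy)
            right = min(x + width, ox + tile)
            bottom = min(y + height, oy + tile)
            pieces.append({
                "tile": (col, row),
                "src": (left - ox, top - oy, right - ox, bottom - oy),
                "dst": (left - x, top - y),
                "clipped": (right - left, bottom - top) != (tile, tile),
            })
    return pieces


def assemble(x, y, width, height, load_tile, tile=256):
    """Build the requested region row by row from individually loaded tiles.

    load_tile(col, row) must return a tile as a list of pixel rows.
    """
    canvas = [[None] * width for _ in range(height)]
    for piece in tiles_for_region(x, y, width, height, tile):
        data = load_tile(*piece["tile"])
        sx0, sy0, sx1, sy1 = piece["src"]
        dx, dy = piece["dst"]
        for sy in range(sy0, sy1):
            canvas[dy + sy - sy0][dx:dx + (sx1 - sx0)] = data[sy][sx0:sx1]
    return canvas


def synthetic_tile(col, row, tile=4):
    """Constructed stand-in for a stored tile: every pixel holds its own
    absolute (x, y) coordinate, which makes assembly errors visible."""
    return [[(col * tile + tx, row * tile + ty) for tx in range(tile)]
            for ty in range(tile)]


if __name__ == "__main__":
    for piece in tiles_for_region(300, 200, 500, 300):
        print(piece)
    region = assemble(5, 3, 7, 6, lambda c, r: synthetic_tile(c, r, 4), tile=4)
    print(region[0][0], region[-1][-1])
```
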
Typo on http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html ?
Hi, I think there's a typo at http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html . If you search for ROOR you will find: Note that the default or ROOT context for ren would be deployed as $CATALINA_HOME/renapps/ROOT.war (WAR) or $CATALINA_HOME/renapps/ROOR (directory). cheers, - Markus
Re: Tomcat App Configuration
Hi, just use an entry like the following in your Tomcat's server.xml configuration file: <Context path="/" docBase="/path/to/where/your/webapp/resides"/> HTH Markus skarahan wrote: Hi, I use tomcat5.5 on ubuntu and have java web application. When I run it, its address looks like "http://servername:8180/myapp" on browser address line. But I don't like this. when I write "http://servername:8180/" address on web browser address line, I want to open my application. I hope that I can explain my question.. Thanks for your help.
Re: Tomcat App Configuration
I'm not sure what's the problem, but I would not put the app into /usr/share/tomcat5.5/webapps because this is the default location. I would put the webapp into a different location. Also, check if you already have a ROOT directory in your webapps/ path which may interfere with your other root setting. Markus skarahan wrote: Hi , thanks your help. I add this line server.xml <Context path="/" docBase="/usr/share/tomcat5.5/webapp/myapp"/> I can see it manager page path column. But its not running. is there another xml file to configure it.? Markus Meyer wrote: Hi, just use an entry like the following in your Tomcat's server.xml configuration file: <Context path="/" docBase="/path/to/where/your/webapp/resides"/> HTH Markus skarahan wrote: Hi, I use tomcat5.5 on ubuntu and have java web application. When I run it, its address looks like "http://servername:8180/myapp" on browser address line. But I don't like this. when I write "http://servername:8180/" address on web browser address line, I want to open my application. I hope that I can explain my question.. Thanks for your help.
Re: Tomcat App Configuration
Hi André,

sorry if I got that one wrong. It's just that it works for me the way I describe it. (I generally avoid putting my webapps into the default setting and create Context entries for all of them.)

Markus

André Warnier wrote:
> Markus,
> that was a bad recommendation.
> Look here instead:
> http://wiki.apache.org/tomcat/HowTo#head-2e16a614a1be6e03102fc69dd59587a30e20bc5c
>
> Markus Meyer wrote:
>> I'm not sure what's the problem, but I would not put the app into /usr/share/tomcat5.5/webapps because this is the default location. I would put the webapp into a different location. Also, check if you already have a ROOT directory in your webapps/ path which may interfere with your other root setting.
>>
>> Markus
>>
>> skarahan wrote:
>>> Hi,
>>> thanks for your help. I added this line to server.xml:
>>>
>>>     Context path=/ docBase=/usr/share/tomcat5.5/webapp/myapp/
>>>
>>> I can see it in the manager page path column. But it's not running. Is there another xml file to configure it?
>>>
>>> Markus Meyer wrote:
>>>> Hi,
>>>> just use an entry like the following in your Tomcat's server.xml configuration file:
>>>>
>>>>     Context path=/ docBase=/path/to/where/your/webapp/resides/
>>>>
>>>> HTH
>>>> Markus
>>>>
>>>> skarahan wrote:
>>>>> Hi,
>>>>> I use tomcat5.5 on ubuntu and have a java web application. When I run it, its address looks like http://servername:8180/myapp on the browser address line. But I don't like this. When I write the http://servername:8180/ address on the web browser address line, I want to open my application.
>>>>> I hope that I can explain my question.
>>>>> Thanks for your help.
Configuring different environment variables for different vhost context?
Hi,

I want to deploy multiple versions of an application (Hudson [1] in my case). Each running instance needs the environment variable HUDSON_HOME to point to a different location. However, I only manage to specify either a HUDSON_HOME for all instances or none at all :-(

In tomcat55/server.xml I added

    Host name=hudson-test.dev appBase=/var/lib/tomcat5.5/hudson-test/

in tomcat55/Catalina/hudson-test.dev/ROOT.xml I have

    Context docBase=/data/java/archives/hudson-1.322.war
    Environment name=HUDSON_HOME type=java.lang.String value=/data/java/hudson-test/
    /Context

However, it does not pick up HUDSON_HOME and I end up with Hudson creating and using /usr/share/tomcat5.5/.hudson/ instead.

I was only able to add a global HUDSON_HOME variable which would be the same for all Hudson deployments (either passed in the shell when starting tomcat or in the tomcat55/context.xml file).

I found http://forums.java.net/jive/thread.jspa?messageID=85039tstart=0 which suggests doing exactly what I did, but it doesn't pick it up from there.

I directed my question to Hudson but it was suggested that it may be a TC configuration issue.

Can someone point me in the right direction?

thanks,
- Markus

[1] https://hudson.dev.java.net/
Re: Configuring different environment variables for different vhost context?
Hi,

Caldarale, Charles R wrote:
> I think you're confusing environment variables with environment entries - they are completely different things. Environment variables have a scope of process, and are accessed in Java via System.getenv(). Environment entries (what you have configured) have a scope of webapp, and are retrieved via JNDI lookup. Read the servlet spec.

I think you're absolutely right; I'm still new to all that Java/Tomcat stuff.

I searched a bit in the Hudson sources and found the following:

    // check JNDI for the home directory first
    try {
        InitialContext iniCtxt = new InitialContext();
        Context env = (Context) iniCtxt.lookup("java:comp/env");
        String value = (String) env.lookup("HUDSON_HOME");
        if(value!=null && value.trim().length()>0)
            return new File(value.trim());
        // look at one more place. See issue #1314
        value = (String) iniCtxt.lookup("HUDSON_HOME");
        if(value!=null && value.trim().length()>0)
            return new File(value.trim());
    } catch (NamingException e) {
        // ignore
    }

Matching that with your comment about JNDI, I see a partial match here :)

However, I lack the knowledge to understand what the context lookup to java:comp/env really means in relation to HUDSON_HOME.

Am I still on the right track now with my environment entry configuration from my ROOT.xml? I can imagine that I'm missing only a small link now ...

thank you in advance,
- Markus
Re: Configuring different environment variables for different vhost context?
Hi,

Caldarale, Charles R wrote:
> I think the code snippet you posted should be working with the Environment element you posted previously. Might be time to add some print statements to find out what the Hudson code gets back from the Context.lookup() calls.

Thanks, your message made me confident that it must be an error on my side, which it was. I was just not able to realize that the application was picking up the environment variable properly :/

sincerely,
- Markus
Re: user / password
I do not know NetBeans but you probably want to have a look at tomcat-users.xml in the Tomcat configuration directory.

Chris Lenart wrote:
> NetBeans is trying to connect to Tomcat and asking for an ID and password. Where do I find this?
Re: user / password
See http://www.netbeans.org/kb/61/websvc/gs-axis.html

Search for tomcat-users.xml in this document.

Chris Lenart wrote:
> I did but it's blank. Do I add one?
>
> -Original Message-
> From: Markus Meyer [mailto:me...@mesw.de]
> Sent: Thursday, August 27, 2009 3:14 PM
> To: Tomcat Users List
> Subject: Re: user / password
>
> I do not know NetBeans but you probably want to have a look at tomcat-users.xml in the Tomcat configuration directory.
>
> Chris Lenart wrote:
>> NetBeans is trying to connect to Tomcat and asking for an ID and password. Where do I find this?
Strange problems with SSL support in Tomcat 6
Hi,

I have a Debian machine where previously, Tomcat 5.5 was installed (using the Tomcat 5.5 Debian package). uname -a returns:

    Linux server02 2.6.26-2-amd64 #1 SMP Sun Jul 26 20:35:48 UTC 2009 x86_64 GNU/Linux

Now, for some reason I installed Tomcat 6 by using the binary distribution of Tomcat 6.0.20 downloadable from the website (because there's no Debian package for Tomcat 6 yet). I copied over the configuration files: logging.properties, server.xml, tomcat-users.xml and everything works fine except SSL.

The server listens on port 80 for HTTP requests and on port 443 for HTTPS requests. With the exact same configuration and certificate file, SSL works with Tomcat 5.5 but not with Tomcat 6. Everything else works without any flaws.

When I try to access the server using https://myserver.com/ in Firefox, the error code ssl_error_rx_record_too_long appears. However, no errors are logged at all, although I set everything to ALL in the logging.properties file. I even converted the PKCS12 certificate I use to JKS format but although keytool shows the certificate just fine, using the JKS keystore has the same effect.

I use the following connector settings in /opt/tomcat6/conf/server.xml:

    <Connector port="443"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/tomcat6/conf/cert.p12" keystorePass="*" keystoreType="pkcs12"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" connectionTimeout="2" disableUploadTimeout="true"
               acceptCount="100" />

Tomcat is run as root (for now at least), so permission problems should not occur. Of course /opt/tomcat6/conf/cert.p12 exists and is a valid certificate.

I would be extremely grateful if someone has an idea on how I could attempt to debug this strange problem.

Thanks in advance!

Best regards
Markus
Re: Strange problems with SSL support in Tomcat 6
Just for the record: many thanks to Martin for helping me off-list. My problem was that I had not added the AprLifecycleListener to server.xml. Lesson learned: do not copy over configuration files from Tomcat 5.5 to Tomcat 6 but start with the new ones from Tomcat 6 and insert the appropriate directives.

Markus

Markus Meyer wrote:
> Hi,
>
> I have a Debian machine where previously, Tomcat 5.5 was installed (using the Tomcat 5.5 Debian package). uname -a returns:
>
>     Linux server02 2.6.26-2-amd64 #1 SMP Sun Jul 26 20:35:48 UTC 2009 x86_64 GNU/Linux
>
> Now, for some reason I installed Tomcat 6 by using the binary distribution of Tomcat 6.0.20 downloadable from the website (because there's no Debian package for Tomcat 6 yet). I copied over the configuration files: logging.properties, server.xml, tomcat-users.xml and everything works fine except SSL.
>
> The server listens on port 80 for HTTP requests and on port 443 for HTTPS requests. With the exact same configuration and certificate file, SSL works with Tomcat 5.5 but not with Tomcat 6. Everything else works without any flaws.
>
> When I try to access the server using https://myserver.com/ in Firefox, the error code ssl_error_rx_record_too_long appears. However, no errors are logged at all, although I set everything to ALL in the logging.properties file. I even converted the PKCS12 certificate I use to JKS format but although keytool shows the certificate just fine, using the JKS keystore has the same effect.
>
> I use the following connector settings in /opt/tomcat6/conf/server.xml:
>
>     <Connector port="443"
>                scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/opt/tomcat6/conf/cert.p12" keystorePass="*" keystoreType="pkcs12"
>                maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" connectionTimeout="2" disableUploadTimeout="true"
>                acceptCount="100" />
>
> Tomcat is run as root (for now at least), so permission problems should not occur. Of course /opt/tomcat6/conf/cert.p12 exists and is a valid certificate.
>
> I would be extremely grateful if someone has an idea on how I could attempt to debug this strange problem.
>
> Thanks in advance!
>
> Best regards
> Markus
Re: Increasing Heap Size and Max Perm Size
Daniele Development-ML:

> Forgot to mention that when I try with the following command:
>
>     java -Xms512m -Xmx750m
>
> it does succeed in creating the JVM
> [...]
> I don't understand why I get different behaviour passing this option the JVM when starting Tomcat, and when I give directly to the JVM

From your OP:

> JAVA_OPTS=$JAVA_OPTS -Xmx=100m -XX:MaxPermSize=350m -Dfile.encoding=UTF-8

You get different behaviour because you're passing *different* options to the VM. Moreover, as you've been told by the VM and André, -Xmx=100m isn't a valid way to set the VM's maximum heap size.

And BTW: instead of changing a Tomcat-provided script like catalina.sh to set your options you should create (or edit) setenv.sh and set the desired env vars there.

--
Regards
mks
possibility of runtime replication of jkstatus / mod_jk
Hi list members,

I am Markus Pohle, new subscriber to this list and long time user of apache tomcat and tomcat connector (with apache httpd).

I do have a question regarding mod_jk and jkstatus for which I did not find any answer or solution, neither on internet/google nor the mailing list, and I hope someone of you can help me.

Here is the scenario:

- two physical frontend servers, each with one apache httpd webserver with mod_jk
- two physical middle tier servers, each with two apache tomcat servers
- the two frontend servers use linux-ha and heartbeat for failover
- mod_jk on the frontend servers is used to connect through ajp13 to the tomcat servers and do simple loadbalancing and failover (for the tomcats)
- both frontend servers with apache httpd have the same mod_jk configuration (of course!)

Now it comes... During uptime, changes are made to the mod_jk configuration through the jkstatus pages, like disabling or stopping one tomcat node. If that happens, the actual jkstatus configuration does not match the static mod_jk-conf-file configuration any more.

If the first frontend server (or the apache httpd server on it) crashes, linux-ha and heartbeat do a takeover to the second frontend server and start apache httpd on that server. During apache httpd startup it loads its mod_jk configuration, but that one differs from the actual jkstatus configuration on the crashed first frontend server!

My problem is that I do not know how to replicate the actual jkstatus config from the first frontend server to the second one, so that in case of takeover the modified configuration from jkstatus is kept.

Has anybody ever had the same problem? Is there a solution?

Any help would be really appreciated!

TIA,
Markus Pohle
Re: catalina.sh and java_opts question
Susan Teague Rector:

> I've searched around on the net and have found differing opinions about where to actually place the java_opts env var for tomcat.
> Should this variable be in /tomcat/bin/catalina.sh? When I set it in this file and then print out all env vars, it looks like it is not set.
> How do I set java_opts to enable my tomcat applications to get to it?

Judging from /tomcat/bin/catalina.sh you mention, I assume you're on Linux (or another Unix-like platform). If so, it will probably not matter much where you set an environment variable java_opts because it's JAVA_OPTS that gets passed to the java command starting Tomcat.

IMO the Tomcat-provided scripts like catalina.sh should not be modified. Instead set JAVA_OPTS in setenv.sh (create it if it doesn't already exist). setenv.sh will be sourced by catalina.sh.

BTW: unless you really need the options set even when stopping Tomcat, CATALINA_OPTS may be the better choice to set your options.

--
Regards
mks
How to configure per-webapp logging
Hi,

I'd like to configure my webapp to log into a separate file. (Actually, I'd like to have two files, one with only the SEVERE messages and one with all messages, but let's start with an easy example here.)

This is a Debian 5.0 server. The webapp is installed in /var/lib/tomcat5.5/webapps/productionserver_test, and I have created a file /var/lib/tomcat5.5/webapps/productionserver_test/WEB-INF/classes/logging.properties as per the tutorials with the following content:

    handlers= org.apache.juli.FileHandler
    org.apache.juli.FileHandler.level = ALL
    org.apache.juli.FileHandler.directory = ${catalina.base}/logs/productionserver_test
    org.apache.juli.FileHandler.prefix = productionserver_test
    com.gfii.productionserver.handlers = org.apache.juli.FileHandler

The class com.gfii.productionserver is the name of the logger. In the webapp, I call Logger.getLogger("com.gfii.productionserver") whenever I need to have access to the logger.

When I add this logging.properties file, this has two effects:

- Logging information for com.gfii.productionserver is not logged to the main Tomcat logs anymore
- The directory ${catalina.base}/logs/productionserver_test is created

However, no log files are created in this directory.

What am I doing wrong? Please let me know if you need more information.

Thanks in advance!

Markus
Re: Tomcat 5.5 on Windows Server 2003, HTTPS and tc-native
Fred Janon:

> It looks like you have an extensive experience deploying Tomcat 5.5.x on Win XP, SBS, Enterprise and Datacenter, so maybe you can tell me where the option to use APR/tc-native is during the installation using the msi file?

The installation wizard contains a page where you can choose what to install. Among those choices is the native lib.

> Just wanted to share my experience, since the same issue has popped up several times for over a year, but fine with me if you think I am an idiot and the doc is perfect. I made an effort to subscribe to the list, post something, but if you have an issue with that, fine.

And Chuck made an effort to post a reply that adds *real* value to the topic by explaining what went wrong and providing pointers to the relevant docs. If, to you, this is the same as calling you an idiot, your view of the world seems to be *very* different from mine.

BTW: The solution to the problem is not deleting a DLL but using the appropriate configuration for the Connector you chose. And for choosing the POJ Connector it isn't even necessary to remove the native DLL.

> Looks like the Jetty folks are less aggressive. Lots of choices for a servlet container out there.

If you think Jetty suits your needs better, that's fine. The freedom of choice is IMO one of the main advantages of open source software.

--
Regards
mks
Re: IAVM Identified Vulnerability - 2009-B-0026_0028
Owen, Scott A CTR IT/IM Bldg1490:

> I am currently running Tomcat 5.5.27 on a Windows 2003 server for the application Business Objects Enterprise XI R2. I have been notified by my IA department of an IAVA that has been identified and needs immediate action. The IAVM is 2009-B-0026_0028 and references the following CVE vulnerabilities:
>
> CVE-2008-5515
> CVE-2009-0033
> CVE-2009-0580
> CVE-2009-0781
> CVE-2009-0783
>
> I have searched the Apache Tomcat site for any assistance, and the only thing I am able to find references a fix in Tomcat 5.5.SVN. However, I am unable to find this package to install on my server to resolve these vulnerabilities.

This is not a package you can install but (probably) refers to the current state of development, where those vulnerabilities are already fixed.

> Can somebody point me in the right direction on implement this fix to make my system compliant with this identified IAVA?

Look at the corresponding announcements here:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/

For CVE-2009-0781 see:
http://mail-archives.apache.org/mod_mbox/tomcat-dev/200903.mbox/%3c49b147b2.1060...@apache.org%3e

But this vulnerability only affects a component of the example webapps - which shouldn't be deployed on a production server anyway.

--
Regards
mks
Re: Problem of port 8080
Please don't hijack a completely unrelated thread.

Xia Guowen:

> Tomcat running for some time, do not have access to 8080, but 8009 and 8005 is ok. mod_jk access is normal.

Is a Connector listening to port 8080 indeed configured? If so, what's in the logs?

> # netstat -lnut |grep 8080
> tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN

Is that the output of netstat -lnut |grep 8080? Seems very odd to me.

--
Regards
mks
Re: Tomcat startup as service on CentOS 5.3
tomcatastrophe:

> When I try to run /etc/init.d/tomcat restart or /sbin/service tomcat restart (or stop or start) I get this error:
>
> -bash: /etc/init.d/tomcat: /bin/bash^M: bad interpreter: No such file or directory

When you create script files for Linux on a Windows box, make sure you save them with the proper line endings, i. e. \n instead of \r\n. dos2unix might help.

> RUN_AS_USER=root # Adjust run user here

Not a good idea.

--
Regards
mks
Re: Tomcat startup as service on CentOS 5.3
tomcatastrophe:

> I was using root just trying to get it to work. I'm not sure what you mean about line endings here... I don't have any \n in my file... or do you mean the character return ? I'm a little confused.

I'm talking about the character(s) that denotes a line ending, return in a manner of speaking. Fix the line endings of your script using dos2unix or, as Jason proposed, using nano.

--
Regards
mks
Re: Celebrating Apache Tomcat 10th Anniversary
Mladen Turk:

> So, wish us happy anniversary :)

Congratulations! And thanks for a decade of good work!

--
Regards
mks
Re: chunked encoding
Anthony J. Biacco:

> Hence the idea about downgrading to http 1.0. But that doesn't get me the content length header still (which in itself is strange),

No, it's not strange at all. If the length of the response body is not known when the response headers are sent, you obviously can't add a Content-Length header. That has nothing to do with the HTTP version used.

> though I could (although I'm sure to get yelled at for) fake the content-length header with something in apache like:
>
>     Header add Content-length 5
>
> Where 5 is some number larger than my largest possible response. Again, probably not the greatest idea.

Probably not. Did you try using ServletResponse#setBufferSize as I suggested in my other post?

BTW: For Tomcat's NIO Connector I see the socket.appWriteBufSize property which seems to set the output buffer size globally.

--
Regards
mks
Re: chunked encoding
Rainer Jung:

> On 12.06.2009 10:43, Markus Schönhaber wrote:
>> No, it's not strange at all. If the length of the response body is not known when the response headers are sent, you obviously can't add a Content-Length header. That has nothing to do with the HTTP version used.
>
> ... true, but an HTTP/1.0 client can also just read until the connection is closed. That's another way of handling content of unknown length.

Yes, that's exactly what I was pointing at. IOW, using HTTP/1.0 doesn't magically add a Content-Length header (as the OP seems to have expected) in situations where the size of the response body isn't known beforehand.

The difference between HTTP/1.1 and HTTP/1.0 wrt this situation is simply what has to be done to enable the client to know about the end of transmission. While 1.1 will need to transfer the body chunked (at least with keep-alive), 1.0 doesn't know nor care about chunked because the server will close the underlying TCP connection when the response is completely sent.

--
Regards
mks
Re: chunked encoding
André Warnier:

> In summary thus :
> - making the request be HTTP 1.0, no matter how it's done, is not going to magically make Tomcat send the response in one chunk nor add a Content-Length header.

Exactly.

> (it may just /prevent/ it from adding a Content-transfer-encoding: chunked header, yes ?)

It may prevent it from sending chunked content (and adding the appropriate header) in 100% of the cases, since there's no chunked transfer encoding in HTTP/1.0. IOW, you may replace "may" with "will" in the above sentence ;-).

> - the first-choice solution would be to have the CDN fix their software, or select another CDN which can handle chunked content.

I agree.

> - the second-best would be : (presuming the OP knows at some point the real size of the data chunk that has to be sent back.) Write a servlet which obtains the data, then uses response.setContentLength(nnn), then does a response.getWriter/getOutputStream, then writes the data there. Yes ?
> - if the above is not acceptable/practical, then another solution would be to intercept and buffer the full response somewhere, calculate its size, and then forward it unchunked, preceded by a proper Content-Length header.

Yes. I just noticed that the OP said he was going to experiment with setting the bufferSize attribute of the AJP Connector to a higher value. That might indeed be the easiest workaround - provided the output his servlets/JSPs generate does not exceed the buffer size - and this attribute really does what I understand it does.

Using ServletResponse#setBufferSize, which I already mentioned, might work too - on a per-servlet level. But if increasing the value of the bufferSize attribute of the Connector works, it's much less hassle.

--
Regards
mks
Re: chunked encoding
Anthony J. Biacco:

> Here's my problem. When the request is to a servlet (static apache files and JSPs through mod_jk are fine) in the form of a GET, instead of sending a Content-Length response header, I get a Transfer-Encoding: chunked header
>
> I'd like to know:
> 1) What are the causes of either Tomcat (or Apache is it?) enabling chunking on the connection?

Tomcat, probably, since you're talking about a servlet-created response. And it's not chunking the connection but transferring the response body chunked.

If at the time the response headers are sent the size of the response body is already known (for example, if it's just the contents of a file), it's easy to send a Content-Length response header. OTOH, how big the output of a servlet will be is generally not known before the servlet has finished. If you want to send a Content-Length header anyway, I see two (well, really only one) alternatives:

1. Cache the complete servlet output and count the bytes - which isn't very practical.[1]
2. Don't send a Content-Length header.

Alternative 2. creates another problem: With HTTP/1.0 a client can quite reliably determine when the entire response body is transferred, even if no content-length header is sent: when the server closes the underlying TCP connection. With HTTP/1.1 this isn't the case any more since the TCP connection may be left open to be used to transfer additional requests/responses (keep-alive). To enable the client to determine when the entire response was transmitted, you'll have to transfer it chunked.

> 2) How do I get a Content-Length response header instead? Do I need to downgrade the client to HTTP/1.0 or is there another way?

What's the point in caching dynamically created responses?

> FYI, the reason I'm trying to do this is that I use a CDN, and they won't cache my data without the presence of a Content-Length response header, so my servlet data isn't getting cached at the CDN.

What's a CDN?

[1] Tomcat will, by default, cache some output of servlets. IIRC the default buffer size is 8k. So, if your servlet creates output of no more than 8k, a Content-Length header will be sent. Otherwise chunked encoding will be used. This might be the reason why you see Content-Length headers from your JSPs - their output is probably small enough.

--
Regards
mks
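The framing rules discussed in the "chunked encoding" thread above, as an added example that is not part of any of the posts and is not Tomcat's code: a simplified Python model of how a server picks Content-Length, chunked transfer or connection close, and how a client finds the end of the body in each case. The function names are hypothetical, the 8k buffer is the default recalled in the thread, and the oversized Content-Length value at the end is a constructed stand-in for the "fake header" idea.

```python
"""Simplified model of HTTP response body framing (constructed example)."""

BUFFER_SIZE = 8 * 1024  # assumption: the 8k output buffer mentioned in the thread


def frame_response(pieces, http_version="1.1", buffer_size=BUFFER_SIZE):
    """Return (headers, wire_body, server_closes) for a body written as `pieces`.

    If everything fits into the output buffer, the length is known before the
    headers go out. Otherwise the headers are committed first and the end of
    the body has to be signalled some other way.
    """
    body = b"".join(pieces)
    if len(body) <= buffer_size:
        return {"Content-Length": str(len(body))}, body, False
    if http_version == "1.0":
        # No chunked encoding in HTTP/1.0: closing the connection ends the body.
        return {"Connection": "close"}, body, True
    # HTTP/1.1 with keep-alive: each buffer flush becomes one chunk.
    wire = b""
    for start in range(0, len(body), buffer_size):
        chunk = body[start:start + buffer_size]
        wire += b"%x\r\n%s\r\n" % (len(chunk), chunk)
    return {"Transfer-Encoding": "chunked"}, wire + b"0\r\n\r\n", False


def decode_chunked(wire):
    """Decode a chunked body; raises ValueError if it is truncated."""
    body, pos = b"", 0
    while True:
        eol = wire.index(b"\r\n", pos)  # ValueError if the size line is missing
        size = int(wire[pos:eol].split(b";")[0].decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            return body
        chunk = wire[pos:pos + size]
        if len(chunk) != size or wire[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        body += chunk
        pos += size + 2


def read_body(headers, wire, server_closed):
    """Client side: decide where the body ends, as the thread describes."""
    if headers.get("Transfer-Encoding") == "chunked":
        return decode_chunked(wire)
    if "Content-Length" in headers:
        expected = int(headers["Content-Length"])
        if len(wire) < expected:
            # What a too-large, hand-set Content-Length causes: the client
            # waits for bytes that never arrive, or sees a short body.
            raise ValueError("body shorter than Content-Length")
        return wire[:expected]
    if server_closed:
        return wire  # HTTP/1.0 style: read until the connection is closed
    raise ValueError("end of body cannot be determined")


if __name__ == "__main__":
    small = [b"a" * 100]                 # constructed sample bodies
    large = [b"x" * 5000, b"y" * 5000]
    for pieces, version in ((small, "1.1"), (large, "1.1"), (large, "1.0")):
        headers, wire, closes = frame_response(pieces, version)
        print(version, headers, len(read_body(headers, wire, closes)))
    try:
        read_body({"Content-Length": "50000"}, b"".join(large), False)
    except ValueError as err:
        print("oversized Content-Length:", err)
```
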