Re: Tomcat Internal Architect for JSP compilation?
One possible workaround is to precompile the JSP's at build time. https://tomcat.apache.org/tomcat-9.0-doc/jasper-howto.html#Web_Application_Compilation -Tim On Fri, Mar 22, 2024 at 1:37 AM Subodh Joshi wrote: > > Why i am doing this exercise? > In our some of the deployed linux environment many clients are complaining > about this issue , We tried to monitor who actually deleting these > /tmp/tomcat folder but still we are not able to figure it out and we are > not able to reproduce it . So i have to do reproduce it manually deleting > the /tmp/tomcat directory. > >
Re: Operation not permitted errors [EXTERNAL]
Crazy wild guess looking at the stack trace ... > sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107) > at sun.nio.fs.UnixCopyFile.copyFile(UnixCopyFile.java:283) at A snoop of sun.nio.fs.UnixCopyFile shows its calling the system call utimes() or futimes() (probably utimes) - And the CIFS mount doesn't support that. A quick test would be to write a "1 liner" java program that uses java.nio.file.Files.copy with paths in that CIFS mount -Tim On Wed, Feb 7, 2024 at 10:49 AM Beard, Shawn wrote: > It is on a Linux server, The file system mentions is actually a CIFS mount > from a windows server. Its not creating a directory, only that file. Odd > thing is that I can manually create a file in that directory as the user > Tomcat is running as using touch. > > > > > > On 2/6/24 13:52, Beard, Shawn wrote: > > An application we have running in Tomcat 9 using Java 8 is throwing > > this error when trying to create a file: > > > > java.nio.file.FileSystemException > > /path/to/filesystem/202311WEB/040389461310_08_37_246.jpg: Operation > > not permitted at > > sun.nio.fs.UnixException.translateToIOException(UnixException.java:91) > > at > > sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) > > at > > sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107) > > at sun.nio.fs.UnixCopyFile.copyFile(UnixCopyFile.java:283) at > > sun.nio.fs.UnixCopyFile.copy(UnixCopyFile.java:581) at > > sun.nio.fs.UnixFileSystemProvider.copy(UnixFileSystemProvider.java:253 > > ) at java.nio.file.Files.copy(Files.java:1274) at > > org.apache.commons.io.FileUtils.copyFile(FileUtils.java:850) at > > org.apache.commons.io.FileUtils.copyFile(FileUtils.java:756) at > >
Re: Rotating/archiving catalina.out
One option (hacky workaround) is to try using "swallowOutput" which may mitigate the worst of your issue. (Beyond a rewrite with a logging framework) https://tomcat.apache.org/tomcat-9.0-doc/config/context.html -Tim On Mon, Jan 29, 2024 at 3:28 PM Aryeh Friedman wrote: > We need to shrink the size of catalina.out but looking at the logging > documentation I do not see any way to do this with the standard > logging.properties (or else where). Due to the nature of the > production site we never bring it completely down unless we must (life > critical 24/7/365) > > Specifically we have a fair number of System.out.println's with > debugging information to it and we dumb stack traces into it also. > And without stopping and restarting tomcat we want to make it so there > is periodic rotation of catalina.out to some other file? (note stack > traces do go to the dated one but not the System.out.println's) > >
Re: How to access the request URL in a custom valve implementation?
See AbstractAccessLogValve (which AccessLogValve overrides) Then you could override AbstractAccessLogValve.createAccessLogElement() which has case 'q': return new QueryElement(); To possible do doing something like case 'q': return new ObfuscatedQueryElement(); Where ObfuscatedQueryElement is much like the existing QueryElement with your additional requirements. They both would implement AccessLogElement which has access to the Request object -Tim On Fri, Jan 26, 2024 at 7:58 AM Manak Bisht wrote: > I want to obfuscate values of query params for certain URLs, however, I > would still like to log the request. Therefore, I cannot use the existing > conditionif/conditionunless attributes that AccessLogValve provides. > >
Re: How to access the request URL in a custom valve implementation?
My bad - AccessLogValve also supports that feature too - *%{xxx}r* write value of ServletRequest attribute with name xxx (escaped if required, value ?? if request is null) https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging -Tim On Fri, Jan 26, 2024 at 7:23 AM Tim Funk wrote: > It depends on what you are trying to accomplish. ExtendedAccessLogValve is > a > little more flexible where you can write out arbitrary request > attributes but still format the request like the standard access > log. So you could have a filter set the value and not need to > write your own access logger. > > -Tim > > On Fri, Jan 26, 2024 at 5:47 AM Manak Bisht > wrote: > >> Hi, >> I am trying to extend the AccessLogValve to modify logging behaviour for >> certain URLs. However, I don't have access to the request object in the >> AccessLogValve API. So, I am left with regex matching on the >> CharArrayWriter >> message object. Is there a better way to do this? >> >
Re: How to access the request URL in a custom valve implementation?
It depends on what you are trying to accomplish. ExtendedAccessLogValve is a little more flexible where you can write out arbitrary request attributes but still format the request like the standard access log. So you could have a filter set the value and not need to write your own access logger. -Tim On Fri, Jan 26, 2024 at 5:47 AM Manak Bisht wrote: > Hi, > I am trying to extend the AccessLogValve to modify logging behaviour for > certain URLs. However, I don't have access to the request object in the > AccessLogValve API. So, I am left with regex matching on the > CharArrayWriter > message object. Is there a better way to do this? >
Re: Conditional access logs
I don't think there is a technical reason why it couldn't be added. I think the hard part is getting the config wording/naming correct Alternatively, I think an out of the box workaround could also be Tomcat's RewriteValve where the condition matches on header and sets the "environment variable" https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html You can submit a feature enhancement request in the bug database https://tomcat.apache.org/bugreport.html#How_to_submit_patches_and_enhancement_requests -Tim On Thu, Apr 21, 2022 at 5:08 PM Chris Cheshire wrote: > Tomcat 9. > > I wanted to separate out access logs for external api calls to log > different info than the standard access log line. For example, the api key > used which is set as a request header. > > Adding that to the pattern was easy. > > However the conditional logging was clunky. I found the ‘conditionIf’ and > ‘conditionUnless’ attributes for the access log valve, but these only work > on request attributes, not headers (at least that’s what the documentation > says). > > I have created a filter that copies the values from the request headers to > equivalent attributes, just so the condition can work. This is where it > feels clunky, especially since the access log valve has replacement > parameters for logging request headers. > > Is there a technical reason why the condition checking can’t work on > request headers in the valve? If not, can this be considered as a feature > request please? > > >
Re: Tomcat 7 - Log4j Vulnerability Guide Request
Out of the box, no version of Apache Tomcat uses any log4j version. If log4j is used, it is by a specific application (not provided by the ASF) deployed to Tomcat. (Or an admin changed the default install to add it) -Tim On Fri, Jan 28, 2022 at 10:36 AM Samuel Anderson-Burrell | Cloud21 wrote: > Good Afternoon Apache > Hope your well, my name is Samuel I work for a Security firm Cloud 21 and > we have been working with a client who uses your software in particular > Tomcat. > We are looking to see if there is a security patch against log4j. The > version they are using is tomcat 7, checking your dedicated page for Tomcat > version 7 Apache Tomcat(r) - Apache Tomcat 7 vulnerabilities< > https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities> > there does not appear to be an article to patch against it. > Forgive me if I'm not looking in the correct area if there is one please > could you point me in the right direct. I did try and email your security > mailbox but received an automated message back saying that I needed to be > on the subscribed list which I have attempted to subscribed too but I have > not had a response back yet. > >
Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?
LOG4J2 allows for multiple keyword types of keyword expansions in the logs. Keyword expansion is a "great way" to log items possibly only known at run time. And with trace, debug level logging - Comparing those expanded values to logged values makes debugging "easier". (The closest you'll get to breakpoints in production) The downside (exploit) is when the expansion (lookup) does things a little too powerfully. Then other folks come along and use that to *chain* other exploits. Remote LDAP calls were not in mind when the original idea was presenting a value from "java:comp/env". That's gap #1. Then gap #2 was the ability for jndi calls via LDAP to allow serialized results to come back. And the deserialization allowed for arbitrary code execution. WIth a modern java, the (trivial) de-serialization exploit won't happen. But there are many other chaining opportunities still out there. A key takeaway is you might judge individual single exploits not to be bad. But if you can easily chain multiple ones together, then the black hat party can begin. -Tim On Mon, Dec 13, 2021 at 7:24 PM James H. H. Lampert wrote: > > I can *barely* wrap my mind around the idea of getting executable code > from an RMI server, but what legitimate purpose could be served by > allowing a *logger* to resolve executable code? > >
Re: Strange error with JSP
My guess? ClassNotFoundException is rooted in some other exception. Such as a different error is thrown during class initiation. Such as a static { doStuff();} block where doStuff does bad stuff. Hopefully there is more stack trace out there. If the JSP has static initializers - wrap them in try {} catch blocks{} even if you think they don't need wrapped in those blocks. -Tim On Wed, Jun 2, 2021 at 1:53 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > > I'm getting this error in production, and I can reproduce it every time > I access the page. Here's the exception stack trace: > > java.lang.ClassNotFoundException: org.apache.jsp.admin.SessionSnooper_jsp > java.net.URLClassLoader.findClass(URLClassLoader.java:382) > at > org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:128) > at > org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:59) > at > > org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:159) > at > > org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:192) > at > > org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:413) > at > org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:382) > at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) > [...filters, etc...] > > This is a relatively simple JSP. There are no tag libraries in use and > there are 3 imports of JSPs which contain some static utility functions. > >
Re: Append content to OutputStream after RequestDispatcher#forward
Forward needed to be used due to this in the original email > I also tried using RequestDispatcher#include but I need to keep response > headers, added during the forward And include() is not allowed to set headers. -Tim On Tue, Sep 29, 2020 at 2:27 PM Christopher Schultz wrote: > > If you want to add content before/after the target, why not use > include() instead of forward()? > > -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Append content to OutputStream after RequestDispatcher#forward
Advice: Redesign since this will be a support nightmare for you in the future since the design is not in the spirit of how the spec works. Now onto the real solution (over simplified .. but google can expand on each sub-idea) Create a ServletResponseWrapper and pass that to the forward() method where the ServletResponseWrapper does 2 things 1) Extends all instances of header manipulation (setHeader(...)) 2) Extends the output writing capabilities and pushes everything to a buffer HttpServletResponse wrappedResponse = new MyHttpServletResponseWrapper(response); resource.forward(request, wrappedResponse); // Add code to loop over all headers set during forward() and set them on response now response.getWriter().append("prepend string"); response.getWriter().append(wrappedResponse.yourBuffer()); response.getWriter().append("postpend string"); // newly invented word -Tim On Tue, Sep 29, 2020 at 5:31 AM Nicolò Boschi wrote: > > Hi all, > I would like to know how to append (or prepend) some content in a Servlet, > after RequestDispatcher#forward is called. > > @Override > public void doGet(HttpServletRequest request, HttpServletResponse > response) > throws ServletException, IOException { > > final String finalUri = ... // compute some resource URI; > RequestDispatcher resource = request.getRequestDispatcher(finalUri); > > response.getWriter().append("prepend string"); > resource.forward(request, response); > } - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: hiding tomcat version from error pages
It should be ... http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve On Thu, Sep 17, 2020 at 10:40 AM Rathore, Rajendra wrote: > > Hi Tim, > > I am using tomcat 8.5.x, will that available over there? > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: hiding tomcat version from error pages
It should a tweak to the ErrorReportValve as documented here: (inside of server.xml) https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Error_Report_Valve You'll want to set showServerInfo and showReport to false -Tim On Thu, Sep 17, 2020 at 8:20 AM Rathore, Rajendra wrote: > Hi All, > > > > Please let me know the standard way to hide tomcat version from error > pages, I tried on google and saying that you need to modify some properties > inside catelina.jar, but that is not a standard way. > > > > > > Thanks and Regards, > > Rajendra Rathore > > 9922701491 > > >
Re: What would it take for you to attend ApacheCon North America in April 2015
On Mon, Dec 8, 2014 at 4:39 PM, Mark Thomas ma...@apache.org wrote: The call for papers is currently open for ApacheCon North America in April 2015. While I could submit some talks on what ever Tomcat related subject I fancy talking about, I'd prefer to talk about what you want to hear. So, with that in mind what Tomcat talk(s) would need to be on the schedule for you to be able to (convince your manager to let you) attend ApacheCon North America next year? Can't attend ... but I'll throw out 4 fun [YMMV] ideas in case there is interest by someone else ... - Security year in review ... My heart bled POODLE and other reasons I was kept up at night. - On the road[map] again, possible inclusions in the next servlet spec and how that will affect the next Tomcat release. - Non-blocking IO. Is everything awesome? - Getting the cat back in the bag. Deploying your apps in Tomcat on Docker.
Re: throttle filter
[resend ... I just realized my email settings were borked for sending] It might be easier (and much more efficient) for your operating system to do this for you: For example: http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable On Fri, Dec 5, 2014 at 8:19 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Leo, On 12/2/14 5:12 PM, Leo Donahue wrote: On Tue, Dec 2, 2014 at 3:28 PM, Chris Gamache cgama...@gmail.com wrote: You could probably be more sophisticated in your throttling, letting certain IPs or requests through while tarpitting others. I was thinking about how, from my perspective, I see developers wanting to throttle back the number of requests to their web applications (and web services) based on the same ip, session, and other factors appearing in a given amount of time.
Re: [ANN] New committer: Felix Schumacher
+1 Awesome! Welcome! -Tim On Fri, Sep 19, 2014 at 3:49 AM, Rainer Jung rj...@apache.org wrote: On behalf of the Tomcat committers I am pleased to announce that Felix Schumacher (fschumacher) has been voted in as a new Tomcat committer. Please join me in welcoming him. Regards, Rainer
Re: How to read time from a Tomcat server?
Depending on how you look at it - use the HTTP spec and look at the Date response header http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.18 The above technique doesn't require shell access and is an easy way to get the date of ANY webserver. (read the spec for caveats) On Wed, Jan 8, 2014 at 11:39 AM, Bradley Rogers bradley.rogers.engin...@gmail.com wrote: HI Is there a command i can issue to get the exact system time that the remote Tomcat server is using? and then is there a command or some way (with applicable admin rights) to set the remote time? the idea is the sync'ing of the different PC's im hoping to use, if there is some other way used I am grateful to hear it. im setting up a distributed system thats running in linux. thanks
Re: [OT] WEB-INF
Its a best practice to keep your jsp's inside of WEB-INF. Since WEB-INF/ is not allowed to be requested by the browser - its a simple enforcement mechanism to prevent users from direct access to calling jsps. (Since it may be common to have jsp's as snippets for header / footers etc -- and there for they might be able to be called in surprising ways and exposing funny attacks) On Wed, Jul 10, 2013 at 6:08 PM, Leo Donahue - RDSA IT leodona...@mail.maricopa.gov wrote: When did it start that developers decided to place jsps in the WEB-INF directory? Was that intended from the beginning, or was it stumbled upon? Leo
Re: asp file and session creation
yes - this is the pattern we use and trivial to put in your own webapp For completeness ... in web.xml jsp-config jsp-property-group url-pattern*.jsp/url-pattern include-prelude/WEB-INF/prelude1.jspf/include-prelude /jsp-property-group /jsp-config prelude1.jspf contents: %@page session='false' % -Tim On Mon, Apr 23, 2012 at 5:06 PM, Konstantin Kolinko knst.koli...@gmail.comwrote: 2012/4/24 Christopher Schultz ch...@christopherschultz.net: It might be worthwhile proposing a setting for Jasper where the default session setting could be set to false (in obvious violation of the servlet specification) so that JSPs must specifically set session=true in their headers, but such a patch might be very far-reaching. I wonder whether this is already possible to do using jsp-property-group + include-prelude in web.xml.
Re: Is there a way to bake in URL parameters to a URL path?
While useful ... I would conjecture that things like this eventually undergo feature creep and over time would turn into http://www.tuckey.org/urlrewrite/ -Tim On Wed, Aug 24, 2011 at 11:14 AM, Mattmann, Chris A (388J) chris.a.mattm...@jpl.nasa.gov wrote: Thanks for your reply Chuck. It looks like you can do what I'm suggesting, but it's pretty complex. I'm also wondering why this isn't part of Tomcat proper. It would seem to be a very useful tool to include. An ALv2 licensed type of filter that does things like the URLRewrite Filter. Another thing too is that this filter seems to do a huge superset of what I'm actually looking for. I'm really just looking for something simple, with a limited config, something like: url path=/fictionbooks origPath=/books param name=category value=fiction/ param name=something else value=${env.SOMEPROPERTY}/ /url I might just write a plugin that does that and contribute it back to the Apache Tomcat community. Would folks here find that useful?
Re: TC 7.0.16 IllegalStateException thrown by pageContext.include
Looks like this is the root cause from DefaultServlet ... While the ISE is caught ... since the mimetype for js was changed - it doesn't match the fallback method try { ostream = response.getOutputStream(); } catch (IllegalStateException e) { // If it fails, we try to get a Writer instead if we're // trying to serve a text file if ( (contentType == null) || (contentType.startsWith(text)) || (contentType.endsWith(xml)) ) { writer = response.getWriter(); // Cannot reliably serve partial content with a Writer ranges = FULL; } else { throw e; } } So one patch is this (which will catch all javascript variants if multiple exist) if ( (contentType == null) || (contentType.startsWith(text)) || (contentType.endsWith(xml)) +|| (contentType.contains(/javascript)) ) { -Tim On Thu, Jun 23, 2011 at 9:12 PM, David Wall d.w...@computer.org wrote: This was working under TC 6, but I have a tag that extends BodyTagSupport, and in my doStartTag() method I get my JspWRiter 'out' using pageContext.getOut(). I have a bunch of out.write() statements that all work fine. Then I have these: out.write(style type=\text/css\\n/* platform esf.css */\n); pageContext.include(/static/**esf/esf.css,true); pageContext.include(docPage.**context.**getDocumentStyleIncludeUrl(),** true); out.write(/style\n); out.write(script type=\text/javascript\\n); pageContext.include(/static/**esf/esf.js,true); out.write(/script\n); But the exception IllegalStateException is thrown on the include of the esf.js file. The reason is null, so there's no more details. I find it odd in that the two prior includes works okay, but that third one fails. The file is definitely there (and has been working under TC 6.0 before). If I comment out that include, my tag works fine. What might be causing this? Thanks, David --**--**- To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.orgusers-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache/Tomcat_means...?
Apache = Apache Software Foundation. This is the legal organization which has all the wonderful bureaucracy in setting up rules for software development and making sure projects adhere to various countries laws. Tomcat - Actually Apache Tomcat - the implementation of the servlet spec. A project in the Apache software foundation. Apache web server - Also know has Apache httpd - the original project which begat the the Apache software foundation. Many times when Apache is mentioned, the speaker will imply Apache httpd. That being said ... Apache Tomcat and Apache httpd are 2 different products with their own different methods of installation. You may also use Apache Tomcat without needing Apache httpd. The Tomcat FAQ has some more details about that. -Tim On Wed, Jun 22, 2011 at 12:01 PM, Fred fdu...@yahoo.fr wrote: Hi, I'm really confused with Apache; Apache/Tomcat; Tomcat. Please correct me if I'm wrong: When I install Apache/Tomcat, I install Apache web sever and Tomcat application sever at the same time.I could do the same thing by installing Apache web sever, and Tomcat application server separatelyThanks in advance, Fred,
Re: One process per webapp
** Observations ... 1) If relying on native - it might be easiest to place the System.loadLibrary() and its classes in the common classloader. Then use a Valve to call System.loadLibrary() so it's only called once. Hack, yes ... also very simple to do. This might allow webapps to be reloaded without a problem [depending on the nature of the change.] 2) apache httpd can easily handle the proxy scenario. Utilize the hot standby feature and have it point to the primary Tomcat. Then when you wish to restart ... you can bring up a new Tomcat which will be configured as the hot standby. Then shutdown the primary Tomcat and all traffic goes to the hot standby. Once the primary is down, change the proxy rules that now the failover is the primary and the standby will be located in the config for the next new tomcat instance. All the the proxy rules can be in an include. (a really simple one - probably less then 10 lines) You'd also need some httpd graceful restarts in there too to capture the new changes to the include proxy rule file. All of the this can probably be easily scriptable. (Even though there was a desire to avoid scripting) -Tim On 6/14/2011 3:54 PM, cowwoc wrote: SNIP seen:reload the entire JVM. Fixing this in the official release would benefit anyone wishing to use JNI (or libraries that use JNI) from within Tomcat. Nowadays with the rise of RESTful interfaces, it makes a lot more sense to wrap a RESTful interface around libraries that interface with native code. SNIP JVM. I'm talking about sticking a proxy (on port 80) that acts a front-man. Then each webapp run in its own JVM in some custom port. The proxy redirects traffic to the custom ports. Reloading webapps would do the following: * Grab a blank (loaded without any webapps) Tomcat instance from some pool, ask it to load the new webapp instance. * The new instance runs in a different port than the existing instance * We ask the proxy to forward traffic to the new port instead of the old one * We ask the old instance to shut down * Note that traffic moves across instances instantly (without waiting for the old instance to shut down) I wouldn't want to try implementing this in terms of simple script files. It's a lot more involved.
Re: Static resource mapping in web.xml
Your easiest workaround is to use a filter. So 1) have the default servlet map to /* (which is the default) 2) keep the invoker declared 3) And make your filter do this ... doFilter(..) { if (request.getServletPath().matches(regex-here)) { servletContext.getNamedDispatcher(invoker).forward(request,response); return; } chain.doFilter(...) } Where regex-here is something which limits the mayhem you are imposing on yourself .. like this: /servlet/com\.yourcompany\..+ -Tim On 6/8/2011 10:17 AM, falva...@geocom.com.uy wrote: Dear all, I'm faceing the following problem in tomcat (probably just configuration). I have a WEBAPP which uses the invoker servlet (i know how bad it is, but for now it gets the job done). The static content is under /images/ path. So a tipical URL was likehttp://host:8080/webapp/servlet/home; http://host:8080/webapp/servlet/home. To avoid the servlet part of the URL I layed hands in web.xml. This is the result: web-app servlet-mapping servlet-nameinvoker/servlet-name url-pattern/*/url-pattern /servlet-mapping servlet-mapping servlet-namedefault/servlet-name url-pattern/images/*/url-pattern /servlet-mapping /web-app The problem is that static content is not shown under images, it is shown under images/images. For example: http://host:8080/webapp/images/help.png ERROR http://host:8080/webapp/images/images/help.pngOK In order to keep things as tidy as possible I would like static content to be served under images. Using ROOT is not an option because this tomcat is shared among several WEBAPPS. Is there anything wrong with my configuration or am I missing something? This post addresses the same issue: http://stackoverflow.com/questions/234210/can-anyone-explain-servlet-mapping Thanks in advance and please excuse my bad English. Best regards, Federico. OS CentOS 5 Tomcat6.0.29 JVM 1.6.0_20-b02
Re: Static resource mapping in web.xml
No - images will be served by the default servlet so nothing needs to be done for images. The filter is used as a way to let the invoker work and be a tiny bit more secure. So the filter is mapped to /* and will forward anything to the invoker serllet if the requested path *looks like one of your classes*. ... otherwise the filter uses chain.doFilter(...) to let the request be handled by any other mapped servlets. (In this case the default servlet) There are many tutorials on the web about filters -Tim On 6/8/2011 11:25 AM, falva...@geocom.com.uy wrote: Interesting Tim. But a little confusing for me. Never used filters, but for what you said and I googled: I would have to build a filter and map it to /images/*, right? Something like: filter filter-nameResource filter/filter-name filter-classcom.mycompany.resourcefilter/filter-class /filter filter-mapping filter-nameResource filter mapped/filter-name servlet-name/images/*/servlet-name /filter-mapping If I understand correctly, every request made to this URL path will be answerd with what I declare in the filter.
Re: Static resource mapping in web.xml
If your images are in the correct directory then tomcat will serve them for you with its DefaultServlet. There should be nothing to do. Then to serve resources via the invoker - this is where the filter is handy. You declare the invoker servlet - but you do not map it. The servlet api allows you to invoke an unmapped servlet by requesting it by name from the ServletContext. So the filter is doing the access control mapping to determine if the invoker should be invoked. -Tim On Wed, Jun 8, 2011 at 12:34 PM, falva...@geocom.com.uy wrote: I thought the filter would allow me to serve the static resources under /images/. I understand if it is in order to make invoker more secure. But what I'm actually trying to achieve is the proper serving of resources. I don't know exactly why, but mapping the default servlet to /* is not working (probably my fault). What Mark pointed in his first mail is that this kind of mapping was added in release 6.0.30. I'll try this as soon as possible.
Re: Static resource mapping in web.xml
yes - that would be a problem. The invoker doesn't know how to serve static resources. -Tim On Wed, Jun 8, 2011 at 1:44 PM, falva...@geocom.com.uy wrote: I agree with you. The static resources where never a problem to me, but since I messed with the web.xml they started to behave oddly. Maybe this line is causing trouble: servlet-mapping servlet-nameinvoker/servlet-name url-pattern/*/url-pattern /servlet-mapping It used to be: servlet-mapping servlet-nameinvoker/servlet-name url-pattern/servlet/*/url-pattern /servlet-mapping What do you think? Can this be interfering with the requests to resources?
Re: Tomcat with Cisco ACE Load Balancer
This looks looks like a nice time to look at your existing traffic and get actuals of 1) Hits per second 2) Bandwidth usage Then use your access logs (or if you have a test suite - use that ... guessing owning 8 weblogic instances probably means there was a budget to own a test suite) to determine the load to hit a single tomcat instance. Now stress test that single tomcat instance. Now you have a baseline of what a single tomcat can do. Can a single instance handle all the traffic? if so - you are done since you have a second server available you now have failover/redundancy. if your still reading to this point - the above is a lie. [ok - not a lie ... just not completely accurate] We don't know how session management is handled. If session management is clustered where both tomcats need to handle the other tomcat's sessions in failover ... then you have more performance testing todo. Because the overhead to replicate sessions may overwhelm the server. (via cpu, network, or both) If you are doing sticky management where a server goes down and all the sessions are lost ... then - you actually are done your testing. (and can easily scale too - minus that one pesky side effect of session loss) [As other mentioned too ... Tomcat is just a servlet container - if your using any other J2EE features - they might not be readily available on Tomcat.] [I have a suspicion that you can run one tomcat on each server with no problem and greatly simplify the existing setup.] -Tim On 6/1/2011 4:08 PM, Tauqir Akhtar wrote: Thanks Pid for you updates. All I am trying here to implement Tomcat in Load Balanced Environment. WE have Java EE base web Application. And we have two 36 GB web servers. Currently they have WebLogic installed on them. Four Instance of WebLogic managed servers run on each machine. Our Java Appplicatiion is deployed on all of these web servers. Machine 1 : WebsLogicServer1 (Port : 6001) WebsLogicServer2 (Port : 6002) WebsLogicServer3 (Port : 6003) WebsLogicServer4 (Port : 6004) Machine 1 : WebsLogicServer4 (Port : 6005) WebsLogicServer6 (Port : 6006) WebsLogicServer7 (Port : 6007) WebsLogicServer8 (Port : 6008)
Re: OT: Versioning in Javascript Files
I've loathed this issue too. There are 2 major cases to deal with - Libraries changing (like dojo, prototype, etc) - Your external files changing The first is easy to change .. in that you create a /scripts/ dir and all 3rd party libraries go into their own directory with version number. New version - new directory (and hope the file names remain the same). Then *hopefully* you have a common include file that you just need to change once to point to the new directory. (Of course a global find/replace in this case is easy) The second is trickier. Relying on random query string is not fun since it may cause some browsers/proxies to be less prone to caching which can really affect performance. Especially if the the query string is dynamic. An easier solution is to use place your scripts is a special directory - then use a rewrite (or similar) rule to access them. So that the path is dynamic (and somewhat bogus). For example: /scripts/2011-04-11-072730/dojo.js - and in this case - you can have a rewrite rule look for a pattern and remove it from the path and forward to the script and let the default servlet handle things. Then to populate 2011-04-11-072730 - you can do that one of 3 ways: - At build time - calculate the timestamp and replace it - At run time - use a configuration parameter in context.xml - A combo of both - I like this one best since a build can trigger a new name, but sometimes you may run into situations where you don't need a build but you need it refreshed - so a server parameter tweak makes this easy too (and if savvy enough can be done via JMX to save a restart from occurring) Good luck ... -Tim On 4/11/2011 5:47 PM, George Sexton wrote: I'm looking for ideas on how other people are doing versioning in Javascript files. I'm hitting issues if I change my files in an incompatible way, or I upgrade files. For example, if I upgrade from DOJO 1.5 to DOJO 1.6, the user's browsers are not always refreshing the DOJO files, and things don't work. Similarly, if I update a javascript function to take additional arguments, then the browser using the old version throws an error. I've spent a lot of time in the past few days telling users to click on the refresh button of their browser and I'm pretty sick of it. I've thought of versioning my whole scripts directory. IOW, if my app version is 3.4.9, make the scripts directory scripts-3.4.9 to force the browser to get files from the new location. This is kind of a pain for version control reasons but otherwise it's OK. I'm really looking for ideas on how other web developers are handling this problem. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Secure AJP over ssl
Or it could be in the world of outsourcing you have a giant pool of 1st, 2nd, and 3rd level support who are offshore which need access to perform basic trouble shooting before escalation. And 90% of them have no idea they have access but getting them access when they would need it becomes a giant hassle. But since everyone is on the ACL - its secure :) -Tim On 2/23/2011 2:44 PM, Mladen Turk wrote: On 02/23/2011 07:28 PM, Jason Pyeron wrote: encrypting the data transfer between those boxes cause you can just as well make sure the proper persons have the network access. That list includes 78 people. You mean 78 people monitor your network for trouble or you have your production servers in the same network segment as your local intranet? Cannot tell which one is worse :) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to configure Tomcat/Coyote to deliver a P3P Header on Every Request
No coding needed if you use Url Rewrite Filter ... http://urlrewritefilter.googlecode.com rule from.*/from set type=response-header name=P3PP3P code here/set /rule -Tim On 1/17/2011 8:11 AM, Joseph Morgan wrote: You know what... I need to learn to read what I write... you are correct, it needs to be added to every response. Thanks -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, January 14, 2011 3:07 PM To: Tomcat Users List Subject: Re: How to configure Tomcat/Coyote to deliver a P3P Header on Every Request Joseph Morgan wrote: Using Tomcat 6.0.13, how do we configure the Coyote server to deliver a P3P header on every request, even if for a JavaScript, Image, CSS, etc? I don't know about the Coyote server, and it won't work for a request, but if you are talking about a Tomcat webapp and its responses, how about a servlet filter mapped to /* and adding such a header to every response ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat dying on its own
I'm late to the party. But how about trying the following ... 1) Add a filter which runs first and logs the request. This WILL have a performance impact - but a non-running application is a tad bit slower than writing each request to disk. With luck - this may call out a class of (or single) urls which can then be examined to see if you can reproduce the app death. 2) Run all the code in the webapp through a decompiler and look for System.exit() - then for all the spots where System.exit exists - then see if that piece of code might be called. [warning: Depending on who wrote the code, or the libraries used - this may violate some licenses.] -Tim On 12/8/2010 5:37 PM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Victor, On 12/6/2010 3:47 PM, Victor Kabdebon wrote: Your Linux may also be involved. If you have some weird configuration of your system, it may kill/shutdown some services / applications. If it's the Linux OOM killer, you should get a syslog message about it. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] How to obtain the id of the current process
If you have Apr available ... you might be able to use this ... org.apache.tomcat.jni.Stdlib.getpid() // public static native int getpid(); -Tim On 11/18/2010 6:10 AM, Pid wrote: On 18/11/2010 10:47, André Warnier wrote: The justification according to which a PID is not necessarily available on every platform seems a very weak one. Quite. In which case, return a null. Enough other methods do... p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Any tools to detect tomcat services failure, and start it again automatically?
Has anyone successfully used (or experimented with) either of these? -XX:OnError=cmd args;cmd args -XX:OnOutOfMemoryError=cmd args; cmd args -Tim - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Restricting access to tomcat via httpd proxy only
See RemoteIpValve http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_IP_Valve -Tim On 11/9/2010 1:34 PM, Ari King wrote: Hi all, I have an httpd proxy in front of my tomcat servers/instances, and I'd like to restrict access to those tomcat servers/instances to be through the httpd proxy. This is in a lab settings so I'd prefer to use tomcat configurations, rather than use something like a firewall. Anyone have any suggestions on how I can accomplish this? Thanks. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Restricting access to tomcat via httpd proxy only
Doh - too fast in copy paste - I pasted the wrong name. You want *RemoteAddrValve* - you do NOT want RemoteIpValve -Tim On 11/9/2010 3:18 PM, Tim Funk wrote: See RemoteIpValve http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_IP_Valve -Tim On 11/9/2010 1:34 PM, Ari King wrote: Hi all, I have an httpd proxy in front of my tomcat servers/instances, and I'd like to restrict access to those tomcat servers/instances to be through the httpd proxy. This is in a lab settings so I'd prefer to use tomcat configurations, rather than use something like a firewall. Anyone have any suggestions on how I can accomplish this? Thanks. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JSP Precompilation and Servlet 3.0
An enhancement bug has been entered for those with the itch. It appears the existing JspC task still writes out 2.3 when it writes a new web.xml. https://issues.apache.org/bugzilla/show_bug.cgi?id=50234 -Tim On 11/8/2010 5:45 AM, Ronald Klop wrote: +1 Precompiled jsp's with annotations in a jar. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JSP Precompilation and Servlet 3.0
While I like the idea of using web-fragment.xml for precompiled jsp's - it would require the meta-data complete flag to be set to false which may as a side effect allow other artifacts to be loaded too. Hopefully jsp-precompile is part of the webapp build/deploy process so a developer can ignore it during development. But an admin (or release manager) can ensure that all jsps do compile before release is deployed. Setting up jsp-precompilation is a PITA the first time or 2 but once you get the hang of it, the precompilation step can be part of a standard snippet which can be pulled in via ant import. (For those of us who love ant) -Tim On 11/5/2010 10:13 AM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 All, Tim has just given his talk at ApacheCon NA about Servlet 3.0 / Tomcat 7.0. It was really my first taste of the 3.0 spec and I had a thought about the new features available for webapp configuration /other/ than web.xml: - - web.xml fragments - - class annotations The current method for JSP precompilation (which I've never used, mind you, so forgive my ignorance if I'm incorrect) is cumbersome: - - run the compiler - - copy the new .class files somewhere - - drop a huge load of junk into web.xml It occurred to me that that these new servlet 3.0 features could help JSP precompilation. Let's see what Tomcat 7.0's JSP precompiler could do (roughly): $ jsp-precompile /path/to/jsps my-jsps.jar $ cp my-jsps.jar /path/to/webapps/mywebapp/WEB-INF/lib (done) The precompiler could translate and compile all of the classes and package them into a .jar file for you. Great. What about servlet mappings? Well, we have two options: 1. Use annotations in the translated .java files 2. Generate a web.xml fragment and stuff it into my-jsps.jar/WEB-INF/web-fragment.xml Does anyone have any preferences? I suppose it could be an option to the precompiler, or we could even do both (do duplicate mappings conflict?). Hopefully, this will make JSP precompilation less onerous for users. Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkzUER4ACgkQ9CaO5/Lv0PCfUgCgtgRRQd+Qw6X2aLDWyHq0STbd UzgAnR7DtoAKbzLOdRSLWFPX4Qjp9UN5 =k337 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: web.xml cant load because of listener
Check all the files in the log dir. There should be an exception there with ContextLoaderListener throwing some exception. (Probably a SaxException) -Tim On 11/3/2010 12:14 AM, Will Sumekar wrote: Hi When I put these lines: listener listener-class org.springframework.web.context.ContextLoaderListener /listener-class /listener my appln can't load at all. When I go to http://localhost:8080/app it's not loaded. But when I remove those lines it loads correctly. I've put the necessary lib containing org.springframework.web.context.ContextLoaderListener in ./app/WEB-INF/lib. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Release COM Objects
Ideally - you would do this as a servlet filter and configured as part of the webapp. So when the filter is destroyed - it unregisters the object. -Tim On 11/2/2010 2:53 PM, Leo Donahue - PLANDEVX wrote: http://j-integra.intrinsyc.com/support/com/doc/gc/index.html #4 com.linar.jintegra.Cleaner.releaseAll(); Can Tomcat call this method prior to shutting down as a windows service? If so where would I configure this? JSF 1.2 (Sun RI) mojarra-1.2 Tomcat running as a windows service Using CATALINA_BASE: C:\apache-tomcat-6.0.29 Using CATALINA_HOME: C:\apache-tomcat-6.0.29 Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.29\temp Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_20 Using CLASSPATH: C:\apache-tomcat-6.0.29\bin\bootstrap.jar Server version: Apache Tomcat/6.0.29 Server built: July 19 2010 1458 Server number: 6.0.0.29 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. Leo Donahue - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Access log timing details
Its the time the Valve starts processing until the valve has finished processing. Vague heh? So this means that Tomcat will need to do the following first before timing starts - Accept the connection - Receive the 1st line of the request, and probably the headers such as Host - From there - Tomcat now knows where to send the request and can create/invoke the Valve chain and the AccessLogValve can start its timing - Then AccessLogValve records as its end time when the valve is finished its processing (which is after your servlet/jsp is already done since it wraps it). So (if I am correct) it may be possible that the OS could be buffering some bytes waiting to go out which could also cause a time difference. -Tim On 11/1/2010 12:48 PM, Alex Quezada wrote: Hello, I'm trying to debug some performance issues, and see discrepancies from the time reported by HttpClient and Tomcat's access log. This is for post requests (I'm running Tomcat 6.0.18 just in case). Does the time reported in the access log include the entire session, including the time it took to upload the post request, or is it only the response time once the request and payload are fully received? I've looked around but no luck finding details on the response times. Thanks for any info! - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Access Log Valve - Query String
Use pattern=combined to see the querystring -Tim On 10/12/2010 12:21 PM, Leo Donahue - PLANDEVX wrote: I am currently using the common pattern to log all requests using the Access Log Valve. Valve className=org.apache.catalina.valves.AccessLogValve directory=c:/apache-tomcat-logs/webappname prefix=webappname_access_log. suffix=.txt pattern=common resolveHosts=false/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: listing directory content outside tomcat root
Enable listings is sort of** a global setting. Since the default servlet is declared in conf/web.xml - its inherited in *every* webapp. So its config is also inherited. (Bummer) BUT - if you add a WEB-INF/web.xml to EVERY webapp with the default servlet settings - then you can remove the default servlet config from conf/web.xml and have the default servlet per webapp config. That means - in docBase=/path_to_some_dir/ -- you need /path_to_some_dir/WEB-INF/web.xml What I forget is - what happens if you only create /path_to_some_dir/WEB-INF/web.xml and leave conf/web.xml alone. Which of course would be the easiest thing to do. -Tim On 2/25/2010 6:22 AM, Ivan Longhi wrote: hi, I would like to list the content of a directory outside tomcat root without enabling the listings parameter in default servlet. conf/web.xml servlet servlet-namedefault/servlet-name servlet-classorg.apache.catalina.servlets.DefaultServlet/servlet-class init-param param-namelistings/param-name param-valuefalse/param-value /init-param /servlet conf/server.xml . Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Context path=/test docBase=/path_to_some_dir/ Parameter name=listings value=true / /Context .. if I try to get a file inside the dir it works ( http://localhost:8080/test/some_file.txt ) but if I try to list the content of the directory ( http://localhost:8080/test/ ) I get 404. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Uniqueness of a sessionId
The way things work now by default ... The session cookie is set at the path level and is different per context. So you may have multiple sessino id cookies set for a given server (but given the path constraint on the cookie - you only get one of those cookies (typically)) But (IIRC) you can also configure tomcat to use one session id for all contexts. (Comes in handy for portlets) -Tim On 1/8/2010 8:07 AM, Arnab Ghosh wrote: Dear Friends, I have an doubt.Tomcat is using *org.apache.catalina.session.ManagerBase* to generate sessionId. Now I wants to know whether this generated key will be unique in all context running under a tomcat service or it will be unique under a particular context?? Thanks, Ghosh - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Preventing httpd from accessing WEB-INF contents
Equally well Location ~ /WEB-INF/ AllowOverride none deny from all /Location The docs say AllowOverride is not allowed on regex's so I believe in reality - this could be overridden with effort. -Tim Pid wrote: On 25/11/2009 16:47, Nikolay Diulgerov wrote: Try Location /myapp/WEB-INF AllowOverride None deny from all /Location Probably a better solution would be: LocationMatch /*/WEB-INF/ AllowOverride None deny from all /LocationMatch LocationMatch /*/META-INF/ AllowOverride None deny from all /LocationMatch ... but we're really just guessing what config is already in place - maybe the mod_jk / mod_proxy config could be adjusted instead. Correcting a poor/broken config is a much better solution than attempting, blindly, to stick bandages on an unknown setup. p -Original Message- From: Jonathan Mast [mailto:jhmast.develo...@gmail.com] Sent: Wednesday, November 25, 2009 6:40 PM To: Tomcat Users List; p...@pidster.com Subject: Re: Preventing httpd from accessing WEB-INF contents yes I am keeping the all the web-app stuff in place. I don't have the time to re-architect my entire system to your suggested format. I really need to just prevent httpd from accessing anything with WEB-INF in the url. On Wed, Nov 25, 2009 at 11:21 AM, Pidp...@pidster.com wrote: On 25/11/2009 16:13, Jonathan Mast wrote: Can someone please provide the magical httpd config-cantation that will block httpd from accessing anything in WEB-INF directories? I need something that will be apply globally and can't be overridden by VirtualHost directives. I've dug around the httpd config documentation and I'm just not understanding it, everything I've tried just hasn't worked. thanks httpd 2.2 Tomcat 6.0 At a guess, I'd say you've published, via HTTPD, the web application directory. This is one of the reasons we advise users not publish webapp directories via HTTPD. Using a separate webapps and document root is advisable. E.g. /path/to/site.com/httpdocs /path/to/site.com/httpdocs/index.html /path/to/site.com/httpdocs/images/ /path/to/site.com/httpdocs/scripts/ /path/to/site.com/webapps /path/to/site.com/webapps/ROOT /path/to/site.com/webapps/myapp If this isn't the case, you'll have to supply information about your mod_jk / mod_proxy config so we can see what you're doing. p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: per context access log
Sorry - (AFAICT) there isn't a way to do that. You have to configure each one. -Tim Ursula Walenciak wrote: Hi, I'm trying to configure access-logging per context by using the AccessLogValve. Actually I would like to produce one log-file per context but avoid configuring it for each context separately. Is there a possibility to place the Valve-Configuration Valve className=org.apache.catalina.valves.AccessLogValve prefix=${context?!} suffix=.log pattern=combined/ into the default context.xml an chose a prefix such that a separate file is generated for each context, not one common for all contexts? Or is there another possibility to reach the desired behaviour? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to cancel a servlet startup?
I'll one up it to make it trivial ... // put this in a filter mapped to everything doFilter(...) { if (servletContext.getAttribute(initFailed)) { response.sendError(503); return; } chain.doFilter(request,response); } // and put this in any servlet or listerer } catch(Throwable e) { servletContext.getAttribute(initFailed, Y); } If you have access to URLRewrite filter - then you don't even need to write the filter above - but that configuration is left as an exercise to the user -Tim Mark Thomas wrote: Dan Armbrust wrote: I'll tell you what, if you can tell me how to prevent my users (who have full control over the application / installation / hardware where this is running) from being able to shoot themselves in the foot and do something that causes my app to fail - I'll buy you a case of beer and not worry about this. Until then, my servlet needs to do system checks - and if something is wrong, it needs to not deploy. Thats the bit I haven't yet figured out... How do I get tomcat to disable the entire context, when I detect that something is broken during startup? And ideally, redirect the users to an error screen that tells them that it's broken.. Sounds like a job for a filter / context listener combination. Not the only solution something like: - context listener fire when app starts - do checks - set static with the result - all requests run through filter - filter checks static - if OK - allow request - if !OK don't allow request return error page. Mark Thanks, Dan On Thu, Nov 12, 2009 at 11:42 AM, Joseph Morgan joseph.mor...@ignitesales.com wrote: Dan, Pardon my advice, but... this sounds like a programming/config/illegal state error that shouldn't make it to production. Of course, you could simply add instrumentation to the system to detect that this servlet didn't do its thing, and route every request to a holding page. Joe -Original Message- From: Dan Armbrust [mailto:daniel.armbrust.l...@gmail.com] Sent: Thursday, November 12, 2009 10:48 AM To: Tomcat Users List Subject: How to cancel a servlet startup? If I have a servlet which fails during init() for whatever reason - the example below takes a null pointer public class MyServlet extends HttpServlet { private static final long serialVersionUID = 7997991143724219371L; @Override public void destroy() { //do stuff super.destroy(); } @Override public void init() throws ServletException { try { String a = null; a.toString(); } catch (Exception e) { System.err.println(Startup error - cancelling startup. + e); try { destroy(); } catch (Exception e1) { //noop } throw new ServletException(Startup failing due to unexpected error: + e); } } } How can I make tomcat cancel the deployment of the entire war file that this servlet was distributed with? I thought that throwing a ServletException back up to Tomcat would make the webapp unavailable - but Tomcat continues to serve pages from this webapp even though the startup failed. That doesn't seem like correct behavior... am I missing a setting somewhere? Thanks, Dan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Windows distribution vunerability
Confirmed. The docs are not in sync with what the installer does. We'll get this fixed in a future release. In future, please report possible security issues privately rather than publicly. -Tim David Norheim wrote: Hi, I would like someone's opinion on the following issue that we have discovered using the windows distribution of Tomcat 6. (tested for Tomcat 6.0.14, 6.0.16 and 6.0.20 downloaded from [1] ) The documentation for Tomcat 6 states It would be quite unsafe to ship Tomcat with default settings that allowed anyone on the Internet to execute the Manager application on your server. Therefore, the Manager application is shipped with the requirement that anyone who attempts to use it must authenticate themselves, using a username and password that have the role manager associated with them. Further, there is no username in the default users file ($CATALINA_BASE/conf/tomcat-users.xml) that is assigned this role. Therefore, access to the Manager application is completely disabled by default. While installing the zip or tar.gz version of the binary distributions does not open for the manager application, the windows exe version does. Having downloaded the exe version and started the wizard you get to screen where you are asked to enter Administrator Login username and password. The default settings leaves you with a tomcat-users.xml file that has the manager application enabled. Also there are (as far as I can see) no way to avoid this step in the installation wizard. The net result is that you end up with an unsafe installation, having this statement in the tomcat-users.xml file user name=admin password= roles=admin,manager / This is as far as I can see related to some of the problems that has occurred in the past, notably [2] and we also had a situation related to this in our installation. As far as I can see there is nothing wrong with the distribution file itself - it seems to be valid in relation to the md5 file so this must have been a design choice. Could someone please comment on this, and if there are any planned actions related to this. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: FOO / HTTP/1.1
For Servlets - as long as Servlet.service(ServletRequest,ServletResponse) is implemented - you wont see the 501. So thats why you see the 501 for your servlet. JSP's are funny since there is nothing in the spec which restricts the request method. So service(...) is overridden by all JSP's so it will handle GET/POST/HEAD/??? - which isn't necessarily a bad thing since you *could* implement PUT (Or any other valid but typically unused method) in a Servlet and forward to a JSP to render the results. -Tim Ronald Klop wrote: The question is why Tomcat does not return a 501 NOT IMPLEMENTED error like Apache does? But I already found something. It does give a 501 when I call my servlet which only implements doGet, but when it goes to index.jsp the jsp stuff calls the service() method which doesn't check the http method. Probably this is ok. Ronald. Op maandag, 12 oktober 2009 12:01 schreef André Warnier a...@ice-sa.com: Ronald Klop wrote: Hi, If I send this to my Tomcat it responds with HTTP/1.1 200 OK and calls my servlet. :-) telnet localhost 8080 FOO / HTTP/1.1 Host: localhost What is this suppost to do? :-) I don't know what is the context, and how you determine that Tomcat is the target, nor how you know that your servlet is being called, but on the face if it, it does exactly what it is supposed to do. From the above, the conclusions that can be drawn are : - there is a webserver on localhost which answers to port 8080 - it has a valid document to return for the URL / - and it is not too picky about HTTP verbs, since it seems to consider FOO as an acceptable alias for GET If you want more information, I am afraid that you will have to supply more details about your configuration, and maybe explain exactly what the question is. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Cannot set remote address in valve (Tomcat 5.5)
Context filters are executed before webapp filters. I believe (but not confirmed) that valves execute before the filters. -Tim Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 10/2/2009 5:55 AM, Mark Thomas wrote: Elli Albek wrote: A few reasons why not to do this as a servlet filter: 1. There are many web apps on the server and I don't want to include the filter in each. You don't have to. Configure it in the global web.xml. Are the filters configured in conf/web.xml considered before those in WEB-INF/web.xml... that is, will they be called before the webapp-defined ones? 2. There are other valves like request filters that cannot work without the correct IP, as well as custom login valve. Filters should be OK providing they are defined in the right order. Aren't all Valves always called before Filters? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Cannot set remote address in valve (Tomcat 5.5)
My bad - by context filter I meant to say the web.xml as found in $CATALINA_HOME/conf/web.xml There is nothing contexty about it -Tim Caldarale, Charles R wrote: From: Tim Funk [mailto:funk...@apache.org] Subject: Re: Cannot set remote address in valve (Tomcat 5.5) Context filters are executed before webapp filters. I'll bite: what's the difference between a context filter and a webapp filter? Aren't all filters are configured in some web.xml? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Memory behavior: Tomcat versus Jetty
If you use JSP tags where the JSP body does not directly stream but needs buffered for the tag to finish processing it (using BodyContent) - then tomcat will allocate and reuse these. If you are creating pages with large body contents - this can take *A LOT* of memory. The rational is to reuse these instead of letting them go to the GC. But there is a way to not have tomcat reuse these. http://tomcat.apache.org/tomcat-5.5-doc/jspapi/javax/servlet/jsp/tagext/BodyContent.html -Tim Christian Stöber wrote: Hello list, we are about to migrate our webserver cluster from Jetty 5.1.14 to Tomcat 6.0.20. Currently there are four servers in our cluster with simple load balancing and no session clustering. At the moment we are testing Tomcat on 2 nodes of our cluster (also no session clustering yet). 2 remains with Jetty. Same WAR file an the same environment. Our first test ends in an OutOfMemoryError after two days. The java vm of the Tomcat servers has the same memory parameters as the server with the Jetty: -Xmx512m. And no other special GC parameters. Apperently the Tomcat needs more memory than Jetty. So we are trying to give Tomcat more memory: -Xmx768m. After two days the Tomcat is still running fine. Obviously Tomcat needs just a little bit more memory than Jetty. After these two days we can state the following memory behavior. Node Mem used Mem reserved 1 TC 400m 530m 2 TC 350m 495m 3 J230m 350m 4 J290m 400m Averagely Tomcat is using round about 110m more memory than Jetty. But why? I have seen that the Tomcat DefaultServlet may cache content up to 10m per default. But that are only 10m. Are there some other things Tomcat may cache and Jetty does not? Do you have any experiences? Thanks in advance Christian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Non-http tcp protocol
Don't - there are other apache projects which can do that much better than Tomcat. -Tim Sergio Bello wrote: Hi all, I'm trying to figure out how to use tomcat as a TCP server. The basic idea is to receive tcp connections, through a given port, process them and return a response. Has anyone done it? I've googling but I've not found much information. Which do you think is the best/simplest way to do it? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Security Constraint conflict
See 13.8.1 of the servlet spec. The result in is unioning all the constraints together for one that passes It might be easier to write a filter to implement the restriction that only GET/POST/HEAD is allowed. -Tim Peter Holcomb wrote: We have a situation where we recently introduced a new security constraint into our configuration that has caused a conflict with our previous constraint. Here's our current configuration: security-constraint display-nameRestrict access to XHTML pages/display-name web-resource-collection web-resource-nameRestrict access to XHTML pages/web-resource-name url-pattern*.xhtml/url-pattern /web-resource-collection auth-constraint descriptionWith no roles defined, no access granted/description /auth-constraint /security-constraint !-- restrict HTTP protocol methods that are not needed -- security-constraint web-resource-collection web-resource-nameProtected Context/web-resource-name url-pattern/*/url-pattern http-methodPUT/http-method http-methodDELETE/http-method http-methodTRACE/http-method http-methodOPTIONS/http-method /web-resource-collection auth-constraint / /security-constraint The purpose of the first constraint is to restrict access to all .xhtml documents. This was our original configuration and has been working. The second constraint was put in place in order to block methods that we do not use (HTTP PUT, DELETE, TRACE, ect...). This constraint has had the effect of causing our .xhtml documents to now be accessible. You can point your browser to an .xhtml page and grab it. When we remove the second constraint, the .xhtml files are once again inaccessible. What are we doing wrong? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Security Constraint conflict
My bad - I was quoting the servlet 3.0 spec (usually the headings align) I need to reread but it might be a bug. (I dont have the spec in front of me) but IIRC it said something to the effect of using the url + the HTTP method to get all applicable constraints. And then unioning them together. Since the /* doesn't apply to GET - it shouldn't count as part of the UNION (but I'd have to create a test case and trace it to see whats happening in reality in the code) It sounds like the case described just takes into account URL for the unioning of contraints. -Tim Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Peter, On 9/18/2009 4:34 PM, Peter Holcomb wrote: Thanks for your response. I've read through the example in 13.7.2 of the spec Which version of the spec? I don't see a section 13.8 at all in either 2.4 or 2.5 of the spec. I see the heading Combining Constraints listed under 12.7.1. but I don't think I'm understanding how the union works. I think Tim is incorrect, here. Neither the url-pattern nor the http-methods overlap, therefore no combining should occur. According to my thought process, the url patterns are: *.xhtml - access precluded /* PUT,DELETE,TRACE,OPTIONS - access precluded The example I see in 12.7.2 seems to support your expectations. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: access log and Apache server
There is no way. But you can alter the format property to log the Via header which does have the ip address. (But it will also have more text in it too) The javadocs for AccessLogValve have all the variables you can use. -Tim Angelo Chen wrote: Hi, I run tomcat behind an Apache server, Apache will proxy to tomcat from port 80, this works quite well, but the access log in tomcat shows only 127.0.0.1, not the real IP: 127.0.0.1 - - [17/Sep/2009:08:51:21 -0400] POST /sendmsg HTTP/1.1 302 - any idea how to have real IP in the log? Thanks, - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: very high CPU and load...
you have a config issue. I bet you have 250 apache workers (per server) and 250 tomcat workers(per server). But there are 500 apache workers (250 * 2). So in the worst case - you need tomcat to handle 500 connections. -Tim keeplearning wrote: I am running a load test with 2 web (apache) and 2 appservers (tomcat). I am noticing that after 250 users, I start seeing very high CPU usage and very high load. Below is the o/p from top command. I also saw this message in catalina.out: SEVERE: All threads (250) are currently busy, waiting. Increase maxThreads (250) or check the servlet status top - 00:31:21 up 138 days, 7:44, 0 users, load average: 20.68, 14.47, 6.99 Tasks: 88 total, 2 running, 86 sleeping, 0 stopped, 0 zombie Cpu(s): 95.1%us, 2.5%sy, 0.0%ni, 0.9%id, 0.0%wa, 0.1%hi, 1.4%si, 0.0%st Mem: 16439088k total, 3260004k used, 13179084k free, 187148k buffers Swap: 2031608k total,0k used, 2031608k free, 1528756k cached PID USER PR NI VIRT RES SHR S %CPU %MEMTIME+ COMMAND 4771 tomcat16 0 3119m 1.3g 25m S 396 8.2 41:56.61 java 1 root 18 0 10308 660 552 S0 0.0 0:01.54 init 2 root RT 0 000 S0 0.0 0:00.07 migration/0 3 root 34 19 000 S0 0.0 0:00.00 ksoftirqd/0 4 root RT 0 000 S0 0.0 0:00.00 watchdog/0 5 root RT 0 000 S0 0.0 0:00.05 migration/1 6 root 34 19 000 S0 0.0 0:00.00 ksoftirqd/1 7 root RT 0 000 S0 0.0 0:00.00 watchdog/1 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: very high CPU and load...
At this point, no one on the list will have a clue since we don't know 1) apache version 2) tomcat version 3) type of connector used, mod_proxy_ajp, mod_jk, or mod_proxy_http But if tomcat is saying All threads (250) are currently busy, waiting. - that means it is only configured to handle 250 workers. -Tim keeplearning wrote: Where do I see # of apache workers and tomcat workers in the config file? With what you said, shouldn't 2 tomcat servers handle 500 connections (250 *2)? Thanks a lot Prakash funkman wrote: you have a config issue. I bet you have 250 apache workers (per server) and 250 tomcat workers(per server). But there are 500 apache workers (250 * 2). So in the worst case - you need tomcat to handle 500 connections. -Tim keeplearning wrote: I am running a load test with 2 web (apache) and 2 appservers (tomcat). I am noticing that after 250 users, I start seeing very high CPU usage and very high load. Below is the o/p from top command. I also saw this message in catalina.out: SEVERE: All threads (250) are currently busy, waiting. Increase maxThreads (250) or check the servlet status - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat-users.xml and manager role
This worked fine for me conf/tomcat-users.xml - make sure this is the full XML file: tomcat-users role rolename=manager/ user username=tomcat password=s3cret roles=manager/ /tomcat-users (and then restart tomcat) -Tim Bruce Nourish wrote: Hi, I have a 6.0.20 Tomcat binary distribution downloaded and untarred directly from the Tomcat site. My system is Ubuntu 8.04 with Java version 1.5.0_16. When I configure the manager role precisely as directed in the 401 Error message: role rolename=manager/ user username=tomcat password=s3cret roles=manager/ I am still unable to access the manager -- the basic auth dialog box just keeps coming back. I have restarted Tomcat after making this change. Looking at the documentation, I see discussion of MemoryRealm, but judging by the comments in server.xml this information is out of date: Tomcat is instead using UserDatabaseRealm. I can't find any solutions in the Tomcat wiki, mailing lists, or the internet at large. There is nothing that looks relevant or non-routine in the logs. Could someone please explain what is going on here, and what I need to do to fix it? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Testing apache
jvmRoute needs to be unique across all the tomcat instances. server1: Engine name=Catalina defaultHost=localhost jvmRoute=worker1 server2: Engine name=Catalina defaultHost=localhost jvmRoute=worker2 To test - tail the access logs on each tomcat and see what appears. -Tim given.shiri...@sita.co.za wrote: Hi Guyz. I got two linux servers machine running,in both of them,I have tomcat 5 running i.e server1:/opt/tomcat1 server2:/opt/tomcat1 I want to have the load balancing using mod_jk and apache2 to delegates the request for both servers. I want the server1 to be the controller node or having apache2 installed. under apache2/conf,I created the workers.properties file to do all my load balancing task The file look like this workers.java_home=/opt/jdk1.5.14 workers.tomcat_home=/opt/tomcat1 #worker.list=worker1,worker2 worker.list=balancer worker.worker1.port=8019 worker.worker1.host=10.128.79.145 worker.worker1.type=ajp13 worker.worker1.lbfactor=1 worker.worker2.port=8019 worker.worker2.host=10.128.79.139 worker.worker2.type=ajp13 worker.worker2.lbfactor=1 worker.balancer.type=lb worker.balancer.balance_workers=worker1,worker2 worker.balancer.method=B And again I compiled the tomcat-connectors-1.2.28-src which gave me mod_jk.so under apache2/modules/mod_jk.so which is good. On Both servers,under tomcat server.xml I did the following server1: Engine name=Catalina defaultHost=localhost jvmRoute=worker1 server2: Engine name=Catalina defaultHost=localhost jvmRoute=worker1 How to test if the apache is doing the load balancing. Best regards - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using multiple DataSource's for fail-over.
I thought the Oracle JDBC driver allowed for all the nodes to be placed into the connect string and the driver was smart enough to detect failover. [So its a configuration exercise on the connection string.] -Tim Ognjen Blagojevic wrote: This is interesting topic. IANA-failover-expert, but one question comes to my mind. What happens when the first server is recovered? Some cached connections will still point to second server, while newly created connections will go to the first one? Is that acceptable? Regards, Ognjen Bill Davidson wrote: Tomcat 6.0.20 using DBCP DataSource Java 1.6.0_16 Oracle 10g with RAC. I've got two Oracle RAC nodes, mirroring each other. My current fail-over method if the primary node fails is to shut down the web servers, reconfigure them to use the secondary node and restart the web servers. Not pleasant. I'm thinking I can make a FailOverDataSource that implements DataSource and wraps around DataSource's for each of the two nodes. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Share file between 2 apps
There are too many unknown constraints to answer - but I'll try. In app B - use an init parameter which is a filename where test.xml is located. context-param param-namemyfile/param-name param-value/usr/local/more/cowbell/test.xml/param-value /context-param Then when app b needs to write the file; File f = new File(servletContext.getInitParameter(myfile)); FileWriter fw = new FileWriter(f); fw.write(stuff); ... If you need to read the file from app B, use a file reader. This is an easy way to keep the apps decoupled -Tim ramzi khlil wrote: Hi All, I need to share a file between two applications, A and B. A: I put my web site under Root folder and it is using test.xml file. B: The second application which generate the xml file is host under webapps application. My question is how to allow to application B to update test.xml ? Regards - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Share file between 2 apps
If the file is loaded via a ClassLoader - then the JVM will cache it and you'll need to reload the webppa or restart tomcat. -Tim ramzi khlil wrote: Hi, Thank you for your response. It's working for me. I have a problem with caching. The server doesn't update the file in temp directory. I set cachingAllowed to false, but it doesn't work for me. Do you have any idea ? Regards On Wed, Sep 2, 2009 at 1:01 PM, Tim Funk funk...@apache.org wrote: There are too many unknown constraints to answer - but I'll try. In app B - use an init parameter which is a filename where test.xml is located. context-param param-namemyfile/param-name param-value/usr/local/more/cowbell/test.xml/param-value /context-param Then when app b needs to write the file; File f = new File(servletContext.getInitParameter(myfile)); FileWriter fw = new FileWriter(f); fw.write(stuff); ... If you need to read the file from app B, use a file reader. This is an easy way to keep the apps decoupled - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: java.lang.UnsatisfiedLinkError: running tomcat on java headless?
http://wiki.apache.org/tomcat/FAQ/Linux_Unix -Tim method8 wrote: Dear all, I'm using the iText library to generate pdfs from a database on the fly. Whenever I use some of it's features that require simple things like java.awt.Color, I get an java.lang.UnsatisfiedLinkError as shown: - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: java.lang.UnsatisfiedLinkError: running tomcat on java headless?
1) Are you passing -Djava.awt.headless=true to tomcat via CATALINA_OPTS (or JAVA_OPTS) 2) I have found that even if you are headless, you can't use all the Graphics/awt stuff. I wish I could recall what it was, but I thought the death was in similar manner. (But this was also a few years ago). Of course - since you are using iText - this shouldn't be an issue. -Tim Michael Ludwig wrote: Tim Funk schrieb: http://wiki.apache.org/tomcat/FAQ/Linux_Unix You're probably alluding to: How do I run without an X server and still get graphics? You either need to run headless or run an alternate X-server. [...] if your are using a JVM 1.4 or better, you can use the system property java.awt.headless=true Indeed, isHeadless() returns true for my Java 5 and 6 installations. import java.awt.GraphicsEnvironment; // http://mindprod.com/jgloss/headless.html public class Headless { public static void main( String[] args) { boolean headless = GraphicsEnvironment.isHeadless(); System.out.println( Ohne Tastatur, Maus, GUI? + headless); String p = java.awt.headless; System.out.println( p + ? + System.getProperty( p)); } } The iText color test (which produces graphics in a PDF) still works when I specify java.awt.headless=false, which also makes isHeadless() return false. So it seems to work with or without this headless property. So why does it not work for Method8 (the OP)? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: EL - access to nonexisting property, but no error ?
Put this in a JSP all by itself - you should get an error (or at least - I did): %request.setAttribute(aList, new java.util.ArrayList());% ${aList.a} Not sure why yours did not produce an erro - a more complete snippet would be needed. -Tim David Balažic wrote: versions: Tomcat 5.5.28, Java 1.6.0_15 and Windows XP Pro SP3 Hi! Can someone explain why does an EL like ${someListobject.a} NOT give an error ? someListobject is an attribute of type java.util.List a is not a property of java.util.List, so according to Servlet 2.4 specs (page I-68), it should cause an error. Also a question on the SCWCD exam asks this and the correct answer is it causes an error. (from the book Head First Servlets and JSP, Second Edition) There is also nothing to be seen in the logs. (and the page is sent to the client, with full content, no erorrs; the EL above shows up as empty string) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Custom 404 page when webapp stopped
My first inclination is that this a bug or enhancement request. From a user point of view, if I have an app (which is not the root webapp) and I stop it, then all requests should then go to the root webapp. Of course doing this might introduce bad side effects during the course of an application restart. As a workaround, there is an option in Tomcat to use your own ErrorReportValve. This might be an option. http://tomcat.apache.org/tomcat-6.0-doc/config/host.html - see errorReportValveClass -Tim llg wrote: Hi, I have a webapp that needs to be down if we are doing some maintenance. I use the manager to make the application unavailable but in this case the 404 customized error-page is not displayed. I modified the default web.xml (in conf/) to add the error-page 404, but it doesn't seems to be resolved when the context is stopped. If I type an URL that doesn't exists, that doesn't map to any context, I get the right error page. But if it match a context path of a webapp that is stopped, I have the Tomcat default error page. Is there a way to fix this? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Custom 404 page when webapp stopped
From a high level, whats the difference between a webapp thats stopped and a webapp thats undeployed? One could call stopped a special scenario. In the past - a 503 was returned to the user. Now its a 404. IIRC ... it changed to 404 as part of a bug report but maybe that is the wrong change to make. (Too lazy to look up the bug report) [Personally - I'd rather stick apache in front let apache trap the condition during the outage window and not worry about the rest.] -Tim Caldarale, Charles R wrote: From: Tim Funk [mailto:funk...@apache.org] Subject: Re: Custom 404 page when webapp stopped From a user point of view, if I have an app (which is not the root webapp) and I stop it, then all requests should then go to the root webapp. Is that really true? If the webapp is undeployed, I can understand that unmatched requests will be handled by ROOT, but a stopped webapp is still known to Tomcat, just not available. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Accessing Properties file located in Conf Directory of Tomcat 5.XX
I am assuming loader is an instance of a classloader. The classloader doesn't see the conf directory. (But as your noticed - it does see the common directory) Your easiest (but tomcat specific) solution is to do something like this: File confDir = new File(System.properties(catalina.home), conf); File propFile = new File(confDir , genPricing.properties); Properties p = new Properties(); p.load(new FileInputStream(propFile)); -Tim kaverappa.prabha...@do.treas.gov wrote: We have to place, as per rules set by the department, the properties file in the Conf directory of Tomcat AS. The TOMCAT does not find the properties file placed in CONF directory but it does find when placed in Common or Shared directory of TOMCAT. I tried placing the directory path in the java code of Jdeveloper (see below for variation of codes used) and created WAR file using Jdeveloper to deploy it on TOMCAT. But still it does not find it. I tried placing the directory path in the java code of Jdeveloper (see below for variation of codes used) and created WAR file using Jdeveloper to deploy it on TOMCAT. But still it does not find it. prop.load(loader.getResourceAsStream(genPricing.properties)); prop.load(loader.getResourceAsStream(/genPricing.properties)); prop.load(loader.getResourceAsStream(/conf/genPricing.properties)); prop.load(loader.getResourceAsStream(conf/genPricing.properties)); prop.load(loader.getResourceAsStream($tomcat_home\\conf\\genPricing.properties)); prop.load(loader.getResourceAsStream(${tomcat_home}/conf/genPricing.properties)); Any suggestion as to how to read the properties file located in CONF directory. Quick response would be greatly appreciated. Prabhakar - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Custom 404 page when webapp stopped
Since there is manual intervention to stop the app. There can be manual intervention to tell apache not to forward requests to tomcat, for example: - change the apache config and graceful restart (but it does require a restart) - Use mod_rewrite to look for some marker (file existence or rewrite map setting) and use that as a toggle to a 404 page. -Tim Len Popp wrote: How would you trap the condition? Apache httpd's ErrorDocument directive won't work because as long as Tomcat is running you get Tomcat's error pages. If you stop Tomcat completely then you can use Apache's ErrorDocument to show a site down page, but not if you just stop one webapp in Tomcat. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Any way to make tomcat send the disable caching headers on all responses?
Out of the box - no. But you can write a filter to add the response to all requests. doFilter(...) { response.setHeader(Cache-Control,no-cache); /* or no-store YMMV*/ response.setHeader(Pragma,no-cache); response.setDateHeader (Expires, 0); chain.doFilter(); } -Tim Epithemeus wrote: Hi all, I've run into a similar problem with Tomcat 6.0 and am hoping to find some information on why this might be happening. I have an xml file which contains information to display a graph. I also have an HTML file which creates an applet to view the graph. The xml file is updated based on inputs from the user (specified in StartPage.jsp). So, the user gives an input, the xml file is updated and the corresponding graph should be displayed. What is happening in practice is that: the xml file is indeed updated but the graph being displayed is an older version (corresponding to the older .xml file which has now been over-written). I gather that this means tomcat is caching the xml files. I have tried including cachingAllowed to false in context.xml. I have also deleted the application_folder under $TOMCAT_HOME\work\Catalina\localhost\. Neither of these options has helped in disabling caching. I would really appreciate any help on how I could get around this! - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: catalina.sh and java_opts question
Something will eventually call bin/startup.sh (or bin/catalina.sh). Changing bin/startup.sh (or bin/catalina.sh) is typically a bad idea. Whatever is calling that should export JAVA_OPTS first. For example: export JAVA_OPTS='-Xmx256m' - or - export JAVA_OPTS='-Xmx256m -Djava.awt.headless=true' -Tim Susan Teague Rector wrote: Hello all, I've searched around on the net and have found differing opinions about where to actually place the java_opts env var for tomcat. Should this variable be in /tomcat/bin/catalina.sh? When I set it in this file and then print out all env vars, it looks like it is not set. How do I set java_opts to enable my tomcat applications to get to it? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: method invocations in EL?
I doubt this will be seen in tomcat 6. The closest you'll get are the function taglibs functionality. -Tim Jess Holle wrote: I note in http://java.dzone.com/articles/unified-el-learns-method that in JEE 6 EL finally allows method invocations. Is there any chance this feature can be used in JSPs in Tomcat 6 today? If so, how? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: method invocations in EL?
You might be able to replace jasper-el.jar and have it work, but what needs changed? That'll require some digging. (It might even require changing jsp-api.jar) -Tim Jess Holle wrote: That's unfortunate. One can apparently drop this upgrade into Glassfish. I don't, however, need Glassfish -- just a servlet engine. Nor do I need most Servlet 3.0 stuff at this time. A better Tomcat 6 would be nice, though :-) Tim Funk wrote: I doubt this will be seen in tomcat 6. The closest you'll get are the function taglibs functionality. -Tim Jess Holle wrote: I note in http://java.dzone.com/articles/unified-el-learns-method that in JEE 6 EL finally allows method invocations. Is there any chance this feature can be used in JSPs in Tomcat 6 today? If so, how? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Custom response header not working because of Content Length
If you are doing this: doFilter() { chain.doFilter() response.addHeader(...) } Expect failure to occur. (unless you are sending less than 8k in the response) -Tim Anantha Padmanabha wrote: I'm using tomcat 6.0.18. I added a filter that adds a custom response header by doing setIntHeader/addIntHeader, but it didnt work. I debugged,looked at source and figured out that the place where its not working. Before adding headers, there is a check like this: public boolean isAppCommitted() { return (this.appCommitted || isCommitted() || isSuspended() || ((getContentLength() 0) (getContentCount() = getContentLength(; } Since contentCount [output buffer] and contentLength [Content-Length response header] are equal in my case, its not adding that header. When there is no content-length in response [ex: status code 304], my custom header is coming out nicely. Is there a way to not use fixed content lengths or should I add calculate and change content length while adding custom header? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Custom response header not working because of Content Length
Its probably also failing for less than 8k since I am guess the view is a jsp and when the jsp finishes execution - the response will be committed. (Or somewhere in the request/response cycle - a forward() was done which also will eventually commit the response per the servlet spec) If you are trying to log latency, your best bet is to use log4j or your favorite logging library and log everything to info(). Then when you need to see latency - you configure info level log message to appear. -Tim Anantha Padmanabha wrote: Hi people, You are correct. My header got ignored and was attempting to add after 'commit'. I moved it to beginning of filter and tried updating towards the end, but after 'commit', I wont be able to able to set the header value :( I'm using struts2 application. I want to add some latencies [say mysql, our components and tomcat itself] to header, so that I can print this in Apache logs. Then looking at single apache log file, I would then be able to see what took time. Is it possible to achieve this in any way? (unless you are sending less than 8k in the response) I dont think this is working. I tried a file where content length came out to be 10599 and 72 [8K], but my header didnt get proper value in both cases. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Is encryption of AJP traffic between Apache and Tomcat possible out of the box?
An ssh tunnel is also easy too. (but can also open other security holes depending on how its deployed and the requirements) -Tim Mark Thomas wrote: Florian Kirchhoff wrote: Hi, I know this has been asked before, but after reading the documentation and searching previous threads: http://www.nabble.com/Is-this-possibe---mod_jk-%3C%3D%3DSSL%3D%3D%3E-AJP-1.3-to7746284.html#a7764525 2006 thread http://www.nabble.com/AJP-talking-TLS-or-SSL-to12245661.html#a12245661 2007 thread I am seeking confirmation that AJP traffic still cannot be encrypted out of the box. Is this correct? Yes. If you need httpd-tomcat encryption use mod_proxy_http and proxy over https. (not the only way but - in my view - by far the simplest) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Mapping role names to groups
Try adding this to web.xml (and IIUC - this is portable across all containers) security-role-ref role-nameusers/role-name role-linkSG-FooBar-Users/role-link /security-role-ref security-role-ref role-nameadmins/role-name role-linkSG-FooBar-Admins/role-link /security-role-ref -Tim Jason Royals wrote: Hello Tomcatters, Consider the following scenario. I have a Java web application, and it is a packaged, commercial application I may not change it. In fact, I don't have the source so I couldn't even if I wanted to. The application declares two roles in web.xml - users and admins. In our corporate environment, those role names are far too generic to be group names in our LDAP repository. The groups in LDAP are called SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group names to the roles declared in the web.xml. We have this running currently on Weblogic, and to map the roles to groups, we have a Weblogic configuration as follows (in weblogic.xml) weblogic-web-app security-role-assignment role-nameusers/role-name principal-nameSG-FooBar-Users/principal-name /security-role-assignment security-role-assignment role-nameadmins/role-name principal-nameSG-FooBar-Admins/principal-name /security-role-assignment /weblogic-web-app Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar features in their container-specific configurations. How can I achieve the same result in Tomcat, remembering I cannot change the application, and I cannot change the groups or the LDAP repository (which has hundreds of thousands of users and groups)? Is it even possible with Tomcat? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JNDI Authentication
JNDIRealm is based on communicating to an LDAP server. (Which is one way AD can communicate) -Tim Geofrey Rainey wrote: Does anyone know what type of authentication Tomcat uses by default to authenticate to an AD server using the JNDIRealm? (I haven't specified any particular authentication type on either the server (AD), or the client (Tomcat 6.0), it's working fine but I'm wondering If it's using SASL). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JNDI Authentication
http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm authentication A string specifying the type of authentication to use. none, simple, strong or a provider specific definition can be used. If no value is given the providers default is used. By default - authentication is null so the code is not called. -Tim Geofrey Rainey wrote: Im sorry, I don't understand your response. I'm writing a Login Module to auth against an active directory server and know the authentication type is specified by: Context.SECURITY_AUTHENTICATION (Which can be something like simple, for clear text, or SASL, etc) Presumably the JNDIRealm sets this variable and I'm wondering what it is. In the Tomcat source code, I can see the following (JNDIRealm.java), but don't know what the authentication is defined as? if (authentication != null) env.put(Context.SECURITY_AUTHENTICATION, authentication); -Original Message- From: Tim Funk [mailto:funk...@apache.org] Sent: Tuesday, 4 August 2009 11:55 p.m. To: Tomcat Users List Subject: Re: JNDI Authentication JNDIRealm is based on communicating to an LDAP server. (Which is one way AD can communicate) -Tim Geofrey Rainey wrote: Does anyone know what type of authentication Tomcat uses by default to authenticate to an AD server using the JNDIRealm? (I haven't specified any particular authentication type on either the server (AD), or the client (Tomcat 6.0), it's working fine but I'm wondering If it's using SASL). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org == For more information on the Television New Zealand Group, visit us online at tvnz.co.nz == CAUTION: This e-mail and any attachment(s) contain information that is intended to be read only by the named recipient(s). This information is not to be used or stored by any other person and/or organisation. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to hide x-poweredBY response header
See conf/web.xml in your tomcat installation (and look for xpoweredBy in the comments) - if that doesn't exist - then you'll need to consult the JBOSS docs since they configure it in a different manner. -Tim acastanheira2001 wrote: Mark, Could you tell me what Tomcat doc is? Thanks for your atention, Andre Mark Thomas-18 wrote: acastanheira2001 wrote: Hi, Although I´ve set false to xpoweredBy tag, it continues to appear in response headers. init-param param-namexpoweredBy/param-name param-valuefalse/param-value /init-param Where did you read that was the way to set it? That isn't what the Tomcat docs say. How to hide the following information? X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP02 (build: SVNTag=JBPAPP_4_2_0_GA_CP02 date=200801291544)/Tomcat-5.5 But given you are using JBoss, it could be completely different. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat server Not starting when symantec installed!
Don't run Symantec ? :) Symantec is probably doing 1 of 2 things 1) Noticing tomcat is trying to bind to a socket (it is a webserver) and killing it 2) It has bad heuristics and thinks its a trojan My bet is #1. You probably need to white list tomcat. Actually - you might need to whitelist java. Symantec should provide a faq or tech support. -Tim Raghu.p wrote: Hi, I have installed Tomcat 6.0.18 in Windows 2003 server previously it is working fine, today I have installed Symantec End Point Protection 11.0 In that same server, then I restarted the server, now tomcat is not starting and it’s not recording any error messages in log files. Then I have un-installed Symantec then again Tomcat is working fine. Can anybody tell solution to resolve the issue. Thanks Raghav - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: RemoteAddressValve
allow is a regex - you probably want this: allow=176\.24\..+ with allow=176.24.*.* - you would also let through 176.240. 176.241. ... 176.249. -Tim Leo Donahue - PLANDEVX wrote: I want to restrict web access to a specific web app to only allow it to be available on our domain. If I put the following nested in the Host element of my server.xml, is that the right way to do it? Context path=/mywebapp docBase=mywebapp debug=0 privileged=true Valve className=org.apache.catalina.valves.RemoteAddrValve allow=176.24.*.*/ / - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Null value in response.sendRedirect() causes original url to be invoked 20 times
LiveHttHeaders is your friend ... Lets assume I have this as foo.jsp: % response.sendRedirect(null); if (out!=null) {return;} % http://localhost/foo.jsp GET /foo.jsp HTTP/1.1 Host: localhost HTTP/1.x 302 Moved Temporarily Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 0 Date: Fri, 26 Jun 2009 16:33:15 GMT With no Location header in the response - some browsers will giveup. Others may redirect to the original URL. Others may do odder things. -Tim Jonathan Mast wrote: A null value in bounce_url is causing the original Request url to be invoked exactly 20 times, rather than dying with NullPointerException: - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Help: auth-constraint with Tomcat 6
Do you really want to have allow different passwords for the same user id? Sounds dangerous. For different access control restrictions you needs to set up various roles, which are names chosen by you. Which can be something like - reader, writer - admin, superuser, user - it, sales, marketing, hr Then your role names * would be gone and you would need a security-constraint for each resource category you need to protect. (Google for more details on security-constraint for more help on that) -Tim Clement Chong wrote: Hi tomcat users, I am using Tomcat 6.0.20 and have successfully implemented a lockout realm with nested JDBCRealm and JNDIRealm. The security constraint has also been setup in my application WEB-INF/web.xml file: auth-constraint !-- Anyone with one of the listed roles may access this area -- role-name*/role-name /auth-constraint User is now authenticated via JDBCRealm followed by JNDIRealm and would be able to access protected pages with any role. The question I have is how can I deny a group of users with a particular role to all protected pages even if they can provide correct combination of username/password? Would it also be possible to change the behavior of the combinedRealm/LockoutRealm such that if username is found in prior realm and password is incorrect, then it skips the other realms? It only look into the other realms if username is not found in prior realms. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Help: auth-constraint with Tomcat 6
If you want a black list - it would probably be easier to write a filter [programmatic security] instead of declarative security. [At a minimum, everyone would still need to be authenticated - its the authorization which is done via the filter (actually the filter will defer to the realm so there isn't much extra work)] Ex: doFilter(req, resp, chain) { if (req.isUserInRole(blacklist)) { response.sendError(403); return; } chain.doFilter(...); } -Tim Clement Chong wrote: Hi Tim, Basically the first realm contains list of users we want to deny access. The password would be dynamic, making it difficult to get through. Well, maybe I should really consider working with specific roles. That is, grant users with roles that would allow them access. Then I would probably just need a single realm for authentication. However, this would mean almost all users require such a role granted except for some whom we like deny access. Then every new users would also probably need granted the role. A little extra work there, besides working with IT to get the new role setup.. A black list would work better than a white list in this case. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Reading POSTed data
Change your loop to be: int i; while ((i=in.read())) { out.write(i); } available() - Returns the number of bytes that can be read (or skipped over) from this input stream without blocking by the next caller of a method for this input stream. So its not an accurate gauge of how much content is available from the client. -Tim Kyle Brantley wrote: I'm honestly not sure (being an entire day into tomcat servlets), but I don't believe so. Full code: public class Frontend extends HttpServlet { public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { PrintWriter out = response.getWriter(); InputStream in = request.getInputStream(); response.setContentType(text/xml); response.setCharacterEncoding(UTF-8); response.setStatus(HttpServletResponse.SC_OK); while (in.available() 0) out.write(in.read()); } } - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Serving images from classes directory
If the images are physical images in the classes directory - you have a few options. 1) At build time - move (or copy) the files from the classes directory to somewhere more sane that the default servlet can access 2) Write a filter the detects these images that live in the classes dir, and then forwards to the images. (You need to be careful with this one) For # 2 - it would look something like this: doFilter(...) { String p = request.getServletPath(); if (p.matches(/magic_prefix/[\\w]+\\.gif$)) { String np = request.getServletPath().replaceFirst(.+/, ); request.getRequestDispatcher(/WEB-INF/class/more/cowbell/ + np) .forward(request, response); } else { chain.doFilter(...); } } -Tim - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Serving images from classes directory
The filter (below) can be made smarter to perform smarter checks - so regular images could be excluded. -Tim Susan G. Conger wrote: Thanks Tim. I don't have control during build because that is done by the third party tool. I am not going to mention their name. I was hoping that this would be easy. You know a servlet mapping in the web.xml file that would allow me to just map the directory/file type and I could just put that in my html. Since I can't use jsp everywhere I need the images. Again I am tied into their system and they have stuff in html files that they create. I edit the html template files they have to add my images and javascript. I use their environment to create/edit/build the web application. Underneath I have tied in netBeans the best I can so I can debug their stuff. But that has issues too. Thanks, Susan -Original Message- From: Tim Funk [mailto:funk...@apache.org] Sent: Wednesday, June 17, 2009 1:07 PM To: Tomcat Users List Subject: Re: Serving images from classes directory If the images are physical images in the classes directory - you have a few options. 1) At build time - move (or copy) the files from the classes directory to somewhere more sane that the default servlet can access 2) Write a filter the detects these images that live in the classes dir, and then forwards to the images. (You need to be careful with this one) For # 2 - it would look something like this: doFilter(...) { String p = request.getServletPath(); if (p.matches(/magic_prefix/[\\w]+\\.gif$)) { String np = request.getServletPath().replaceFirst(.+/, ); request.getRequestDispatcher(/WEB-INF/class/more/cowbell/ + np) .forward(request, response); } else { chain.doFilter(...); } } -Tim - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] using static helper classes within servlets
correction: The double checked idiom was fixed in java5. The variable which is checked needs to be declared as volatile. The link states that at the bottom. -Tim Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 6/14/2009 5:43 PM, David Blevins wrote: Regardless of that choice we will still handle sychronization of instantiation, so double-check-locking or other things will not be necessary. NB: DCL does not work in Java. Period. http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html There are cases where you /can/ make it work, but let's face it: most programmers simple cannot be trusted to do it properly. Also, the techniques are very sensitive to JVM level, etc. so you'd need to have a different implementation depending on which JVM you were running. Yuk. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.18 access files case-insensitive
See |caseSensitive| here http://tomcat.apache.org/tomcat-6.0-doc/config/context.html But doing so makes your installation VERY insecure in a windows environment. (Since ACL's can be bypassed since most ACL rules are case sensitive) I performance is of no concern - you could go crazy and force all URL's to lower case (using a filter to 30X redirects) then your ACL rules can be simplified. But even that idea might have some flaws in it. -Tim Alexander Diedler wrote: Hello, We have an Application based on IIS 6.0 and Tomcat 6.0.18. In this Application will be opened a PDF (href=start.PDF). In this PDF are many links to other documents, that will be opened in the browser. (KapA.PDF, KapB.PDF). Now the distributor deliver updatefiles with changing extensions or names. The link is KapA.PDF in the overview, but the file is called KapA.pdf on filesystem and Tomcat said 404 because “PDF” not equal “pdf”. Also it can be kapb.pdf in Overview and filesystem KAPB.PDF Is there are any option to disable case-sensitive on Tomcat or it is a “base-feature” of Java architecture? Greetings Alexander - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: chunked encoding
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html 3.6.1 All HTTP/1.1 applications MUST be able to receive and decode the chunked transfer-coding, and MUST ignore chunk-extension extensions they do not understand. So you have to jump through big hoops to not use chunked encoding [IIRC - This thread had to do with a CDN not caching due to chunked encoding. A good CDN should be able to cache content if you pass the appropriate cache friendly headers. (Like Etag, expires, etc) And handle the chunked encoding for you.] -Tim Anthony J. Biacco wrote: No dice. I tried a bufferSize of 16384 and an 11K response still got chunked. Even tried using packetSize and max_packet_size (mod_jk). -Tony --- Manager, IT Operations Format Dynamics, Inc. 303-573-1800x27 abia...@formatdynamics.com http://www.formatdynamics.com -Original Message- From: Anthony J. Biacco Sent: Thursday, June 11, 2009 2:31 PM To: 'Tomcat Users List' Subject: RE: chunked encoding I tested with a 8K jsp and did get it chunked. Do you happen to know the parameter for changing the buffer size? Perhaps I can increase it to a number representing the largest length of my servlet content. Which isn't too big, maybe 20K. NM on this, I found bufferSize for the AJP connector. I'll test it out. -Tony - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.18 access files case-insensitive
Its there for convenience (and been there forever) - but it is a great big security whole if we ignore case (Try asking for /web-INF/wEb.xml - or even more evil /web-INF/wEb.xm%6c) -Tim André Warnier wrote: Even that wouldn't work. Since the filesystem is case-sensitive, it may well have both abc.html and ABC.HTML in the same directory. So which one would it pick to keep ? So, back to the Tomcat developers. What /is/ the point of the caseSensitive attribute in the Context element ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat maxThreads Issue
Looking at the history of the thread - here are some guesses You have a connector on port 81 (http) and a connector on 8011 (ajp) and commented out connector for 443. The port 81 connector and commented out connector are set to 600 - which means absolutely nothing if apache is talking to tomcat via jk. Set |maxThreads on the connector for using port 8011 and life should be better. If there are mulitple apache servers in front of tomcat - you need to ensure you have (#apaches * max number connections per apache) threads available on each tomcat. The thread history seems to indicate you only have one apache with 100 workers max. So raising the maxThreads in tomcat from 200 to something higher is not needed. Is there a firewall between apache and tomcat? If so - it could mean that your firewall is timing out the connection and then bad things happen. | http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html -Tim - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Does user's network connection speed affect response time logged by AccessLogValve (i.e. %D) ?
AccessLogValve cannot log until the request is done. Done meaning that the Servlet is done writing its content. So AccessLogValve can execute once the Servlet is done writing. It may (or may not) mean the client has yet received all the content since the OS might do some buffering. The outputBuffer with a default of 8k is unrelated to this topic. -Tim William Milbratz wrote: Hi all, Pardon me if this seems an ignorant question. I’ve recently discovered the %D option in the tomcat AccessLogValve to record response times on the “server side”. I wanted to doublecheck an issue: does the user’s network connection speed affect the time recorded by the AccessLogValve. Initially I thought that this time is “pure server side”. Then as I considered TCP/IP socket details (and my ignorance), as well as where/when buffering takes place in the Tomcat/Coyote stack, I thought I should dig a bit deeper. I’ve delved into the tomcat source (5.5) but didn’t get terribly far. I do know that the coyote “outputBuffer” has a default 8K buffer size, but don’t know if classes farther up the stack has more buffering . - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Loading dynamically created content: An old chestnut but still a problem.
Odd Personally - I would do the following: Make all calls to the servlet and the servlet does this: 1) Sanity check the incoming path 2) Check for the existence of the image (using ServletContext.getResource(path) 3) If not exists - load the image from the db and store to disk 4) forward to image via request.getRequestDispatcher(path).forward(request, response) The above assumes the image cache directory is part of the webapp and visible to ServletContext.getResource If the image cache directory lives outside the webapp - then I amazed that the default servlet was ever working. In which case - you can use a symlink. If you are stuck on windows or all the above still doesn't work - then you can still do this: 0) In apache - you can map the image cache dir to some location - or have tomcat do that too in its own webapp 1) Sanity check the incoming path 2) Check for the existence of the image using a filesystem call 3) If not exists - load the image from the db and store to disk 4) redirect to the static image path -Tim Lyallex wrote: Hi I'll try to explain in as few words as possible. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat maxThreads Issue
If your not scared of the performance penalty (which these days isn't scary unless you really have high load) - try adding this to your apache config - it will end the connection between apache and tomcat after each request. This virtually eliminates the chance of a firewall dropping connections for you. JkOptions +DisableReuse YOu prob dont want this permanantly but its a good test http://tomcat.apache.org/connectors-doc/reference/apache.html -Tim Jones, Keven wrote: Thank you Tim I am going to attempt to set the maxThreads on 8011 to 600 and hope it helps. The config is 1 linux apache2 server with 4 linux tomcat servers and each tomcat server has 4 sepearte tomcat instances. So we have a total of 16 tomcat instances across 4 servers. Yes, there is a firewall between the web sever and the app(tomcat)/db(mysql) server. KJ -Original Message- From: Tim Funk [mailto:funk...@apache.org] Sent: Wednesday, June 10, 2009 1:02 PM To: Tomcat Users List Subject: Re: Tomcat maxThreads Issue Looking at the history of the thread - here are some guesses You have a connector on port 81 (http) and a connector on 8011 (ajp) and commented out connector for 443. The port 81 connector and commented out connector are set to 600 - which means absolutely nothing if apache is talking to tomcat via jk. Set |maxThreads on the connector for using port 8011 and life should be better. If there are mulitple apache servers in front of tomcat - you need to ensure you have (#apaches * max number connections per apache) threads available on each tomcat. The thread history seems to indicate you only have one apache with 100 workers max. So raising the maxThreads in tomcat from 200 to something higher is not needed. Is there a firewall between apache and tomcat? If so - it could mean that your firewall is timing out the connection and then bad things happen. | http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html -Tim - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JSP/Japer in batch
A better fit is Velocity or Freemarker for templating outside of a web environment. -Tim Mitch Claborn wrote: I'm looking for a good general purpose template engine to use with various Java projects, not just web projects. Is it possible to use Jasper outside of a servlet engine? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Caching rendered page - reducing hits to the backend?
Worrying is good. Making sure you have metrics is better. You can cache lots of different items such as - stuff from the database - parts of a rendered page - the entire page - any combination of above But it really depends on where the bottlenecks are as you scale. Even if the DB has a few million entries, if there queries are simple and the database has enough memory - the database might never really be touching disk to return the results of your query not be your bottleneck. The key is making sure you have the ability to log how long differnt things take. (And the ability to turn them on or off) Otherwise you are flying blind. -Tim Andre-John Mas wrote: Hi, Much of the content on the site which I am in the process will be semi-static, and I want to be able to cache the rendered pages to reduce database hits. To explain: A given page will depend on dynamic data that is stored in the database, but that data is updated about once a month. The only true dynamic information will be the header where the user login state is shown. There will likely be a few million entries in this database and we are planning to support high traffic. The pages can be localised. The page is going to be queried as such: http://myhost.com/myapp.action?id=12345678 Although I am using a direct JPA access, we might change to use web services in the future. Am I worrying unecessarily? At the same time are there recommended approaches. I am currently using struts2 and JPA for the web site, if it makes a difference. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org