Re: Securing Tomcat Applications from Reverse Engineering

2010-01-22 Thread Kranti™ K K Parisa
Hi,

Thanks for the info. I shall take a look at the new licensing link you have
sent.

Best Regards,
Kranti K K Parisa



On Fri, Jan 22, 2010 at 11:17 AM, Dmitry Leskov
dles...@excelsior-usa.com wrote:

 To list owner: I am not sure if vendors are prohibited from posting
 comments to this list, if they are, let me know and I won't post next time.

 Excelsior JET is not an IDE that every developer must have on his/her
 workstation. It is more like a setup generator. Typically, a team of
 developers working on a particular project would purchase one or two
 licenses. As a result, the smaller the team, the higher is the price per
 developer. For small companies, especially for early stage startups that do
 not yet have paying customers, this surely may be a deal breaker.

 We have therefore created a special licensing program that has been working
 very well for our smaller customers since mid-2008:

 http://www.excelsior-usa.com/store/jetmb.html

 Please do not hesitate to email me directly if you have any questions.

 Sincerely,

 Dmitry Leskov
 Excelsior LLC

 P.S. The main information page for Tomcat Web apps protection is
 http://www.excelsior-usa.com/protect-java-web-applications.html


  Well, there are so many comments on the cost of IP and other tools. When
  we are a small team that started working on a web-based product with open
  source tools, for sure we can't spend too much on the tools to protect the
  IP rights, because once we deploy for a few clients, if it's a good product,
  what if they steal the code and also the ideas? I agree to have legal terms
  and all that stuff, but that would be a big story for us being small.
 
  So I just wanted to see if anything is available to protect our work and
  ideas (ideas at code implementation level by using different open source
  technologies; well, there are many companies who started like this).
 
  Anyway, thanks for the comments. I would love to share if we invent
  anything in this process, because small is big and it matters :)
 
  Best Regards,
  Kranti K K Parisa
 
 
 
  On Thu, Jan 21, 2010 at 5:00 PM, André Warnier a...@ice-sa.com wrote:
 
   Peter Crowther wrote:
  
   2010/1/21 Kranti (tm)  K K Parisa kranti.par...@gmail.com
  
  
    How could we achieve this without the above tool? Because the above
    tool is very costly.
  
   Well, you could always spend the developer-years to create your own
   version
  
   of that tool... which would probably be *more* costly.
  
  
  
    I'll add something to that, just for the sake of it.
    I personally find this situation ironic: here we have someone who
    wants to protect their own code, presumably so that they can charge the
    customer for a copy of it, in order to get back their cost of development
    and some justified profit for their work.
    But the same people are apparently unwilling to pay for a product that
    would allow them to do so, and is sold on the same terms.
  
  
   -
   To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
   For additional commands, e-mail: users-h...@tomcat.apache.org
  
  



(tomcat 6) percent encoding problem

2010-01-22 Thread François Duvalier
Hi,

When I execute this command:

curl -XGET -i http://localhost:8080/app/rs/system/EN/foo%2Fbar

I receive a 400 BAD REQUEST.

However if I deploy the app to Jetty, the command will work fine.

Question: Is there a way to configure tomcat to behave like jetty with
regards to percent-encodings in the URI ?

Thanks

François Duvalier
Haiti


Re: (tomcat 6) percent encoding problem

2010-01-22 Thread Konstantin Kolinko
2010/1/22 François Duvalier m.francois.duval...@gmail.com:
 Hi,

 When I execute this command:

 curl -XGET -i http://localhost:8080/app/rs/system/EN/foo%2Fbar

 I receive a 400 BAD REQUEST.

 However if I deploy the app to Jetty, the command will work fine.

 Question: Is there a way to configure tomcat to behave like jetty with
 regards to percent-encodings in the URI ?


It is disabled by default, probably for the sake of security. See
ALLOW_ENCODED_SLASH property here:

http://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html

Best regards,
Konstantin Kolinko
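Konstantin's pointer, illustrated with an added worked example (mine, not from the thread or from Tomcat's source). Tomcat 6 answers 400 to a request URI that still contains %2F unless the system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH is set to true. The reason it is off by default: an encoded slash is not a slash to anything that matches on the raw request-URI (an httpd Location block, a WAF rule, a servlet Filter looking at getRequestURI()), but it becomes a real path separator once the container percent-decodes and normalises the path, so the two layers can disagree about which resource is being asked for. The Python below models the two layers; the front-end filter, PROTECTED_PREFIXES and every URI other than the one from the thread are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical front-end rule set (constructed for the example): paths a
# proxy, WAF or servlet Filter protects by matching the *raw* request-URI.
PROTECTED_PREFIXES = ("/admin/",)


def frontend_is_protected(raw_uri):
    """Naive front-end check: literal prefix match on the undecoded URI."""
    return raw_uri.startswith(PROTECTED_PREFIXES)


def backend_resolve(raw_uri, allow_encoded_slash=False):
    """Model of the container's path handling.

    With allow_encoded_slash=False (Tomcat's default) a URI still holding
    %2F is rejected, which the caller reports as 400.  Otherwise the URI is
    percent-decoded once and '..' segments are collapsed, which is exactly
    the step that turns an encoded slash into a real path separator.
    """
    if not allow_encoded_slash and "%2f" in raw_uri.lower():
        return None
    return posixpath.normpath(unquote(raw_uri))


def route(raw_uri, allow_encoded_slash=False):
    """Run one request through both layers.

    Returns ('blocked', raw_uri) when the front-end refuses it,
    ('400', None) when the container rejects the encoding, or
    ('served', path) with the path the application would actually see.
    """
    if frontend_is_protected(raw_uri):
        return ("blocked", raw_uri)
    path = backend_resolve(raw_uri, allow_encoded_slash)
    if path is None:
        return ("400", None)
    return ("served", path)


if __name__ == "__main__":
    # The URI from the thread, and a constructed traversal attempt: with the
    # property enabled, the second one walks out of /public/ into /admin/
    # without the front-end ever seeing a slash after the dots.
    for uri in ("/app/rs/system/EN/foo%2Fbar", "/public/..%2Fadmin/secret"):
        for allow in (False, True):
            print(f"{uri:32} ALLOW_ENCODED_SLASH={allow!s:5} -> {route(uri, allow)}")
```

Tomcat applies its own security constraints only after decoding and normalising, so the mismatch shown here is against whatever sits in front of it or filters on the raw URI. If the property is enabled to get Jetty-like behaviour, that layer has to decode and normalise before it matches; otherwise keep the rejection and avoid %2F inside path segments.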




problem with tomcat 5.5 and apache AJP

2010-01-22 Thread David Delbecq
Hello,

we are trying to get a working configuration of tomcat behind apache
httpd using AJP. This has worked well for a while, but after some time
the apache httpd server replies with one of these two messages (it
changes randomly), and we are unable to get the tomcat pages to show:

Service Temporarily Unavailable, The server is temporarily unable to
service your request due to maintenance downtime or capacity
problems. Please try again later.

or

Bad Gateway, The proxy server received an invalid response from an
upstream server.


What we don't understand is that it pops in and out randomly without any
changes to configuration. Restarting apache httpd does not solve the issue.
Restarting tomcat does not either. We have no clue as to why it doesn't
work or why it worked in the past. Can someone tell me what's wrong with
this configuration?
Server Version: Apache/2.2.13 (Unix) mod_jk/1.2.28 PHP/5.3.1   
Server Time:Fri, 22 Jan 2010 10:05:26 UTC
JK Version: mod_jk/1.2.28


note jkstatus page says everything is ok :/

thank you.



The tomcat logs show this, which proves apache is connected to the right
tomcat instance:

INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks
status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks
status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks
status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks
status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks
status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks
status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks
status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks
status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks
status 2

our access logs (which are driven by a tomcat valve) show no connection
at all from any client, so it seems messages do not reach catalina.
Tomcat ajp is configured as follows:

<Connector
port="8019"
protocol="AJP/1.3" request.secret="MyPass"
protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"
redirectPort="443">
</Connector>


and apache is configured as follows:
worker.list=lbJboss,lbOld,lbTomcat,status


# Define jbossBoromir
# modify the host as your host IP or DNS name.
worker.jbossBoromir.port=8009
worker.jbossBoromir.host=localhost
worker.jbossBoromir.type=ajp13
worker.jbossBoromir.lbfactor=1
worker.jbossBoromir.prepost_timeout=1 #Not required if using ping_mode=A
worker.jbossBoromir.connect_timeout=1 #Not required if using ping_mode=A
worker.jbossBoromir.secret=MyPass
#worker.tomcatBoromir.ping_mode=A #As of mod_jk 1.2.27
# worker.tomcatBoromir.connection_pool_size=10 (1)



worker.tomcatBoromir.port=8019
worker.tomcatBoromir.host=localhost
worker.tomcatBoromir.type=ajp13
worker.tomcatBoromir.lbfactor=1
worker.tomcatBoromir.prepost_timeout=1 #Not required if using
ping_mode=A
worker.tomcatBoromir.connect_timeout=1 #Not required if using
ping_mode=A
worker.tomcatBoromir.secret=MyPass
#worker.tomcatBoromir.ping_mode=A #As of mod_jk 1.2.27
#worker.tomcatBoromir.connection_pool_size=10 (1)


worker.tomcatIlluin.port=8019
worker.tomcatIlluin.host=illuin
worker.tomcatIlluin.type=ajp13
worker.tomcatIlluin.lbfactor=1
worker.tomcatIlluin.prepost_timeout=1 #Not required if using ping_mode=A
worker.tomcatIlluin.connect_timeout=1 #Not required if using ping_mode=A
worker.tomcatIlluin.secret=MyPass

# Load-balancing behaviour
worker.lbJboss.type=lb
worker.lbJboss.balance_workers=jbossBoromir


worker.lbTomcat.type=lb
worker.lbTomcat.balance_workers=tomcatBoromir


worker.lbOld.type=lb
worker.lbOld.balance_workers=tomcatIlluin

# Status worker for managing load balancer
worker.status.type=status

-- 
David Delbecq
ICT
Institut Royal Météorologique
Ext:557



6.0.24

2010-01-22 Thread Pid

Just a quick FYI

Looks like there's some errors on the mirrors at the moment.
I got a couple of 404s and a 500 from different servers.


p




Tomcat 5.5.28 EL not evaluated

2010-01-22 Thread sharmila punde
Dear All,
My OS is Fedora, and I have installed tomcat 5.5.28. I have a web app. My
jsp page has EL as follows:
${perosn.name}.

I put jsp-api.jar, servlet-api.jar into /usr/java/jdk1.5.0_16/jre/lib/ext.
The servlet works fine, but the above EL is treated as plain text. The web.xml of
my web app has the following lines:

<jsp-config>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<el-ignored>false</el-ignored>
<scripting-invalid>
true
</scripting-invalid>
</jsp-property-group>
</jsp-config>
Why is EL not getting evaluated after translation to the .java file?
Can someone please help me sort out this problem?
Regards



 




Re: 6.0.24

2010-01-22 Thread Konstantin Kolinko
2010/1/22 Pid p...@pidster.com:
 Just a quick FYI

 Looks like there's some errors on the mirrors at the moment.
 I got a couple of 404s and a 500 from different servers.


It might happen,
though according to the mirror status monitor page,
most mirrors are up-to-date and running.

http://www.apache.org/mirrors/

You can choose any other mirror from the above list.
The download folder for 6.0.24 is
tomcat/tomcat-6/v6.0.24/

Best regards,
Konstantin Kolinko




RE: Tomcat 5.5.28 EL not evaluated

2010-01-22 Thread Hadole, Nishant IN BOM SISL
Check this FAQ - http://faq.javaranch.com/java/ElOrJstlNotWorkingAsExpected

With best regards,
Nishant Hadole

Siemens IT Solutions and Services
SIS PRO SI-I
Tel.: +91 22 2495 7816
Fax: +91 22 6660 8521
Mailto: nishant.had...@siemens.com
www.siemens.co.in
-Original Message-
From: sharmila punde [mailto:sharmila...@yahoo.com]
Sent: Friday, 22 January, 2010 04:13 PM
To: users@tomcat.apache.org
Subject: Tomcat 5.5.28 EL not evaluated





error-page problem - nested exceptions

2010-01-22 Thread rotis23

Hi All,

I use web.xml error-page handlers, some with error-code and others with
exception-type. At the end I have a catch-all error-page that handles
java.lang.Throwable - users never see a stack trace and the world is a good
place.

However, I've recently added a Hibernate security layer that throws an
UnAuthorisedAccessException that gets wrapped in a Spring
NestedServletException before it hits the error-page handlers.

Now I understand that it tries to match the top-level exception in the stack
first, then uses the next nested exception after that, and so on until an
error-page is matched. The problem is that my catch-all Throwable is matching
the NestedServletException first, before the wrapped
UnAuthorisedAccessException hits its error-page handler. I need the users to
see that they don't have the privileges rather than a generic error message -
I also need the catch-all!

Has anyone else dealt with this issue? I've been searching for a couple of days
on this now.

TIA, rotis23
-- 





mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

2010-01-22 Thread Matt Turner

Hi All,

 

I have an existing Apache 2.0.52 installation, and a new tomcat 6.0.20 
installation.

They are both sitting on the same Linux box - uname -a returns the following:

Linux [machine name] 2.6.9-55.ELsmp #1 SMP Fri Apr 20 16:36:54 EDT 2007 x86_64 
x86_64 x86_64 GNU/Linux

 

I'd like if possible to add mod_jk to enable the two to talk to each other, 
without fiddling with the existing tomcat / apache versions.

 

So far I've built mod_jk 1.2.28 from source on the destination machine, and set 
up the following workers:

 

(in apache conf)

<IfModule mod_jk.c>
  JkWorkersFile /etc/httpd/conf/workers.properties
  JkLogFile /etc/httpd/logs/mod_jk.log
  JkLogLevel debug
  JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

  JkWorkersFile /etc/httpd/conf/workers.properties
  JkLogFile /etc/httpd/logs/mod_jk.log
  JkLogLevel debug
  JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

  JkRequestLogFormat "%w %V %T"
  JkOptions +ForwardURICompatUnparsed

  JkExtractSSL On
  JkHTTPSIndicator HTTPS
  JkSESSIONIndicator SSL_SESSION_ID
  JkCIPHERIndicator SSL_CIPHER
  JkCERTSIndicator SSL_CLIENT_CERT
</IfModule>

 

(in apache conf, inside a virtual host)

SSLEngine on
SSLCertificateFile /etc/httpd/conf/filename

SSLCertificateKeyFile /etc/httpd/conf/filename

SSLCACertificateFile /etc/httpd/conf/filename

JkMount /* tomcatssl

 

(in workers.properties)

# 
# First tomcat server
# 
worker.tomcat1.port=8009
worker.tomcat1.host=10.13.0.218
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=50

#-
# SSL tomcat server
#-
worker.tomcatssl.port=8443
worker.tomcatssl.host=10.13.0.218
worker.tomcatssl.type=ajp13
worker.tomcatssl.lbfactor=50

 

 

However when I kick things off and visit a URL matching the above virtual host, 
I get the following error message in mod_jk.log:

 

[Thu Jan 21 18:51:07 2010] [303:2537062720] [info] init_jk::mod_jk.c (3183): 
mod_jk/1.2.28 initialized
[Thu Jan 21 18:51:30 2010] [30428:2537062720] [error] 
ajp_connection_tcp_get_message::jk_ajp_common.c (1172): wrong message format 
0x1503 from 10.13.0.218:8443

 

 

Looking at jk_ajp_common.c I can see the following @ line 1172:

 


if (ae->proto == AJP13_PROTO) {
    if (header != AJP13_SW_HEADER) {

        if (header == AJP14_SW_HEADER) {
            jk_log(l, JK_LOG_ERROR,
                   "received AJP14 reply on an AJP13 connection from %s",
                   jk_dump_hinfo(&ae->worker->worker_inet_addr, buf));
        }
        else {
            jk_log(l, JK_LOG_ERROR,
                   "wrong message format 0x%04x from %s",
                   header, jk_dump_hinfo(&ae->worker->worker_inet_addr,
                                         buf));
        }

 

 

So it seems the error has something to do with AJP13 headers not being as expected.

 

Could anyone confirm that the 3 version numbers (2.0.52, 1.2.28, 6.0.20) are 
compatible together ?

 

If so - any ideas what might be going on here ?

 

 

 

thanks,

 

matt.
  

Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

2010-01-22 Thread Peter Crowther
I'm not an AJP expert, but I suspect:

- You're telling AJP to use a secure connection between httpd and Tomcat;
- The Tomcat connector on port 8443 is a SSL connector, not an AJP connector;
- AJP is getting confused.

I believe you should only need to configure one worker (the one on
8009); AJP is capable of passing through the information as to whether
or not the data arrived securely at httpd.

I suspect you'll get a better answer once the States wake up, but
that's my guess.

- Peter




RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

2010-01-22 Thread Matt Turner

OK - sounds likely, many thanks.
I'll give that a whirl.

 Date: Fri, 22 Jan 2010 12:49:49 +
 Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
 From: peter.crowt...@melandra.com
 To: users@tomcat.apache.org
 
 I'm not an AJP expert, but I suspect:
 
 - You're telling AJP to use a secure connection between httpd and Tomcat;
 - The Tomcat connector on port 8443 is a SSL connector, not an AJP connector;
 - AJP is getting confused.
 
 I believe you should only need to configure one worker (the one on
 8009); AJP is capable of passing through the information as to whether
 or not the data arrived securely at httpd.
 
 I suspect you'll get a better answer once the States wake up, but
 that's my guess.
 
 - Peter
 

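Peter's guess can be confirmed from the log line alone, as an added example (mine, not part of the thread or of mod_jk). mod_jk reads the first two bytes of a reply as a big-endian header and, on an ajp13 worker, expects 0x4142 ("AB"). The value it logged, 0x1503, is how every SSL 3.0/TLS record of type alert starts: content type 0x15 (alert) followed by the version's major byte 0x03. In other words, the worker pointed at 8443 sent AJP bytes to Tomcat's HTTPS connector and got a TLS alert back. The byte strings below are constructed for the example (only the two header bytes come from the thread's log), and the header constants are the ones defined in mod_jk's jk_ajp13.h and jk_ajp14.h.

```python
import re
import struct

# Reply headers mod_jk accepts on a container -> web server connection
# (values from mod_jk's jk_ajp13.h / jk_ajp14.h).
AJP13_SW_HEADER = 0x4142  # 'A' 'B'
AJP14_SW_HEADER = 0x4143  # 'A' 'C'

# A TLS/SSL3 record starts with a content-type byte, then the protocol
# version; the major version byte is 0x03 for SSL 3.0 and every TLS version.
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    70: "protocol_version",
    80: "internal_error",
}

# Constructed samples, not captured from the thread's hosts.
AJP_OK_REPLY = b"AB\x00\x09\x04\x00\xc8\x00\x02OK\x00\x00\x00"  # SEND_HEADERS, 200 OK, no headers
TLS_FATAL_ALERT = b"\x15\x03\x01\x00\x02\x02\x0a"               # TLS 1.0 alert: fatal, unexpected_message
THREAD_LOG_LINE = ("[Thu Jan 21 18:51:30 2010] [30428:2537062720] [error] "
                   "ajp_connection_tcp_get_message::jk_ajp_common.c (1172): "
                   "wrong message format 0x1503 from 10.13.0.218:8443")


def classify_reply(data):
    """Say which protocol the first bytes of a backend reply belong to."""
    if len(data) < 2:
        return "short"
    (header,) = struct.unpack("!H", data[:2])
    if header == AJP13_SW_HEADER:
        return "ajp13"
    if header == AJP14_SW_HEADER:
        return "ajp14"
    if data[1] == 0x03 and data[0] in TLS_CONTENT_TYPES:
        return "tls-" + TLS_CONTENT_TYPES[data[0]]
    if data[:5] == b"HTTP/":
        return "http"
    return "unknown"


def describe_tls_alert(record):
    """Decode a TLS alert record: 5-byte record header, then level and description."""
    if classify_reply(record) != "tls-alert" or len(record) < 7:
        return None
    level, desc = record[5], record[6]
    return (TLS_ALERT_LEVELS.get(level, str(level)),
            TLS_ALERT_DESCRIPTIONS.get(desc, str(desc)))


LOG_RE = re.compile(r"wrong message format 0x([0-9a-fA-F]{4}) from (\S+)")


def explain_mod_jk_error(log_line):
    """Turn mod_jk's 'wrong message format 0xNNNN from host:port' into
    (protocol guess, peer).  Only the two header bytes reach the log, so
    the guess names the record type, not the alert inside it."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    header_bytes = struct.pack("!H", int(m.group(1), 16))
    return classify_reply(header_bytes), m.group(2)


if __name__ == "__main__":
    print(explain_mod_jk_error(THREAD_LOG_LINE))   # ('tls-alert', '10.13.0.218:8443')
    print(describe_tls_alert(TLS_FATAL_ALERT))     # ('fatal', 'unexpected_message')
```

The same two-byte check is a cheap sanity test when wiring any new worker: an AJP port answers "AB", an HTTPS port answers 0x15 or 0x16 followed by 0x03, and a plain HTTP port answers "HTTP/". None of the three needs a working handshake to tell apart.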
Re: Problem starting connection pooling

2010-01-22 Thread David Smith
Mark Witczak wrote:
 I'm very new to Tomcat, connection pooling, JSP, etc. and I've been
 banging my head against a wall for two weeks trying to get a simple
 program to connect to a MySQL database.

 *Vital Stats:*
 Ubuntu 9.10, Java 1.6.0_0,  Java Servlet 2.5, Java Server Pages 2.1,
 JSTL 1.2, Apache2, Tomcat 6.0.20, MySQL 5.1.41  5.0.67
 MySQL Connector/J 5.1.11 (also 5.1.10) - in $CATALINA_HOME/lib
 dbcp 1.2.1 - in $CATALINA_HOME/lib
 (all standard Ubuntu issue)

 *testapp/WEB-INF/web.xml:*
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">

 <description>
   Servlet and JSP Examples.
 </description>
 <display-name>Servlet and JSP Examples</display-name>

 <resource-ref>
 <description>DB Connection</description>
 <res-ref-name>jdbc/mydatabase</res-ref-name>
 <res-type>javax.sql.DataSource</res-type>
 <res-auth>Container</res-auth>
 </resource-ref>
 </web-app>

 *testapp/META-INF/context.xml:*
 <?xml version="1.0" encoding="UTF-8"?>

 <Context path="/junk" docBase="junk"
 debug="5" reloadable="true" crossContext="true">

 <Resource name="jdbc/mydatabase" auth="Container"
 type="javax.sql.DataSource"
    maxActive="100" maxIdle="30" maxWait="1"
    username="foo" password="bar"
 driverClassName="com.mysql.jdbc.Driver"
    url="jdbc:mysql://test.hostname.com:3306/database_test1"/>
 </Context>

 *testapp/testapp.jsp:*
 <%@ page contentType="text/html" %>
 <%-- These libraries are required for the c and sql tags --%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 <html>
 <head>
 <title>JNDI DBCP Test Page</title>
 </head>
 <body>

 <h1>JNDI DBCP Test Page</h1>
 <br/>Executing the query ...
 <br/>

 <%-- Note: Enter a query that is valid for your database here --%>
 <sql:query var="result" dataSource="jdbc/mydatabase">
 SELECT company FROM manuals
 </sql:query>
 </body>
 </html>

 I create the WAR (jar cvf testapp.war *), undeploy the old version and
 redeploy the new one through Tomcat Web Application Manager. Then
 restart Tomcat (sudo /etc/init.d/tomcat restart). The result is:

 Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
 INFO: ContextListener: contextInitialized()
 Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
 INFO: SessionListener: contextInitialized()
 Jan 21, 2010 9:43:06 PM org.apache.catalina.core.StandardWrapperValve
 invoke
 SEVERE: Servlet.service() for servlet jsp threw exception
 javax.servlet.jsp.JspException: Unable to get connection, DataSource
 invalid: org.apache.commons.dbcp.SQLNestedException: Cannot create
 PoolableConnectionFactory (Communications link failure

 The last packet sent successfully to the server was 0 milliseconds
 ago. The driver has not received any packets from the server.)
 at
 org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.getConnection(Unknown
 Source)
 at
 org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.doStartTag(Unknown
 Source)
 at
 org.apache.jsp.test_jsp._jspx_meth_sql_005fquery_005f0(test_jsp.java:188)
 at org.apache.jsp.test_jsp._jspService(test_jsp.java:138)
 at
 org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
 Blah, Blah, Blah

 *More info: *The connection to MySQL tested successfully using the
 command line 'mysql'. There are no firewalls, that I can find, between
 the servers.

 What is going on here? What am I missing? What is going on here? How
 do I fix it?

 -Do I need to create a foo user in the tomcat-users.xml?
 -Do I have to mess with the policy files? or security?

 Thanks for your help.
 Mark



What options did you use with the mysql command to test MySQL?  Be
careful as the command line will use unix sockets instead of tcp/ip by
default.  The JDBC driver won't be able to do that.

--David





Re: problem with tomcat 5.5 and apache AJP

2010-01-22 Thread André Warnier

David Delbecq wrote:


 <Connector
port="8019"
protocol="AJP/1.3" request.secret="MyPass"
protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"
redirectPort="443">
</Connector>


and apache is configured as follow:
worker.list=lbJboss,lbOld,lbTomcat,status


# Define jbossBoromir
# modify the host as your host IP or DNS name.
worker.jbossBoromir.port=8009
worker.jbossBoromir.host=localhost
worker.jbossBoromir.type=ajp13
worker.jbossBoromir.lbfactor=1
worker.jbossBoromir.prepost_timeout=1 #Not required if using ping_mode=A
worker.jbossBoromir.connect_timeout=1 #Not required if using ping_mode=A
worker.jbossBoromir.secret=MyPass
#worker.tomcatBoromir.ping_mode=A #As of mod_jk 1.2.27
# worker.tomcatBoromir.connection_pool_size=10 (1)



worker.tomcatBoromir.port=8019
worker.tomcatBoromir.host=localhost
worker.tomcatBoromir.type=ajp13
worker.tomcatBoromir.lbfactor=1
worker.tomcatBoromir.prepost_timeout=1 #Not required if using
ping_mode=A
worker.tomcatBoromir.connect_timeout=1 #Not required if using
ping_mode=A
worker.tomcatBoromir.secret=MyPass
#worker.tomcatBoromir.ping_mode=A #As of mod_jk 1.2.27
#worker.tomcatBoromir.connection_pool_size=10 (1)


worker.tomcatIlluin.port=8019
worker.tomcatIlluin.host=illuin
worker.tomcatIlluin.type=ajp13
worker.tomcatIlluin.lbfactor=1
worker.tomcatIlluin.prepost_timeout=1 #Not required if using ping_mode=A
worker.tomcatIlluin.connect_timeout=1 #Not required if using ping_mode=A
worker.tomcatIlluin.secret=MyPass

# Load-balancing behaviour
worker.lbJboss.type=lb
worker.lbJboss.balance_workers=jbossBoromir


worker.lbTomcat.type=lb
worker.lbTomcat.balance_workers=tomcatBoromir


worker.lbOld.type=lb
worker.lbOld.balance_workers=tomcatIlluin

# Status worker for managing load balancer
worker.status.type=status



Hi.
(In the hope that solving this will help improve the weather in Belgium)

About your main issue: in my own experience, whenever we
get the kind of error messages which you indicate, they are right.
It really means that
the back-end Tomcat is for some reason not responding to Apache/mod_jk
within a certain limit of time.  That can be because it is really down,
or because it is very busy doing something else (all threads are already
processing requests, or the requested webapp is busy starting up, or
something like that). Or, you may be having network connectivity
problems (but that would normally not be the case if both Apache and
Tomcat are on the same host).
But maybe the confusion below about load balancing is the root cause of
the problems.


I don't know if I am understanding your quoted configuration correctly,
but if I do, it puzzles me a bit.

You seem to have 3 separate servlet engines : on localhost, you have a
jBoss and a Tomcat and on illuin, you have a Tomcat.

The jBoss on localhost has an AJP Connector listening on port 8009.
The corresponding worker is named jbossBoromir.

The Tomcat on localhost has an AJP Connector listening on port 8019.
The corresponding worker is named tomcatBoromir.

The Tomcat on illuin has an AJP Connector listening on port 8019.
The corresponding worker is named tomcatIlluin.

Then for each one, you have an additional load balancer worker.
So each load balancer worker only balances a single Tomcat/jBoss.
This seems a bit counter-intuitive.

Why not have
worker.list=jbossBoromir,tomcatBoromir,tomcatIlluin,status
directly, and take the load balancer workers out of the equation, since
they each balance only 1 back-end?

Or, if your idea is really to balance all requests between all 3
back-ends, then use one single load-balancer worker, but have it balance
all 3 real workers. Like:

worker.list=lb,status
worker.lb.balance_workers=jbossBoromir,tomcatBoromir,tomcatIlluin

The point is, in my understanding, a load balancer worker only makes
sense if it balances at least 2 real workers (tomcat or jboss).
Otherwise it seems pretty pointless. Or is it only in order to be able
to use the status worker?


What do your JkMount lines at the Apache level look like ?
That may allow us to figure out what you are trying to achieve.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
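The layout question raised in this reply (a load balancer worker per back-end versus one lb worker over all back-ends) is easy to get wrong in a long workers.properties. The following is an added example, not mod_jk's code and not anything from this thread's author: a small Python checker that parses a workers.properties text and reports lb workers that balance fewer than two members, members that are not defined or are not back-ends, and worker.list entries with no definition. The two embedded configurations are constructed samples in the shape of the quoted config and of the single-lb layout suggested above; host names and ports are taken from the thread. The parser drops text after '#' on a line because mod_jk's own reader does so; java.util.Properties would not, which is worth knowing if another tool reads the same file.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the workers.properties quoted in this
# thread (names and ports taken from it): three AJP workers, each wrapped in
# its own single-member load balancer.
PER_BACKEND_LB = """\
worker.list=lbJboss,lbTomcat,lbOld,status

worker.jbossBoromir.port=8009
worker.jbossBoromir.host=localhost
worker.jbossBoromir.type=ajp13

worker.tomcatBoromir.port=8019
worker.tomcatBoromir.host=localhost
worker.tomcatBoromir.type=ajp13

worker.tomcatIlluin.port=8019
worker.tomcatIlluin.host=illuin
worker.tomcatIlluin.type=ajp13
worker.tomcatIlluin.prepost_timeout=1 #Not required if using ping_mode=A

worker.lbJboss.type=lb
worker.lbJboss.balance_workers=jbossBoromir
worker.lbTomcat.type=lb
worker.lbTomcat.balance_workers=tomcatBoromir
worker.lbOld.type=lb
worker.lbOld.balance_workers=tomcatIlluin

worker.status.type=status
"""

# The layout suggested in the reply: one lb worker balancing all three
# back-ends, with only the lb and the status worker exposed in worker.list.
SINGLE_LB = """\
worker.list=lb,status

worker.jbossBoromir.port=8009
worker.jbossBoromir.host=localhost
worker.jbossBoromir.type=ajp13

worker.tomcatBoromir.port=8019
worker.tomcatBoromir.host=localhost
worker.tomcatBoromir.type=ajp13

worker.tomcatIlluin.port=8019
worker.tomcatIlluin.host=illuin
worker.tomcatIlluin.type=ajp13

worker.lb.type=lb
worker.lb.balance_workers=jbossBoromir,tomcatBoromir,tomcatIlluin

worker.status.type=status
"""


def parse_workers(text):
    """Parse workers.properties text into ({name: {prop: value}}, worker_list).

    Text after '#' is dropped on every line: mod_jk's own reader strips such
    trailing comments, but java.util.Properties would not.
    """
    workers = defaultdict(dict)
    worker_list = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "worker.list":
            worker_list = [w.strip() for w in value.split(",") if w.strip()]
            continue
        match = re.match(r"worker\.([^.]+)\.(.+)$", key)
        if match:
            workers[match.group(1)][match.group(2)] = value
    return dict(workers), worker_list


def check_workers(text):
    """Return a list of findings about the load-balancer layout (empty = ok)."""
    workers, worker_list = parse_workers(text)
    findings = []
    # Every worker that Apache may reference via JkMount must be defined.
    for name in worker_list:
        if "type" not in workers.get(name, {}):
            findings.append(f"worker.list names '{name}' but worker.{name}.type is not defined")
    for name, props in workers.items():
        if props.get("type") != "lb":
            continue
        members = [m.strip() for m in props.get("balance_workers", "").split(",") if m.strip()]
        if not members:
            findings.append(f"lb worker '{name}' has no balance_workers")
            continue
        for member in members:
            mtype = workers.get(member, {}).get("type")
            if mtype is None:
                findings.append(f"lb worker '{name}' balances undefined worker '{member}'")
            elif mtype in ("lb", "status"):
                findings.append(f"lb worker '{name}' balances '{member}' of type {mtype}, which is not a back-end")
        # The point made in the reply: a single member balances nothing.
        if len(members) < 2:
            findings.append(f"lb worker '{name}' balances only '{members[0]}'; a load balancer needs at least two members")
    return findings


if __name__ == "__main__":
    for label, cfg in (("per-backend lb", PER_BACKEND_LB), ("single lb", SINGLE_LB)):
        print(label, check_workers(cfg) or "ok")
```

Running it reports three "balances only" findings for the per-back-end layout and nothing for the single-lb layout.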



Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

2010-01-22 Thread Tobias Crefeld
I guess that you should exchange the JkMount /* tomcatssl by
JkMount /* tomcat1 provided you use a standard Tomcat-setup.

For a parallel SSL- + Non-SSL-Setup using Apache2 you basically need 2
virtual-hosts in Apache2. One for Port 443 with the
standard-SSL-parameters Apache2 expects to integrate OpenSSL for https
and another for Port 80 / plain http. The Jk-directives are the same for
both virtual hosts and don't care about SSL and go to Tomcat's port 8009
(= using standard configuration). 
8443 is typically the http-over-ssl-port (=http) for direct SSL access via
coyote-connector and has nothing to do with ajp.

If your Apache2 is doing the SSL-integration Tomcat sees no
SSL-traffic because Apache2 lets openssl do the conversion from SSL and
is connecting to Tomcat without any SSL-traffic but simple http.

You can give Tomcat some information about the SSL-session like you did
with

  JkExtractSSL On
  JkHTTPSIndicator HTTPS
  JkSESSIONIndicator SSL_SESSION_ID
  JkCIPHERIndicator SSL_CIPHER
  JkCERTSIndicator SSL_CLIENT_CERT

but then you have to give Apache2 the advice to deliver this
information by a 
 SSLOptions +StdEnvVars +ExportCertData

(http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html might
give you an idea about the two possibilities to setup Tomcat + SSL)


On some of our servers we're still running Apache 2.0 + mod_jk + Tomcat
6 on Solaris - nearly the same setup as under Linux.
These servers run with SSL and Non-SSL parallel but without these extra
Jk-SSL-indicator-parameters you are using.


Regards,
 Tobias.




Re: Problem starting connection pooling

2010-01-22 Thread Mark Witczak



On 1/22/2010 8:05 AM, David Smith wrote:

Mark Witczak wrote:
   

I'm very new to Tomcat, connection pooling, JSP, etc. and I've been
banging my head against a wall for two weeks trying to get a simple
program to connect to a MySQL database.

*Vital Stats:*
Ubuntu 9.10, Java 1.6.0_0,  Java Servlet 2.5, Java Server Pages 2.1,
JSTL 1.2, Apache2, Tomcat 6.0.20, MySQL 5.1.41 & 5.0.67
MySQL Connector/J 5.1.11 (also 5.1.10) - in $CATALINA_HOME/lib
dbcp 1.2.1 - in $CATALINA_HOME/lib
(all standard Ubuntu issue)

*testapp/WEB-INF/web.xml:*
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">

  <description>
    Servlet and JSP Examples.
  </description>
  <display-name>Servlet and JSP Examples</display-name>

  <resource-ref>
    <description>DB Connection</description>
    <res-ref-name>jdbc/mydatabase</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>

*testapp/META-INF/context.xml:*
<?xml version="1.0" encoding="UTF-8"?>

<Context path="/junk" docBase="junk"
    debug="5" reloadable="true" crossContext="true">

  <Resource name="jdbc/mydatabase" auth="Container"
      type="javax.sql.DataSource"
      maxActive="100" maxIdle="30" maxWait="1"
      username="foo" password="bar"
      driverClassName="com.mysql.jdbc.Driver"
      url="jdbc:mysql://test.hostname.com:3306/database_test1"/>
</Context>

*testapp/testapp.jsp:*
<%@ page contentType="text/html" %>
<%-- These libraries are required for the <c> and <sql> tags --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<html>
<head>
<title>JNDI DBCP Test Page</title>
</head>
<body>

<h1>JNDI DBCP Test Page</h1>
<br/>Executing the query ...
<br/>

<%-- Note: Enter a query that is valid for your database here --%>
<sql:query var="result" dataSource="jdbc/mydatabase">
  SELECT company FROM manuals
</sql:query>
</body>
</html>

I create the WAR (jar cvf testapp.war *), undeploy the old version and
redeploy the new one through Tomcat Web Application Manager. Then
restart Tomcat (sudo /etc/init.d/tomcat restart). The result is:

Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Jan 21, 2010 9:43:06 PM org.apache.catalina.core.StandardWrapperValve
invoke
SEVERE: Servlet.service() for servlet jsp threw exception
javax.servlet.jsp.JspException: Unable to get connection, DataSource
invalid: org.apache.commons.dbcp.SQLNestedException: Cannot create
PoolableConnectionFactory (Communications link failure

The last packet sent successfully to the server was 0 milliseconds
ago. The driver has not received any packets from the server.)
 at
org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.getConnection(Unknown
Source)
 at
org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.doStartTag(Unknown
Source)
 at
org.apache.jsp.test_jsp._jspx_meth_sql_005fquery_005f0(test_jsp.java:188)
 at org.apache.jsp.test_jsp._jspService(test_jsp.java:138)
 at
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
Blah, Blah, Blah

*More info: *The connection to MySQL tested successfully using the
command line 'mysql'. There are no firewalls, that I can find, between
the servers.

What is going on here? What am I missing? What is going on here? How
do I fix it?

-Do I need to create a foo user in the tomcat-users.xml?
-Do I have to mess with the policy files? or security?

Thanks for your help.
Mark



 

What options did you use with the mysql command to test MySQL?  Be
careful as the command line will use unix sockets instead of tcp/ip by
default.  The JDBC driver won't be able to do that.

--David
   


I used: mysql -u foo -p -h test.hostname.com

Is there a way to force the command to use TCP/IP? Is there a parameter for
networking that I should include in context.xml?

Thanks,
Mark






RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

2010-01-22 Thread Matt Turner

In my case sometimes I do need to pass through the SSL to Tomcat, as I'm
running CAS which requires genuine SSL requests.

(I do also have some SSL requests that tomcat doesn't need to see - which I
will send via 8009 as has been suggested).

The SSL pass-through requirement explains why I was attempting to pass through
to :8443 directly - but it sounds like that's the wrong approach.

Should I just use something like..

  ProxyPass /cas https://10.13.0.218:8443/cas ?

Many thanks,

matt.

Re: [OT] Re: Securing Tomcat Applications from Reverse Engineering

2010-01-22 Thread Mark H. Wood
On Thu, Jan 21, 2010 at 03:02:41PM +, Peter Crowther wrote:
 2010/1/21 Mark H. Wood mw...@iupui.edu
 
  Reverse engineering is not a technical problem; it is a legal
  problem.  You need a lawyer, not a program.
 
  Mmm, yes and no.  Burglary is also a legal problem, but I have locks (on /
 around the things I want to keep, of a cost and quality appropriate to my
 expected loss) as well as being able to engage a lawyer if required.

The analogy is imprecise.  If you lease a house to someone, you have
no feasible technical means to control who enters your house -- the
lessee possesses a key and can let in anyone he pleases.  But you could
write a lease which constrains the set of people lessee is permitted
to allow in.  (Dunno why, but you could.)

The house would be useless to lessee without a key.  Similarly a
program, distributed to a user, would be useless unless an
intelligible version can be loaded or derived by the user's equipment.
But if the user's equipment can load or derive an intelligible version
of the program, the program can be reverse-engineered.  That's why
software licenses almost always contain specific language about
reverse engineering.

In both cases the owner has *necessarily* given up technical control
of the property, and can only exert control through legal means.  You
can't stop people abusing property that you hand over to them, but you
may be able to punish them if they do.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

2010-01-22 Thread Tobias Crefeld
On Fri, 22 Jan 2010 14:25:11 +, Matt Turner
m4tt_tur...@hotmail.com wrote:

 The SSL pass-through requirement explains why I was attempting to
 pass through to :8443 directly - but it sounds like that's the wrong
 approach.

If it isn't possible to move the SSL-certificate and -keys to the
Apache2 (and change the Tomcat to service ajp- or plain-http-requests)
the only possibility to do a pass-through will be a NAT-machine /
firewall with port-forwarding (e.g. port 443 -> 8443).

There is another approach to passthrough https (=443) to 8443 by using
xinetd:
 http://tp.its.yale.edu/pipermail/cas/2008-April/008083.html


 Should I just use something like..
 
   ProxyPass /cas https://10.13.0.218:8443/cas ?

I doubt that this will work. An https-client (alias webbrowser) is
transmitting SSL-traffic and ProxyPass is configuring a http-proxy
which expects http - no matter what kind of traffic it uses to connect
to the real webserver.


RU,
 Tobias.




Re: Polling and session timeout

2010-01-22 Thread Christopher Schultz

Pid,

On 1/21/2010 5:07 PM, Pid wrote:
 On 21/01/2010 15:26, Christopher Schultz wrote:
 Pid,
 
 On 1/21/2010 3:32 AM, Pid wrote:
 On 21/01/2010 04:45, grailcattt wrote:

 That is exactly what I ended up doing and it is working well. I was
 hoping
 for a solution that used tomcat session management rather than
 managing my
 own session timeouts, but it works well.

 If you put the poll servlet in a separate app and are NOT using the
 single sign on valve, you could set a separate session timeout in that
 servlet/app.

 I think.
 
 If you access the session at all, it counts as a touch, thereby
 extending the life of the session. It's not possible to peek at the
 session without touching it AFAICT. There's probably a way to do this
 with a replacement for either the session manager or a valve, but I
 think the code would need to divine the intent of the calling code to
 work properly. :(
 
 True - the poll servlet would have to be stateless and couldn't use any
 login credentials without an independent login, which would probably be
 counter productive.
 
 But, the session would be separate and so this would meet the initial
 criteria of allowing the main app to time out 'naturally'.
 
 I think.

An interesting idea. Certainly, if the servlet were to call
request.getSession(), then the session would be touched. On the other
hand, for form-based logins, an HttpSession is precisely equal to a
login, so I would bet that Tomcat updates the session last-used date
when any request comes in with a valid session id, rather than requiring
the servlet itself to specifically request it.

Spelunking into Tomcat's code for this kind of thing will take a long
time, so I'm not willing to do it right now :) I suppose it could be
demonstrated empirically, too.

- -chris




Re: Polling and session timeout

2010-01-22 Thread Christopher Schultz

Bob,

On 1/21/2010 8:36 PM, Bob Hall wrote:
 --- On Thu, 1/21/10 at 7:26 AM, Christopher Schultz 
 ch...@christopherschultz.net wrote:
 

 If you access the session at all, it counts as a touch,
 thereby
 extending the life of the session. It's not possible to
 peek at the
 session without touching it AFAICT.
 
 The Session timeout can be set when the response is being delivered
 via Session's setMaxInactiveInterval() method without extending the life of 
 the Session.
 
 In a JSP:
 
  <% session.setMaxInactiveInterval(inactiveTimeSecs); %>

Are you sure about that?

In order to get the local 'session' variable, the JSP must call
request.getSession(), which ought to extend the life of the session.

- -chris




Re: Basic Authentication Failed with multibyte username

2010-01-22 Thread Christopher Schultz

André,

On 1/21/2010 6:35 PM, André Warnier wrote:
 Basically, I would tend to say that if the server knows who the clients
 are and vice-versa, you should be free to use any encoding you want,
 with the limitation that what is exchanged on the wire conforms to HTTP
 (because there may be proxies on the way which are not so tolerant).

+1

 What the client is sending is already (in a way) conformant to HTTP,
 because it is base64 encoded and so, on the surface, it does not contain
 non-ascii characters.

+1

 But the problem is that the standard Tomcat code which decodes the Basic
 Authorization header does not work in the way you want, for these
 illegal headers.
 And this code should preferably not be changed in a way which breaks the
 conformance with standard HTTP.
 Because if you do that, then your Tomcat becomes useless for anything
 else than your special client.

+1

Another possibility would be to use something like SecurityFilter, which
allows you to (more easily) write your own authenticator and realm
implementations, and you could write a BasicAuthenticator that reads
these specially-formatted credentials.

I checked the sf source, and it looks like we might have a bug:

   private String decodeBasicAuthorizationString(String authorization) {
      if (authorization == null ||
          !authorization.toLowerCase().startsWith("basic ")) {
         return null;
      } else {
         authorization = authorization.substring(6).trim();
         // Decode and parse the authorization credentials
         return new String(Base64.decodeBase64(authorization.getBytes()));
      }
   }

That authorization.getBytes() is just asking for trouble, because it
uses the platform default encoding to convert characters to bytes. It
should be using US-ASCII, ISO-8859-1, or something like that.

It also calls the String constructor with a byte array without
specifying the encoding, therefore using the platform default.

Finally, this method is private, which means it cannot be overridden by
a subclass, which would be a nice feature. Maybe I'll fix all that. :)

 Or, you drop the container-managed security, and you use something like
 the SecurityFilter (http://securityfilter.sourceforge.net/), but read
 the homepage carefully first.

Note that the warning about BASIC authentication is waaay outdated: sf
definitely does support BASIC auth.

- -chris

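To make the two charset problems identified above concrete, here is an added example in Python; it is not SecurityFilter's or Tomcat's code and not from the message's author. parse_basic_authorization() does what the quoted Java method does, but converts the base64 token to bytes with an explicit ASCII codec, decodes the credential bytes with an explicit charset, and splits on the first colon only. make_basic_header() is a constructed helper standing in for a client that encodes a non-ASCII user name in UTF-8; the names "müller" and "ge:heim" are made-up test input. Decoding the same header as ISO-8859-1 shows the mojibake a wrong charset produces, which is exactly what "platform default" gives you on a machine whose default is not the client's.

```python
import base64
import binascii


def make_basic_header(user, password, charset="utf-8"):
    """Build a Basic Authorization header the way a client would, encoding
    the credentials with an explicit charset (constructed test input)."""
    credentials = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_basic_authorization(header, charset="utf-8"):
    """Parse a Basic Authorization header into (user, password).

    Compared with the Java snippet quoted above, three things are explicit:
    - the base64 token is ASCII by definition, so it is converted to bytes
      with the 'ascii' codec instead of the platform default;
    - the decoded credential bytes are interpreted with an explicit charset
      (UTF-8 here; ISO-8859-1 is the other common choice);
    - the split is on the first ':' only, since passwords may contain ':'.
    Returns None for a missing, non-Basic or malformed header.
    """
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.encode("ascii"), validate=True)
    except (UnicodeEncodeError, binascii.Error, ValueError):
        return None  # non-ASCII token, bad alphabet or bad padding
    try:
        credentials = raw.decode(charset)
    except UnicodeDecodeError:
        return None  # bytes are not valid text in the configured charset
    user, sep, password = credentials.partition(":")
    if not sep:
        return None
    return user, password


if __name__ == "__main__":
    header = make_basic_header("müller", "ge:heim")  # client encodes in UTF-8
    print(parse_basic_authorization(header, "utf-8"))       # ('müller', 'ge:heim')
    print(parse_basic_authorization(header, "iso-8859-1"))  # ('mÃ¼ller', 'ge:heim')
```

The charset is a parameter rather than a constant because, as the thread says, it is an agreement between this server and its clients, not something HTTP Basic itself defines; whichever value you pick, pick it explicitly on both sides.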



TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
Dear all,

on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the 
SSLProtocol:

Protocol which may be used for communicating with clients. The default is 
all, with other acceptable values being SSLv2, SSLv3, TLSv1, and 
SSLv2+SSLv3.

Does this really mean that I can not allow a TLSv1+SSLv3 setting while 
forbidding SSLv2? It seems so to me, since setting SSLProtocol to this 
obviously defaults to ALL :-(


regards
Jens

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de


www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Register court: Berlin HRA 6501

Represented by its general partner:
BIOTRONIK MT SE
Registered office: Berlin, Register court: Berlin HRB 118866 B
Chairman of the Administrative Board: Dr. Max Schaldach
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. 
Lothar Krings

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management 
systems and Vascular Intervention devices. Quality, innovation, and 
reliability define BIOTRONIK and our growing success. We are innovators of 
technologies like the first wireless remote monitoring system - Home 
Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as 
state-of-the-art stents, balloons and guide wires for coronary and 
peripheral indications. We highly invest in the development of drug 
eluting devices and are leading the industry with our bioabsorbable metal 
stent program.

This e-mail and the information it contains including attachments are 
confidential and meant only for use by the intended recipient(s); 
disclosure or copying is strictly prohibited. If you are not addressed, 
but in the possession of this e-mail, please notify the sender immediately 
and delete the document.


RMI reaper thread prevents JVM from exiting

2010-01-22 Thread Thomas Chabaud

Hi,

I have a problem with a webapp using RMI. When I try to shutdown Tomcat 
instance, the JVM doesn't exit.
I have called jstack to see the thread dump :

http://pastebin.com/fa55647

There is a non-daemon thread : RMI Reaper.

I've tried to add a servlet context listener to force RMI Object unexport on 
shutdown, but it has no effect :

http://pastebin.com/f324201e2

I'm using Tomcat 6.0.18 on a Red Hat Enterprise Linux Server release 5.3.
The JVM is a 64 bit JVM, version 1.6.0_07-b06 on a Intel Xeon E5420 CPU.

What can I do to force this RMI reaper thread to stop ?

Thanks in advance for your help.

Thomas



This message is protected by the secrecy of correspondence rules. Therefore, 
this message is intended solely for the attention of the addressee. This 
message may contain privileged or confidential information, as such the 
disclosure of this information is strictly forbidden. If, by mistake, you 
have received this message, please return this message to the addresser whose 
e-mail address is written above and destroy this message and all files attached.






RE: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Caldarale, Charles R
 From: Jens Neu [mailto:jens@biotronik.com]
 Subject: TLS+SSLv3 but no SSLv2
 
 Does this really mean that I can not allow a TLSv1+SSLv3 setting
 while forbidding SSLv2?

I was under the impression that specifying TLSv1 would include SSLv3, since 
there are provisions within TLS to handle SSLv3.  Note that TLSv1.0 - TLSv1.2 
and SSLv3 all have the same major version number.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: error-page problem - nested exceptions

2010-01-22 Thread Len Popp
You could have your error handler check if the exception is a
NestedServletException and its getRootCause() is a
UnAuthorisedAccessException, and display the nested exception's error
message in that case. You might want to use a separate error-page
for NestedServletException.
-- 
Len



On Fri, Jan 22, 2010 at 07:06, rotis23 roti...@yahoo.com wrote:

 Hi All,

 I use web.xml error-page handlers, some with error-code and other with
 exception-type. At the end I have a catchall error-page that handles
 java.lang.Throwable - users never see a stack trace and the world is a good
 place.

 However, I've recently added a Hibernate security layer that throws a
 UnAuthorisedAccessException that gets wrapped in a Spring
 NestedServletException before it hits the error-page handlers.

 Now I understand that it tries to match the top level Exception in the stack
 first then uses the next nested exception after that and so on until an
 error-page is matched. The problem is that my catchall Throwable is matching
 the NestedServletException first before the wrapped
 UnAuthorisedAccessException hits its error-page handler. I need the users to
 see that they don't have the privileges rather than a generic error message -
 I also need the catchall!

 Has anyone else dealt with this issue? I've been searching for a couple days
 on this now.

 TIA, rotis23
 --
 View this message in context: 
 http://old.nabble.com/error-page-problem---nested-exceptions-tp27272261p27272261.html
 Sent from the Tomcat - User mailing list archive at Nabble.com.








RE: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
unfortunately the behaviour for SSLProtocol=TLSv1 is:

j...@eluveitie:~ openssl s_client -ssl3 -connect server:8443
CONNECTED(0003)
9167:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake 
failure:s3_pkt.c:1053:SSL alert number 40
9167:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake 
failure:s3_pkt.c:530:

while
openssl s_client -tls1 -connect server:8443

works just fine. On top I also could not get IE 6.x to work with this, 
even with checking the TLS 1.0 setting in the Internet Options.

-Jens

Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



Re: RMI reaper thread prevents JVM from exiting

2010-01-22 Thread Peter Crowther
2010/1/22 Thomas Chabaud ext_chabaud.tho...@agora.msa.fr:
 I have a problem with a webapp using RMI. When I try to shutdown Tomcat
 instance, the JVM doesn't exit.
 I have called jstack to see the thread dump :

 http://pastebin.com/fa55647

 There is a non-daemon thread : RMI Reaper.

 I've tried to add a servlet context listener to force RMI Object unexport on
 shutdown, but it has no effect :

 http://pastebin.com/f324201e2

 I'm using Tomcat 6.0.18 on a Red Hat Enterprise Linux Server release 5.3.
 The JVM is a 64 bit JVM, version 1.6.0_07-b06 on a Intel Xeon E5420 CPU.

 What can I do to force this RMI reaper thread to stop ?

If you know you're about to exit the process, then one nasty trick
would be to find the thread in your context listener and *set* it to
be a daemon thread.  An ugly hack, but it might just work!

- Peter




Re: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Christopher Schultz

Jens,

On 1/22/2010 11:10 AM, Jens Neu wrote:
 on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the 
 SSLProtocol:
 
 Protocol which may be used for communicating with clients. The default is 
 all, with other acceptable values being SSLv2, SSLv3, TLSv1, and 
 SSLv2+SSLv3.
 
 Does this really mean that I can not allow a TLSv1+SSLv3 setting while 
 forbidding SSLv2? It seems so to me, since setting SSLProtocol to this 
 obviously defaults to ALL :-(

I agree with Chuck: TLSv1 ~= SSLv3.

Although the protocol attribute has a limited set of values you can
choose, you can always set the ciphers you will allow using the
ciphers attribute. This will allow you to pick and choose the ciphers
regardless of the overall protocol that you choose.

The ciphers available depend upon your environment, but these are the
ones I can see in mine:

java version 1.6.0_12
Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)

Default Cipher
*   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
*   SSL_DHE_DSS_WITH_DES_CBC_SHA
*   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*   SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
*   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_RSA_EXPORT_WITH_RC4_40_MD5
*   SSL_RSA_WITH_3DES_EDE_CBC_SHA
*   SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
*   SSL_RSA_WITH_RC4_128_MD5
*   SSL_RSA_WITH_RC4_128_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA

Hope that helps,
- -chris

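The listing above is a good illustration of why restricting the cipher list matters more than the protocol switch: most of the suites a 1.6.0_12 JVM enabled by default (the starred ones) are export-grade, single-DES, RC4 or MD5-based, and the unstarred ones include NULL-encryption and anonymous suites. The following is an added example, not Tomcat's code and not from the message's author: it parses that listing, flags each suite by simple name patterns, and builds the value for the JSSE connector's ciphers attribute from the suites that carry no flag. Note that Jens is reading the APR connector documentation; that connector's SSLCipherSuite attribute takes OpenSSL cipher names, so the JSSE names here apply to the JSSE connector only. The 3DES rule reflects current knowledge (64-bit block size) rather than what was considered weak in 2010.

```python
# Cipher suite names copied from the listing above (a JSSE 1.6.0_12 set);
# a leading '*' marks the suites that JVM enabled by default.
LISTING = """\
*   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
*   SSL_DHE_DSS_WITH_DES_CBC_SHA
*   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*   SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
*   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_RSA_EXPORT_WITH_RC4_40_MD5
*   SSL_RSA_WITH_3DES_EDE_CBC_SHA
*   SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
*   SSL_RSA_WITH_RC4_128_MD5
*   SSL_RSA_WITH_RC4_128_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA
"""

# Substrings of a JSSE suite name that mark it as unfit to offer, with the reason.
WEAK_MARKERS = (
    ("_WITH_NULL_", "no encryption"),
    ("_anon_", "anonymous key exchange: no server authentication"),
    ("_EXPORT_", "export-grade key length"),
    ("_DES40_", "40-bit DES"),
    ("_DES_CBC_", "single DES (56-bit key)"),
    ("_3DES_", "3DES: 64-bit block size"),
    ("_RC4_", "RC4 stream cipher"),
    ("_MD5", "MD5-based MAC"),
)


def parse_cipher_listing(text):
    """Return a list of (suite_name, enabled_by_default) from the listing."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suites.append((line.lstrip("* ").strip(), line.startswith("*")))
    return suites


def weaknesses(suite):
    """Reasons why a suite should not be offered; an empty list means acceptable."""
    return [reason for marker, reason in WEAK_MARKERS if marker in suite]


def recommended_ciphers(text):
    """Sorted names of the suites in the listing that carry no weakness marker."""
    return sorted(name for name, _ in parse_cipher_listing(text) if not weaknesses(name))


def weak_defaults(text):
    """Suites the JVM enables by default that are nevertheless flagged."""
    return [name for name, default in parse_cipher_listing(text) if default and weaknesses(name)]


def ciphers_attribute(text):
    """Value of the JSSE connector's ciphers attribute, built from the allowlist."""
    return 'ciphers="' + ",".join(recommended_ciphers(text)) + '"'


if __name__ == "__main__":
    for name in weak_defaults(LISTING):
        print(f"default but weak: {name}: {'; '.join(weaknesses(name))}")
    print(ciphers_attribute(LISTING))
```

On this listing 12 of the 15 default suites are flagged and only the three AES-128 suites survive, which is the attribute value you would paste into the connector element in server.xml.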



Re: RMI reaper thread prevents JVM from exiting

2010-01-22 Thread Christopher Schultz

Thomas,

On 1/22/2010 11:25 AM, Thomas Chabaud wrote:
 There is a non-daemon thread : RMI Reaper.
 
 I've tried to add a servlet context listener to force RMI Object
 unexport on shutdown, but it has no effect :
 
 http://pastebin.com/f324201e2

This thread over on the Sun forums
(http://forums.sun.com/thread.jspa?threadID=169975) says that you can
either unexport all your objects or call System.exit(). :(

Are there some objects that you may have forgotten to unexport?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktZ3LoACgkQ9CaO5/Lv0PDSvwCgkC++5oDypir/RV3GcpsCha5m
rL0AniMx1E6klW0QrbkETWgcUefXt1b6
=AR7b
-END PGP SIGNATURE-




Re: error-page problem - nested exceptions

2010-01-22 Thread rotis23

Hi Len,

Thanks for your message.

I don't have my 'own' error handler - I just use the error-page elements in
web.xml.

If I add an error-page for NestedServletException will the exception be
available to the corresponding jsp [in the request]? 

Has anyone extended tomcats error-page implementation to find nested
exceptions? 

Cheers, rotis23
-- 
View this message in context: 
http://old.nabble.com/error-page-problem---nested-exceptions-tp27272261p27276806.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Adding/removing hosts dynamically?

2010-01-22 Thread Jordan Michaels


Thanks Chuck,

I was able to find it and play with it a little bit. Pretty 
self-explanatory once I figured out how to modify the tomcat-users.xml 
file to get access to it.


It's a real bummer that it's not persistent, but it's still a great app.

Thanks for your help!

-Jordan


Caldarale, Charles R wrote:

From: Jordan Michaels [mailto:jor...@viviotech.net]
Subject: Re: Adding/removing hosts dynamically?

I'm extremely interested in this. Any chance anyone who has used this
before could provide some direction (example implementation)?


Try the HTML version of host-manager to get familiar with it:
http://localhost:8080/host-manager/html

Note that the updates made by the HTML and plain text servlets are not 
persistent, so will be lost upon Tomcat restart.  You'll need some additional 
means to preserve the added hosts.


From the org/apache/catalina/manager/host/HostManagerServlet.java source code:


 * Servlet that enables remote management of the virtual hosts installed
 * on the server.  Normally, this functionality will be protected by
 * a security constraint in the web application deployment descriptor.
 * However, this requirement can be relaxed during testing.
 *
 * This servlet examines the value returned by getPathInfo()
 * and related query parameters to determine what action is being requested.
 * The following actions and parameters (starting after the servlet path)
 * are supported:
 *
 *   /add?name={host-name}&aliases={host-aliases}&manager={manager} -
 *     Create and add a new virtual host. The host-name attribute
 *     indicates the name of the new host. The host-aliases
 *     attribute is a comma separated list of the host alias names.
 *     The manager attribute is a boolean value indicating if the
 *     webapp manager will be installed in the newly created host (optional,
 *     false by default).
 *   /remove?name={host-name} - Remove a virtual host.
 *     The host-name attribute indicates the name of the host.
 *   /list - List the virtual hosts installed on the server.
 *     Each host will be listed with the following format
 *     host-name#host-aliases.
 *   /start?name={host-name} - Start the virtual host.
 *   /stop?name={host-name} - Stop the virtual host.
 *
 * NOTE - Attempting to stop or remove the host containing
 * this servlet itself will not succeed.  Therefore, this servlet should
 * generally be deployed in a separate virtual host.

Seems like the javadocs aren't currently installed on tomcat.apache.org, or I 
would have directed you there.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.









Re: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
Christopher,

my Problem is that I have a requirement that SSLv2 shall be forbidden, 
but not SSLv3 and TLS. On top, also forbidden are ciphers =128bit. I was 
hoping to tackle this with

SSLProtocol=TLSv1+SSLv3
SSLCipher=-ALL:+HIGH:+MEDIUM

without manually selecting all ciphers. Since I'm on apr/openssl, I assume 
that my available ciphers are what gives me openssl ciphers?
So this leaves me with no other option than crawling through all the 
ciphers? Certainly looking forward to it ;-)

regards

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



Christopher Schultz ch...@christopherschultz.net wrote on 01/22/2010 06:05 PM
(To: Tomcat Users List users@tomcat.apache.org, Subject: Re: TLS+SSLv3 but no SSLv2):

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jens,

On 1/22/2010 11:10 AM, Jens Neu wrote:
 on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the 
 SSLProtocol:
 
 Protocol which may be used for communicating with clients. The default
 is all, with other acceptable values being SSLv2, SSLv3, TLSv1, and
 SSLv2+SSLv3.
 
 Does this really mean that I can not allow a TLSv1+SSLv3 setting while
 forbidding SSLv2? It seems so to me, since setting SSLProtocol to this
 obviously defaults to ALL :-(

I agree with Chuck: TLSv1 ~= SSLv3.

Although the protocol attribute has a limited set of values you can
choose, you can always set the ciphers you will allow using the
ciphers attribute. This will allow you to pick and choose the ciphers
regardless of the overall protocol that you choose.

The ciphers available depend upon your environment, but these are the
ones I can see in mine:

java version 1.6.0_12
Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)

Default Cipher
*   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
*   SSL_DHE_DSS_WITH_DES_CBC_SHA
*   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*   SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
*   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_RSA_EXPORT_WITH_RC4_40_MD5
*   SSL_RSA_WITH_3DES_EDE_CBC_SHA
*   SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
*   SSL_RSA_WITH_RC4_128_MD5
*   SSL_RSA_WITH_RC4_128_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktZ2ncACgkQ9CaO5/Lv0PCMJACfTyFfj8zJS7tkGRewU0h2gkct
fxkAn320dKYKKYrJ/jPyXOtMXy0I9fGE
=NL0x
-END PGP SIGNATURE-






www.biotronik.com

BIOTRONIK SE  Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRA 6501

Vertreten durch ihre Komplementärin:
BIOTRONIK MT SE
Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRB 118866 B
Vorsitzender des Verwaltungsrats: Dr. Max Schaldach
Geschäftsführende Direktoren: Christoph Böhmer, Dr. Werner Braun, Dr. 
Lothar Krings

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management 
systems and Vascular Intervention devices. Quality, innovation, and 
reliability define BIOTRONIK and our growing success. We are innovators of 
technologies like the first wireless remote monitoring system - Home 
Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as 
state-of-the-art stents, balloons and guide wires for coronary and 
peripheral indications. We highly invest in the development of drug 
eluting devices and are leading the industry with our bioabsorbable metal 
stent program.

This e-mail and the information it contains including attachments are 
confidential and meant only for use by the intended recipient(s); 
disclosure or copying is strictly prohibited. If you are not addressed, 
but in the possession of this e-mail, please notify the sender immediately 
and delete the document.


Re: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jens,

On 1/22/2010 12:30 PM, Jens Neu wrote:
 Christopher,
 
 my Problem is that I have a requirement that SSLv2 shall be forbidden, 
 but not SSLv3 and TLS. On top, also forbidden are ciphers =128bit. I was 
 hoping to tackle this with
 
 SSLProtocol=TLSv1+SSLv3
 SSLCipher=-ALL:+HIGH:+MEDIUM
 
 without manually selecting all ciphers. Since I'm on apr/openssl, I assume 
 that my available ciphers are what gives me openssl ciphers?
 So this leaves me with no other option than crawling through all the 
 ciphers? Certainly looking forward to it ;-)

How about SSLCipher=-ALL:+HIGH:+MEDIUM:!SSLv2?

The APR documentation points you to the openssl documentation for
reference. The above SSLCipher yields:

$ openssl ciphers '-ALL:HIGH:MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
ADH-AES256-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
ADH-AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
ADH-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
ADH-RC4-MD5
RC4-SHA
RC4-MD5

Are those acceptable? You don't have to list all the ciphers if you
don't want to.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktZ4coACgkQ9CaO5/Lv0PC3xwCcDtuaednrMBZRcZmUOneFoE/M
Wy8AoIQ3w/Zctnw8tTU2kHdW4Y7xynkM
=mFDc
-END PGP SIGNATURE-




Re: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
Christopher,

yes, that's it! Merci bien :-)
I was reading http://www.openssl.org/docs/apps/ciphers.html for 
reference, that's where I got scared that I had to check all of them for 
128bit. Didn't know that SSLCipher= is actually understood by openssl.

It's Friday finally :)
Jens

Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



Christopher Schultz ch...@christopherschultz.net wrote on 01/22/2010 06:36 PM
(To: Tomcat Users List users@tomcat.apache.org, Subject: Re: TLS+SSLv3 but no SSLv2):

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jens,

On 1/22/2010 12:30 PM, Jens Neu wrote:
 Christopher,
 
 my Problem is that I have a requirement that SSLv2 shall be forbidden, 
 but not SSLv3 and TLS. On top, also forbidden are ciphers =128bit. I was 
 hoping to tackle this with
 
 SSLProtocol=TLSv1+SSLv3
 SSLCipher=-ALL:+HIGH:+MEDIUM
 
 without manually selecting all ciphers. Since I'm on apr/openssl, I assume 
 that my available ciphers are what gives me openssl ciphers?
 So this leaves me with no other option than crawling through all the 
 ciphers? Certainly looking forward to it ;-)

How about SSLCipher=-ALL:+HIGH:+MEDIUM:!SSLv2?

The APR documentation points you to the openssl documentation for
reference. The above SSLCipher yields:

$ openssl ciphers '-ALL:HIGH:MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
ADH-AES256-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
ADH-AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
ADH-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
ADH-RC4-MD5
RC4-SHA
RC4-MD5

Are those acceptable? You don't have to list all the ciphers if you
don't want to.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktZ4coACgkQ9CaO5/Lv0PC3xwCcDtuaednrMBZRcZmUOneFoE/M
Wy8AoIQ3w/Zctnw8tTU2kHdW4Y7xynkM
=mFDc
-END PGP SIGNATURE-








Re: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
Christopher,

maybe that was a bit premature, running with 
SSLCipher=-ALL:+HIGH:+MEDIUM:!SSLv2:

openssl s_client -ssl2 -connect server:8443
CONNECTED(0003)

...

---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1135 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv2
Cipher: DES-CBC3-MD5
Session-ID: 21D7302FAF313F61DF24661249FCF7FD
Session-ID-ctx: 
Master-Key: 3CAC5F9B8889222FFF7E1106232BFE34FC7A2CBD078833E0
Key-Arg   : 448CA2E3F880EF06
Start Time: 1264182312
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de





RE: newbie: multiple ports for same tomcat server 5.0

2010-01-22 Thread Chart

Chuck,

I am now confused.  I stated I am using port 8082 from the outside and need
to use port 80 on the inside.  So I am using different ports.  So the port
conflict that you talked about originally would never happen (is this
correct?).  If I am going to have a port conflict, how would I implement what
you stated?

n828cl wrote:
 
 From: Anurag Kapur [mailto:anuragka...@gmail.com]
 Subject: Re: newbie: multiple ports for same tomcat server 5.0
 
 You mentioned that adding the address attribute is recommended 
 to prevent port conflicts.
 
 I didn't say it was recommended, just that it was one way to avoid port
 conflicts, especially if you wanted both Connector elements to use a
 standard port, such as 80.  The other way, of course, is to simply use
 different ports.  In the case being discussed in the thread, the OP wanted
 to segregate external users and internal ones, and typically that's done
 by using separate IP addresses for each group.
 
  - Chuck
 
 
 
 
 
 
 

-- 
View this message in context: 
http://old.nabble.com/newbie%3A-multiple-ports-for-same-tomcat-server-5.0-tp27262778p27277458.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





RE: newbie: multiple ports for same tomcat server 5.0

2010-01-22 Thread Caldarale, Charles R
 From: Chart [mailto:ccha...@hotmail.com]
 Subject: RE: newbie: multiple ports for same tomcat server 5.0
 
 I stated I am using port 8082 from the outside and
 need to use port 80 on the inside.

If your front-end is on the same machine, you will have a port conflict, since 
it's already got port 80 assigned.  If the front-end is on a different machine, 
you shouldn't have a conflict.  However, if port 8082 is open to the outside 
world, is there anything that stops the outside world from using the public IP 
address and accessing Tomcat on port 80?

Perhaps your firewall settings are such that you've taken care of that, but 
it's not clear.

 - Chuck








Re: Tomcat 5.5.28 EL not evaluated

2010-01-22 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Sharmila,

On 1/22/2010 5:43 AM, sharmila punde wrote:
 My OS is fedora, and i have installed tomcat 5.5.28. I have web app.
 My jsp page has EL as follow- ${perosn.name}.

Did you mean ${person.name}? Could that be the problem?

 I put jsp-api.jar, servlet-api.jar into /usr/java/jdk1.5.0_16/jre/lib/ext.

Why did you put those files into the system-wide library folder? If
you're using Tomcat, they should be available to any webapp that needs them.

 Servlet works fine, but above EL is considered as plain text. My
 web.xml of web app has following lines -
 
 <jsp-config>
   <jsp-property-group>
     <url-pattern>*.jsp</url-pattern>
     <el-ignored>false</el-ignored>
     <scripting-invalid>true</scripting-invalid>
   </jsp-property-group>
 </jsp-config>

 Why EL is not getting evaluated after translation to .java file.
 Can some one please help me sort out this problem

Are other EL and/or scripting elements working as expected on this page?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktZ6uwACgkQ9CaO5/Lv0PDg4gCeMi93eiwdqbPB/ZKXtU7SHcCw
Ic8An0zEyXhY+KsqZUXHu/HiwY7jrhUF
=PtlP
-END PGP SIGNATURE-




RE: Solved Tomcat 5.5.28 EL not evaluated

2010-01-22 Thread sharmila punde
Thanks Nishant,
  Thank you very much. It was very helpful. 
Regards

--- On Fri, 22/1/10, Hadole, Nishant IN BOM SISL nishant.had...@siemens.com 
wrote:

 From: Hadole, Nishant IN BOM SISL nishant.had...@siemens.com
 Subject: RE: Tomcat 5.5.28 EL not evaluated
 To: 'Tomcat Users List' users@tomcat.apache.org
 Date: Friday, 22 January, 2010, 17:24
 Check this FAQ - http://faq.javaranch.com/java/ElOrJstlNotWorkingAsExpected

 
 With best regards,
 Nishant Hadole
 
 Siemens IT Solutions and Services
 SIS PRO SI-I
 Tel.: +91 22 2495 7816
 Fax: +91 22 6660 8521
 Mailto: nishant.had...@siemens.com
 www.siemens.co.in
 -Original Message-
 From: sharmila punde [mailto:sharmila...@yahoo.com]
 Sent: Friday, 22 January, 2010 04:13 PM
 To: users@tomcat.apache.org
 Subject: Tomcat 5.5.28 EL not evaluated
 
 Dear All,
 My OS is fedora, and i have installed tomcat
 5.5.28. I have web app.  My jsp page has EL as follow-
 ${perosn.name}.
 
 I put jsp-api.jar, servlet-api.jar into
 /usr/java/jdk1.5.0_16/jre/lib/ext.
 Servlet works fine, but above EL is considered as plain
 text. My web.xml of web app has following lines -
 
 <jsp-config>
   <jsp-property-group>
     <url-pattern>*.jsp</url-pattern>
     <el-ignored>false</el-ignored>
     <scripting-invalid>true</scripting-invalid>
   </jsp-property-group>
 </jsp-config>
 Why EL is not getting evaluated after translation to .java
 file.
 Can some one please help me sort out this problem
 Regards
 
 
 
 
 
 
 
 Important notice: This e-mail and any attachment there to
 contains corporate proprietary information. If you have
 received it by mistake, please notify us immediately by
 reply e-mail and delete this e-mail and its attachments from
 your system.
 Thank You.
 







RE: newbie: multiple ports for same tomcat server 5.0

2010-01-22 Thread Chart

Chuck,

Yes we have a firewall that does not allow traffic from the IIS server to
the tomcat server on port 80.

Just for learning purposes.  Could you take the line out of my original file
and add information like you had stated in your original update?

thanks,


n828cl wrote:
 
 From: Chart [mailto:ccha...@hotmail.com]
 Subject: RE: newbie: multiple ports for same tomcat server 5.0
 
 I stated I am using port 8082 from the outside and
 need to use port 80 on the inside.
 
 If your front-end is on the same machine, you will have a port conflict,
 since it's already got port 80 assigned.  If the front-end is on a
 different machine, you shouldn't have a conflict.  However, if port 8082
 is open to the outside world, is there anything that stops the outside
 world from using the public IP address and accessing Tomcat on port 80?
 
 Perhaps your firewall settings are such that you've taken care of that,
 but it's not clear.
 
  - Chuck
 
 
 
 
 
 
 
 

-- 
View this message in context: 
http://old.nabble.com/newbie%3A-multiple-ports-for-same-tomcat-server-5.0-tp27262778p27277828.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





RE: newbie: multiple ports for same tomcat server 5.0

2010-01-22 Thread Caldarale, Charles R
 From: Chart [mailto:ccha...@hotmail.com]
 Subject: RE: newbie: multiple ports for same tomcat server 5.0
 
 Just for learning purposes.  Could you take the line out of my
 original file and add information like you had stated in your
 original update?

Sorry, I don't understand what you're asking for.

 - Chuck







Re: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jens,

On 1/22/2010 12:51 PM, Jens Neu wrote:
 Christopher,
 
 maybe that was a bit premature, running with 
 SSLCipher=-ALL:+HIGH:+MEDIUM:!SSLv2:
 
 openssl s_client -ssl2 -connect server:8443
 CONNECTED(0003)
 ---
 SSL handshake has read 1135 bytes and written 236 bytes
 ---
 New, SSLv2, Cipher is DES-CBC3-MD5
 Server public key is 1024 bit
 Compression: NONE
 Expansion: NONE
 SSL-Session:
 Protocol  : SSLv2
 Cipher: DES-CBC3-MD5
 Session-ID: 21D7302FAF313F61DF24661249FCF7FD
 Session-ID-ctx:
 Master-Key: 3CAC5F9B8889222FFF7E1106232BFE34FC7A2CBD078833E0
 Key-Arg   : 448CA2E3F880EF06
 Start Time: 1264182312
 Timeout   : 300 (sec)
 Verify return code: 18 (self signed certificate)
 ---

:(

 ---
 Ciphers common between both SSL endpoints:
 RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 
 EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5

In my environment, openssl reports:

$ openssl ciphers 'SSLv2'| sed -e 's/:/\n/g'
DES-CBC3-MD5 - you got this one
DES-CBC-MD5
EXP-RC2-CBC-MD5
RC2-CBC-MD5
EXP-RC4-MD5
RC4-MD5

Looks like all those are the same ones, meaning that 100% of the openssl
SSLv2 ciphers are available from Tomcat.

Stupid question: did you re-start Tomcat after making the SSLCipher change?

Again, here's what I get for the cipher string we've been trying:

$ openssl ciphers 'ALL:!SSLv2:+HIGH:+MEDIUM'| sed -e 's/:/\n/g'
 ADH-DES-CBC-SHA
 EXP-ADH-DES-CBC-SHA
 EXP-ADH-RC4-MD5
 EDH-RSA-DES-CBC-SHA
 EXP-EDH-RSA-DES-CBC-SHA
 EDH-DSS-DES-CBC-SHA
 EXP-EDH-DSS-DES-CBC-SHA
 DES-CBC-SHA
 EXP-DES-CBC-SHA
 EXP-RC2-CBC-MD5
 EXP-RC4-MD5
 ADH-AES256-SHA
 DHE-RSA-AES256-SHA
 DHE-DSS-AES256-SHA
 AES256-SHA
 ADH-AES128-SHA
 DHE-RSA-AES128-SHA
 DHE-DSS-AES128-SHA
 AES128-SHA
 ADH-DES-CBC3-SHA
 EDH-RSA-DES-CBC3-SHA
 EDH-DSS-DES-CBC3-SHA
 DES-CBC3-SHA
 ADH-RC4-MD5
 RC4-SHA
 RC4-MD5

I don't see any of the SSLv2 ciphers in there except for RC4-MD5, which
I suppose would still allow you to connect.

One thing I noticed is that your cipher string is not valid:

$ openssl ciphers '-ALL:+HIGH:+MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
Error in cipher list
16374:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1185:

You have to have something without - or + prefixing it. Apparently, you
have to start with a list before you start modifying it :)

Try the string I have above and see if that works. RC4-MD5 might still
work, though.

You should take a look at this guy's tool, here:
http://www.unspecific.com/2009/02/16/ssl-cipher-check

Our production server's httpd is configured to use HIGH:MEDIUM:-SSLv2
and the results of the above script confirm that only decent ciphers are
available:

$ ./ssl-cipher-check.pl [mysite]
Testing [mysite]:443
   SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
   SSLv3:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
   SSLv3:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
   SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
   SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
   SSLv3:DHE-RSA-AES256-SHA - ENABLED - STRONG 256 bits
   SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
   SSLv3:AES256-SHA - ENABLED - STRONG 256 bits

   TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
   TLSv1:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
   TLSv1:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
   TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
   TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
   TLSv1:DHE-RSA-AES256-SHA - ENABLED - STRONG 256 bits
   TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
   TLSv1:AES256-SHA - ENABLED - STRONG 256 bits


*WARNING* 6 WEAK Ciphers Enabled.
Total Ciphers Enabled: 22

I was unable to verify that any WEAK ciphers were enabled, and I count
16 enabled ciphers, not 22. So, maybe this script isn't the greatest
thing around :)

With HIGH:MEDIUM:-SSLv2, I cannot connect using openssl s_client
- -ssl2, which is a good thing.

Try a different/better cipher string. Always check against openssl
cipher to make sure that it's kosher before enabling it in your server.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktZ8nkACgkQ9CaO5/Lv0PBLDwCfa3ESeJCygI42yQ2jGQ0YUoZO
IPsAnju+4lL4lNWuF6TnG6B5cW8EzPNe
=9+YO
-END PGP SIGNATURE-

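
An added example, not code from this thread, from Tomcat or from OpenSSL,
illustrating the cipher-string behaviour the two replies above run into
(the "-ALL:HIGH:MEDIUM:!SSLv2" experiment and the "Error in cipher list"
result). One detail worth keeping in mind when reading the lists above: in
OpenSSL's cipher-string syntax a plain keyword adds ciphers, "-" removes them
(they can be re-added by a later keyword), "!" removes them permanently, and
"+" adds nothing at all, it only moves ciphers that are already selected to
the end of the list. That is why "-ALL:+HIGH:+MEDIUM" selects nothing and why
"ALL:!SSLv2:+HIGH:+MEDIUM" still lists EXP- and DES-CBC-SHA suites, merely
reordered. The toy model below implements those four operators over a small,
constructed cipher table whose tags follow the OpenSSL keyword names
(HIGH, MEDIUM, LOW, EXPORT, aNULL, eNULL, SSLv2, ...); the table is an
illustrative subset, not any real OpenSSL version's list, and the weak-tag
set reflects the 2010 requirement in the thread (no SSLv2, nothing under
128 bits), not a modern one. The optional `openssl_ciphers` helper runs the
real `openssl ciphers` command when one is installed, so a candidate string
can be checked both ways before it goes into `SSLCipher`.

```python
"""Toy model of OpenSSL cipher-string semantics (added example).

Not code from the thread, Tomcat or OpenSSL. It models the four cipher-string
operators: a plain keyword ADDS, "-" removes (re-addable), "!" removes
permanently, and "+" only MOVES already-selected ciphers to the end.
"""
import shutil
import subprocess

# Constructed, illustrative cipher table: name -> keyword tags it matches.
# Tags mirror OpenSSL keyword names; this is not a real OpenSSL cipher list.
CIPHERS = {
    "AES256-SHA":         {"HIGH", "SSLv3", "kRSA", "aRSA", "AES"},
    "DHE-RSA-AES256-SHA": {"HIGH", "SSLv3", "kEDH", "aRSA", "AES"},
    "ADH-AES256-SHA":     {"HIGH", "SSLv3", "kEDH", "aNULL", "AES"},
    "AES128-SHA":         {"HIGH", "SSLv3", "kRSA", "aRSA", "AES"},
    "DES-CBC3-SHA":       {"HIGH", "SSLv3", "kRSA", "aRSA", "3DES"},
    "RC4-SHA":            {"MEDIUM", "SSLv3", "kRSA", "aRSA", "RC4"},
    "RC4-MD5":            {"MEDIUM", "SSLv3", "kRSA", "aRSA", "RC4"},
    "DES-CBC-SHA":        {"LOW", "SSLv3", "kRSA", "aRSA", "DES"},
    "EXP-RC4-MD5":        {"EXPORT", "EXP40", "SSLv3", "kRSA", "aRSA", "RC4"},
    "NULL-SHA":           {"eNULL", "SSLv3", "kRSA", "aRSA"},
    "DES-CBC3-MD5":       {"HIGH", "SSLv2", "kRSA", "aRSA", "3DES"},
    "RC2-CBC-MD5":        {"MEDIUM", "SSLv2", "kRSA", "aRSA", "RC2"},
    "EXP-RC2-CBC-MD5":    {"EXPORT", "EXP40", "SSLv2", "kRSA", "aRSA", "RC2"},
}

# Tags the thread's requirement (no SSLv2, nothing under 128 bits) rules out.
WEAK_TAGS = {"SSLv2", "EXPORT", "LOW", "eNULL", "aNULL"}


def _matches(name, keyword):
    """True if cipher `name` is selected by one element body.
    A body may join keywords with '+' meaning AND, e.g. kRSA+AES."""
    tags = CIPHERS[name]
    for part in keyword.split("+"):
        if part == "ALL":
            if "eNULL" in tags:      # ALL excludes the eNULL suites
                return False
        elif part != name and part not in tags:
            return False
    return True


def expand(spec, table=CIPHERS):
    """Ordered cipher list that `spec` selects under the toy model.
    Unknown keywords (including @STRENGTH) select nothing here."""
    selected = []
    killed = set()
    for elem in spec.split(":"):
        if not elem:
            continue
        if elem[0] in "!-+":
            op, body = elem[0], elem[1:]
        else:
            op, body = "", elem
        hit = [c for c in table if _matches(c, body)]
        if op == "!":                 # permanent removal
            killed.update(hit)
            selected = [c for c in selected if c not in hit]
        elif op == "-":               # removal, may be re-added later
            selected = [c for c in selected if c not in hit]
        elif op == "+":               # move matching entries to the end
            moved = [c for c in selected if c in hit]
            selected = [c for c in selected if c not in hit] + moved
        else:                         # add, in table order, unless killed
            for c in hit:
                if c not in selected and c not in killed:
                    selected.append(c)
    return selected


def weak_ciphers(spec):
    """Ciphers the string would enable that carry a weak tag."""
    return [c for c in expand(spec) if CIPHERS[c] & WEAK_TAGS]


def is_usable(spec):
    """OpenSSL rejects a string that selects nothing ('no cipher match')."""
    return bool(expand(spec))


def openssl_ciphers(spec):
    """Cross-check with the real `openssl ciphers`; None if not installed,
    [] if OpenSSL rejects the string."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", spec],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return []
    return proc.stdout.strip().split(":")


if __name__ == "__main__":
    for spec in ("-ALL:+HIGH:+MEDIUM:!SSLv2",      # selects nothing
                 "ALL:!SSLv2:+HIGH:+MEDIUM",       # weak suites kept, reordered
                 "HIGH:MEDIUM:!SSLv2:!aNULL"):     # what the requirement wants
        print(spec, "->", expand(spec), "weak:", weak_ciphers(spec))
```

Run it and compare the three strings: the first yields an empty list (OpenSSL's "Error in cipher list"), the second keeps LOW and EXPORT suites and only shuffles the strong ones to the back, and the third, which starts from a positive list and uses "!" for the exclusions, is the shape that actually satisfies "no SSLv2, nothing below 128 bits". Whatever the model says, run `openssl_ciphers(spec)` on the real installation before putting the string into `SSLCipher`, exactly as the reply above advises.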



Re: newbie: multiple ports for same tomcat server 5.0

2010-01-22 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chart,

On 1/21/2010 1:53 PM, Chart wrote:
 There is a SSI server on the outside that sends request to
 8009 for this tomcat server (from what I have been told). The tomcat
 server is running on port 8082.

You mean that Tomcat is accepting requests on port 8082. What kind of
requests, HTTP?

 I have been tasked to change this tomcat
 server to accept request from 8082 when they are coming from the outside and
 port 80 if you are inside the network.

If Tomcat is already listening to port 8082, then it will continue to do
so. There should be no need to change anything, unless you have
instructed Tomcat to listen only on a certain interface (like localhost).

 The outside goes from an address
 that accepts the request on port 80 and then sends it to tomcat on port
 8082.

Okay, this sounds like your setup already does exactly what your
requirements state. Congratulations: you're done!

 The inside I would set DHCP to send directly to the tomcat server
 and bypass the SSI server.

Uh, wait... what?

 Therefore I need to allow this tomcat server
 to listen on port 80 and port 8082.

Where is the SSI server? Same machine, or someplace else? Is it okay if
remote users go directly to port 80 on the Tomcat machine, or do you
need to prohibit them from doing so?

 <Connector ... port="8082" ... />

This accepts HTTP requests on port 8082, and listens on interface
0.0.0.0 which means it will respond to requests from anywhere.

 <Connector ... port="8009" protocol="AJP/1.3" ... />

This accepts AJP requests on port 8009, and listens on interface
0.0.0.0 which means it will respond to requests from anywhere.

If all you want to do is add another port number, that's easy in theory
(as Andre' pointed out):

<Connector URIEncoding="UTF-8" acceptCount="100"
connectionTimeout="2" disableUploadTimeout="true" port="80"
redirectPort="8443" maxSpareThreads="75" maxThreads="150"
minSpareThreads="25">
</Connector>

That's your original HTTP Connector with just the port number changed.

Now, if your SSI server (btw: never heard that term before) is running
on the local machine and already listening to port 80, then you'll have
to do as Chuck suggests and have Tomcat bind to localhost (or some other
interface) so as to avoid conflicts with the aforementioned server, which
already owns port 80.

Also, if you're running on *NIX, port 80 is considered privileged and
you therefore must make arrangements to be able to bind to that port. If
this is the case, please let us know and we can help you do that.

If you ever move up to 5.5 or (even better) 6.0, you might want to
consider using an Executor that allows all your Connectors to share
a single thread pool. That way, you won't run the risk of having lots of
threads sitting around doing nothing because one of the Connectors is
under-used.

-chris




Re: Problem starting connection pooling

2010-01-22 Thread Christopher Schultz

Mark,

On 1/22/2010 8:44 AM, Mark Witczak wrote:
 I used: mysql -u foo -p -h test.hostname.com
 
 Is there a way to force the command to use TCP/IP? is there a parameter
 for networking that I should include in context.xml?

What you did ought to be fine. The MySQL command line client only uses
named pipes (not UNIX domain sockets) for communication when you use
localhost (the default hostname) from the command line.

I'm not sure what the problem is, but I can tell you what the problem is NOT:

1. You have your mysql-connector.jar file in the right place, otherwise
you'd be getting a different error.

2. Your username/password appear to be correct, otherwise you would have
gotten a different error.

Other than the error you posted, are there other errors in any log
files? Specifically, catalina.out and friends?

-chris




Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

2010-01-22 Thread Christopher Schultz

Peter,

On 1/22/2010 7:49 AM, Peter Crowther wrote:
 - You're telling AJP to use a secure connection between httpd and Tomcat;

AJP doesn't recognize any secure connection capability for its own
communication. As you've said, AJP /does/ forward SSL information
through the AJP connection to Tomcat.

 - The Tomcat connector on port 8443 is a SSL connector, not an AJP connector;

Almost certainly, though Matt didn't post his server.xml for verification.

 - AJP is getting confused.

Absolutely!

 I believe you should only need to configure one worker (the one on
 8009); AJP is capable of passing through the information as to whether
 or not the data arrived securely or not at httpd.

+1

-chris




Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

2010-01-22 Thread Christopher Schultz

Matt,

On 1/22/2010 9:25 AM, Matt Turner wrote:
 In my case sometimes I do need to pass through the SSL to Tomcat, as
 I'm running CAS which requires genuine SSL requests.

mod_jk ought to be able to forward all SSL information to Tomcat.
Specifically, what does CAS require?

 (I do also have some SSL requests that tomcat doesn't need to see -
 which I will send via 8009 as has been suggested).
 
 The SSL pass-through requirement explains why I was attempting to
 pass through to :8443 directly - but it sounds like that's the wrong
 approach.

Unless something specific is actually not working, you ought to be able
to use a vanilla AJP connection for both secure and non-secure HTTP
(even via the same worker/Connector).

 Should I just use something like..
 
 ProxyPass /cas https://10.13.0.218:8443/cas ?

Now, you're switching from mod_jk to mod_proxy_http(s). Can CAS really
not function properly with an AJP connection?

If you proxy HTTPS you are likely to get in all kinds of trouble because
the client is no longer your user... it's your web server. And the
server is no longer the web server... it's Tomcat.

-chris




Re: Basic Authentication Failed with multibyte username

2010-01-22 Thread André Warnier

Christopher Schultz wrote:

> André,
>
> On 1/21/2010 6:35 PM, André Warnier wrote:
>
>> Basically, I would tend to say that if the server knows who the clients
>> are and vice-versa, you should be free to use any encoding you want,
>> with the limitation that what is exchanged on the wire conforms to HTTP
>> (because there may be proxies on the way which are not so tolerant).
>
> +1
>
>> What the client is sending is already (in a way) conformant to HTTP,
>> because it is base64 encoded and so, on the surface, it does not contain
>> non-ascii characters.
>
> +1
>
>> But the problem is that the standard Tomcat code which decodes the Basic
>> Authorization header does not work in the way you want, for these
>> illegal headers.
>> And this code should preferably not be changed in a way which breaks the
>> conformance with standard HTTP.
>> Because if you do that, then your Tomcat becomes useless for anything
>> else than your special client.
>
> +1
>
> Another possibility would be to use something like SecurityFilter, which
> allows you to (more easily) write your own authenticator and realm
> implementations, and you could write a BasicAuthenticator that reads
> these specially-formatted credentials.
>
> I checked the sf source, and it looks like we might have a bug:
>
>     private String decodeBasicAuthorizationString(String authorization) {
>         if (authorization == null ||
>             !authorization.toLowerCase().startsWith("basic ")) {
>             return null;
>         } else {
>             authorization = authorization.substring(6).trim();
>             // Decode and parse the authorization credentials
>             return new String(Base64.decodeBase64(authorization.getBytes()));
>         }
>     }
>
> That authorization.getBytes() is just asking for trouble, because it
> uses the platform default encoding to convert characters to bytes. It
> should be using US-ASCII, ISO-8859-1, or something like that.

-1
I don't think you have a problem there, because what you are decoding 
into bytes there IS bytes (it is base64-encoded).

> It also calls the String constructor with a byte array without
> specifying the encoding, therefore using the platform default.

+1
That is indeed where you have a problem.  There you SHOULD always decode 
it as US-ASCII (or maybe iso-8859-1, I'm not quite sure what the spec 
says exactly).



Let's say that the spec is clear and says that the header value is 
*TEXT, and that *TEXT is always US-ASCII (or ISO-8859-1) by default.


Let's take it from the browser side first.
If the userid:password is indeed composed only of us-ascii characters, 
then the browser base64-encodes this directly and it is trivial.(*)


But let's say that userid:password is something else than us-ascii.
Another part of the spec says that then, you have to encode it according 
to RFC2047.
My contention is then that the browser should first RFC2047-encode 
userid:password, and then base64-encode the result.


Back on the server side.
The server base64-decodes the authorization token, into an ascii string.
It can do that always, because either the string was ascii to start 
with, or else it was not, but then it has been RFC2047-encoded, yielding 
a result that is ascii.

(like : =?iso-8859-2?B?base64-encoded stuff...?= )

Then the server must do another round of decoding via RFC2047.
That consists of a double decoding again : base64-decode the string 
between the ?? into bytes, and then decode those bytes into Unicode, 
using the charset indicated at the beginning of the rfc2047-encoded 
sequence.



The above, I believe, would be totally consistent with the current RFCs.

But there is a major catch : I don't believe that there is a browser on 
the market today, which properly encodes the userid:password string 
via rfc2047 when it isn't ascii.


And the OP's special client sends UTF-8, but also does not 
rfc2047-encode it.






Re: error-page problem - nested exceptions

2010-01-22 Thread Len Popp
Yes, in the error page you can get the exception as a request
attribute, either javax.servlet.jsp.jspException or
javax.servlet.error.exception (sometimes it's one, sometimes the
other). In my app, I found that this exception has already been
unwrapped - it's the original exception, not a ServletException. I'm
not sure it works the same way with Spring's NestedServletException -
you'll have to try it out.
-- 
Len



On Fri, Jan 22, 2010 at 12:15, rotis23 roti...@yahoo.com wrote:

 Hi Len,

 Thanks for your message.

 I don't have my 'own' error handler - I just use the error-page elements in
 web.xml.

 If I add an error-page for NestedServletException will the exception be
 available to the corresponding jsp [in the request]?

 Has anyone extended tomcats error-page implementation to find nested
 exceptions?

 Cheers, rotis23








Re: newbie: multiple ports for same tomcat server 5.0

2010-01-22 Thread André Warnier
Now here we have a case where I, the dummy on this forum, spent hours 
creating a work of ascii art explaining clearly and precisely to the OP 
what he needs to change, and where subsequently the two gurus manage, in 
just a couple of posts, to totally confuse the OP.

t.


(And, by the way, it appears that SSI, mentioned by the OP in the 
initial post, and which somewhat puzzled me too but which I decided to 
just copy along, should in reality have been noted IIS.  Which makes 
it a lot clearer for everyone now.)



So, Chart, bear with me.

Go back to the picture.

In the first version, there was your current configuration, with the IIS 
server, which in all likelihood is currently listening on port 80.


In your original post, you indicated your intention of turning it off, 
and having (internal) users access Tomcat directly on port 80.


For that, you need Tomcat to listen on port 80, which it doesn't yet do 
currently.
So I tried to show you what you need to do to Tomcat, so that it will 
listen on port 80 (essentially, add a Connector, similar to the one 
you have for port 8082, but this new one listening on port 80).


Unfortunately, in version 2 of the picture, where I represented this 
additional Connector, I also left in the IIS server (which also listens 
on port 80).

If both IIS and Tomcat are running on the same host, that does not work.
You cannot have IIS and Tomcat both listen, at the same time, on all IP 
addresses of the same host, and on port 80.

There is a conflict : only one of them can be doing that at any one time.

So,

- if the IIS server is on another host than Tomcat, then it is fine, 
there is no conflict, and what I showed in version 2 is fine.


- if the IIS server and Tomcat are on the same host, then in principle 
only one of them can be listening on port 80.  So you have to start 
/either/ IIS /or/ Tomcat, but not both at the same time.

Which is OK if as you mentioned, you are going to eliminate IIS anyway.
(If you try to start Tomcat that way while IIS is running, Tomcat will 
not start, because it will be unable to open port 80; it is already taken).


IF however, IIS and Tomcat being on the same host, AND for some reason 
you still want to leave IIS running, then there is still a way to avoid 
the conflict. But it involves the fact that your host has at least 2 
distinct IP addresses, and a bit more configuration.

Which we will then explain to you if that is your case.





AW: Comet Connection Writeable?

2010-01-22 Thread Steffen Heil
Hi

I'd like to try it.
However I am not accustomed to building tomcat.

Do you have this compiled somewhere?

Best regards,
  Steffen


-Original Message-
From: Filip Hanik - Dev Lists [mailto:devli...@hanik.com] 
Sent: Tuesday, 19 January 2010 15:50
To: Tomcat Users List
Subject: Re: Comet Connection Writeable?

Hi Steffen,
At http://svn.apache.org/viewvc/tomcat/sandbox/gdev6x/
I implemented the feature you are looking for.

Where you would do

CometEvent.interestOps(CometEvent.CometOperation.OP_WRITE);

and you will receive a

CometEvent.EventType.WRITE

When I tried to write sample applications against this, it turned out to 
be very complex programming.
You can check out that branch and build it and see if its something we 
should still pursue

Filip

On 01/18/2010 09:06 AM, Steffen Heil wrote:
 Hi

 I am using comet connections for some time now in a server push manner:
 Whenever the server needs to inform the client about some event, it sends
 a packet to the client and waits for a reply in the same connection.
 As soon as a READ event is triggered, that reply is read and the next
 message can be sent.

 Now, this requires a round-trip-time between the client and the server and
 is inappropriate for larger amounts of data especially on high latency
 connections.

 I am seeking for a way to determine (from a comet servlet's point of view)
 if a connection is writeable - this is, if output buffers are empty and I
 can send additional data.

 Note, that sending a huge amount of data at once is not an option, I need
 to send distinct parts...


 So here are my questions:

 - How can I detect if a connection is writeable?
 - That is, how can I detect if the output buffers are empty?
 - Is there a way to use comet connection for something like a selector?

 Regards,
   Steffen








Re: [OT] Basic Authentication Failed with multibyte username

2010-01-22 Thread Christopher Schultz

André,

(Marking OT because, well... just because).

On 1/22/2010 2:59 PM, Warnier wrote:
 Christopher Schultz wrote:
 That authorization.getBytes() is just asking for trouble, because it
 uses the platform default encoding to convert characters to bytes. It
 should be using US-ASCII, ISO-8859-1, or something like that.
 
 -1
 I don't think you have a problem there, because what you are decoding
 into bytes there IS bytes (it is base64-encoded).

Maybe all character sets have bytes 0-127 the same as US-ASCII, but I
don't know about some of those I never see myself: Shift-JIS and all
those Asian encodings, etc. It would be better to be explicit.

 It also calls the String constructor with a byte array without
 specifying the encoding, therefore using the platform default.
 
 +1
 That is indeed where you have a problem.  There you SHOULD always decode
 it as US-ASCII (or maybe iso-8859-1, I'm not quite sure what the spec
 says exactly).

From my reading, the spec is silent but one can draw the conclusion that
US-ASCII is basically all that is supported. I should add the capability
of configuring this encoding to override the (soon to be) default of
US-ASCII: if the user knows the client will use UTF-8, they should be
allowed to force that encoding to be used.

 Let's say that the spec is clear and says that the header value is
 *TEXT, and that *TEXT is always US-ASCII (or ISO-8859-1) by default.
 
 Let's take it from the browser side first.
 If the userid:password is indeed composed only of us-ascii characters,
 then the browser base64-encodes this directly and it is trivial.(*)
 
 But let's say that userid:password is something else than us-ascii.
 Another part of the spec says that then, you have to encode it according
 to RFC2047.

No, I don't think this is correct: the spec says that the HTTP header
values must be in US-ASCII, and may be encoded using RFC2047 in order to
achieve that. Since Base64 encoding always results in a
US-ASCII-compatible value, there is no reason to involve RFC2047.

 My contention is then that the browser should first RFC2047-encode
 userid:password, and then base64-encode the result.

While that sounds like a good idea, it's almost certainly never done
that way.

 Back on the server side.
 The server base64-decodes the authorization token, into an ascii string.
 It can do that always, because either the string was ascii to start
 with, or else it was not, but then it has been RFC2047-encoded, yielding
 a result that is ascii.
 (like : =?iso-8859-2?B?base64-encoded stuff...?= )

This would be a decent configurable setting for a BASIC authenticator...
something like allow-rfc2047 or whatever. What about those people who
really want to have a username like =?whatever and a password like
whatever?=? They can't login? :)

 The above, I believe, would be totally consistent with the current RFCs.

Yes, but for whatever reason, nobody ever fully implements the RFCs :)
There are standards and there are practices. In this case, I think
practices outweigh the standards :)

 But there is a major catch : I don't believe that there is a browser on
 the market today, which properly encodes the userid:password string
 via rfc2047 when it isn't ascii.

Nor would it be appropriate to do so, because base64 encoding is
/always/ used and will therefore /always/ result in a valid HTTP
Authenticate header value.

-chris

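As an added example (not SecurityFilter's or Tomcat's code) of the point both André's post and Chris's reply make, here is a Basic header decoder in Java that names its charsets explicitly instead of inheriting the JVM default; the class name, the configurable charset parameter and the sample credentials are constructed for illustration, and the main() shows the same header decoded under UTF-8 and ISO-8859-1.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Decodes an HTTP Basic "Authorization" header value without relying on the
 * JVM's platform default charset. The charset for the decoded userid:password
 * is an explicit, configurable parameter (assumption: the deployment knows
 * what its clients send; ISO-8859-1 is the conservative default).
 */
public final class BasicCredentials {
    public final String username;
    public final String password;

    private BasicCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    /**
     * @return the credentials, or null when the header is absent, is not a
     *         Basic header, is not valid Base64, or lacks the ':' separator
     */
    public static BasicCredentials decode(String authorization, Charset charset) {
        if (authorization == null) {
            return null;
        }
        // The scheme name is case-insensitive; compare without toLowerCase(),
        // which would itself depend on the default locale.
        if (!authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String token = authorization.substring(6).trim();
        byte[] raw;
        try {
            // A Base64 token is pure ASCII by construction, so say so
            // explicitly instead of calling getBytes() with the default charset.
            raw = Base64.getDecoder().decode(token.getBytes(StandardCharsets.US_ASCII));
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        // This is the step the thread identifies as the real problem: the
        // decoded bytes are the client's userid:password in *some* charset,
        // and the server has to choose it rather than inherit the JVM default.
        String userPass = new String(raw, charset);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new BasicCredentials(userPass.substring(0, colon),
                                    userPass.substring(colon + 1));
    }

    /** Builds the header value the way a client would, in the given charset. */
    public static String encode(String username, String password, Charset charset) {
        byte[] raw = (username + ":" + password).getBytes(charset);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Constructed sample: a multibyte username (Japanese "user", written
        // as escapes so the source compiles under any -encoding) sent as UTF-8.
        String header = encode("\u30e6\u30fc\u30b6", "secret", StandardCharsets.UTF_8);

        BasicCredentials utf8 = decode(header, StandardCharsets.UTF_8);
        BasicCredentials latin1 = decode(header, StandardCharsets.ISO_8859_1);
        System.out.println("decoded as UTF-8      : " + utf8.username);
        System.out.println("decoded as ISO-8859-1 : " + latin1.username);
        System.out.println("same user?            : " + utf8.username.equals(latin1.username));

        // ASCII-only credentials decode identically under either charset,
        // which is why the bug goes unnoticed until a non-ASCII user shows up.
        BasicCredentials ascii = decode(encode("alice", "s3cret", StandardCharsets.ISO_8859_1),
                                        StandardCharsets.UTF_8);
        System.out.println("ascii user            : " + ascii.username + " / " + ascii.password);
        System.out.println("JVM default charset   : " + Charset.defaultCharset());
    }
}
```

Run it twice with different -Dfile.encoding values and the output does not change, which is the property the original getBytes()/new String(byte[]) pair lacked.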



RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

2010-01-22 Thread Matt Turner

Thanks for the responses.

In between times I tried the ProxyPass which seems to work fine, but I'd much 
rather use plain AJP so I'll try that next.
I've had problems previously getting CAS working where the SSL is handled by 
the webserver - however from what everyone has said and having read around the 
issue a bit more, it does sound like using AJP ought to work, so long as Apache 
is configured to pass through all the relevant SSL and cert. info to tomcat 
(presumably so that isSecure() can work, plus I think CAS validates 
certificates too).

 Date: Fri, 22 Jan 2010 14:53:21 -0500
 From: ch...@christopherschultz.net
 To: users@tomcat.apache.org
 Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
 
 
 Matt,
 
 On 1/22/2010 9:25 AM, Matt Turner wrote:
  In my case sometimes I do need to pass through the SSL to Tomcat, as
  I'm running CAS which requires genuine SSL requests.
 
 mod_jk ought to be able to forward all SSL information to Tomcat.
 Specifically, what does CAS require?
 
  (I do also have some SSL requests that tomcat doesn't need to see -
  which I will send via 8009 as has been suggested).
  
  The SSL pass-through requirement explains why I was attempting to
  pass through to :8443 directly - but it sounds like that's the wrong
  approach.
 
 Unless something specific is actually not working, you ought to be able
 to use a vanilla AJP connection for both secure and non-secure HTTP
 (even via the same worker/Connector).
 
  Should I just use something like..
  
  ProxyPass /cas https://10.13.0.218:8443/cas ?
 
 Now, you're switching from mod_jk to mod_proxy_http(s). Can CAS really
 not function properly with an AJP connection?
 
 If you proxy HTTPS you are likely to get in all kinds of trouble because
 the client is no longer your user... it's your web server. And the
 server is no longer the web server... it's Tomcat.
 
 -chris
 
 
  

Windows Installer with support for 32 bit JVM on 64 bit OS

2010-01-22 Thread Patrick Flaherty
Will there be a Windows installer that will install and use a 32 bit  
JVM on a 64 bit OS (Like 6.0.20 did)?


I have some 32 bit native extensions (dlls) and have some time before  
I see a 64 bit version of the dll.


Thanks
-p




RE: Windows Installer with support for 32 bit JVM on 64 bit OS

2010-01-22 Thread Caldarale, Charles R
 From: Patrick Flaherty [mailto:pflah...@rampageinc.com]
 Subject: Windows Installer with support for 32 bit JVM on 64 bit OS
 
 Will there be a Windows installer that will install and use a 32 bit
 JVM on a 64 bit OS (Like 6.0.20 did)?

Don't know, but you can use the *-x86.zip download and use the service.bat 
script to install the service.  The architecture-specific zip files are here:
http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.24/bin/

 - Chuck







Re: Windows Installer with support for 32 bit JVM on 64 bit OS

2010-01-22 Thread Patrick Flaherty

Perfect, that works !

Thanks Charles.

-P

--
From: Caldarale, Charles R chuck.caldar...@unisys.com
Sent: Friday, January 22, 2010 7:19 PM
To: Tomcat Users List users@tomcat.apache.org
Subject: RE: Windows Installer with support for 32 bit JVM on 64 bit OS


From: Patrick Flaherty [mailto:pflah...@rampageinc.com]
Subject: Windows Installer with support for 32 bit JVM on 64 bit OS

Will there be a Windows installer that will install and use a 32 bit
JVM on a 64 bit OS (Like 6.0.20 did)?


Don't know, but you can use the *-x86.zip download and use the service.bat 
script to install the service.  The architecture-specific zip files are 
here:

http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.24/bin/

- Chuck













Re: newbie: multiple ports for same tomcat server 5.0

2010-01-22 Thread Chart

I have everything working from the first post.  Per the last update the
problem looks like I confused Chuck on my original post when I thought I
stated that IIS was running on a different box.  There are two distinct
boxes (one on the outside running IIS and one on the inside running Tomcat).  
Therefore everything that Chuck stated in the post confused me and everyone
else that has read the updates, because he thought everything was running on
one box.   I appreciate everyone's help and everything is working.  


awarnier wrote:
 
 Now here we have a case where I, the dummy on this forum, spent hours 
 creating a work of ascii art explaining clearly and precisely to the OP 
 what he needs to change, and where subsequently the two gurus manage, in 
 just a couple of posts, to totally confuse the OP.
 t.
 
 
 (And, by the way, it appears that SSI, mentioned by the OP in the 
 initial post, and which somewhat puzzled me too but which I decided to 
 just copy along, should in reality have been noted IIS.  Which makes 
 it a lot clearer for everyone now.)
 
 
 So, Chart, bear with me.
 
 Go back to the picture.
 
 In the first version, there was your current configuration, with the IIS 
 server, which in all likelihood is currently listening on port 80.
 
 In your original post, you indicated your intention of turning it off, 
 and having (internal) users access Tomcat directly on port 80.
 
 For that, you need Tomcat to listen on port 80, which it doesn't yet do 
 currently.
 So I tried to show you what you need to do to Tomcat, so that it will 
 listen on port 80 (essentially, add a Connector, similar to the one 
 you have for port 8082, but this new one listening on port 80).
 
 Unfortunately, in version 2 of the picture, where I represented this 
 additional Connector, I also left in the IIS server (which also listens 
 on port 80).
 If both IIS and Tomcat are running on the same host, that does not work.
 You cannot have IIS and Tomcat both listen, at the same time, on all IP 
 addresses of the same host, and on port 80.
 There is a conflict : only one of them can be doing that at any one time.
 
 So,
 
 - if the IIS server is on another host than Tomcat, then it is fine, 
 there is no conflict, and what I showed in version 2 is fine.
 
 - if the IIS server and Tomcat are on the same host, then in principle 
 only one of them can be listening on port 80.  So you have to start 
 /either/ IIS /or/ Tomcat, but not both at the same time.
 Which is OK if as you mentioned, you are going to eliminate IIS anyway.
 (If you try to start Tomcat that way while IIS is running, Tomcat will 
 not start, because it will be unable to open port 80; it is already
 taken).
 
 IF however, IIS and Tomcat being on the same host, AND for some reason 
 you still want to leave IIS running, then there is still a way to avoid 
 the conflict. But it involves the fact that your host has at least 2 
 distinct IP addresses, and a bit more configuration.
 Which we will then explain to you if that is your case.
 
 
 
 
 






question for deploystartup forROOT.war on tomcat cluster

2010-01-22 Thread Okubo, Yasushi (TSD)

Hi

I have my application packaged as ROOT.war file. I can auto-deploy this
war file on single tomcat instance whenever I restart tomcat or put a
new war file into webapps. However, if I put the same war file into
tomcat cluster and restart tomcat, tomcat does not redeploy this war
file. 

In a tomcat cluster [6.0.20/Redhat 5 (linux)], I tested as follows:

A. tomcat fresh startup [succeeded to run ROOT application] 
1. shutdown tomcat
2. confirmed only webapps/ROOT.war existed and no
[Catalina_home]/conf/ROOT.xml and no webapps/ROOT
3. start tomcat [node1 of cluster]
4. confirmed that ROOT.war was deployed

B. restarting tomcat [failed to run ROOT application]
1. shutdown tomcat
2. confirmed that [Catalina_home]/conf/ROOT.xml and webapps/ROOT and
webapps/ROOT.war existed 
3. simply restarted tomcat by executing startup.sh
4. other applications under webapps including host-manager etc deployed
and running properly
5. confirmed that only ROOT.war was not deployed

C. test autodeploy [succeeded to run ROOT application]
1. confirmed that tomcat is running
2. moved ROOT.war out of webapps
3. confirmed that tomcat removed [Catalina_home]/conf/ROOT.xml and
webapps/ROOT
4. copied ROOT.war backed to webapps
5. confirmed that tomcat created [Catalina_home]/conf/ROOT.xml and
webapps/ROOT and the application packaged in ROOT.war is running


Is there any trick to make case B work?

Thanks,   





Including a file into server.xml

2010-01-22 Thread Aryeh M. Friedman
I have a Java based XML DB that keeps track of different configurations 
for various sites we host and it is trivial to have it spit out a Host 
entry compatible with server.xml for each site... the only problem we 
have is how to insert the output into server.xml without garbaging 
and/or having to parse the file... the solution I want to use is 
"include file X here" but I can not find any way of coding that into 
server.xml. If it is compatible with standard XML inclusion tags 
just let me know and I will figure out the rest; if not, is there a 
special tag or something?





Re: Including a file into server.xml

2010-01-22 Thread Jorge Medina
I don't know of any inclusion tag.

I had a similar problem with context.xml, I used an XSLT transformation to
add new Resources entries during installation time depending on the number
of databases a user wanted to configure.  I used a dummy Resource entry
and used XSLT to make a copy of it replacing a set of attributes with values
provided by the user. At the end, I used another XSLT to remove the dummy
Resource.


On Fri, Jan 22, 2010 at 11:31 PM, Aryeh M. Friedman 
aryeh.fried...@gmail.com wrote:

 I have a Java based XML DB that keeps track of different configurations
 for various sites we host and it is trivial to have it spit out a Host
 entry compatible with server.xml for each site... the only problem we have
 is how to insert the output into server.xml without garbaging and/or having
 to parse the file... the solution I want to use is "include file X here" but
 I can not find any way of coding that into server.xml. If it is
 compatible with standard XML inclusion tags just let me know and I will
 figure out the rest; if not, is there a special tag or something?





Please Validate this Question

2010-01-22 Thread Karthik Nanjangude
Hi

Please Validate this Question


SPEC: JDK 1.5
TOMCAT 6.0.20
OS 1, 2: Windows 2000 Server
Apache HTTP - 2.x


1)   A custom-built web application uses a Quartz process (cron job) 
every 20 minutes to connect to the DB (JNDI based connection pool) and 
process some data, when deployed on a single system.

2)   The same is deployed in Apache 2.x - Tomcat CLUSTER mode as 2 
instances on 2 different independent systems.

  Question:   Will each instance of the application connect to the DB 
every 20 minutes based on the cron job configuration?

  If so, is there any way within the cluster configuration to prevent this 
issue?





With regards
karthik