Re: Securing Tomcat Applications from Reverse Engineering
Hi,

Thanks for the info. I shall take a look at the new licensing link you have sent.

Best Regards,
Kranti K K Parisa

On Fri, Jan 22, 2010 at 11:17 AM, Dmitry Leskov dles...@excelsior-usa.com wrote:

To list owner: I am not sure if vendors are prohibited from posting comments to this list, if they are, let me know and I won't post next time.

Excelsior JET is not an IDE that every developer must have on his/her workstation. It is more like a setup generator. Typically, a team of developers working on a particular project would purchase one or two licenses. As a result, the smaller the team, the higher is the price per developer. For small companies, especially for early stage startups that do not yet have paying customers, this surely may be a deal breaker.

We have therefore created a special licensing program that has been working very well for our smaller customers since mid-2008:

http://www.excelsior-usa.com/store/jetmb.html

Please do not hesitate to email me directly if you have any questions.

Sincerely,
Dmitry Leskov
Excelsior LLC

P.S. The main information page for Tomcat Web apps protection is http://www.excelsior-usa.com/protect-java-web-applications.html

Well, there are so many comments on the cost of IP and other tools. When we are a small team that started working on a web based product with open source tools, for sure we can't spend too much on the tools to protect the IP rights. Because once we deploy for a few clients, if it's a good product, what if they steal the code and also ideas? I agree to have legal terms and all that stuff, but that would be a big story for us being small. So I just wanted to see if anything is available to protect our work and ideas (ideas at code implementation level by using different open source technologies; well, there are many companies who started like this).

Anyway, thanks for the comments. I would love to share if we invent anything in this process, because small is big and it matters :)

Best Regards,
Kranti K K Parisa

On Thu, Jan 21, 2010 at 5:00 PM, André Warnier a...@ice-sa.com wrote:

Peter Crowther wrote:

2010/1/21 Kranti (tm) K K Parisa kranti.par...@gmail.com

How could we achieve this without the above tool? Because the pricing of the above tool is very costly.

Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.

I'll add something to that, just for the sake of it. I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
(tomcat 6) percent encoding problem
Hi,

When I execute this command:

curl -XGET -i http://localhost:8080/app/rs/system/EN/foo%2Fbar

I receive a 400 BAD REQUEST. However, if I deploy the app to Jetty, the command will work fine.

Question: Is there a way to configure tomcat to behave like jetty with regards to percent-encodings in the URI?

Thanks,
François Duvalier
Haiti
Re: (tomcat 6) percent encoding problem
2010/1/22 François Duvalier m.francois.duval...@gmail.com:

Hi,

When I execute this command:

curl -XGET -i http://localhost:8080/app/rs/system/EN/foo%2Fbar

I receive a 400 BAD REQUEST. However, if I deploy the app to Jetty, the command will work fine.

Question: Is there a way to configure tomcat to behave like jetty with regards to percent-encodings in the URI?

It is disabled by default, probably for the sake of security. See the ALLOW_ENCODED_SLASH property here:

http://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html

Best regards,
Konstantin Kolinko
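Why a server might refuse `%2F` by default, shown on the path from this thread: a component that splits the path before decoding and one that decodes before splitting see different segments. This Python sketch is an added example, not code from the thread or from Tomcat; `check_path` is a simplified stand-in for a reject-by-default policy, and its second-pass check for double encoding is an added, stricter assumption.

```python
from urllib.parse import unquote

# Path taken from the curl command in the thread.
SAMPLE_PATH = "/app/rs/system/EN/foo%2Fbar"

# Percent-encoded forms of '/' and '\', compared case-insensitively.
ENCODED_SEPARATORS = ("%2f", "%5c")


def split_then_decode(raw_path):
    """Split on literal '/', then decode each segment.

    The encoded slash stays inside one segment as data.
    """
    return [unquote(seg) for seg in raw_path.split("/") if seg]


def decode_then_split(raw_path):
    """Decode the whole path first, then split.

    The encoded slash turns into a path delimiter.
    """
    return [seg for seg in unquote(raw_path).split("/") if seg]


def is_ambiguous(raw_path):
    """True when the two processing orders disagree about the segments."""
    return split_then_decode(raw_path) != decode_then_split(raw_path)


def check_path(raw_path, allow_encoded_slash=False):
    """Return (status, segments) under a reject-by-default policy.

    Hypothetical helper: 400 when an encoded separator is present, either
    as sent or after one decoding pass (the latter catches %252F, which a
    second decode further down the chain would turn into a slash).
    """
    if not allow_encoded_slash:
        as_sent = raw_path.lower()
        decoded_once = unquote(raw_path).lower()
        if any(tok in as_sent or tok in decoded_once
               for tok in ENCODED_SEPARATORS):
            return 400, None
    return 200, split_then_decode(raw_path)


if __name__ == "__main__":
    print("split then decode:", split_then_decode(SAMPLE_PATH))
    print("decode then split:", decode_then_split(SAMPLE_PATH))
    print("ambiguous:", is_ambiguous(SAMPLE_PATH))
    print("default policy:", check_path(SAMPLE_PATH))
    print("encoded slash allowed:", check_path(SAMPLE_PATH, True))
```

If encoded slashes are allowed, every component in front of and behind the server has to use the same processing order, otherwise access rules written against one view of the path are evaluated against another.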
problem with tomcat 5.5 and apache AJP
Hello,

we are trying to get a working configuration of tomcat behind apache httpd using AJP. This has worked well, for a while. But after some time, the apache httpd server replies with one of these two messages; it changes randomly but we are unable to get the tomcat pages to show:

Service Temporarily Unavailable, The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

or

Bad Gateway, The proxy server received an invalid response from an upstream server.

What we don't understand is that it pops up and out randomly without any changes to configuration. Restarting apache httpd does not solve the issue. Restarting tomcat does not either. We have no clue as to why it doesn't work or why it worked in the past. Can someone tell what's wrong with this configuration?

Server Version: Apache/2.2.13 (Unix) mod_jk/1.2.28 PHP/5.3.1
Server Time: Fri, 22 Jan 2010 10:05:26 UTC
JK Version: mod_jk/1.2.28

Note: the jkstatus page says everything is ok :/

Thank you.

The tomcat logs show this, which proves apache is connected to the right tomcat instance:

INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks status 2
INFO TP-Processor3 org.apache.jk.common.HandlerRequest - Secret: MyPass
WARN TP-Processor3 org.apache.jk.common.ChannelSocket - processCallbacks status 2

Our access logs (which are driven by a tomcat valve) show no connection at all from any client, so it seems messages do not reach catalina.

Tomcat ajp is configured as follows:

<Connector port="8019" protocol="AJP/1.3" request.secret="MyPass" protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler" redirectPort="443"></Connector>

and apache is configured as follows:

worker.list=lbJboss,lbOld,lbTomcat,status

# Define jbossBoromir
# modify the host as your host IP or DNS name.
worker.jbossBoromir.port=8009
worker.jbossBoromir.host=localhost
worker.jbossBoromir.type=ajp13
worker.jbossBoromir.lbfactor=1
worker.jbossBoromir.prepost_timeout=1 #Not required if using ping_mode=A
worker.jbossBoromir.connect_timeout=1 #Not required if using ping_mode=A
worker.jbossBoromir.secret=MyPass
#worker.tomcatBoromir.ping_mode=A #As of mod_jk 1.2.27
# worker.tomcatBoromir.connection_pool_size=10 (1)

worker.tomcatBoromir.port=8019
worker.tomcatBoromir.host=localhost
worker.tomcatBoromir.type=ajp13
worker.tomcatBoromir.lbfactor=1
worker.tomcatBoromir.prepost_timeout=1 #Not required if using ping_mode=A
worker.tomcatBoromir.connect_timeout=1 #Not required if using ping_mode=A
worker.tomcatBoromir.secret=MyPass
#worker.tomcatBoromir.ping_mode=A #As of mod_jk 1.2.27
#worker.tomcatBoromir.connection_pool_size=10 (1)

worker.tomcatIlluin.port=8019
worker.tomcatIlluin.host=illuin
worker.tomcatIlluin.type=ajp13
worker.tomcatIlluin.lbfactor=1
worker.tomcatIlluin.prepost_timeout=1 #Not required if using ping_mode=A
worker.tomcatIlluin.connect_timeout=1 #Not required if using ping_mode=A
worker.tomcatIlluin.secret=MyPass

# Load-balancing behaviour
worker.lbJboss.type=lb
worker.lbJboss.balance_workers=jbossBoromir
worker.lbTomcat.type=lb
worker.lbTomcat.balance_workers=tomcatBoromir
worker.lbOld.type=lb
worker.lbOld.balance_workers=tomcatIlluin

# Status worker for managing load balancer
worker.status.type=status

--
David Delbecq
ICT
Institut Royal Météorologique
Ext:557
6.0.24
Just a quick FYI.

Looks like there's some errors on the mirrors at the moment. I got a couple of 404s and a 500 from different servers.

p
Tomcat 5.5.28 EL not evaluated
Dear All,

My OS is Fedora, and I have installed tomcat 5.5.28. I have a web app. My jsp page has EL as follows: ${perosn.name}. I put jsp-api.jar and servlet-api.jar into /usr/java/jdk1.5.0_16/jre/lib/ext. The servlet works fine, but the above EL is considered as plain text.

The web.xml of my web app has the following lines:

<jsp-config>
  <jsp-property-group>
    <url-pattern>*.jsp</url-pattern>
    <el-ignored>false</el-ignored>
    <scripting-invalid>true</scripting-invalid>
  </jsp-property-group>
</jsp-config>

Why is EL not getting evaluated after translation to the .java file? Can someone please help me sort out this problem?

Regards
Re: 6.0.24
2010/1/22 Pid p...@pidster.com:

Just a quick FYI. Looks like there's some errors on the mirrors at the moment. I got a couple of 404s and a 500 from different servers.

It might happen, though according to the mirror status monitor page, most mirrors are up-to-date and running.

http://www.apache.org/mirrors/

You can choose any other mirror from the above list. The download folder for 6.0.24 is tomcat/tomcat-6/v6.0.24/

Best regards,
Konstantin Kolinko
RE: Tomcat 5.5.28 EL not evaluated
Check this FAQ - http://faq.javaranch.com/java/ElOrJstlNotWorkingAsExpected

With best regards,
Nishant Hadole
Siemens IT Solutions and Services
error-page problem - nested exceptions
Hi All,

I use web.xml error-page handlers, some with error-code and others with exception-type. At the end I have a catchall error-page that handles java.lang.Throwable - users never see a stack trace and the world is a good place.

However, I've recently added a Hibernate security layer that throws an UnAuthorisedAccessException that gets wrapped in a Spring NestedServletException before it hits the error-page handlers.

Now I understand that it tries to match the top level Exception in the stack first, then uses the next nested exception after that and so on until an error-page is matched.

The problem is that my catchall Throwable is matching the NestedServletException first, before the wrapped UnAuthorisedAccessException hits its error-page handler.

I need the users to see that they don't have the privileges rather than a generic error message - I also need the catchall!

Has anyone else dealt with this issue? I've been searching for a couple of days on this now.

TIA,
rotis23
mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Hi All,

I have an existing Apache 2.0.52 installation, and a new tomcat 6.0.20 installation. They are both sitting on the same Linux box - uname -a returns the following:

Linux [machine name] 2.6.9-55.ELsmp #1 SMP Fri Apr 20 16:36:54 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

I'd like if possible to add mod_jk to enable the two to talk to each other, without fiddling with the existing tomcat / apache versions. So far I've built mod_jk 1.2.28 from source on the destination machine, and set up the following workers:

(in apache conf)

<IfModule mod_jk.c>
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile /etc/httpd/logs/mod_jk.log
JkLogLevel debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile /etc/httpd/logs/mod_jk.log
JkLogLevel debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkRequestLogFormat "%w %V %T"
JkOptions +ForwardURICompatUnparsed
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
</IfModule>

(in apache conf, inside a virtual host)

SSLEngine on
SSLCertificateFile /etc/httpd/conf/filename
SSLCertificateKeyFile /etc/httpd/conf/filename
SSLCACertificateFile /etc/httpd/conf/filename
JkMount /* tomcatssl

(in workers.properties)

#
# First tomcat server
#
worker.tomcat1.port=8009
worker.tomcat1.host=10.13.0.218
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=50

#-
# SSL tomcat server
#-
worker.tomcatssl.port=8443
worker.tomcatssl.host=10.13.0.218
worker.tomcatssl.type=ajp13
worker.tomcatssl.lbfactor=50

However, when I kick things off and visit a URL matching the above virtual host, I get the following error message in mod_jk.log:

[Thu Jan 21 18:51:07 2010] [303:2537062720] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Thu Jan 21 18:51:30 2010] [30428:2537062720] [error] ajp_connection_tcp_get_message::jk_ajp_common.c (1172): wrong message format 0x1503 from 10.13.0.218:8443

Looking at jk_ajp_common.c I can see the following @ line 1172:

if (ae->proto == AJP13_PROTO) {
    if (header != AJP13_SW_HEADER) {
        if (header == AJP14_SW_HEADER) {
            jk_log(l, JK_LOG_ERROR,
                   "received AJP14 reply on an AJP13 connection from %s",
                   jk_dump_hinfo(ae->worker->worker_inet_addr, buf));
        }
        else {
            jk_log(l, JK_LOG_ERROR,
                   "wrong message format 0x%04x from %s",
                   header,
                   jk_dump_hinfo(ae->worker->worker_inet_addr, buf));
        }

So it seems the error has something to do with AJP13 headers not being as expected.

Could anyone confirm that the 3 version numbers (2.0.52, 1.2.28, 6.0.20) are compatible together? If so - any ideas what might be going on here?

thanks,
matt.
Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
I'm not an AJP expert, but I suspect:

- You're telling AJP to use a secure connection between httpd and Tomcat;
- The Tomcat connector on port 8443 is a SSL connector, not an AJP connector;
- AJP is getting confused.

I believe you should only need to configure one worker (the one on 8009); AJP is capable of passing through the information as to whether or not the data arrived securely or not at httpd.

I suspect you'll get a better answer once the States wakes up, but that's my guess.

- Peter
RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
OK - sounds likely, many thanks. I'll give that a whirl.
Re: Problem starting connection pooling
Mark Witczak wrote:

I'm very new to Tomcat, connection pooling, JSP, etc. and I've been banging my head against a wall for two weeks trying to get a simple program to connect to a MySQL database.

*Vital Stats:*
Ubuntu 9.10, Java 1.6.0_0, Java Servlet 2.5, Java Server Pages 2.1, JSTL 1.2, Apache2, Tomcat 6.0.20, MySQL 5.1.41 5.0.67
MySQL Connector/J 5.1.11 (also 5.1.10) - in $CATALINA_HOME/lib
dbcp 1.2.1 - in $CATALINA_HOME/lib
(all standard Ubuntu issue)

*testapp/WEB-INF/web.xml:*

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
  <description>Servlet and JSP Examples.</description>
  <display-name>Servlet and JSP Examples</display-name>
  <resource-ref>
    <description>DB Connection</description>
    <res-ref-name>jdbc/mydatabase</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>

*testapp/META-INF/context.xml:*

<?xml version="1.0" encoding="UTF-8"?>
<Context path="/junk" docBase="junk" debug="5" reloadable="true" crossContext="true">
  <Resource name="jdbc/mydatabase" auth="Container" type="javax.sql.DataSource"
      maxActive="100" maxIdle="30" maxWait="1"
      username="foo" password="bar"
      driverClassName="com.mysql.jdbc.Driver"
      url="jdbc:mysql://test.hostname.com:3306/database_test1"/>
</Context>

*testapp/testapp.jsp:*

<%@ page contentType="text/html" %>
<%-- These libraries are required for the c and sql tags --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<html>
<head>
<title>JNDI DBCP Test Page</title>
</head>
<body>
<h1>JNDI DBCP Test Page</h1>
<br/>Executing the query ...<br/>
<%-- Note: Enter a query that is valid for your database here --%>
<sql:query var="result" dataSource="jdbc/mydatabase">
SELECT company FROM manuals
</sql:query>
</body>
</html>

I create the WAR (jar cvf testapp.war *), undeploy the old version and redeploy the new one through Tomcat Web Application Manager. Then restart Tomcat (sudo /etc/init.d/tomcat restart).

The result is:

Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Jan 21, 2010 9:43:06 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet jsp threw exception
javax.servlet.jsp.JspException: Unable to get connection, DataSource invalid: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Communications link failure The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.)
at org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.getConnection(Unknown Source)
at org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.doStartTag(Unknown Source)
at org.apache.jsp.test_jsp._jspx_meth_sql_005fquery_005f0(test_jsp.java:188)
at org.apache.jsp.test_jsp._jspService(test_jsp.java:138)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
Blah, Blah, Blah

*More info:* The connection to MySQL tested successfully using the command line 'mysql'. There are no firewalls, that I can find, between the servers.

What is going on here? What am I missing? What is going on here? How do I fix it?
- Do I need to create a foo user in the tomcat-users.xml?
- Do I have to mess with the policy files? or security?

Thanks for your help.

Mark

What options did you use with the mysql command to test MySQL? Be careful as the command line will use unix sockets instead of tcp/ip by default. The JDBC driver won't be able to do that.

--David
Re: problem with tomcat 5.5 and apache AJP
Hi.

(In the hope that solving this will help improve the weather in Belgium)

About your main issue: in my own experience, whenever we get the kind of error messages which you indicate, they are right. It really means that the back-end Tomcat is for some reason not responding to Apache/mod_jk within a certain limit of time. That can be because it is really down, or because it is very busy doing something else (all threads are already processing requests, or the requested webapp is busy starting up, or something like that). Or, you may be having network connectivity problems (but that would normally not be the case if both Apache and Tomcat are on the same host).

But maybe the confusion below about load balancing is the root cause of the problems.

I don't know if I am understanding your quoted configuration correctly, but if I do, it puzzles me a bit. You seem to have 3 separate servlet engines: on localhost, you have a jBoss and a Tomcat, and on illuin, you have a Tomcat.

The jBoss on localhost has an AJP Connector listening on port 8009. The corresponding worker is named jbossBoromir.
The Tomcat on localhost has an AJP Connector listening on port 8019. The corresponding worker is named tomcatBoromir.
The Tomcat on illuin has an AJP Connector listening on port 8019. The corresponding worker is named tomcatIlluin.

Then for each one, you have an additional load balancer worker. So each load balancer worker only balances a single Tomcat/jBoss. This seems a bit counter-intuitive.

Why not have

worker.list=jbossBoromir,tomcatBoromir,tomcatIlluin,status

directly, and take the load balancer workers out of the equation, since they each balance only 1 back-end?

Or, if your idea is really to balance all requests between all 3 back-ends, then use one single load-balancer worker, but have it balance all 3 real workers. Like:

worker.list=lb,status
worker.lb.balance_workers=jbossBoromir,tomcatBoromir,tomcatIlluin

The point is, in my understanding, a load balancer worker only makes sense if it balances at least 2 real workers (tomcat or jboss). Otherwise it seems pretty pointless. Or is it only in order to be able to use the status worker?

What do your JkMount lines at the Apache level look like? That may allow us to figure out what you are trying to achieve.
Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
I guess that you should exchange the

JkMount /* tomcatssl

by

JkMount /* tomcat1

provided you use a standard Tomcat-setup.

For a parallel SSL- + Non-SSL-Setup using Apache2 you basically need 2 virtual-hosts in Apache2. One for Port 443 with the standard-SSL-parameters Apache2 expects to integrate OpenSSL for https and another for Port 80 / plain http. The Jk-directives are the same for both virtual hosts and don't care about SSL and go to Tomcats port 8009 (= using standard configuration).

8443 is typically the http-over-ssl-port (=http) for direct SSL access via coyote-connector and has nothing to do with ajp.

If your Apache2 is doing the SSL-integration Tomcat sees no SSL-traffic because Apache2 lets openssl do the conversion from SSL and is connecting to Tomcat without any SSL-traffic but simple http.

You can give Tomcat some information about the SSL-session like you did with

JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT

but then you have to give Apache2 an advice to deliver these information by a

SSLOptions +StdEnvVars +ExportCertData

(http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html might give you an idea about the two possibilities to setup Tomcat + SSL)

On some of our servers we're still running Apache 2.0 + mod_jk + Tomcat 6 on Solaris - nearly the same setup as under Linux. These servers run with SSL and Non-SSL parallel but without these extra Jk-SSL-indicator-parameters you are using.

Regards,
Tobias.
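The diagnosis in the two replies above can be read off the logged value itself: mod_jk prints the first two bytes of the reply, and 0x15 0x03 is how a TLS alert record begins, whereas an AJP13 container reply begins with 0x4142 ("AB"). The following Python script is an added example, not code from the thread or from mod_jk; it classifies the value in each "wrong message format" line and names the ajp13 workers that point at that peer. The HTTP classification goes beyond the single case in the thread, and host matching is a plain string comparison (an assumption).

```python
"""Triage mod_jk 'wrong message format' errors against workers.properties."""
import re
from dataclasses import dataclass, field

# AJP13 magic values as defined in the mod_jk source.
AJP13_WS_HEADER = 0x1234  # web server -> container
AJP13_SW_HEADER = 0x4142  # container -> web server, ASCII "AB"

# First byte of a TLS record is the content type; the second byte is the
# major protocol version, 0x03 for SSLv3 and every TLS version.
TLS_RECORD_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

WRONG_FORMAT = re.compile(
    r"wrong message format 0x([0-9a-fA-F]{4}) from (\S+):(\d+)")
WORKER_PROP = re.compile(
    r"^\s*worker\.([^.=\s]+)\.([^.=\s]+)\s*=\s*(\S+)", re.MULTILINE)

# Both samples are copied from the thread above.
SAMPLE_LOG = """\
[Thu Jan 21 18:51:07 2010] [303:2537062720] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Thu Jan 21 18:51:30 2010] [30428:2537062720] [error] ajp_connection_tcp_get_message::jk_ajp_common.c (1172): wrong message format 0x1503 from 10.13.0.218:8443
"""
SAMPLE_WORKERS = """\
worker.tomcat1.port=8009
worker.tomcat1.host=10.13.0.218
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=50
worker.tomcatssl.port=8443
worker.tomcatssl.host=10.13.0.218
worker.tomcatssl.type=ajp13
worker.tomcatssl.lbfactor=50
"""


@dataclass
class Finding:
    peer: str
    header: int
    verdict: str
    workers: list = field(default_factory=list)


def classify_header(header):
    """Say what kind of listener sends these two bytes first."""
    hi, lo = header >> 8, header & 0xFF
    if header == AJP13_SW_HEADER:
        return "valid AJP13 container reply ('AB')"
    if header == AJP13_WS_HEADER:
        return "AJP13 web-server-side magic: peer is not a container"
    if hi in TLS_RECORD_TYPES and lo == 0x03:
        return f"TLS record ({TLS_RECORD_TYPES[hi]}): peer is an SSL/TLS listener"
    if bytes([hi, lo]) == b"HT":
        return "start of 'HTTP/': peer is a plain HTTP listener"
    return "unrecognised: not AJP13"


def parse_workers(text):
    """Return {worker: {property: value}}; comment lines are skipped and
    trailing '#...' remarks are dropped because values stop at whitespace."""
    workers = {}
    for name, prop, value in WORKER_PROP.findall(text):
        workers.setdefault(name, {})[prop] = value
    return workers


def diagnose(log_text, workers_text):
    """One Finding per 'wrong message format' line, with the ajp13 workers
    whose host and port equal the peer named in that line."""
    workers = parse_workers(workers_text)
    findings = []
    for match in WRONG_FORMAT.finditer(log_text):
        header = int(match.group(1), 16)
        host, port = match.group(2), match.group(3)
        hits = sorted(
            name for name, props in workers.items()
            if props.get("type") == "ajp13"
            and props.get("host") == host and props.get("port") == port)
        findings.append(
            Finding(f"{host}:{port}", header, classify_header(header), hits))
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, SAMPLE_WORKERS):
        print(f"{f.peer} sent 0x{f.header:04x}: {f.verdict}")
        print("  ajp13 workers pointing there:", ", ".join(f.workers) or "none")
```

On the thread's data the script reports worker tomcatssl as an ajp13 worker aimed at a TLS listener, which is the misconfiguration both replies describe.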
Re: Problem starting connection pooling
On 1/22/2010 8:05 AM, David Smith wrote:

Mark Witczak wrote:

I'm very new to Tomcat, connection pooling, JSP, etc. and I've been banging my head against a wall for two weeks trying to get a simple program to connect to a MySQL database.

*Vital Stats:*
Ubuntu 9.10, Java 1.6.0_0, Java Servlet 2.5, Java Server Pages 2.1, JSTL 1.2, Apache2, Tomcat 6.0.20, MySQL 5.1.41 5.0.67
MySQL Connector/J 5.1.11 (also 5.1.10) - in $CATALINA_HOME/lib
dbcp 1.2.1 - in $CATALINA_HOME/lib
(all standard Ubuntu issue)

*testapp/WEB-INF/web.xml:*

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
      <description>
        Servlet and JSP Examples.
      </description>
      <display-name>Servlet and JSP Examples</display-name>
      <resource-ref>
        <description>DB Connection</description>
        <res-ref-name>jdbc/mydatabase</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>
    </web-app>

*testapp/META-INF/context.xml:*

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/junk" docBase="junk" debug="5" reloadable="true" crossContext="true">
      <Resource name="jdbc/mydatabase" auth="Container" type="javax.sql.DataSource"
                maxActive="100" maxIdle="30" maxWait="1"
                username="foo" password="bar"
                driverClassName="com.mysql.jdbc.Driver"
                url="jdbc:mysql://test.hostname.com:3306/database_test1"/>
    </Context>

*testapp/testapp.jsp:*

    <%@ page contentType="text/html" %>
    <%-- These libraries are required for the <c> and <sql> tags --%>
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <html>
    <head>
    <title>JNDI DBCP Test Page</title>
    </head>
    <body>
    <h1>JNDI DBCP Test Page</h1>
    <br/>Executing the query ...
    <br/>
    <%-- Note: Enter a query that is valid for your database here --%>
    <sql:query var="result" dataSource="jdbc/mydatabase">
      SELECT company FROM manuals
    </sql:query>
    </body>
    </html>

I create the WAR (jar cvf testapp.war *), undeploy the old version and redeploy the new one through Tomcat Web Application Manager. Then restart Tomcat (sudo /etc/init.d/tomcat restart). The result is:

    Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
    INFO: ContextListener: contextInitialized()
    Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
    INFO: SessionListener: contextInitialized()
    Jan 21, 2010 9:43:06 PM org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet jsp threw exception
    javax.servlet.jsp.JspException: Unable to get connection, DataSource invalid: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Communications link failure The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.)
        at org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.getConnection(Unknown Source)
        at org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.doStartTag(Unknown Source)
        at org.apache.jsp.test_jsp._jspx_meth_sql_005fquery_005f0(test_jsp.java:188)
        at org.apache.jsp.test_jsp._jspService(test_jsp.java:138)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    Blah, Blah, Blah

*More info:* The connection to MySQL tested successfully using the command line 'mysql'. There are no firewalls, that I can find, between the servers.

What is going on here? What am I missing? What is going on here? How do I fix it?
-Do I need to create a foo user in the tomcat-users.xml?
-Do I have to mess with the policy files? or security?

Thanks for your help. Mark

What options did you use with the mysql command to test MySQL? Be careful as the command line will use unix sockets instead of tcp/ip by default. The JDBC driver won't be able to do that.

--David

I used:

    mysql -u foo -p -h test.hostname.com

Is there a way to force the command to use TCP/IP? Is there a parameter for networking that I should include in context.xml?

Thanks, Mark
RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
In my case sometimes I do need to pass through the SSL to Tomcat, as I'm running CAS which requires genuine SSL requests. (I do also have some SSL requests that tomcat doesn't need to see - which I will send via 8009 as has been suggested).

The SSL pass-through requirement explains why I was attempting to pass through to :8443 directly - but it sounds like that's the wrong approach. Should I just use something like..

    ProxyPass /cas https://10.13.0.218:8443/cas

?

Many thanks, matt.

Date: Fri, 22 Jan 2010 14:24:49 +0100
From: t...@cataneo.eu
To: users@tomcat.apache.org
Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

I guess that you should exchange the

    JkMount /* tomcatssl

by

    JkMount /* tomcat1

provided you use a standard Tomcat-setup.

For a parallel SSL- + Non-SSL-Setup using Apache2 you basically need 2 virtual-hosts in Apache2. One for Port 443 with the standard-SSL-parameters Apache2 expects to integrate OpenSSL for https and another for Port 80 / plain http. The Jk-directives are the same for both virtual hosts and don't care about SSL and go to Tomcats port 8009 (= using standard configuration). 8443 is typically the http-over-ssl-port (=http) for direct SSL access via coyote-connector and has nothing to do with ajp.

If your Apache2 is doing the SSL-integration Tomcat sees no SSL-traffic because Apache2 lets openssl do the conversion from SSL and is connecting to Tomcat without any SSL-traffic but simple http.
You can give Tomcat some information about the SSL-session like you did with

    JkExtractSSL On
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT

but then you have to give Apache2 an advice to deliver these information by a

    SSLOptions +StdEnvVars +ExportCertData

(http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html might give you an idea about the two possibilities to setup Tomcat + SSL)

On some of our servers we're still running Apache 2.0 + mod_jk + Tomcat 6 on Solaris - nearly the same setup as under Linux. These servers run with SSL and Non-SSL parallel but without these extra Jk-SSL-indicator-parameters you are using.

Regards, Tobias.
Re: [OT] Re: Securing Tomcat Applications from Reverse Engineering
On Thu, Jan 21, 2010 at 03:02:41PM +, Peter Crowther wrote:

2010/1/21 Mark H. Wood mw...@iupui.edu

Reverse engineering is not a technical problem; it is a legal problem. You need a lawyer, not a program.

Mmm, yes and no. Burglary is also a legal problem, but I have locks (on / around the things I want to keep, of a cost and quality appropriate to my expected loss) as well as being able to engage a lawyer if required.

The analogy is imprecise. If you lease a house to someone, you have no feasible technical means to control who enters your house -- the lessee possesses a key and can let in anyone he pleases. But you could write a lease which constrains the set of people lessee is permitted to allow in. (Dunno why, but you could.)

The house would be useless to lessee without a key. Similarly a program, distributed to a user, would be useless unless an intelligible version can be loaded or derived by the user's equipment. But if the user's equipment can load or derive an intelligible version of the program, the program can be reverse-engineered. That's why software licenses almost always contain specific language about reverse engineering.

In both cases the owner has *necessarily* given up technical control of the property, and can only exert control through legal means. You can't stop people abusing property that you hand over to them, but you may be able to punish them if they do.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
On Fri, 22 Jan 2010 14:25:11 +, Matt Turner m4tt_tur...@hotmail.com wrote:

The SSL pass-through requirement explains why I was attempting to pass through to :8443 directly - but it sounds like that's the wrong approach.

If it isn't possible to move the SSL-certificate and -keys to the Apache2 (and change the Tomcat to service ajp- or plain-http-requests) the only possibility to do a pass-through will be a NAT-machine / firewall with port-forwarding (e.g. port 443 - 8443). There is another approach to passthrough https (=443) to 8443 by using xinetd: http://tp.its.yale.edu/pipermail/cas/2008-April/008083.html

Should I just use something like.. ProxyPass /cas https://10.13.0.218:8443/cas ?

I doubt that this will work. A https-client (alias webbrowser) is transmitting SSL-traffic and ProxyPass is configuring a http-proxy which expects http - no matter what kind of traffic it use to connect to the real webserver.

RU, Tobias.
Re: Polling and session timeout
Pid,

On 1/21/2010 5:07 PM, Pid wrote:

On 21/01/2010 15:26, Christopher Schultz wrote:

Pid,

On 1/21/2010 3:32 AM, Pid wrote:

On 21/01/2010 04:45, grailcattt wrote:

That is exactly what I ended up doing and it is working well. I was hoping for a solution that used tomcat session management rather than managing my own session timeouts, but it works well.

If you put the poll servlet in a separate app and are NOT using the single sign on valve, you could set a separate session timeout in that servlet/app. I think.

If you access the session at all, it counts as a touch, thereby extending the life of the session. It's not possible to peek at the session without touching it AFAICT.

There's probably a way to do this with a replacement for either the session manager or a valve, but I think the code would need to divine the intent of the calling code to work properly. :(

True - the poll servlet would have to be stateless and couldn't use any login credentials without an independent login, which would probably be counter productive. But, the session would be separate and so this would meet the initial criteria of allowing the main app to time out 'naturally'. I think.

An interesting idea. Certainly, if the servlet were to call request.getSession(), then the session would be touched. On the other hand, for form-based logins, an HttpSession is precisely equal to a login, so I would bet that Tomcat updates the session last-used date when any request comes in with a valid session id, rather than requiring the servlet itself to specifically request it.

Spelunking into Tomcat's code for this kind of thing will take a long time, so I'm not willing to do it right now :) I suppose it could be demonstrated empirically, too.

-chris
Re: Polling and session timeout
Bob,

On 1/21/2010 8:36 PM, Bob Hall wrote:

--- On Thu, 1/21/10 at 7:26 AM, Christopher Schultz ch...@christopherschultz.net wrote:

If you access the session at all, it counts as a touch, thereby extending the life of the session. It's not possible to peek at the session without touching it AFAICT.

The Session timeout can be set when the response is being delivered via Session's setMaxInactiveInterval() method without extending the life of the Session. In a JSP:

    <% session.setMaxInactiveInterval(inactiveTimeSecs); %>

Are you sure about that? In order to get the local 'session' variable, the JSP must call request.getSession(), which ought to extend the life of the session.

-chris
Re: Basic Authentication Failed with multibyte username
André,

On 1/21/2010 6:35 PM, André Warnier wrote:

Basically, I would tend to say that if the server knows who the clients are and vice-versa, you should be free to use any encoding you want, with the limitation that what is exchanged on the wire conforms to HTTP (because there may be proxies on the way which are not so tolerant).

+1

What the client is sending is already (in a way) conformant to HTTP, because it is base64 encoded and so, on the surface, it does not contain non-ascii characters.

+1

But the problem is that the standard Tomcat code which decodes the Basic Authorization header does not work in the way you want, for these illegal headers. And this code should preferably not be changed in a way which breaks the conformance with standard HTTP. Because if you do that, then your Tomcat becomes useless for anything else than your special client.

+1

Another possibility would be to use something like SecurityFilter, which allows you to (more easily) write your own authenticator and realm implementations, and you could write a BasicAuthenticator that reads these specially-formatted credentials.

I checked the sf source, and it looks like we might have a bug:

    private String decodeBasicAuthorizationString(String authorization) {
        if (authorization == null || !authorization.toLowerCase().startsWith("basic ")) {
            return null;
        } else {
            authorization = authorization.substring(6).trim();
            // Decode and parse the authorization credentials
            return new String(Base64.decodeBase64(authorization.getBytes()));
        }
    }

That authorization.getBytes() is just asking for trouble, because it uses the platform default encoding to convert characters to bytes. It should be using US-ASCII, ISO-8859-1, or something like that. It also calls the String constructor with a byte array without specifying the encoding, therefore using the platform default.

Finally, this method is private, which means it cannot be overridden by a subclass, which would be a nice feature. Maybe I'll fix all that. :)

Or, you drop the container-managed security, and you use something like the SecurityFilter (http://securityfilter.sourceforge.net/), but read the homepage carefully first.

Note that the warning about BASIC authentication is waaay outdated: sf definitely does support BASIC auth.

-chris
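An added example, not SecurityFilter's code and not part of the original message: one way to decode the Basic header without relying on the platform default encoding, the problem described above. It assumes Java 8 or later (java.util.Base64); the class name BasicAuthDecoder, its Credentials type and the UTF-8-then-ISO-8859-1 fallback are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthDecoder {

    /** User name and password recovered from a Basic Authorization header. */
    public static final class Credentials {
        public final String username;
        public final String password;

        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Returns the credentials, or null when the header is absent, is not
     * "Basic", is not valid base64, or has no ':' separator.
     * Public and static so that callers can wrap or replace it.
     */
    public static Credentials decode(String authorization) {
        // regionMatches(ignoreCase = true, ...) avoids the locale-sensitive
        // toLowerCase() and returns false for strings shorter than 6 chars.
        if (authorization == null
                || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String token = authorization.substring(6).trim();
        byte[] raw;
        try {
            // Base64 text is ASCII by definition, so name the charset.
            // A non-ASCII character becomes '?', which the decoder rejects.
            raw = Base64.getDecoder().decode(token.getBytes(StandardCharsets.US_ASCII));
        } catch (IllegalArgumentException e) {
            return null;
        }
        String userPass = bytesToString(raw);
        int colon = userPass.indexOf(':'); // a user name cannot contain ':'
        if (colon < 0) {
            return null;
        }
        return new Credentials(userPass.substring(0, colon),
                               userPass.substring(colon + 1));
    }

    /** Strict UTF-8 first; bytes that are not valid UTF-8 are read as ISO-8859-1. */
    static String bytesToString(byte[] raw) {
        try {
            return StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(raw))
                    .toString();
        } catch (CharacterCodingException e) {
            return new String(raw, StandardCharsets.ISO_8859_1);
        }
    }

    /** Builds a header the way a client using the given charset would. */
    private static String header(String userPass, Charset charset) {
        return "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(charset));
    }

    public static void main(String[] args) {
        // Constructed sample credentials, written with \\u escapes so the
        // source file itself stays ASCII.
        String multibyteUser = "\u5c71\u7530";
        String latin1User = "m\u00fcller";

        Credentials a = decode(header(multibyteUser + ":s3cret", StandardCharsets.UTF_8));
        Credentials b = decode(header(latin1User + ":geheim", StandardCharsets.ISO_8859_1));

        System.out.println("UTF-8 client decoded:      " + multibyteUser.equals(a.username));
        System.out.println("ISO-8859-1 client decoded: " + latin1User.equals(b.username));
        System.out.println("password kept intact:      " + "geheim".equals(b.password));
        System.out.println("invalid base64 rejected:   " + (decode("Basic ***") == null));
        System.out.println("other scheme rejected:     " + (decode("Digest abc") == null));
    }
}
```

A byte sequence that is valid in both encodings is read as UTF-8, so a deployment that knows which encoding its clients use should pin that single charset instead of falling back.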
TLS+SSLv3 but no SSLv2
Dear all,

on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the SSLProtocol:

Protocol which may be used for communicating with clients. The default is all, with other acceptable values being SSLv2, SSLv3, TLSv1, and SSLv2+SSLv3.

Does this really mean that I can not allow a TLSv1+SSLv3 setting while forbidding SSLv2? It seems so to me, since setting SSLProtocol to this obviously defaults to ALL :-(

regards Jens

Jens Neu
Health Services Network Administration
RMI reaper thread prevents JVM from exiting
Hi, I have a problem with a webapp using RMI. When I try to shutdown Tomcat instance, the JVM doesn't exit. I have called jstack to see the thread dump : http://pastebin.com/fa55647 There is a non-daemon thread : RMI Reaper. I've tried to add a servlet context listener to force RMI Object unexport on shutdown, but it has no effect : http://pastebin.com/f324201e2 I'm using Tomcat 6.0.18 on a Red Hat Enterprise Linux Server release 5.3. The JVM is a 64 bit JVM, version 1.6.0_07-b06 on a Intel Xeon E5420 CPU. What can I do to force this RMI reaper thread to stop ? Thanks in advance for your help. Thomas
RE: TLS+SSLv3 but no SSLv2
From: Jens Neu [mailto:jens@biotronik.com]
Subject: TLS+SSLv3 but no SSLv2

Does this really mean that I can not allow a TLSv1+SSLv3 setting while forbidding SSLv2?

I was under the impression that specifying TLSv1 would include SSLv3, since there are provisions within TLS to handle SSLv3. Note that TLSv1.0 - TLSv1.2 and SSLv3 all have the same major version number.

- Chuck
Re: error-page problem - nested exceptions
You could have your error handler check if the exception is a NestedServletException and its getRootCause() is a UnAuthorisedAccessException, and display the nested exception's error message in that case. You might want to use a separate error-page for NestedServletException.

-- Len

On Fri, Jan 22, 2010 at 07:06, rotis23 roti...@yahoo.com wrote:

Hi All,

I use web.xml error-page handlers, some with error-code and other with exception-type. At the end I have a catchall error-page that handles java.lang.Throwable - users never see a stack trace and the world is a good place.

However, I've recently added a Hibernate security layer that throws a UnAuthorisedAccessException that gets wrapped in a Spring NestedServletException before it hits the error-page handlers.

Now I understand that it tries to match the top level Exception in the stack first then uses the next nested exception after that and so on until an error-page is matched. The problem is that my catchall Throwable is matching the NestedServletException first before the wrapped UnAuthorisedAccessException hits its error-page handler.

I need the users to see that they don't have the privileges rather than a generic error message - I also need the catchall!

Has anyone else dealt with this issue? I've been searching for a couple days on this now.

TIA, rotis23
RE: TLS+SSLv3 but no SSLv2
unfortunately the behaviour for SSLProtocol=TLSv1 is:

    j...@eluveitie:~ openssl s_client -ssl3 -connect server:8443
    CONNECTED(0003)
    9167:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
    9167:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

while

    openssl s_client -tls1 -connect server:8443

works just fine. On top I also could not get IE 6.x to work with this, even with checking the TLS 1.0 setting in the Internet Options.

-Jens
Health Services Network Administration

Caldarale, Charles R chuck.caldar...@unisys.com
01/22/2010 05:42 PM
Please respond to Tomcat Users List users@tomcat.apache.org
To Tomcat Users List users@tomcat.apache.org
cc
Subject RE: TLS+SSLv3 but no SSLv2

From: Jens Neu [mailto:jens@biotronik.com]
Subject: TLS+SSLv3 but no SSLv2

Does this really mean that I can not allow a TLSv1+SSLv3 setting while forbidding SSLv2?

I was under the impression that specifying TLSv1 would include SSLv3, since there are provisions within TLS to handle SSLv3. Note that TLSv1.0 - TLSv1.2 and SSLv3 all have the same major version number.

- Chuck
Re: RMI reaper thread prevents JVM from exiting
2010/1/22 Thomas Chabaud ext_chabaud.tho...@agora.msa.fr:

I have a problem with a webapp using RMI. When I try to shutdown Tomcat instance, the JVM doesn't exit. I have called jstack to see the thread dump : http://pastebin.com/fa55647 There is a non-daemon thread : RMI Reaper. I've tried to add a servlet context listener to force RMI Object unexport on shutdown, but it has no effect : http://pastebin.com/f324201e2 I'm using Tomcat 6.0.18 on a Red Hat Enterprise Linux Server release 5.3. The JVM is a 64 bit JVM, version 1.6.0_07-b06 on a Intel Xeon E5420 CPU. What can I do to force this RMI reaper thread to stop ?

If you know you're about to exit the process, then one nasty trick would be to find the thread in your context listener and *set* it to be a daemon thread. An ugly hack, but it might just work!

- Peter
Re: TLS+SSLv3 but no SSLv2
Jens,

On 1/22/2010 11:10 AM, Jens Neu wrote:

on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the SSLProtocol:

Protocol which may be used for communicating with clients. The default is all, with other acceptable values being SSLv2, SSLv3, TLSv1, and SSLv2+SSLv3.

Does this really mean that I can not allow a TLSv1+SSLv3 setting while forbidding SSLv2? It seems so to me, since setting SSLProtocol to this obvioulsy defaults to ALL :-(

I agree with Chuck: TLSv1 ~= SSLv3.

Although the protocol attribute has a limited set of values you can choose, you can always set the ciphers you will allow using the ciphers attribute. This will allow you to pick and choose the ciphers regardless of the overall protocol that you choose.

The ciphers available depend upon your environment, but these are the ones I can see in mine:

    java version 1.6.0_12
    Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
    Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)

    Default Cipher
    *       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    *       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    *       SSL_DHE_DSS_WITH_DES_CBC_SHA
    *       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    *       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    *       SSL_DHE_RSA_WITH_DES_CBC_SHA
            SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
            SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
            SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
            SSL_DH_anon_WITH_DES_CBC_SHA
            SSL_DH_anon_WITH_RC4_128_MD5
    *       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    *       SSL_RSA_EXPORT_WITH_RC4_40_MD5
    *       SSL_RSA_WITH_3DES_EDE_CBC_SHA
    *       SSL_RSA_WITH_DES_CBC_SHA
            SSL_RSA_WITH_NULL_MD5
            SSL_RSA_WITH_NULL_SHA
    *       SSL_RSA_WITH_RC4_128_MD5
    *       SSL_RSA_WITH_RC4_128_SHA
    *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
            TLS_DH_anon_WITH_AES_128_CBC_SHA
            TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
            TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
            TLS_KRB5_EXPORT_WITH_RC4_40_MD5
            TLS_KRB5_EXPORT_WITH_RC4_40_SHA
            TLS_KRB5_WITH_3DES_EDE_CBC_MD5
            TLS_KRB5_WITH_3DES_EDE_CBC_SHA
            TLS_KRB5_WITH_DES_CBC_MD5
            TLS_KRB5_WITH_DES_CBC_SHA
            TLS_KRB5_WITH_RC4_128_MD5
            TLS_KRB5_WITH_RC4_128_SHA
    *       TLS_RSA_WITH_AES_128_CBC_SHA

Hope that helps,

-chris
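An added example, not from the original message and not Tomcat code: instead of picking suites from such a list by hand, the JSSE suite names can be filtered by the weak algorithm each name announces and joined into a value for the connector's ciphers attribute. The class name StrongCipherList and the rejection policy are assumptions, and the names apply to the JSSE connector only (an APR/OpenSSL connector takes an OpenSSL cipher string instead).

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

public class StrongCipherList {

    // Assumed policy (not from the thread): refuse export-grade, anonymous,
    // unencrypted (NULL) and single-DES suites, and also RC4 and 3DES,
    // which current guidance no longer accepts.
    private static final String[] REJECTED = {
        "_EXPORT_", "_anon_", "_NULL_", "_DES_", "_DES40_", "_RC4_", "_3DES_"
    };

    /** True when the suite name contains none of the rejected markers. */
    static boolean isAcceptable(String suite) {
        for (String marker : REJECTED) {
            if (suite.contains(marker)) {
                return false;
            }
        }
        return true;
    }

    /** Keeps the acceptable suites, preserving the input order. */
    static List<String> filter(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String suite : suites) {
            if (isAcceptable(suite)) {
                kept.add(suite);
            }
        }
        return kept;
    }

    /** Formats the list as the comma-separated ciphers attribute. */
    static String connectorAttribute(List<String> suites) {
        return "ciphers=\"" + String.join(",", suites) + "\"";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a few of the names listed in the message above.
        String[] sample = {
            "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_NULL_SHA",
            "SSL_RSA_WITH_RC4_128_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "TLS_KRB5_WITH_DES_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA"
        };
        // Only the two non-anonymous AES suites survive the filter.
        System.out.println("sample:  " + connectorAttribute(filter(sample)));

        // The same filter applied to whatever the running JVM supports.
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters()
                .getCipherSuites();
        System.out.println("runtime: " + connectorAttribute(filter(supported)));
    }
}
```

A filter by name fragments only removes what it recognises, so the printed list should still be reviewed before it goes into server.xml.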
Re: RMI reaper thread prevents JVM from exiting
Thomas,

On 1/22/2010 11:25 AM, Thomas Chabaud wrote:

There is a non-daemon thread : RMI Reaper. I've tried to add a servlet context listener to force RMI Object unexport on shutdown, but it has no effect : http://pastebin.com/f324201e2

This thread over on the Sun forums (http://forums.sun.com/thread.jspa?threadID=169975) says that you can either unexport all your objects or call System.exit(). :(

Are there some objects that you may have forgotten to unexport?

-chris
Re: error-page problem - nested exceptions
Hi Len, Thanks for your message. I don't have my 'own' error handler - I just use the error-page elements in web.xml. If I add an error-page for NestedServletException will the exception be available to the corresponding jsp [in the request]? Has anyone extended tomcats error-page implementation to find nested exceptions? Cheers, rotis23
Re: Adding/removing hosts dynamically?
Thanks Chuck,

I was able to find it and play with it a little bit. Pretty self-explanatory once I figured out how to modify the tomcat-users.xml file to get access to it. It's a real bummer that it's not persistent, but it's still a great app.

Thanks for your help!

-Jordan

Caldarale, Charles R wrote:

From: Jordan Michaels [mailto:jor...@viviotech.net]
Subject: Re: Adding/removing hosts dynamically?

I'm extremely interested in this. Any chance anyone who has used this before could provide some direction (example implementation)?

Try the HTML version of host-manager to get familiar with it: http://localhost:8080/host-manager/html

Note that the updates made by the HTML and plain text servlets are not persistent, so will be lost upon Tomcat restart. You'll need some additional means to preserve the added hosts.

From the org/apache/catalina/manager/host/HostManagerServlet.java source code:

     * Servlet that enables remote management of the virtual hosts installed
     * on the server. Normally, this functionality will be protected by
     * a security constraint in the web application deployment descriptor.
     * However, this requirement can be relaxed during testing.
     * <p>
     * This servlet examines the value returned by <code>getPathInfo()</code>
     * and related query parameters to determine what action is being requested.
     * The following actions and parameters (starting after the servlet path)
     * are supported:
     * <ul>
     * <li><b>/add?name={host-name}&amp;aliases={host-aliases}&amp;manager={manager}</b> -
     * Create and add a new virtual host. The <code>host-name</code> attribute
     * indicates the name of the new host. The <code>host-aliases</code>
     * attribute is a comma separated list of the host alias names.
     * The <code>manager</code> attribute is a boolean value indicating if the
     * webapp manager will be installed in the newly created host (optional,
     * false by default).</li>
     * <li><b>/remove?name={host-name}</b> - Remove a virtual host.
     * The <code>host-name</code> attribute indicates the name of the host.
     * </li>
     * <li><b>/list</b> - List the virtual hosts installed on the server.
     * Each host will be listed with the following format
     * <code>host-name#host-aliases</code>.</li>
     * <li><b>/start?name={host-name}</b> - Start the virtual host.</li>
     * <li><b>/stop?name={host-name}</b> - Stop the virtual host.</li>
     * </ul>
     * <p>
     * <b>NOTE</b> - Attempting to stop or remove the host containing
     * this servlet itself will not succeed. Therefore, this servlet should
     * generally be deployed in a separate virtual host.
     * <p>

Seems like the javadocs aren't currently installed on tomcat.apache.org, or I would have directed you there.

- Chuck
Re: TLS+SSLv3 but no SSLv2
Christopher,

my problem is that I have a requirement that SSLv2 shall be forbidden, but not SSLv3 and TLS. On top, also forbidden are ciphers =128bit. I was hoping to tackle this with

    SSLProtocol=TLSv1+SSLv3
    SSLCipher=-ALL:+HIGH:+MEDIUM

without manually selecting all ciphers. Since I'm on apr/openssl, I assume that my available ciphers are what gives me openssl ciphers? So this leaves me with no other option than crawling through all the ciphers? Certainly looking forward to it ;-)

regards
Jens Neu
Health Services Network Administration

Christopher Schultz ch...@christopherschultz.net, 01/22/2010 06:05 PM
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: TLS+SSLv3 but no SSLv2

> Jens,
>
> On 1/22/2010 11:10 AM, Jens Neu wrote:
> > on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the SSLProtocol: Protocol which may be used for communicating with clients. The default is all, with other acceptable values being SSLv2, SSLv3, TLSv1, and SSLv2+SSLv3. Does this really mean that I can not allow a TLSv1+SSLv3 setting while forbidding SSLv2? It seems so to me, since setting SSLProtocol to this obviously defaults to ALL :-(
>
> I agree with Chuck: TLSv1 ~= SSLv3. Although the protocol attribute has a limited set of values you can choose, you can always set the ciphers you will allow using the ciphers attribute. This will allow you to pick and choose the ciphers regardless of the overall protocol that you choose.
>
> The ciphers available depend upon your environment, but these are the ones I can see in mine:
>
> java version 1.6.0_12
> Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
> Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)
>
> Default Cipher
> *       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> *       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> *       SSL_DHE_DSS_WITH_DES_CBC_SHA
> *       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> *       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> *       SSL_DHE_RSA_WITH_DES_CBC_SHA
>         SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>         SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
>         SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>         SSL_DH_anon_WITH_DES_CBC_SHA
>         SSL_DH_anon_WITH_RC4_128_MD5
> *       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
> *       SSL_RSA_EXPORT_WITH_RC4_40_MD5
> *       SSL_RSA_WITH_3DES_EDE_CBC_SHA
> *       SSL_RSA_WITH_DES_CBC_SHA
>         SSL_RSA_WITH_NULL_MD5
>         SSL_RSA_WITH_NULL_SHA
> *       SSL_RSA_WITH_RC4_128_MD5
> *       SSL_RSA_WITH_RC4_128_SHA
> *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>         TLS_DH_anon_WITH_AES_128_CBC_SHA
>         TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
>         TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
>         TLS_KRB5_EXPORT_WITH_RC4_40_MD5
>         TLS_KRB5_EXPORT_WITH_RC4_40_SHA
>         TLS_KRB5_WITH_3DES_EDE_CBC_MD5
>         TLS_KRB5_WITH_3DES_EDE_CBC_SHA
>         TLS_KRB5_WITH_DES_CBC_MD5
>         TLS_KRB5_WITH_DES_CBC_SHA
>         TLS_KRB5_WITH_RC4_128_MD5
>         TLS_KRB5_WITH_RC4_128_SHA
> *       TLS_RSA_WITH_AES_128_CBC_SHA
>
> Hope that helps,
> -chris
Re: TLS+SSLv3 but no SSLv2
Jens,

On 1/22/2010 12:30 PM, Jens Neu wrote:
> Christopher, my Problem is that I have a requirement that SSLv2 shall be forbidden, but not SSLv3 and TLS. On top, also forbidden are ciphers =128bit. I was hoping to tackle this with SSLProtocol=TLSv1+SSLv3 SSLCipher=-ALL:+HIGH:+MEDIUM without manually selecting all ciphers. Since I'm on apr/openssl, I assume that my available ciphers are what gives me openssl ciphers? So this leaves me with no other option than crawling through all the ciphers? Certainly looking forward to it ;-)

How about SSLCipher=-ALL:+HIGH:+MEDIUM:!SSLv2? The APR documentation points you to the openssl documentation for reference. The above SSLCipher yields:

    $ openssl ciphers '-ALL:HIGH:MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
    ADH-AES256-SHA
    DHE-RSA-AES256-SHA
    DHE-DSS-AES256-SHA
    AES256-SHA
    ADH-AES128-SHA
    DHE-RSA-AES128-SHA
    DHE-DSS-AES128-SHA
    AES128-SHA
    ADH-DES-CBC3-SHA
    EDH-RSA-DES-CBC3-SHA
    EDH-DSS-DES-CBC3-SHA
    DES-CBC3-SHA
    ADH-RC4-MD5
    RC4-SHA
    RC4-MD5

Are those acceptable? You don't have to list all the ciphers if you don't want to.

-chris
Re: TLS+SSLv3 but no SSLv2
Christopher,

yes, that's it! Merci bien :-) I was reading http://www.openssl.org/docs/apps/ciphers.html for reference, that's where I got scared that I had to check all of them for 128bit. Didn't know that SSLCipher= is actually understood by openssl.

It's Friday finally :)

Jens
Health Services Network Administration

Christopher Schultz ch...@christopherschultz.net, 01/22/2010 06:36 PM
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: TLS+SSLv3 but no SSLv2

> Jens,
>
> On 1/22/2010 12:30 PM, Jens Neu wrote:
> > Christopher, my Problem is that I have a requirement that SSLv2 shall be forbidden, but not SSLv3 and TLS. On top, also forbidden are ciphers =128bit. I was hoping to tackle this with SSLProtocol=TLSv1+SSLv3 SSLCipher=-ALL:+HIGH:+MEDIUM without manually selecting all ciphers. Since I'm on apr/openssl, I assume that my available ciphers are what gives me openssl ciphers? So this leaves me with no other option than crawling through all the ciphers? Certainly looking forward to it ;-)
>
> How about SSLCipher=-ALL:+HIGH:+MEDIUM:!SSLv2? The APR documentation points you to the openssl documentation for reference. The above SSLCipher yields:
>
>     $ openssl ciphers '-ALL:HIGH:MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
>     ADH-AES256-SHA
>     DHE-RSA-AES256-SHA
>     DHE-DSS-AES256-SHA
>     AES256-SHA
>     ADH-AES128-SHA
>     DHE-RSA-AES128-SHA
>     DHE-DSS-AES128-SHA
>     AES128-SHA
>     ADH-DES-CBC3-SHA
>     EDH-RSA-DES-CBC3-SHA
>     EDH-DSS-DES-CBC3-SHA
>     DES-CBC3-SHA
>     ADH-RC4-MD5
>     RC4-SHA
>     RC4-MD5
>
> Are those acceptable? You don't have to list all the ciphers if you don't want to.
>
> -chris
Re: TLS+SSLv3 but no SSLv2
Christopher,

maybe that was a bit premature, running with SSLCipher=-ALL:+HIGH:+MEDIUM:!SSLv2:

    openssl s_client -ssl2 -connect server:8443
    CONNECTED(0003)
    ...
    ---
    Ciphers common between both SSL endpoints:
    RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
    ---
    SSL handshake has read 1135 bytes and written 236 bytes
    ---
    New, SSLv2, Cipher is DES-CBC3-MD5
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : SSLv2
    Cipher: DES-CBC3-MD5
    Session-ID: 21D7302FAF313F61DF24661249FCF7FD
    Session-ID-ctx:
    Master-Key: 3CAC5F9B8889222FFF7E1106232BFE34FC7A2CBD078833E0
    Key-Arg : 448CA2E3F880EF06
    Start Time: 1264182312
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)
    ---

Jens Neu
Health Services Network Administration
RE: newbie: multiple ports for same tomcat server 5.0
Chuck,

I am now confused. I stated I am using port 8082 from the outside and need to use port 80 on the inside. So I am using different ports. So the port conflict that you talked about original would never happen (is this correct?). If I am going to have a port conflict, how would I implement what you stated?

n828cl wrote:
> From: Anurag Kapur [mailto:anuragka...@gmail.com]
> Subject: Re: newbie: multiple ports for same tomcat server 5.0
>
> > You mentioned that adding the address attribute is recommended to prevent port conflicts.
>
> I didn't say it was recommended, just that it was one way to avoid port conflicts, especially if you wanted both Connector elements to use a standard port, such as 80. The other way, of course, is to simply use different ports. In the case being discussed in the thread, the OP wanted to segregate external users and internal ones, and typically that's done by using separate IP addresses for each group.
>
> - Chuck
RE: newbie: multiple ports for same tomcat server 5.0
From: Chart [mailto:ccha...@hotmail.com]
Subject: RE: newbie: multiple ports for same tomcat server 5.0

> I stated I am using port 8082 from the outside and need to use port 80 on the inside.

If your front-end is on the same machine, you will have a port conflict, since it's already got port 80 assigned. If the front-end is on a different machine, you shouldn't have a conflict. However, if port 8082 is open to the outside world, is there anything that stops the outside world from using the public IP address and accessing Tomcat on port 80? Perhaps your firewall settings are such that you've taken care of that, but it's not clear.

- Chuck
Re: Tomcat 5.5.28 EL not evaluated
Sharmila,

On 1/22/2010 5:43 AM, sharmila punde wrote:
> My OS is fedora, and I have installed tomcat 5.5.28. I have web app. My jsp page has EL as follow- ${perosn.name}.

Did you mean ${person.name}? Could that be the problem?

> I put jsp-api.jar, servlet-api.jar into /usr/java/jdk1.5.0_16/jre/lib/ext.

Why did you put those files into the system-wide library folder? If you're using Tomcat, they should be available to any webapp that needs them.

> Servlet works fine, but above EL is considered as plain text. My web.xml of web app has following lines -
>
>     <jsp-config>
>       <jsp-property-group>
>         <url-pattern>*.jsp</url-pattern>
>         <el-ignored>false</el-ignored>
>         <scripting-invalid> true </scripting-invalid>
>       </jsp-property-group>
>     </jsp-config>
>
> Why EL is not getting evaluated after translation to .java file. Can some one please help me sort out this problem

Are other EL and/or scripting elements working as expected on this page?

-chris
RE: Solved Tomcat 5.5.28 EL not evaluated
Thanks Nishant,

Thank you very much. It was very helpful.

Regards

--- On Fri, 22/1/10, Hadole, Nishant IN BOM SISL nishant.had...@siemens.com wrote:
> From: Hadole, Nishant IN BOM SISL nishant.had...@siemens.com
> Subject: RE: Tomcat 5.5.28 EL not evaluated
> To: 'Tomcat Users List' users@tomcat.apache.org
> Date: Friday, 22 January, 2010, 17:24
>
> Check this FAQ - http://faq.javaranch.com/java/ElOrJstlNotWorkingAsExpected
>
> With best regards,
> Nishant Hadole
> Siemens IT Solutions and Services
>
> -Original Message-
> From: sharmila punde [mailto:sharmila...@yahoo.com]
> Sent: Friday, 22 January, 2010 04:13 PM
> To: users@tomcat.apache.org
> Subject: Tomcat 5.5.28 EL not evaluated
>
> > Dear All,
> >
> > My OS is fedora, and I have installed tomcat 5.5.28. I have web app. My jsp page has EL as follow- ${perosn.name}. I put jsp-api.jar, servlet-api.jar into /usr/java/jdk1.5.0_16/jre/lib/ext. Servlet works fine, but above EL is considered as plain text. My web.xml of web app has following lines -
> >
> >     <jsp-config>
> >       <jsp-property-group>
> >         <url-pattern>*.jsp</url-pattern>
> >         <el-ignored>false</el-ignored>
> >         <scripting-invalid> true </scripting-invalid>
> >       </jsp-property-group>
> >     </jsp-config>
> >
> > Why EL is not getting evaluated after translation to .java file. Can some one please help me sort out this problem
> >
> > Regards
RE: newbie: multiple ports for same tomcat server 5.0
Chuck,

Yes we have a firewall that does not allow traffic from the IIS server to the tomcat server on port 80. Just for learning purposes. Could you take the line out of my original file and add information like you had stated in your original update?

thanks,

n828cl wrote:
> From: Chart [mailto:ccha...@hotmail.com]
> Subject: RE: newbie: multiple ports for same tomcat server 5.0
>
> > I stated I am using port 8082 from the outside and need to use port 80 on the inside.
>
> If your front-end is on the same machine, you will have a port conflict, since it's already got port 80 assigned. If the front-end is on a different machine, you shouldn't have a conflict. However, if port 8082 is open to the outside world, is there anything that stops the outside world from using the public IP address and accessing Tomcat on port 80? Perhaps your firewall settings are such that you've taken care of that, but it's not clear.
>
> - Chuck
RE: newbie: multiple ports for same tomcat server 5.0
From: Chart [mailto:ccha...@hotmail.com]
Subject: RE: newbie: multiple ports for same tomcat server 5.0

> Just for learning purposes. Could you take the line out of my original file and add information like you had stated in your original update?

Sorry, I don't understand what you're asking for.

- Chuck
Re: TLS+SSLv3 but no SSLv2
Jens,

On 1/22/2010 12:51 PM, Jens Neu wrote:
> Christopher, maybe that was a bit premature, running with SSLCipher=-ALL:+HIGH:+MEDIUM:!SSLv2:
>
>     openssl s_client -ssl2 -connect server:8443
>     CONNECTED(0003)
>     ---
>     SSL handshake has read 1135 bytes and written 236 bytes
>     ---
>     New, SSLv2, Cipher is DES-CBC3-MD5
>     Server public key is 1024 bit
>     Compression: NONE
>     Expansion: NONE
>     SSL-Session:
>     Protocol : SSLv2
>     Cipher: DES-CBC3-MD5
>     Session-ID: 21D7302FAF313F61DF24661249FCF7FD
>     Session-ID-ctx:
>     Master-Key: 3CAC5F9B8889222FFF7E1106232BFE34FC7A2CBD078833E0
>     Key-Arg : 448CA2E3F880EF06
>     Start Time: 1264182312
>     Timeout : 300 (sec)
>     Verify return code: 18 (self signed certificate)
>     ---

:(

>     ---
>     Ciphers common between both SSL endpoints:
>     RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5

In my environment, openssl reports:

    $ openssl ciphers 'SSLv2'| sed -e 's/:/\n/g'
    DES-CBC3-MD5 - you got this one
    DES-CBC-MD5
    EXP-RC2-CBC-MD5
    RC2-CBC-MD5
    EXP-RC4-MD5
    RC4-MD5

Looks like all those are the same ones, meaning that 100% of the openssl SSLv2 ciphers are available from Tomcat.

Stupid question: did you re-start Tomcat after making the SSLCipher change?

Again, here's what I get for the cipher string we've been trying:

    $ openssl ciphers 'ALL:!SSLv2:+HIGH:+MEDIUM'| sed -e 's/:/\n/g'
    ADH-DES-CBC-SHA
    EXP-ADH-DES-CBC-SHA
    EXP-ADH-RC4-MD5
    EDH-RSA-DES-CBC-SHA
    EXP-EDH-RSA-DES-CBC-SHA
    EDH-DSS-DES-CBC-SHA
    EXP-EDH-DSS-DES-CBC-SHA
    DES-CBC-SHA
    EXP-DES-CBC-SHA
    EXP-RC2-CBC-MD5
    EXP-RC4-MD5
    ADH-AES256-SHA
    DHE-RSA-AES256-SHA
    DHE-DSS-AES256-SHA
    AES256-SHA
    ADH-AES128-SHA
    DHE-RSA-AES128-SHA
    DHE-DSS-AES128-SHA
    AES128-SHA
    ADH-DES-CBC3-SHA
    EDH-RSA-DES-CBC3-SHA
    EDH-DSS-DES-CBC3-SHA
    DES-CBC3-SHA
    ADH-RC4-MD5
    RC4-SHA
    RC4-MD5

I don't see any of the SSLv2 ciphers in there except for RC4-MD5, which I suppose would still allow you to connect.

One thing I noticed is that your cipher string is not valid:

    $ openssl ciphers '-ALL:+HIGH:+MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
    Error in cipher list
    16374:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1185:

You have to have something without - or + prefixing it. Apparently, you have to start with a list before you start modifying it :) Try the string I have above and see if that works. RC4-MD5 might still work, though.

You should take a look at this guy's tool, here: http://www.unspecific.com/2009/02/16/ssl-cipher-check

Our production server's httpd is configured to use HIGH:MEDIUM:-SSLv2 and the results of the above script confirm that only decent ciphers are available:

    $ ./ssl-cipher-check.pl [mysite]
    Testing [mysite]:443
    SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
    SSLv3:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
    SSLv3:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
    SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
    SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
    SSLv3:DHE-RSA-AES256-SHA - ENABLED - STRONG 256 bits
    SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
    SSLv3:AES256-SHA - ENABLED - STRONG 256 bits
    TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
    TLSv1:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
    TLSv1:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
    TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
    TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
    TLSv1:DHE-RSA-AES256-SHA - ENABLED - STRONG 256 bits
    TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
    TLSv1:AES256-SHA - ENABLED - STRONG 256 bits
    *WARNING* 6 WEAK Ciphers Enabled.
    Total Ciphers Enabled: 22

I was unable to verify that any WEAK ciphers were enabled, and I count 16 enabled ciphers, not 22. So, maybe this script isn't the greatest thing around :)

With HIGH:MEDIUM:-SSLv2, I cannot connect using openssl s_client -ssl2, which is a good thing.

Try a different/better cipher string. Always check against openssl cipher to make sure that it's kosher before enabling it in your server.

-chris
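The check recommended at the end of the message above can be scripted. The following is an added example, not code from the thread or from Tomcat: it audits `openssl ciphers -v` output by its protocol column, because a name such as RC4-MD5 exists in both the SSLv2 and SSLv3 suites. The function names, the constructed sample output, the 128-bit floor (an assumed reading of the stated requirement) and the extra anonymous/export checks are assumptions.

```python
import re
import subprocess

# Constructed sample in the column layout printed by `openssl ciphers -v` on builds
# that still include SSLv2; it is not output captured from any server in this thread.
SAMPLE_OUTPUT = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)


def expand(cipher_string, openssl="openssl"):
    """Expand a cipher string with the local openssl binary.

    A string openssl cannot parse (the "Error in cipher list" case quoted in the
    thread) makes openssl exit non-zero; that is reported as ValueError.
    """
    proc = subprocess.run([openssl, "ciphers", "-v", cipher_string],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise ValueError(f"openssl rejected {cipher_string!r}: {proc.stderr.strip()}")
    return proc.stdout


def audit(verbose_output, min_bits=128, banned_protocols=("SSLv2",)):
    """Return [(cipher, protocol, [reasons])] for every suite that breaks policy.

    The key size is openssl's nominal figure from the Enc= column. Suites are
    judged per (name, protocol) row, never by name alone.
    """
    findings = []
    for line in verbose_output.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised `openssl ciphers -v` line: {line!r}")
        bits = int(m["bits"] or 0)          # Enc=None carries no key size
        reasons = []
        if m["proto"] in banned_protocols:
            reasons.append(f"protocol {m['proto']}")
        if bits < min_bits:
            reasons.append(f"{bits}-bit encryption")
        if m["au"] == "None":
            reasons.append("anonymous key exchange")
        if m["export"]:
            reasons.append("export-grade")
        if reasons:
            findings.append((m["name"], m["proto"], reasons))
    return findings


if __name__ == "__main__":
    for name, proto, reasons in audit(SAMPLE_OUTPUT):
        print(f"{proto:6} {name:20} {', '.join(reasons)}")
```

Against a live configuration, pass `expand("<your SSLCipher value>")` to `audit()` before putting the string into the connector, then confirm with `openssl s_client` as done in the thread.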
Re: newbie: multiple ports for same tomcat server 5.0
Chart,

On 1/21/2010 1:53 PM, Chart wrote:
> There is a SSI server on the outside that sends request to 8009 for this tomcat server (from what I have been told). The tomcat server is running on port 8082.

You mean that Tomcat is accepting requests on port 8082. What kind of requests, HTTP?

> I have been tasked to change this tomcat server to accept request from 8082 when they are coming from the outside and port 80 if you are inside the network.

If Tomcat is already listening to port 8082, then it will continue to do so. There should be no need to change anything, unless you have instructed Tomcat to listen only on a certain interface (like localhost).

> The outside goes from an address that accepts the request on port 80 and then sends it to tomcat on port 8082.

Okay, this sounds like your setup already does exactly what your requirements state. Congratulations: you're done!

> The inside I would set DHCP to send directly to the tomcat server and bypass the SSI server.

Uh, wait... what?

> Therefore I need to allow this tomcat server to listen on port 80 and port 8082.

Where is the SSI server? Same machine, or someplace else? Is it okay if remote users go directly to port 80 on the Tomcat machine, or do you need to prohibit them from doing so?

> <Connector ... port="8082" ... />

This accepts HTTP requests on port 8082, and listens on interface 0.0.0.0 which means it will respond to requests from anywhere.

> <Connector ... port="8009" protocol="AJP/1.3" ... />

This accepts AJP requests on port 8009, and listens on interface 0.0.0.0 which means it will respond to requests from anywhere.

If all you want to do is add another port number, that's easy in theory (as Andre' pointed out):

    <Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="2"
               disableUploadTimeout="true" port="80" redirectPort="8443"
               maxSpareThreads="75" maxThreads="150" minSpareThreads="25">
    </Connector>

That's your original HTTP Connector with just the port number changed.

Now, if your SSI server (btw: never heard that term before) is running on the local machine and already listening to port 80, then you'll have to do as Chuck suggests and have Tomcat bind to localhost (or some other interface) as to avoid conflicts with the aforementioned server who already owns port 80.

Also, if you're running on *NIX, port 80 is considered privileged and you therefore must make arrangements to be able to bind to that port. If this is the case, please let us know and we can help you do that.

If you ever move up to 5.5 or (even better) 6.0, you might want to consider using an Executor that allows all your Connectors to share a single thread pool. That way, you won't run the risk of having lots of threads sitting around doing nothing because one of the Connectors is under-used.

-chris
Re: Problem starting connection pooling
Mark,

On 1/22/2010 8:44 AM, Mark Witczak wrote:
> I used: mysql -u foo -p -h test.hostname.com
>
> Is there a way to force the command to use TCP/IP? is there a parameter for networking that I should include in context.xml?

What you did ought to be fine. The MySQL command line client only uses named pipes (not UNIX domain sockets) for communication when you use localhost (the default hostname) from the command line.

I'm not sure what the problem is, but I can tell you what the problem is NOT:

1. You have your mysql-connector.jar file in the right place, otherwise you'd be getting a different error.
2. Your username/password appear to be correct, otherwise you would have gotten a different error.

Other than the error you posted, are there other errors in any log files? Specifically, catalina.out and friends?

-chris
Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Peter,

On 1/22/2010 7:49 AM, Peter Crowther wrote:
> - You're telling AJP to use a secure connection between httpd and Tomcat;

AJP doesn't recognize any secure connection capability for its own communication. As you've said, AJP /does/ forward SSL information through the AJP connection to Tomcat.

> - The Tomcat connector on port 8443 is a SSL connector, not an AJP connector;

Almost certainly, though Matt didn't post his server.xml for verification.

> - AJP is getting confused.

Absolutely!

> I believe you should only need to configure one worker (the one on 8009); AJP is capable of passing through the information as to whether or not the data arrived securely or not at httpd.

+1

-chris
Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Matt,

On 1/22/2010 9:25 AM, Matt Turner wrote:
> In my case sometimes I do need to pass through the SSL to Tomcat, as I'm running CAS which requires genuine SSL requests.

mod_jk ought to be able to forward all SSL information to Tomcat. Specifically, what does CAS require?

> (I do also have some SSL requests that tomcat doesn't need to see - which I will send via 8009 as has been suggested). The SSL pass-through requirement explains why I was attempting to pass through to :8443 directly - but it sounds like that's the wrong approach.

Unless something specific is actually not working, you ought to be able to use a vanilla AJP connection for both secure and non-secure HTTP (even via the same worker/Connector).

> Should I just use something like.. ProxyPass /cas https://10.13.0.218:8443/cas ?

Now, you're switching from mod_jk to mod_proxy_http(s). Can CAS really not function properly with an AJP connection? If you proxy HTTPS you are likely to get in all kinds of trouble because the client is no longer your user... it's your web server. And the server is no longer the web server... it's Tomcat.

-chris
Re: Basic Authentication Failed with multibyte username
Christopher Schultz wrote:
> André,
>
> On 1/21/2010 6:35 PM, André Warnier wrote:
> > Basically, I would tend to say that if the server knows who the clients are and vice-versa, you should be free to use any encoding you want, with the limitation that what is exchanged on the wire conforms to HTTP (because there may be proxies on the way which are not so tolerant).
>
> +1
>
> > What the client is sending is already (in a way) conformant to HTTP, because it is base64 encoded and so, on the surface, it does not contain non-ascii characters.
>
> +1
>
> > But the problem is that the standard Tomcat code which decodes the Basic Authorization header does not work in the way you want, for these illegal headers. And this code should preferably not be changed in a way which breaks the conformance with standard HTTP. Because if you do that, then your Tomcat becomes useless for anything else than your special client.
>
> +1
>
> Another possibility would be to use something like SecurityFilter, which allows you to (more easily) write your own authenticator and realm implementations, and you could write a BasicAuthenticator that reads these specially-formatted credentials.
>
> I checked the sf source, and it looks like we might have a bug:
>
>     private String decodeBasicAuthorizationString(String authorization) {
>         if (authorization == null || !authorization.toLowerCase().startsWith("basic ")) {
>             return null;
>         } else {
>             authorization = authorization.substring(6).trim();
>             // Decode and parse the authorization credentials
>             return new String(Base64.decodeBase64(authorization.getBytes()));
>         }
>     }
>
> That authorization.getBytes() is just asking for trouble, because it uses the platform default encoding to convert characters to bytes. It should be using US-ASCII, ISO-8859-1, or something like that.

-1

I don't think you have a problem there, because what you are decoding into bytes there IS bytes (it is base64-encoded).

> It also calls the String constructor with a byte array without specifying the encoding, therefore using the platform default.

+1

That is indeed where you have a problem. There you SHOULD always decode it as US-ASCII (or maybe iso-8859-1, I'm not quite sure what the spec says exactly).

Let's say that the spec is clear and says that the header value is *TEXT, and that *TEXT is always US-ASCII (or ISO-8859-1) by default.

Let's take it from the browser side first. If the userid:password is indeed composed only of us-ascii characters, then the browser base64-encodes this directly and it is trivial.(*) But let's say that userid:password is something else than us-ascii. Another part of the spec says that then, you have to encode it according to RFC2047. My contention is then that the browser should first RFC2047-encode userid:password, and then base64-encode the result.

Back on the server side. The server base64-decodes the authorization token, into an ascii string. It can do that always, because either the string was ascii to start with, or else it was not, but then it has been RFC2047-encoded, yielding a result that is ascii. (like : =?iso-8859-2?B?base64-encoded stuff...?= ) Then the server must do another round of decoding via RFC2047. That consists of a double decoding again : base64-decode the string between the ?? into bytes, and then decode those bytes into Unicode, using the charset indicated at the beginning of the rfc2047-encoded sequence.

The above, I believe, would be totally consistent with the current RFCs. But there is a major catch : I don't believe that there is a browser on the market today, which properly encodes the userid:password string via rfc2047 when it isn't ascii. And the OP's special client sends UTF-8, but also does not rfc2047-encode it.
Re: error-page problem - nested exceptions
Yes, in the error page you can get the exception as a request attribute, either javax.servlet.jsp.jspException or javax.servlet.error.exception (sometimes it's one, sometimes the other). In my app, I found that this exception has already been unwrapped - it's the original exception, not a ServletException. I'm not sure it works the same way with Spring's NestedServletException - you'll have to try it out.

--
Len

On Fri, Jan 22, 2010 at 12:15, rotis23 roti...@yahoo.com wrote:
> Hi Len,
>
> Thanks for your message. I don't have my 'own' error handler - I just use the error-page elements in web.xml. If I add an error-page for NestedServletException will the exception be available to the corresponding jsp [in the request]? Has anyone extended Tomcat's error-page implementation to find nested exceptions?
>
> Cheers,
> rotis23
Re: newbie: multiple ports for same tomcat server 5.0
Now here we have a case where I, the dummy on this forum, spend hours creating a work of ascii art explaining clearly and precisely to the OP what he needs to change, and where subsequently the two gurus manage, in just a couple of posts, to totally confuse the OP.

(And, by the way, it appears that SSI, mentioned by the OP in the initial post, and which somewhat puzzled me too but which I decided to just copy along, should in reality have been noted IIS. Which makes it a lot clearer for everyone now.)

So, Chart, bear with me. Go back to the picture. In the first version, there was your current configuration, with the IIS server, which in all likelihood is currently listening on port 80. In your original post, you indicated your intention of turning it off, and having (internal) users access Tomcat directly on port 80. For that, you need Tomcat to listen on port 80, which it doesn't yet do currently. So I tried to show you what you need to do to Tomcat, so that it will listen on port 80 (essentially, add a Connector, similar to the one you have for port 8082, but this new one listening on port 80).

Unfortunately, in version 2 of the picture, where I represented this additional Connector, I also left in the IIS server (which also listens on port 80). If both IIS and Tomcat are running on the same host, that does not work. You cannot have IIS and Tomcat both listen, at the same time, on all IP addresses of the same host, and on port 80. There is a conflict : only one of them can be doing that at any one time.

So,
- if the IIS server is on another host than Tomcat, then it is fine, there is no conflict, and what I showed in version 2 is fine.
- if the IIS server and Tomcat are on the same host, then in principle only one of them can be listening on port 80. So you have to start /either/ IIS /or/ Tomcat, but not both at the same time. Which is OK if as you mentioned, you are going to eliminate IIS anyway. (If you try to start Tomcat that way while IIS is running, Tomcat will not start, because it will be unable to open port 80; it is already taken).

IF however, IIS and Tomcat being on the same host, AND for some reason you still want to leave IIS running, then there is still a way to avoid the conflict. But it involves the fact that your host has at least 2 distinct IP addresses, and a bit more configuration. Which we will then explain to you if that is your case.
Re: Comet Connection Writeable?
Hi

I'd like to try it. However I am not accustomed to building tomcat. Do you have this compiled somewhere?

Best regards,
Steffen

-----Original Message-----
From: Filip Hanik - Dev Lists [mailto:devli...@hanik.com]
Sent: Tuesday, 19 January 2010 15:50
To: Tomcat Users List
Subject: Re: Comet Connection Writeable?

Hi Steffen,

At http://svn.apache.org/viewvc/tomcat/sandbox/gdev6x/ I implemented the feature you are looking for. Where you would do

    CometEvent.interestOps(CometEvent.CometOperation.OP_WRITE);

and you will receive a CometEvent.EventType.WRITE

When I tried to write sample applications against this, it turned out to be very complex programming. You can check out that branch and build it and see if it's something we should still pursue

Filip

On 01/18/2010 09:06 AM, Steffen Heil wrote:
> Hi
>
> I am using comet connections for some time now in a server push manner: Whenever the server needs to inform the client about some event, it sends a packet to the client and waits for a reply in the same connection. As soon as a READ event is triggered, that reply is read and the next message can be sent.
>
> Now, this requires a round-trip-time between the client and the server and is inappropriate for larger amounts of data especially on high latency connections. I am seeking for a way to determine (from a comet servlet's point of view) if a connection is writeable - this is, if output buffers are empty and I can send additional data. Note, that sending a huge amount of data at once is not an option, I need to send distinct parts...
>
> So here are my questions:
> - How can I detect if a connection is writeable?
> - That is, how can I detect if the output buffers are empty?
> - Is there a way to use comet connection for something like a selector?
>
> Regards,
> Steffen
Re: [OT] Basic Authentication Failed with multibyte username
André,

(Marking OT because, well... just because).

On 1/22/2010 2:59 PM, Warnier wrote:
> Christopher Schultz wrote:
>> That authorization.getBytes() is just asking for trouble, because it uses the platform default encoding to convert characters to bytes. It should be using US-ASCII, ISO-8859-1, or something like that.
>
> -1
> I don't think you have a problem there, because what you are decoding into bytes there IS bytes (it is base64-encoded).

Maybe all character sets have bytes 0-127 the same as US-ASCII, but I don't know about some of those I never see myself: Shift-JIS and all those Asian encodings, etc. It would be better to be explicit.

>> It also calls the String constructor with a byte array without specifying the encoding, therefore using the platform default.
>
> +1
> That is indeed where you have a problem. There you SHOULD always decode it as US-ASCII (or maybe iso-8859-1, I'm not quite sure what the spec says exactly).

From my reading, the spec is silent but one can draw the conclusion that US-ASCII is basically all that is supported. I should add the capability of configuring this encoding to override the (soon to be) default of US-ASCII: if the user knows the client will use UTF-8, they should be allowed to force that encoding to be used.

> Let's say that the spec is clear and says that the header value is *TEXT, and that *TEXT is always US-ASCII (or ISO-8859-1) by default.
>
> Let's take it from the browser side first. If the userid:password is indeed composed only of us-ascii characters, then the browser base64-encodes this directly and it is trivial.(*) But let's say that userid:password is something else than us-ascii. Another part of the spec says that then, you have to encode it according to RFC2047.

No, I don't think this is correct: the spec says that the HTTP header values must be in US-ASCII, and may be encoded using RFC2047 in order to achieve that. Since Base64 encoding always results in a US-ASCII-compatible value, there is no reason to involve RFC2047.

> My contention is then that the browser should first RFC2047-encode userid:password, and then base64-encode the result.

While that sounds like a good idea, it's almost certainly never done that way.

> Back on the server side. The server base64-decodes the authorization token, into an ascii string. It can do that always, because either the string was ascii to start with, or else it was not, but then it has been RFC2047-encoded, yielding a result that is ascii.
> (like : =?iso-8859-2?B?base64-encoded stuff...?= )

This would be a decent configurable setting for a BASIC authenticator... something like allow-rfc2047 or whatever. What about those people who really want to have a username like =?whatever and a password like whatever?=? They can't login? :)

> The above, I believe, would be totally consistent with the current RFCs.

Yes, but for whatever reason, nobody ever fully implements the RFCs :) There are standards and there are practices. In this case, I think practices outweigh the standards :)

> But there is a major catch : I don't believe that there is a browser on the market today, which properly encodes the userid:password string via rfc2047 when it isn't ascii.

Nor would it be appropriate to do so, because base64 encoding is /always/ used and will therefore /always/ result in a valid HTTP Authenticate header value.

-chris
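An added illustration of the two conversions argued over in the two Basic Authentication messages above (André Warnier's and Christopher Schultz's), not code from SecurityFilter or Tomcat: the base64 token is read as US-ASCII explicitly, and the decoded userid:password bytes are read in a configurable charset with strict error reporting. The class and method names are hypothetical, the configurable charset is an assumption taken from the suggestion in the thread, and java.util.Base64 (Java 8 or later) stands in for the `Base64.decodeBase64` call in the quoted snippet.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration: class and method names are hypothetical, not SecurityFilter's or Tomcat's API.
public class BasicCredentialDecoder {

    // Assumption: the deployer configures which charset clients use for userid:password.
    private final Charset credentialCharset;

    public BasicCredentialDecoder(Charset credentialCharset) {
        this.credentialCharset = credentialCharset;
    }

    /** Returns {userid, password}, or null when the header cannot be decoded unambiguously. */
    public String[] decode(String authorization) {
        // regionMatches(ignoreCase=true, ...) avoids the locale-sensitive toLowerCase() comparison.
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            // Step 1: the base64 token is ASCII by construction, so name that charset explicitly.
            // Any non-ASCII character becomes '?', which the base64 decoder then rejects.
            byte[] token = authorization.substring(6).trim().getBytes(StandardCharsets.US_ASCII);
            raw = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return null;
        }
        String credentials;
        try {
            // Step 2: the decoded bytes are text in the configured charset. REPORT turns
            // undecodable bytes into an error instead of silently substituting U+FFFD.
            credentials = credentialCharset.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(raw))
                    .toString();
        } catch (CharacterCodingException e) {
            return null;
        }
        // The userid cannot contain ':', so split at the first one; the password may contain more.
        int colon = credentials.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { credentials.substring(0, colon), credentials.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: the header a UTF-8 client sends for a userid containing
        // one non-ASCII character (u with umlaut) and the password "ge:heim".
        String userid = "j\u00fcrgen";
        String header = "Basic " + Base64.getEncoder()
                .encodeToString((userid + ":ge:heim").getBytes(StandardCharsets.UTF_8));

        String[] asUtf8 = new BasicCredentialDecoder(StandardCharsets.UTF_8).decode(header);
        String[] asLatin1 = new BasicCredentialDecoder(StandardCharsets.ISO_8859_1).decode(header);
        String[] asAscii = new BasicCredentialDecoder(StandardCharsets.US_ASCII).decode(header);

        // Configured for the charset the client really uses: the userid round-trips.
        System.out.println("UTF-8 userid matches:      " + userid.equals(asUtf8[0]));
        System.out.println("UTF-8 password:            " + asUtf8[1]);
        // ISO-8859-1 maps every byte to some character, so a wrong charset yields a
        // different userid rather than an error.
        System.out.println("ISO-8859-1 userid matches: " + userid.equals(asLatin1[0]));
        // Strict US-ASCII refuses bytes above 0x7F, so the login fails cleanly.
        System.out.println("US-ASCII rejected:         " + (asAscii == null));
    }
}
```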
RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Thanks for the responses. In between times I tried the ProxyPass which seems to work fine, but I'd much rather use plain AJP so I'll try that next. I've had problems previously getting CAS working where the SSL is handled by the webserver - however from what everyone has said and having read around the issue a bit more, it does sound like using AJP ought to work, so long as Apache is configured to pass through all the relevant SSL and cert. info to tomcat (presumably so that isSecure() can work, plus I think CAS validates certificates too).

> Date: Fri, 22 Jan 2010 14:53:21 -0500
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
>
> Matt,
>
> On 1/22/2010 9:25 AM, Matt Turner wrote:
>> In my case sometimes I do need to pass through the SSL to Tomcat, as I'm running CAS which requires genuine SSL requests.
>
> mod_jk ought to be able to forward all SSL information to Tomcat. Specifically, what does CAS require?
>
>> (I do also have some SSL requests that tomcat doesn't need to see - which I will send via 8009 as has been suggested). The SSL pass-through requirement explains why I was attempting to pass through to :8443 directly - but it sounds like that's the wrong approach.
>
> Unless something specific is actually not working, you ought to be able to use a vanilla AJP connection for both secure and non-secure HTTP (even via the same worker/Connector).
>
>> Should I just use something like..
>> ProxyPass /cas https://10.13.0.218:8443/cas ?
>
> Now, you're switching from mod_jk to mod_proxy_http(s). Can CAS really not function properly with an AJP connection? If you proxy HTTPS you are likely to get in all kinds of trouble because the client is no longer your user... it's your web server. And the server is no longer the web server... it's Tomcat.
>
> -chris
Windows Installer with support for 32 bit JVM on 64 bit OS
Will there be a Windows installer that will install and use a 32 bit JVM on a 64 bit OS (Like 6.0.20 did)? I have some 32 bit native extensions (dlls) and have some time before I see a 64 bit version of the dll.

Thanks
-p
RE: Windows Installer with support for 32 bit JVM on 64 bit OS
> From: Patrick Flaherty [mailto:pflah...@rampageinc.com]
> Subject: Windows Installer with support for 32 bit JVM on 64 bit OS
>
> Will there be a Windows installer that will install and use a 32 bit JVM on a 64 bit OS (Like 6.0.20 did)?

Don't know, but you can use the *-x86.zip download and use the service.bat script to install the service. The architecture-specific zip files are here: http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.24/bin/

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Windows Installer with support for 32 bit JVM on 64 bit OS
Perfect, that works! Thanks Charles.

-P

--------------------------------------------------
From: Caldarale, Charles R chuck.caldar...@unisys.com
Sent: Friday, January 22, 2010 7:19 PM
To: Tomcat Users List users@tomcat.apache.org
Subject: RE: Windows Installer with support for 32 bit JVM on 64 bit OS

>> From: Patrick Flaherty [mailto:pflah...@rampageinc.com]
>> Subject: Windows Installer with support for 32 bit JVM on 64 bit OS
>>
>> Will there be a Windows installer that will install and use a 32 bit JVM on a 64 bit OS (Like 6.0.20 did)?
>
> Don't know, but you can use the *-x86.zip download and use the service.bat script to install the service. The architecture-specific zip files are here: http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.24/bin/
>
>  - Chuck
Re: newbie: multiple ports for same tomcat server 5.0
I have everything working from the first post. Per the last update the problem looks like I confused Chuck on my original post when I thought I stated that IIS was running on a different box. There are two distinct boxes (one on the outside running IIS and one on the inside running Tomcat). Therefore everything that Chuck stated in the post confused me and everyone else that has read the updates, because he thought everything was running on one box.

I appreciate everyone's help and everything is working.

awarnier wrote:
> Now here we have a case where I, the dummy on this forum, spend hours creating a work of ascii art explaining clearly and precisely to the OP what he needs to change, and where subsequently the two gurus manage, in just a couple of posts, to totally confuse the OP.
>
> (And, by the way, it appears that SSI, mentioned by the OP in the initial post, and which somewhat puzzled me too but which I decided to just copy along, should in reality have been noted IIS. Which makes it a lot clearer for everyone now.)
>
> So, Chart, bear with me. Go back to the picture. In the first version, there was your current configuration, with the IIS server, which in all likelihood is currently listening on port 80. In your original post, you indicated your intention of turning it off, and having (internal) users access Tomcat directly on port 80. For that, you need Tomcat to listen on port 80, which it doesn't yet do currently. So I tried to show you what you need to do to Tomcat, so that it will listen on port 80 (essentially, add a Connector, similar to the one you have for port 8082, but this new one listening on port 80).
>
> Unfortunately, in version 2 of the picture, where I represented this additional Connector, I also left in the IIS server (which also listens on port 80). If both IIS and Tomcat are running on the same host, that does not work. You cannot have IIS and Tomcat both listen, at the same time, on all IP addresses of the same host, and on port 80. There is a conflict : only one of them can be doing that at any one time.
>
> So,
> - if the IIS server is on another host than Tomcat, then it is fine, there is no conflict, and what I showed in version 2 is fine.
> - if the IIS server and Tomcat are on the same host, then in principle only one of them can be listening on port 80. So you have to start /either/ IIS /or/ Tomcat, but not both at the same time. Which is OK if as you mentioned, you are going to eliminate IIS anyway. (If you try to start Tomcat that way while IIS is running, Tomcat will not start, because it will be unable to open port 80; it is already taken).
>
> IF however, IIS and Tomcat being on the same host, AND for some reason you still want to leave IIS running, then there is still a way to avoid the conflict. But it involves the fact that your host has at least 2 distinct IP addresses, and a bit more configuration. Which we will then explain to you if that is your case.
question for deploystartup for ROOT.war on tomcat cluster
Hi

I have my application packaged as ROOT.war file. I can auto-deploy this war file on single tomcat instance whenever I restart tomcat or put a new war file into webapps. However, if I put the same war file into tomcat cluster and restart tomcat, tomcat does not redeploy this war file.

In tomcat cluster [6.0.20/Redhat 5(linux)], I tested as follows:

A. tomcat fresh startup [succeeded to run ROOT application]
1. shutdown tomcat
2. confirmed only webapps/ROOT.war existed and no [Catalina_home]/conf/ROOT.xml and no webapps/ROOT
3. start tomcat [node1 of cluster]
4. confirmed that ROOT.war was deployed

B. restarting tomcat [failed to run ROOT application]
1. shutdown tomcat
3. confirmed that [Catalina_home]/conf/ROOT.xml and webapps/ROOT and webapps/ROOT.war existed
2. simply restarting tomcat by executing startup.sh
3. other applications under webapps including host-manager etc deployed and running properly
4. confirmed that only ROOT.war was not deployed

C. test autodeploy [succeeded to run ROOT application]
1. confirmed that tomcat is running
2. moved ROOT.war out of webapps
3. confirmed that tomcat removed [Catalina_home]/conf/ROOT.xml and webapps/ROOT
4. copied ROOT.war back to webapps
5. confirmed that tomcat created [Catalina_home]/conf/ROOT.xml and webapps/ROOT and the application packaged in ROOT.war is running

Is there any trick to make case B work?

Thanks,
Including a file into server.xml
I have a Java based XML DB that keeps track of different configurations for various sites we host and it is trivial to have it spit out a Host entry compatible with server.xml for each site... the only problem we have is how to insert the output into server.xml without garbaging and/or having to parse the file... the solution I want to use is include file X here but I can not find any way of coding that into server.xml

If it is compatible with standard XML inclusion tags just let me know and I will figure out the rest, if not is there a special tag or something?
Re: Including a file into server.xml
I don't know of any inclusion tag. I had a similar problem with context.xml, I used an XSLT transformation to add new Resources entries during installation time depending on the number of databases a user wanted to configure. I used a dummy Resource entry and used XSLT to make a copy of it replacing a set of attributes with values provided by the user. At the end, I used another XSLT to remove the dummy Resource.

On Fri, Jan 22, 2010 at 11:31 PM, Aryeh M. Friedman aryeh.fried...@gmail.com wrote:
> I have a Java based XML DB that keeps track of different configurations for various sites we host and it is trivial to have it spit out a Host entry compatible with server.xml for each site... the only problem we have is how to insert the output into server.xml without garbaging and/or having to parse the file... the solution I want to use is include file X here but I can not find any way of coding that into server.xml
>
> If it is compatible with standard XML inclusion tags just let me know and I will figure out the rest, if not is there a special tag or something?
Please Validate this Question
Hi

Please Validate this Question

SPEC :
JDK1.5
TOMCAT 6.0.20
O/s 1, 2 Windows 2000 Server
Apache Http - 2.x

1) A Custom built web application uses Quartz process (cron job) every 20 minutes to DB (JNDI based Connection pool) to process some data when deployed on single system,

2) The same is deployed on an Apache 2x - tomcat CLUSTER mode as 2 instances on 2 different independent Systems.

Question: Does each instance of the application connect to the DB every 20 minutes based on the cron job configuration? If so, is there any way within the Cluster Configuration to prevent this issue?

With regards
karthik