Re: Tomcat Thread issue
-Christopher Schultz ch...@christopherschultz.net wrote: - To: Tomcat Users List users@tomcat.apache.org From: Christopher Schultz ch...@christopherschultz.net Date: 04/24/2015 07:14PM Subject: Re: Tomcat Thread issue -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Felix, On 4/24/15 3:19 AM, Felix Schumacher wrote: Am 24. April 2015 09:08:08 MESZ, schrieb Subhro Paul subhro.p...@tcs.com: -Subhro Paul subhro.p...@tcs.com wrote: - To: users@tomcat.apache.org From: Subhro Paul subhro.p...@tcs.com Date: 04/23/2015 06:20PM Subject: Re: Tomcat Thread issue -Daniel Mikusa dmik...@pivotal.io wrote: - To: Tomcat Users List users@tomcat.apache.org From: Daniel Mikusa dmik...@pivotal.io Date: 04/23/2015 05:01PM Subject: Re: Tomcat Thread issue On Thu, Apr 23, 2015 at 7:15 AM, Subhro Paul subhro.p...@tcs.com wrote: Dear Team, One of our client's website stopped working yesterday. We observed that Tomcat servers were not working properly during that time. We have checked the memory usage of the server was fine but in the Catalina.out log we found it was already reached to max thread which is 512 though the number of connections to the server was normal. We took a thread dump from the server using VisualVM and we got the below message from threaddump: Since a thread dump is a point in time snapshot, you should always take multiple thread dumps, with a few seconds in between each one. This gives you additional perspective as to what's happening with the threads over a period of time. http-8080-1 - Thread t@22 java.lang.Thread.State: BLOCKED at java.util.Vector$1.nextElement(Vector.java:320) - waiting to lock 37749687 (a java.util.Vector) owned by http-8080-116 t@161 at org.apache.jsp.includes.header_jsp.isExcludePath(header_jsp.java:116 ) at org.apache.jsp.includes.header_jsp._jspService(header_jsp.java:314) Look at what header.jsp is doing. It seems to be doing something with the Vector class which is causing the thread to block. at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper .java:377) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:3 13) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:206) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDisp atcher.java:646) at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationD ispatcher.java:551) at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDis patcher.java:488) at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary .java:968) at org.apache.jsp.home.customer_005fservice.bill.my_005fbill_jsp._jspSer vice(my_005fbill_jsp.java:126) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper .java:377) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:3 13) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV alve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV alve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j ava:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j ava:102) at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterVa lve.java:269) at org.apache.catalina.valves.RemoteHostValve.invoke(RemoteHostValve.jav a:81) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java: 555) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal ve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav a:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java :857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proce ss(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:48 9)
Apache Tomcat Patching Requirements
Hi All *What is the frequency of patches/updates required for the Tomcat Web Browser? *What type of Patches does it require? i.e. security patch updates *How critical is the patches required? i.e. Critical, Important, Moderate or Low Thanks in advance, Janette Janette Isiguzo Service Delivery Architect Defence National Security Fujitsu Jays Close, Basingstoke, RG22 4BY Mob: +44 (0) 7867825881 or Internal 28892/42916 Email: janette.isig...@uk.fujitsu.commailto:janette.isig...@uk.fujitsu.com Web: uk.fujitsu.comhttp://uk.fujitsu.com/ [cid:image001.jpg@01D0827F.ABF545E0]http://www.youtube.com/user/fujitsuUK [cid:image002.jpg@01D0827F.ABF545E0] http://www.facebook.com/fujitsuuk [cid:image003.jpg@01D0827F.ABF545E0] http://twitter.com/#!/fujitsu_uk [cid:image004.jpg@01D0827F.ABF545E0] http://www.linkedin.com/company/fujitsu-uk-and-ireland [cid:image005.jpg@01D0827F.ABF545E0] http://blog.uk.fujitsu.com/ [cid:image006.jpg@01D0827F.ABF545E0] https://plus.google.com/103287532874520008913/ Fujitsu is proud to partner with Action for Childrenhttp://www.actionforchildren.org.uk/ I-CIOhttp://www.i-cio.com/: Global Intelligence for the CIO. Fujitsu's online resource for ICT leaders Reshaping ICT, Reshaping Business in partnership with FT.comhttp://reshaping-ict.ft.com/ P Please consider the environment - do you really need to print this email? [cid:image007.jpg@01D0827F.ABF545E0]https://www.youtube.com/playlist?list=PLV493J-pTITeSWLKa-cxQ0QMLYy3h1dOT Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited, or from Fujitsu Telecommunications Europe Limited, together Fujitsu. This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is virus-free. Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U 3BW. Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U 3BW. PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park Central, Hayes End Road, Hayes, Middlesex, UB4 8FE. Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull Parkway, Birmingham Business Park, Birmingham, B37 7YU.
Re: Apache Tomcat Patching Requirements
On 29/04/2015 13:23, Isiguzo Janette wrote: Hi All What is the frequency of patches/updates required for the Tomcat Web Browser? Apache Tomcat isn't a web browser. Assuming that you did mean Apache Tomcat, the web container that implements the Servlet, JSP, WebSocket and EL specifications... Required is something that you define. Every release works. Whether it works for you is a completely different question that only you can answer. What type of Patches does it require? i.e. security patch updates The Tomcat community does not produce patches. Bugs (including security bugs) are fixed by a new release. And there is that word required again... How critical is the patches required? i.e. Critical, Important, Moderate or Low Again, only you can answer that. The impact of a particular bug or security vulnerability in your environment is something only you can determine. Mark Thanks in advance, Janette *Janette Isiguzo * Service Delivery Architect Defence National Security *Fujitsu* * *Jays Close, Basingstoke, RG22 4BY Mob: +44 (0) 7867825881 or Internal 28892/42916 Email: janette.isig...@uk.fujitsu.com mailto:janette.isig...@uk.fujitsu.com_ _Web: uk.fujitsu.com http://uk.fujitsu.com/ // *youtube-icon.gif* http://www.youtube.com/user/fujitsuUK* **Facebook-icon.gif* http://www.facebook.com/fujitsuuk* **twitter-icon.gif* http://twitter.com/#!/fujitsu_uk* **linkedin-icon.gif* http://www.linkedin.com/company/fujitsu-uk-and-ireland* **blogger.png* http://blog.uk.fujitsu.com/* **google-plus-icon.gif* https://plus.google.com/103287532874520008913/* * Fujitsu is proud to partner withAction for Children http://www.actionforchildren.org.uk/ I-CIO http://www.i-cio.com/:Global Intelligence for the CIO.Fujitsu’s online resource for ICT leaders Reshaping ICT, Reshaping Business in partnership with FT.com http://reshaping-ict.ft.com/ ** PPlease consider the environment - do you really need to print this email? * * cid:image001.jpg@01D05A55.B5225330 https://www.youtube.com/playlist?list=PLV493J-pTITeSWLKa-cxQ0QMLYy3h1dOT** Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited, or from Fujitsu Telecommunications Europe Limited, together Fujitsu. This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is virus-free. Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U 3BW. Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U 3BW. PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park Central, Hayes End Road, Hayes, Middlesex, UB4 8FE. Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull Parkway, Birmingham Business Park, Birmingham, B37 7YU. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: JNDI realm Global Catalog question
-Original Message- From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Sent: Tuesday, April 28, 2015 10:18 AM To: Tomcat Users List Subject: Re: JNDI realm Global Catalog question Am 28. April 2015 17:11:55 MESZ, schrieb Christopher Schultz ch...@christopherschultz.net: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neil, On 4/28/15 9:48 AM, Lazarow, Neil wrote: I have multiple domain controllers, all of which are set to function as global catalog servers. Is it possible to put multiple alternateURL entires into your JNDIRealm confiugration (see example below)? Tomcat Version: 6.0.33 on Red Hat Enterprise Linux 5 -- Realm className=org.apache.catalina.realm.JNDIRealm adCompat=true connectionURL=ldaps://ldap1.my.domainname.com:3269 alternateURL=ldaps://ldap2.my.domainname.com:3269 alternateURL=ldaps://ldap3.my.domainname.com:3269 connectionName=u...@my.domain.com connectionPassword=password referrals=follow userBase=CN=Users,dc=my,dc=domainname,dc=com userSearch=(sAMAccountName={0}) userSubtree=true userRoleName=memberOf roleBase=CN=Users,dc=my,dc=domainname,dc=com roleName=CN roleSearch=(member={0}) roleNested=true / I don't think this is currently supported, but it would be a nice enhancement. Could you make a request in Bugzilla? http://bz.apache.org/ In the meantime, you might be able to get away with a configuration like this: Realm className=org.apache.catalina.realm.CombinedRealm Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldaps://server-1 ... / Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldaps://server-2 ... / Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldaps://server-3 ... / /Realm You could even try to set connectionURL to all servers at once separated by space. I believe jndi supports this. That would be something like connectionURL=ldaps://one ldaps://two ldaps://three I haven't tested it, though. Regards Felix The timeouts you'll experience to fail-over from one server to the other might not be acceptable for you, though. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org Felix, Tomcat appears to accept the list of connectionURL entries separated by spaces. Neil Confidentiality: This transmission, including any attachments, is solely for the use of the intended recipient(s). This transmission may contain information that is confidential or otherwise protected from disclosure. The use or disclosure of the information contained in this transmission, including any attachments, for any purpose other than that intended by its transmittal is strictly prohibited. Unauthorized interception of this email is a violation of federal criminal law. If you are not an intended recipient of this transmission, please immediately destroy all copies received and notify the sender.
Need Help in configuring a Custom Class loader in Tomcat - 8
All, I wanted to gather some help and feedbacks in configuring a custom class loader with tomcat –8. We were using a custom class loader with Tomcat 6 7 successfully which is used to load custom jars from some common locations outside tomcat in our case. APIs being used for this seems to be removed with tomcat 8 as part of restructure in this area , and we need some guidance/examples/pointers here to move further. Please note with Tomcat 6 7 we were able to override WebappLoader.setContainer(Container container) method to add new jars , we need some pointers to achieve the equivalent with tomcat 8. Thanks for your attention! Regards, Ashish Kumar Singh Mobile: +91-9972045095 Skype: toashi...@gmail.com
Re: Finding the Apache httpd IP address when AJP is used
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Paul, On 4/29/15 11:17 AM, Paul Klinkenberg wrote: The reason I want to add the IP restriction in the valve, is to make 100% sure that the request (for creating a new Tomcat context) is indeed coming from the frontend webserver. I think there are better ways to do this. Among them: 1. Firewall rule that only allows access to the AJP port from a certain IP address/range. 2. Use of the secret configuration parameter for mod_jk/AJP connector In production, we tunnel AJP from our web servers to our application servers using stunnel, and stunnel connections are only allowed from the range of IPs used by our web servers. Then, we actually have the AJP connector listen on ::1 so nobody from the outside can connect to us, except through such a tunnel. This valve is a setup not just for me, where I could tweak server settings and such, but for anyone who uses the mod_cfml connector. It is installed by default by the Railo/Lucee installers (getrailo.org http://getrailo.org/ / lucee.org http://lucee.org/) It seems a little fragile, because it requires configuration beyond what an installer can auto-configure for you (i.e. it has no idea what the IP address of the web server(s) is(are)). Therefor, I cannot rely on an incoming header, as it could originate from anywhere. Also, a remote system could call the AJP endpoint on the Tomcat server, with this JkEnvVar set to a spoofed value. (if the port is not firewalled off course) So the problem with both options is, that they cannot be fully trusted. If you are that paranoid, you also can't trust the source IP address in the IP header, so you are back to square 1: you can't trust anything, so don't build your security around this lack-of-trust. If I am able to find out where the AJP request came from, then I can validate the caller. The only way to check the caller would be to get ahold of the Socket that Tomcat is using to communicate. That's not easily done, since Tomcat wants to protect its sockets from code messing-around with the state of those Sockets. If you don't trust mod_jk to send you the right values, then you also can't trust the REMOTE_ADDR value that is pointing to the real client. Basically, it comes down to this: you either trust mod_jk or not. If you don't, then all bets are off. If you *can* trust mod_jk, then just forward an environment variable using JkEnvVar: that technique can't be modified by the client injecting an HTTP header or anything like that. But of course, you still have to trust mod_jk and the connection the request came from. This is what the firewall should be used for, IMO. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQP1VAAoJEBzwKT+lPKRYkcwQAKEJ4L4xqd7h2TRoA0TaAZYk MsnpJy9fKSOB+18jAgN8d1vcctV9+zabgRqT+BhK6rArc3RcaO4puLgNe2k3IduH AMHXQARLyYFSH42q7cAFyiRV5jVhDdTKr+pEhKTNbXdwdoOxPQMknTpfK01ESPkA kVAKWnT2GdLq9eo3nSGlTXyKJrBLNPa2LhHHQXmc/VaSIO6wFR3pEP/DkoOdU430 QVmDinvruNEvSSNf0ef8UTeBhLOYFb099GfIOFq57r46B5s63469yQCwRrCKK7c9 g89Xm8j44TI445nj1J7BpbHfwLZxFsKRVwln2MZ0RKxX7ow/Zs/teQj7FpG6pbr2 7RGPi7jn0bo5GVe15S8cQMhPt7144FwuO97dhzPPUD+Dqv6hXuuNO92uJbDjllCl GW5pzhHqKZ7BJ54q6RZsreArz/PRE+Cih/fs+MhjmHy6W/Aj5HeOVF8aJmn4/KvZ T+Ran+gsMCP6yJoT/kBUgUEF0UG2tCgMhS30x3g2y/aGokbeqOX4QND2PtEyz2Mh 9sX9wAfCDNmAtgZU5tGOVh4rKvA0CvZz8JUteOTL/ohgNBwUfkc4zYpYHbX6qwoV N1BxwxRWA+gC931vmJFSrmwwBjbmaBoCVYwpyi+Yh6HPhOKWU+78S63qgXE15sqw OCfKtYQalTmKga46o2gI =Ee12 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Need Help in configuring a Custom Class loader in Tomcat - 8
On 29/04/2015 17:50, Ashish Kumar Singh wrote: All, I wanted to gather some help and feedbacks in configuring a custom class loader with tomcat –8. We were using a custom class loader with Tomcat 6 7 successfully which is used to load custom jars from some common locations outside tomcat in our case. APIs being used for this seems to be removed with tomcat 8 as part of restructure in this area , and we need some guidance/examples/pointers here to move further. Please note with Tomcat 6 7 we were able to override WebappLoader.setContainer(Container container) method to add new jars , we need some pointers to achieve the equivalent with tomcat 8. Thanks for your attention! Use the new WebResources implementation to map those external JARs to JARs in WEB-INF/lib. You can either map a directory of JARs to WEB-INF/lib or individual JARs to WEB-INF/lib/name-of-jar.jar Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
FW: tomcat7 in chroot environment
Avanzando es la unica forma de dejar atras lo que no necesitamos. Andrea From: solange_...@hotmail.com To: users@tomcat.apache.org Subject: tomcat7 in chroot environment Date: Wed, 29 Apr 2015 15:09:07 -0500 Hi, excuse me I have a little problem with the tomcat7 installation. The tomcat7 install with apt-get for a opengeosuite-server installer in a chroot with ubuntu environment, the problem is when I want to start the service in the chroot console it throws me a message: * tomcat7 is not installed I change the /var/lib/tomcat7 an /usr/share/tomcat7 folders owner to tomcat7 because there was with root as owner in the folders in the chroot environment in the past this resolve the problem in a tipical installing and change the CATALINA_BASE an CATALINA_HOME in the start script in the /etc/init.d/tomcat7 with the folders in the chroot environment. In the beginning the message when I execute the command service tomcat7 start doesn't throws me nothing, all was normal but I can´t see the web page or the service running from another machine. I see that the link to the folder /var/lib/tomcat7 in the chroot environment doesn´t go to a file inside the chroot I change that to the ubication inside the chroot then began with the problem. Regards, Andrea Freire Avanzando es la unica forma de dejar atras lo que no necesitamos. Andrea
Re: Need Help in configuring a Custom Class loader in Tomcat - 8
Thanks Mark! We are going to try this out and update you! Regards, Ashish On 29/04/15 10:26 pm, Mark Thomas ma...@apache.org wrote: On 29/04/2015 17:50, Ashish Kumar Singh wrote: All, I wanted to gather some help and feedbacks in configuring a custom class loader with tomcat –8. We were using a custom class loader with Tomcat 6 7 successfully which is used to load custom jars from some common locations outside tomcat in our case. APIs being used for this seems to be removed with tomcat 8 as part of restructure in this area , and we need some guidance/examples/pointers here to move further. Please note with Tomcat 6 7 we were able to override WebappLoader.setContainer(Container container) method to add new jars , we need some pointers to achieve the equivalent with tomcat 8. Thanks for your attention! Use the new WebResources implementation to map those external JARs to JARs in WEB-INF/lib. You can either map a directory of JARs to WEB-INF/lib or individual JARs to WEB-INF/lib/name-of-jar.jar Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JNDI realm Global Catalog question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neil, On 4/29/15 12:01 PM, Lazarow, Neil wrote: -Original Message- From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Sent: Tuesday, April 28, 2015 10:18 AM To: Tomcat Users List Subject: Re: JNDI realm Global Catalog question Am 28. April 2015 17:11:55 MESZ, schrieb Christopher Schultz ch...@christopherschultz.net: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neil, On 4/28/15 9:48 AM, Lazarow, Neil wrote: I have multiple domain controllers, all of which are set to function as global catalog servers. Is it possible to put multiple alternateURL entires into your JNDIRealm confiugration (see example below)? Tomcat Version: 6.0.33 on Red Hat Enterprise Linux 5 -- Realm className=org.apache.catalina.realm.JNDIRealm adCompat=true connectionURL=ldaps://ldap1.my.domainname.com:3269 alternateURL=ldaps://ldap2.my.domainname.com:3269 alternateURL=ldaps://ldap3.my.domainname.com:3269 connectionName=u...@my.domain.com connectionPassword=password referrals=follow userBase=CN=Users,dc=my,dc=domainname,dc=com userSearch=(sAMAccountName={0}) userSubtree=true userRoleName=memberOf roleBase=CN=Users,dc=my,dc=domainname,dc=com roleName=CN roleSearch=(member={0}) roleNested=true / I don't think this is currently supported, but it would be a nice enhancement. Could you make a request in Bugzilla? http://bz.apache.org/ In the meantime, you might be able to get away with a configuration like this: Realm className=org.apache.catalina.realm.CombinedRealm Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldaps://server-1 ... / Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldaps://server-2 ... / Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldaps://server-3 ... / /Realm You could even try to set connectionURL to all servers at once separated by space. I believe jndi supports this. That would be something like connectionURL=ldaps://one ldaps://two ldaps://three I haven't tested it, though. Regards Felix The timeouts you'll experience to fail-over from one server to the other might not be acceptable for you, though. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org Tomcat appears to accept the list of connectionURL entries separated by spaces. Great, thanks for testing that. Looks like the documentation could use a tweak. Care to give us a docs patch and get yourself in the Changelog? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQSeoAAoJEBzwKT+lPKRYrigQALPoA3EAcGdV1ZjxkYBfZu3J m6fLoDvgRbr9O1WHK9TvyDyhGQEtcgDQvRzv9oI5gAK0Ao99OT1Up5ye36jVDZxw BHPKBBLSBYaRB6hKUTHaoDEyADbHZ9hW+w5ykpwAs3Jloaph5RbSYM5+rVLx+8LJ eGm61qNFaJftY5nawkgK7WrI1BwYLOdJbnbENw7j7le4Q0rJflp6Odng2FwbfQ+8 Y57aJxcfc0/lNXd52/jJhhGMNL+9up4xIBo7CRF4QnTOzHUMy/DdxoCXVaw+uN+D ixHdffGG3DY5YeLvKusQro20FxQeIaTQc4XJSAF+zz1dz8jDnTf77XUhSkqdjOds lqefW/HXls6oHjf8zNOa97TMD7/ewwbJJMn4Nvmxwyh2msl89Sf6+ua5BSy0IT7G g/2IQTQ7AGs7FDsnqy4BLtRGFBpZRM41ecxrHoK52/cJMjqr+GNpWFlDu5lyHfKc qZ0DOOVjLcCifR50e419pKCVzT4Ru7/mP0/r0hUn7kiEaKMKfgH/Xxh+4j8jau5v 3ag8uUOPY6O6EGq9ID9k0c+Zo0ZahPQ8mAYitIa57CLoq8/sRyaYrrWYaIZA8cPP X/EQdhXDcWFo8tUPYjQHvCEplLTjBgFYOlz8H+q+UVG1R9axLw5zQvB8m3hRrFty os74yx2VxZ710EUOynGO =+gdD -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: FW: tomcat7 in chroot environment
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Andrea, On 4/29/15 4:14 PM, Andrea Freire wrote: excuse me I have a little problem with the tomcat7 installation. The tomcat7 install with apt-get for a opengeosuite-server installer in a chroot with ubuntu environment, the problem is when I want to start the service in the chroot console it throws me a message: * tomcat7 is not installed I change the /var/lib/tomcat7 an /usr/share/tomcat7 folders owner to tomcat7 because there was with root as owner in the folders in the chroot environment in the past this resolve the problem in a tipical installing and change the CATALINA_BASE an CATALINA_HOME in the start script in the /etc/init.d/tomcat7 with the folders in the chroot environment. In the beginning the message when I execute the command service tomcat7 start doesn't throws me nothing, all was normal but I can´t see the web page or the service running from another machine. I see that the link to the folder /var/lib/tomcat7 in the chroot environment doesn´t go to a file inside the chroot I change that to the ubication inside the chroot then began with the problem. What you have to understand about chroot is that 100% of what you need to launch your process needs to be available *inside* the chroot'd environment. So, if you need to chroot to /var/tomcat/chroot, then you are going to need a directory at /var/tomcat/chroot/var/lib/tomcat7 containing whatever files you expected to be there. Have you had Tomcat working in a chroot'd environment in the past? I've had a nightmare of a time trying to get a JVM to launch within a chroot'd environment because it needs to many support libraries, etc. available just to start. Once the JVM can launch within the chroot'd environment, getting Tomcat to work should be trivial: just move everything Tomcat needs into the chroot root-dir (likely a subdirectory of this, actually) and you should be fine. As for launching Tomcat within the chroot'd environment from a service script, your service script needs to execute the chroot command and then give a command to run once the chroot() system call has completed. Presumably, that command will be /path/to/tomcat/bin/catalina.sh start. The /path/to/tomcat should be relative to the chroot's root, and both CATALINA_BASE and CATALINA_HOME should also be relative to the chroot's root directory. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQUDZAAoJEBzwKT+lPKRYBKEP+wZWznBPfG4fFuMFd0P55AHm ecSgmOeAqxQLFzvZpQdA2nr8QUBLSU+rcjvaFw6H+5lP1BR/2iJl3IxBiof5xBkp YFsdII/0E4n9Nq1wgntKU3KdywbxAtKuDdjMbD1mxqUttdT2RjpclNubZLMZek5o Wdh/6Bx/mnPhEQE08dTupsQ4xBXNL4KKc3yNHkNSewiFqQZxvMxPCXd1hf+kCRVk uN9QBzr5mCEazNk1wr4fZLGaNVur1YaKHOYDuDN4+KbzvCwrblYnWbbg+ScWDl5T 2P1khdJL7/w8CBmRXK+c8mCC/PbtkLvZMqD2UV8+6zUWYyWAkBy1p3yilxxDVcNL 7G05Fqpj6RnnDFzZvjpdcDILPQOirL89YyDKGHs6oh0G2ShOWxUYc6wX4seODTt9 K4icj9lz/msmnM2bQEI1OdQ5oMOTg+LGys+RnVAIX/S6hXQEj4JMUUUiSWQKxeHg 5ql8ZW/6kXeFDIs5TwTAbHRSCcP3ff89C/nPgLnQ1myk4O2rqfHt7RNUm3slFBQI 668bUS0bRX1pXGAaxq0GERkehsTAb4EIuZG2xU8iG1ZxK/YZJsIdXumTZUUR0M6K 5voG1VJ3s+pCit6xbPxHKvT4OZzITPWE5j8cmlEUp0b/1wt0HBx2bM7NggpJBGnj o+NhNGWEKxIYvZOh+SM4 =Ga4k -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache Tomcat Patching Requirements
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Janette, On 4/29/15 8:23 AM, Isiguzo Janette wrote: Hi all, ·What is the frequency of patches/updates required for the Tomcat Web Browser? ·What type of Patches does it require? i.e. security patch updates ·How critical is the patches required? i.e. Critical, Important, Moderate or Low Thanks in advance, Janette Number of words above: 44 Number of words below: 239 SNR: 18.4% (or, if you prefer, -16.9db) Please consider removing all the following useless cruft when posting to mailing lists. - -chris *Janette Isiguzo * Service Delivery Architect Defence National Security *Fujitsu* * *Jays Close, Basingstoke, RG22 4BY Mob: +44 (0) 7867825881 or Internal 28892/42916 Email: janette.isig...@uk.fujitsu.com mailto:janette.isig...@uk.fujitsu.com_ _Web: uk.fujitsu.com http://uk.fujitsu.com/ // *youtube-icon.gif* http://www.youtube.com/user/fujitsuUK* **Facebook-icon.gif* http://www.facebook.com/fujitsuuk* **twitter-icon.gif* http://twitter.com/#!/fujitsu_uk* **linkedin-icon.gif* http://www.linkedin.com/company/fujitsu-uk-and-ireland* **blogger.png* http://blog.uk.fujitsu.com/* **google-plus-icon.gif* https://plus.google.com/103287532874520008913/* * Fujitsu is proud to partner withAction for Children http://www.actionforchildren.org.uk/ I-CIO http://www.i-cio.com/:Global Intelligence for the CIO.Fujitsu’s online resource for ICT leaders Reshaping ICT, Reshaping Business in partnership with FT.com http://reshaping-ict.ft.com/ ** PPlease consider the environment - do you really need to print this email? * * cid:image001.jpg@01D05A55.B5225330 https://www.youtube.com/playlist?list=PLV493J-pTITeSWLKa-cxQ0QMLYy3h1 dOT** Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited, or from Fujitsu Telecommunications Europe Limited, together Fujitsu. This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is virus-free. Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U 3BW. Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U 3BW. PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park Central, Hayes End Road, Hayes, Middlesex, UB4 8FE. Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull Parkway, Birmingham Business Park, Birmingham, B37 7YU. -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQUPRAAoJEBzwKT+lPKRY/zYQAIWWTJFqSnn8Ie0hWyIKRf+Y gn54I8qBq7FmUuw7M3kwBe7/badUwEtfpAnhfMjVhoTZFfy6fxZDUmKb9YTIclXG aYWK/FYfs67iMw8pYGlrc2jPDrv1k5oHNuxvdFI4tjfi4lZHaEMnX2B7BvKzLYd2 pjAYbZv1A1G1c5wnPr42D7t+2yUWBYbXOsIlalWdKvkQxRuWXudV8cr94aqTNA7y 5MG+JLIJxZRH8vtkXmIwfIsNDxwfrmhqzlPi9Bqwr2hk+c8Clg0uO/wSxXkPqsVj 6lzPmSyMfY6XAjzjmjyM5OFYh53WznRglnFZpJlQgsNre5g7vMqmvAUTOiwg6iRy 74nz+UdyF3Tha/Jpw9dR6zYugrsOlSA4u80H8LcG33XH/P2F5aAMuAsJREDfNsWw 9PXGIqoAAtXECpV4Ljr9Oqnzq78RdlXp0w6/tJ0B1OCVl8xN4716kDyvs58wfUVN btV5oyU/rWKCb/dlGMT2BLITWezd2D0l3APUPPiyGQPRrIaCrulIHUYYGeDbZ0SC gr9GOXPm1Ibxe3ztt16retIKHrV3/mCJiLxwLhr2e17J1BcG9IQSjc36wceCAeWC Az1udVRkeZ6Qw1eRkeil+ohSKovoKXPYeIGo2D+GyGrrE2kh1iFXEvC09vHjbXE9 SDS5CzGlUGaDDeLlaQUn =hWnG -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: File descriptors peaks with latest stable build of Tomcat 7
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Thomas, On 4/25/15 4:25 AM, Thomas Boniface wrote: When talking about the strategy for our next test on the release we checked at the tomcat connector configuration but we are unsure how to applies your advices: 1. Check the nginx configuration. Specifically, the keep-alive and timeout associated with the proxy configuration. 2. Make sure that Tomcat's timeouts are appropriate for those matching settings in nginx. It seems were have 100 connections max keept alive at nginx level ( keepalive), a timeout to connect to tomcat of 2s (proxy_connect_timeout) and a timeout to read from tomcat of 10s (proxy_read_timeout). On tomcat side we have a connector like follows: Connector port=8080 protocol=org.apache.coyote.http11.Http11NioProtocol selectorTimeout=1000 maxThreads=200 maxHttpHeaderSize=16384 address=127.0.0.1 redirectPort=8443/ It sounds like you need to add this to your Connector configuration: connectionTimeout=1 This matches your value for proxy_read_timeout. You should probably also set keepAliveTimeout if you think it needs to be different from connectionTimeout (keepAliveTimeout defaults to connectionTimeout). I'm not sure if Nginx's proxy_read_timeout is the same timeout used to terminate a connection to Tomcat if Nginx hasn't tried to send a request over that connection for a while, but if so, the connectionTimeout/keepAliveTimeout is what you want to set. I'm not sure that setting selectorTimeout to something other than the default helps you at all (1000ms is the default). The goal is to get both Nginx and Tomcat to close their connections at the same time when they decide that the connection is no loner necessary. If Nginx times-out more quickly than Tomcat, then re-opens a new connection to Tomcat, it will make Tomcat artificially run out of connections (and file descriptors) even though Tomcat is largely idle . - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQUnhAAoJEBzwKT+lPKRYzZwQAIgYxw6OuCgPeks/1S8x7bVP MdBdLddY9ruDNCRq9kLzKxEouo/WD5zuQW3kMRyTlX9I36HVRRcE6boaIwFBjiws LhoEMy6f5cZQj0FzRfstmyiyOFmZKtvAxwMVa8p1ykqkAhysDTU4fDKxmsKDk1fM fakJkqj4nRYP86ekFq/kIb/TNdMbzq+qx32QlevB/z+p0t7frR1DXadRK5KGXGVu dOHclY3Z29nzIGe+hdZULkZgpmAUDtk+Y7/bePeWv7ln6IBBoka7hYZGLj1+shdy PHrWs0ikTKTB9+kgS7OaipZD8r8x0yvtYYTEjZt3Jcsno0W2kKW600oTFI9YFJ2M XDu87+TUvb+E/NYLjJIPQICtDK71b0JpPt8ijQCx+91RFiFRYS8tuWNABcWbtRBb C2WlHmNilI/i+kAc7Syvao9gKO594jpao4nlPWhOXJK75QDw5K1szgo/ONgwujtU YRtpyZCVVB8UCUk8QIESL8WQT7zlP4MDlEpmeyRzhEGRcelCMoXEq22rZ4HVygAP iZg8KbkwUN/Ul7FMcwBbxoWOVE9iTBEj2nHuriAH5oKPnSJbuI2lfxOpxKSVMQaI NKV8Zb+yNby11UWWQxxI0QaStZB9IMVnCTLEMXT/M/okwd12xZKuChhh6RFaXKxL WIZLFHnxc4C5yWay7OPx =tLMj -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: tomcat7 in chroot environment
Just a little question the apt-get command when you execute inside the chroot doesn't install all the dependencies. Date: Wed, 29 Apr 2015 16:36:41 -0400 From: ch...@christopherschultz.net To: users@tomcat.apache.org Subject: Re: FW: tomcat7 in chroot environment -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Andrea, On 4/29/15 4:14 PM, Andrea Freire wrote: excuse me I have a little problem with the tomcat7 installation. The tomcat7 install with apt-get for a opengeosuite-server installer in a chroot with ubuntu environment, the problem is when I want to start the service in the chroot console it throws me a message: * tomcat7 is not installed I change the /var/lib/tomcat7 an /usr/share/tomcat7 folders owner to tomcat7 because there was with root as owner in the folders in the chroot environment in the past this resolve the problem in a tipical installing and change the CATALINA_BASE an CATALINA_HOME in the start script in the /etc/init.d/tomcat7 with the folders in the chroot environment. In the beginning the message when I execute the command service tomcat7 start doesn't throws me nothing, all was normal but I can´t see the web page or the service running from another machine. I see that the link to the folder /var/lib/tomcat7 in the chroot environment doesn´t go to a file inside the chroot I change that to the ubication inside the chroot then began with the problem. What you have to understand about chroot is that 100% of what you need to launch your process needs to be available *inside* the chroot'd environment. So, if you need to chroot to /var/tomcat/chroot, then you are going to need a directory at /var/tomcat/chroot/var/lib/tomcat7 containing whatever files you expected to be there. Have you had Tomcat working in a chroot'd environment in the past? I've had a nightmare of a time trying to get a JVM to launch within a chroot'd environment because it needs to many support libraries, etc. available just to start. Once the JVM can launch within the chroot'd environment, getting Tomcat to work should be trivial: just move everything Tomcat needs into the chroot root-dir (likely a subdirectory of this, actually) and you should be fine. As for launching Tomcat within the chroot'd environment from a service script, your service script needs to execute the chroot command and then give a command to run once the chroot() system call has completed. Presumably, that command will be /path/to/tomcat/bin/catalina.sh start. The /path/to/tomcat should be relative to the chroot's root, and both CATALINA_BASE and CATALINA_HOME should also be relative to the chroot's root directory. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQUDZAAoJEBzwKT+lPKRYBKEP+wZWznBPfG4fFuMFd0P55AHm ecSgmOeAqxQLFzvZpQdA2nr8QUBLSU+rcjvaFw6H+5lP1BR/2iJl3IxBiof5xBkp YFsdII/0E4n9Nq1wgntKU3KdywbxAtKuDdjMbD1mxqUttdT2RjpclNubZLMZek5o Wdh/6Bx/mnPhEQE08dTupsQ4xBXNL4KKc3yNHkNSewiFqQZxvMxPCXd1hf+kCRVk uN9QBzr5mCEazNk1wr4fZLGaNVur1YaKHOYDuDN4+KbzvCwrblYnWbbg+ScWDl5T 2P1khdJL7/w8CBmRXK+c8mCC/PbtkLvZMqD2UV8+6zUWYyWAkBy1p3yilxxDVcNL 7G05Fqpj6RnnDFzZvjpdcDILPQOirL89YyDKGHs6oh0G2ShOWxUYc6wX4seODTt9 K4icj9lz/msmnM2bQEI1OdQ5oMOTg+LGys+RnVAIX/S6hXQEj4JMUUUiSWQKxeHg 5ql8ZW/6kXeFDIs5TwTAbHRSCcP3ff89C/nPgLnQ1myk4O2rqfHt7RNUm3slFBQI 668bUS0bRX1pXGAaxq0GERkehsTAb4EIuZG2xU8iG1ZxK/YZJsIdXumTZUUR0M6K 5voG1VJ3s+pCit6xbPxHKvT4OZzITPWE5j8cmlEUp0b/1wt0HBx2bM7NggpJBGnj o+NhNGWEKxIYvZOh+SM4 =Ga4k -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Exception in Tomcat7 when closing stream, server crashes
On 4/29/15, 4:39 PM, Christopher Schultz ch...@christopherschultz.net wrote: When you say that Tomcat crashes, are you saying that the JVM halts with an hs_err_[pid] file, or do you mean you get the above stack traces (which are errors, I would not call them crashes). What exact version of tcnative are you using? APR? What OS are you using ? Can you switch to the NIO connector temporarily to see if those problems go away? It's possible that this is only a problem with the APR connector. - -chris Thanks for the response Chris, Yes, eventually it crashes with a hs_err file and has to be restarted. The errors do not show up when we use NIO so I am pretty sure it¹s a problem in the APR connector somewhere. APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.1. OS is Centos 6.4. Thanks smime.p7s Description: S/MIME cryptographic signature
Re: Exception in Tomcat7 when closing stream, server crashes
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Osman, On 4/29/15 10:52 AM, Osman Ullah | Ntrepid Corp wrote: Hello, We are using Tomcat 7.0.61 and we are seeing the following error in catalina.out: Apr 29, 2015 2:23:14 PM org.apache.coyote.AbstractProcessor setErrorState INFO: An error occurred in processing while on a non-container thread. The connection will be closed immediately java.io.IOException at rg.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalAp rOutp utBuffer.java:205) at org.apache.coyote.http11.InternalAprOutputBuffer.flush(InternalAprOutp utBuf fer.java:109) at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11 Proce ssor.java:801) at org.apache.coyote.Response.action(Response.java:172) at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:3 63) at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:331 ) at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStr eam.j ava:101) at org.granite.gravity.AbstractChannel.runReceived(AbstractChannel.java:2 64) at org.granite.gravity.AbstractChannel.runReceive(AbstractChannel.java:19 9) at org.granite.gravity.AsyncReceiver.doRun(AsyncReceiver.java:34) at org.granite.gravity.AsyncChannelRunner.run(AsyncChannelRunner.java:52) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.j ava:1 145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor. java: 615) at java.lang.Thread.run(Thread.java:745) Apr 29, 2015 2:23:14 PM org.apache.coyote.AbstractProcessor setErrorState INFO: An error occurred in processing while on a non-container thread. The connection will be closed immediately java.io.IOException at org.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalA prOut putBuffer.java:205) at org.apache.coyote.http11.InternalAprOutputBuffer.endRequest(InternalAp rOutp utBuffer.java:150) at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11 Proce ssor.java:762) at org.apache.coyote.Response.action(Response.java:174) at org.apache.coyote.Response.finish(Response.java:274) at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:319 ) at org.apache.catalina.connector.CoyoteOutputStream.close(CoyoteOutputStr eam.j ava:108) at org.granite.gravity.AbstractChannel.runReceived(AbstractChannel.java:3 08) at org.granite.gravity.AbstractChannel.runReceive(AbstractChannel.java:19 9) at org.granite.gravity.AsyncReceiver.doRun(AsyncReceiver.java:34) at org.granite.gravity.AsyncChannelRunner.run(AsyncChannelRunner.java:52) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.j ava:1 145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor. java: 615) at java.lang.Thread.run(Thread.java:745) Apr 29, 2015 2:23:14 PM org.apache.tomcat.util.net.AprEndpoint processSocketAsync SEVERE: Error allocating socket processor java.lang.NullPointerException at org.apache.tomcat.util.net.AprEndpoint.processSocketAsync(AprEndpoint. java: 885) at org.apache.coyote.AbstractProcessor.setErrorState(AbstractProcessor.ja va:84 ) at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11 Proce ssor.java:764) at org.apache.coyote.Response.action(Response.java:174) at org.apache.coyote.Response.finish(Response.java:274) at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:319 ) at org.apache.catalina.connector.CoyoteOutputStream.close(CoyoteOutputStr eam.j ava:108) at org.granite.gravity.AbstractChannel.runReceived(AbstractChannel.java:3 08) at org.granite.gravity.AbstractChannel.runReceive(AbstractChannel.java:19 9) at org.granite.gravity.AsyncReceiver.doRun(AsyncReceiver.java:34) at org.granite.gravity.AsyncChannelRunner.run(AsyncChannelRunner.java:52) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.j ava:1 145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor. java: 615) at java.lang.Thread.run(Thread.java:745) We are also seeing this, which also happens with stream.close() around the same time: Exception in thread pool-4-thread-3 java.lang.Error: org.apache.tomcat.jni.Error: 20005: An invalid socket was returned at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.j ava:1 151) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor. java: 615) at java.lang.Thread.run(Thread.java:745) Caused by: org.apache.tomcat.jni.Error: 20005: An invalid socket was returned at org.apache.tomcat.jni.Socket.sendbb(Native Method) at org.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalA prOut putBuffer.java:204) at org.apache.coyote.http11.InternalAprOutputBuffer.endRequest(InternalAp rOutp utBuffer.java:150) at
Re: Help with overriding default cookie name
Chris, Thanks for getting back to me. I did end up solving the problem, and it was not a bug or related in any way to what Tomcat is doing. It ended up being a (very buried) property setting of the application that is not documented anywhere. A lot of grep-ing lead me to the realization. After setting the property, Tomcat behaves as expected and obeys the application's desired cookie name. Thanks again for letting me bounce my ideas off you, much appreciated! Cheers, Brian Jones Programmer/Analyst Information Technology Services Support Services Building, Suite 4300 Western University (519) 661-2111 x86969 bjone...@uwo.ca On 2015-04-29 05:18 PM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Brian, On 4/21/15 3:21 PM, Brian Jones wrote: Chris, thanks for getting back to me! I'm trying to override the default cookie name (JSESSIONID) for one of my Tomcat7 instances. I put the following in $catalina_home/conf/context.xml: Context sessionCookieName=MyCookie That will change the session cookie name for all applications deployed on the server, and not just one web application. Is that what you wanted ? Yes, this is what I'm after. I'm working on an enterprise application which is comprised of over 70 webapps all working together. I need to change it for everything, as they all obey a single cookie. However, after restarting Tomcat, the setting isn't being applied; the cookie always remains as JSESSIONID rather than MyCookie. My environment is: tomcat 7.0.39, java 1.7.0_79, kubuntu 14.10. Can anyone shed some light on how/where $catalina_home/conf/context.xml is loaded? Or any ideas, suggestions, etc are appreciated. I would have expected what you did to work. Do you have a separate CATALINA_BASE as well as a CATALINA_HOME? If so, the CATALINA_BASE/conf/context.xml will *completely override* the one in CATALINA_HOME/conf/context.xml. I don't believe so, output from ./shutdown.sh: Using CATALINA_BASE: /opt/apache-tomcat-7.0.39 Using CATALINA_OWL: /opt/apache-tomcat-7.0.39 Using CATALINA_TMPDIR: /opt/apache-tomcat-7.0.39/temp Using JRE_HOME: /usr/lib/jvm/java-7-openjdk-amd64 Using CLASSPATH: /opt/apache-tomcat-7.0.39/bin/bootstrap.jar:/opt/apache-tomcat-7.0.39/ bin/tomcat-juli.jar It would probably be better to set the configuration in your web application's META-INF/context.xml file. Give that a try and see if it gives you the desired effect. The problem with doing this, is that as the application is open source, modifying each subtool's context.xml would fork me from the community. The only reason I'm trying to accomplish this, is because I have two versions of the application running in two different Tomcats; one is the community version, one is my institution's localized/modifyied version. I need to be able to run both simultaneously for comparison purposes. However, because both Tomcats/applications are using the same JSESSIONID as the cookie name, if I start a session on one Tomcat, it invalidates the session on the other. Anything else you can think of? Do you perhaps know how/where Tomcat is loading up the $catalina_home/conf/context.xml file? If that is known, I can perhaps modify (hack) it to point explicitly to the context.xml file that I have the sessionCookieName set. Sorry for the delayed response. I just wanted you to try to configure using META-INF/context.xml to see if that made the difference. That test will determine whether this is a bug in Tomcat (the feature doesn't work) or if Tomcat does not allow certain things to be overridden locally (e.g. the cookie name) and therefore this is an enhancement. I rather think that your expectations are reasonable, so assuming it's not a bug, I'm +1 for supporting site-wide cookie-name changes. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQUq/AAoJEBzwKT+lPKRYYroP/Ao8Vdb2eL5ExJruAZdS/xKt dzd2pVn4UTFXc1Pl8j7ShmlnBgm9VK6ls8NyGQTtshsNjO0/NaYof6mrBgiwZdAU cnZci10Oz1er3qLHY5kBC1gnWajba3pg37hMPYWvwLTNvypnPwpCotBAnzHRbDDO rU+MoGwxyi54YgAF26ewC2WUd9dy8kbLZdBis3PfE+bVNt8Ao/iA+8u9vjFzOfRv nYaY0HxnV8VbiE54kLTdmbBQtfA3YpTyzxNZCEb5XP0AZvhQazqUQSmw773UBW2c p9ovKirJ1axahdMfqYQ12HWE7ajeiONU9Q3PatVjC5fy+/uNMiGKm77cq9gr6MGG JDe+PTcNNpsKVwyz+h5RzjnJALrW1GuUaxMb5NhgRMEHK6Vgo37lmkN2Db4f494Q WkFkdjV03+ylQ88M8M+s+ubDKNVmZ0WalJsQrhePa9Q3LjTD8W71jSe5IMJT2MwP 8SEP4o4MPORaH9BlJJVYHBVYHgfuFnhXV2zqaOKph1fTvuczKjuL9LXmOlpalNsv N0FPo/1X4NkMGf2tNAO1UzF5xc/FMSllH6wuFKC3cmTHvxaqwUdcZeV0vWxbIo1c HLwhCxCPaYDuA5xgIS3JCr1HXlXY1bAQHsCWCFwbcc1C73me5qAsF0UliEC9h5mZ Sh0kPbkRrI0bJA6Kcm0v =jK03 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For
Re: Help with overriding default cookie name
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Brian, On 4/21/15 3:21 PM, Brian Jones wrote: Chris, thanks for getting back to me! I'm trying to override the default cookie name (JSESSIONID) for one of my Tomcat7 instances. I put the following in $catalina_home/conf/context.xml: Context sessionCookieName=MyCookie That will change the session cookie name for all applications deployed on the server, and not just one web application. Is that what you wanted ? Yes, this is what I'm after. I'm working on an enterprise application which is comprised of over 70 webapps all working together. I need to change it for everything, as they all obey a single cookie. However, after restarting Tomcat, the setting isn't being applied; the cookie always remains as JSESSIONID rather than MyCookie. My environment is: tomcat 7.0.39, java 1.7.0_79, kubuntu 14.10. Can anyone shed some light on how/where $catalina_home/conf/context.xml is loaded? Or any ideas, suggestions, etc are appreciated. I would have expected what you did to work. Do you have a separate CATALINA_BASE as well as a CATALINA_HOME? If so, the CATALINA_BASE/conf/context.xml will *completely override* the one in CATALINA_HOME/conf/context.xml. I don't believe so, output from ./shutdown.sh: Using CATALINA_BASE: /opt/apache-tomcat-7.0.39 Using CATALINA_OWL: /opt/apache-tomcat-7.0.39 Using CATALINA_TMPDIR: /opt/apache-tomcat-7.0.39/temp Using JRE_HOME: /usr/lib/jvm/java-7-openjdk-amd64 Using CLASSPATH: /opt/apache-tomcat-7.0.39/bin/bootstrap.jar:/opt/apache-tomcat-7.0.39/ bin/tomcat-juli.jar It would probably be better to set the configuration in your web application's META-INF/context.xml file. Give that a try and see if it gives you the desired effect. The problem with doing this, is that as the application is open source, modifying each subtool's context.xml would fork me from the community. The only reason I'm trying to accomplish this, is because I have two versions of the application running in two different Tomcats; one is the community version, one is my institution's localized/modifyied version. I need to be able to run both simultaneously for comparison purposes. However, because both Tomcats/applications are using the same JSESSIONID as the cookie name, if I start a session on one Tomcat, it invalidates the session on the other. Anything else you can think of? Do you perhaps know how/where Tomcat is loading up the $catalina_home/conf/context.xml file? If that is known, I can perhaps modify (hack) it to point explicitly to the context.xml file that I have the sessionCookieName set. Sorry for the delayed response. I just wanted you to try to configure using META-INF/context.xml to see if that made the difference. That test will determine whether this is a bug in Tomcat (the feature doesn't work) or if Tomcat does not allow certain things to be overridden locally (e.g. the cookie name) and therefore this is an enhancement. I rather think that your expectations are reasonable, so assuming it's not a bug, I'm +1 for supporting site-wide cookie-name changes. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQUq/AAoJEBzwKT+lPKRYYroP/Ao8Vdb2eL5ExJruAZdS/xKt dzd2pVn4UTFXc1Pl8j7ShmlnBgm9VK6ls8NyGQTtshsNjO0/NaYof6mrBgiwZdAU cnZci10Oz1er3qLHY5kBC1gnWajba3pg37hMPYWvwLTNvypnPwpCotBAnzHRbDDO rU+MoGwxyi54YgAF26ewC2WUd9dy8kbLZdBis3PfE+bVNt8Ao/iA+8u9vjFzOfRv nYaY0HxnV8VbiE54kLTdmbBQtfA3YpTyzxNZCEb5XP0AZvhQazqUQSmw773UBW2c p9ovKirJ1axahdMfqYQ12HWE7ajeiONU9Q3PatVjC5fy+/uNMiGKm77cq9gr6MGG JDe+PTcNNpsKVwyz+h5RzjnJALrW1GuUaxMb5NhgRMEHK6Vgo37lmkN2Db4f494Q WkFkdjV03+ylQ88M8M+s+ubDKNVmZ0WalJsQrhePa9Q3LjTD8W71jSe5IMJT2MwP 8SEP4o4MPORaH9BlJJVYHBVYHgfuFnhXV2zqaOKph1fTvuczKjuL9LXmOlpalNsv N0FPo/1X4NkMGf2tNAO1UzF5xc/FMSllH6wuFKC3cmTHvxaqwUdcZeV0vWxbIo1c HLwhCxCPaYDuA5xgIS3JCr1HXlXY1bAQHsCWCFwbcc1C73me5qAsF0UliEC9h5mZ Sh0kPbkRrI0bJA6Kcm0v =jK03 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Help with overriding default cookie name
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Brian, On 4/29/15 5:42 PM, Brian Jones wrote: Thanks for getting back to me. I did end up solving the problem, and it was not a bug or related in any way to what Tomcat is doing. It ended up being a (very buried) property setting of the application that is not documented anywhere. A lot of grep-ing lead me to the realization. After setting the property, Tomcat behaves as expected and obeys the application's desired cookie name. Those are always the most fun features (the undocumented ones). Thanks again for letting me bounce my ideas off you, much appreciated! No problem. Now you can focus on upgrading to Tomcat 8 ;) - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVQVOuAAoJEBzwKT+lPKRYbEwP/Auasoyu/I3L1tIcEwO8SxNr AzM9jUakad+RbvHDm6j7/0gptT330mPRA4m6QKrFEGrVzNBOplYeZg2czgFf2gSo keE5Yvwu80H1LpI0DHfmGyyn5k0GDJC1KWSeC4gRWLoWYIuNCpck4zvVOON0Pfa+ 5QyXPItMLGV/XfZaZF+aSyFestEHW69Ia6yWNDKukHNyZEe+XfeMZHSsPa00Jet5 ulOQ1HD+BNTc+omNKb/sExYSZoXJLBce4NBrTfc2GF8v62OsJRJM//C6dVV5kOuu WsGP/e7BR8zU1YketcUG4Y/CgTGVxwSMynYi3O24cHnEnEBxGaO8ddPr5w+TwYmp azer2a1xkz6ABTcswJTjZTA/EjAKVQheVkTOBWDafMXzhhmXTeWrpNo2UJbZeNrG z7lWK7ia0ed4gRa/2We5heNNLSB8lzlgbHdhqx1+E0HG+VVYB8/iy5ZK83tSVw3V l9u3T1pf91MzYglrJeQ5nI1e1bHbyOP0PEB3mwx2GFSDbRJRQCRu+7009u4Vmb+S s6TZBPTLw2LOZmgxLAcvw33HOSxPbxqFAkSr8nfjWc6rVnG+vAhfsAO0adLi6XR7 U2sx445t+Uu0BTwAYAyewsQTeQg/+e123n1XK7QHO1lTUwRYWcFEGRil2GRwJrAD jJiGct+Ky/2VQObhdCcs =jO9l -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Finding the Apache httpd IP address when AJP is used
Hi Tomcat users! I have been working on an update for a Tomcat valve called mod_cfml. The project aims to provide automatic web context creation in Tomcat, when coming from a frontend webserver. The live code base can be found at https://github.com/utdream/mod_cfml https://github.com/utdream/mod_cfml One of the features I wanted to add, is adding an IP restriction in the valve (see github https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6). While testing, I noticed that AJP works very well: it hides the IP address of the caller, which is the front-end Apache webserver, and instead returns the IP of the remote client / the client who called the frontend webserver. I have been digging around quite a lot, but have not been able to find the Apache httpd IP address :-( My question is hopefully simple to answer: can I retrieve the IP address which called the AJP connector, from within the valve? My server.xml is: Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.startup.VersionLoggerListener / Listener className=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener / Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=8443 / Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=mod_cfml.core loggingEnabled=true waitForContext=10 maxContexts= timeBetweenContexts=0 scanClassPaths=false allowedIPs=127.0.0.1,192.168.1.52 / /Host /Engine /Service /Server Thanks in advance for your time! Kind regards, Paul Klinkenberg The Netherlands p.s. I asked this question, in other wording, on SackOverflow.com http://sackoverflow.com/ as well. I hope I have better luck here ;-) http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
Re: Finding the Apache httpd IP address when AJP is used
Paul Klinkenberg wrote: Hi Tomcat users! I have been working on an update for a Tomcat valve called mod_cfml. The project aims to provide automatic web context creation in Tomcat, when coming from a frontend webserver. The live code base can be found at https://github.com/utdream/mod_cfml https://github.com/utdream/mod_cfml One of the features I wanted to add, is adding an IP restriction in the valve (see github https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6). While testing, I noticed that AJP works very well: it hides the IP address of the caller, which is the front-end Apache webserver, and instead returns the IP of the remote client / the client who called the frontend webserver. I have been digging around quite a lot, but have not been able to find the Apache httpd IP address :-( My question is hopefully simple to answer: can I retrieve the IP address which called the AJP connector, from within the valve? My server.xml is: Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.startup.VersionLoggerListener / Listener className=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener / Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=8443 / Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=mod_cfml.core loggingEnabled=true waitForContext=10 maxContexts= timeBetweenContexts=0 scanClassPaths=false allowedIPs=127.0.0.1,192.168.1.52 / /Host /Engine /Service /Server Thanks in advance for your time! Kind regards, Paul Klinkenberg The Netherlands p.s. I asked this question, in other wording, on SackOverflow.com http://sackoverflow.com/ as well. I hope I have better luck here ;-) http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp Hi. With Apache httpd and mod_jk as front-end, you have (at least) 2 options : - set an additional HTTP request header at the Apache httpd level, before the request is proxied to the back-end Tomcat - set a JkEnvVar value at the at the Apache httpd level, before the request is proxied to Tomcat You can then retrieve these set values at the Tomcat level, either by parsing the request headers, or by retrieving a request attribute corresponding to the JkEnvVar. The JkEnvVar/attribute method is probably more efficient in a mod_jk context; the HTTP header solution is more portable, since it does not depend on specifically mod_jk being used as a connector. Presumably, when at the Apache httpd level you decide to proxy a request to a back-end Tomcat, you know through which interface you'll do it, and what its IP address is, and you can put it into one of the things above. Is that enough info to get you started ? Caveat : one part I am not quite sure of, is what things you do have easy access to, at the level of a Valve. The above is what you'd do at a webapp level, I hope it is also accessible at your Valve level. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Finding the Apache httpd IP address when AJP is used
As a P.S. : Maybe you should also look at this, to see if it would fit your needs : http://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html André Warnier wrote: Paul Klinkenberg wrote: Hi Tomcat users! I have been working on an update for a Tomcat valve called mod_cfml. The project aims to provide automatic web context creation in Tomcat, when coming from a frontend webserver. The live code base can be found at https://github.com/utdream/mod_cfml https://github.com/utdream/mod_cfml One of the features I wanted to add, is adding an IP restriction in the valve (see github https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6). While testing, I noticed that AJP works very well: it hides the IP address of the caller, which is the front-end Apache webserver, and instead returns the IP of the remote client / the client who called the frontend webserver. I have been digging around quite a lot, but have not been able to find the Apache httpd IP address :-( My question is hopefully simple to answer: can I retrieve the IP address which called the AJP connector, from within the valve? My server.xml is: Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.startup.VersionLoggerListener / Listener className=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener / Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=8443 / Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=mod_cfml.core loggingEnabled=true waitForContext=10 maxContexts= timeBetweenContexts=0 scanClassPaths=false allowedIPs=127.0.0.1,192.168.1.52 / /Host /Engine /Service /Server Thanks in advance for your time! Kind regards, Paul Klinkenberg The Netherlands p.s. I asked this question, in other wording, on SackOverflow.com http://sackoverflow.com/ as well. I hope I have better luck here ;-) http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp Hi. With Apache httpd and mod_jk as front-end, you have (at least) 2 options : - set an additional HTTP request header at the Apache httpd level, before the request is proxied to the back-end Tomcat - set a JkEnvVar value at the at the Apache httpd level, before the request is proxied to Tomcat You can then retrieve these set values at the Tomcat level, either by parsing the request headers, or by retrieving a request attribute corresponding to the JkEnvVar. The JkEnvVar/attribute method is probably more efficient in a mod_jk context; the HTTP header solution is more portable, since it does not depend on specifically mod_jk being used as a connector. Presumably, when at the Apache httpd level you decide to proxy a request to a back-end Tomcat, you know through which interface you'll do it, and what its IP address is, and you can put it into one of the things above. Is that enough info to get you started ? Caveat : one part I am not quite sure of, is what things you do have easy access to, at the level of a Valve. The above is what you'd do at a webapp level, I hope it is also accessible at your Valve level. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Exception in Tomcat7 when closing stream, server crashes
Hello, We are using Tomcat 7.0.61 and we are seeing the following error in catalina.out: Apr 29, 2015 2:23:14 PM org.apache.coyote.AbstractProcessor setErrorState INFO: An error occurred in processing while on a non-container thread. The connection will be closed immediately java.io.IOException at rg.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalAprOutp utBuffer.java:205) at org.apache.coyote.http11.InternalAprOutputBuffer.flush(InternalAprOutputBuf fer.java:109) at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Proce ssor.java:801) at org.apache.coyote.Response.action(Response.java:172) at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:363) at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:331) at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.j ava:101) at org.granite.gravity.AbstractChannel.runReceived(AbstractChannel.java:264) at org.granite.gravity.AbstractChannel.runReceive(AbstractChannel.java:199) at org.granite.gravity.AsyncReceiver.doRun(AsyncReceiver.java:34) at org.granite.gravity.AsyncChannelRunner.run(AsyncChannelRunner.java:52) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1 145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java: 615) at java.lang.Thread.run(Thread.java:745) Apr 29, 2015 2:23:14 PM org.apache.coyote.AbstractProcessor setErrorState INFO: An error occurred in processing while on a non-container thread. The connection will be closed immediately java.io.IOException at org.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalAprOut putBuffer.java:205) at org.apache.coyote.http11.InternalAprOutputBuffer.endRequest(InternalAprOutp utBuffer.java:150) at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Proce ssor.java:762) at org.apache.coyote.Response.action(Response.java:174) at org.apache.coyote.Response.finish(Response.java:274) at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:319) at org.apache.catalina.connector.CoyoteOutputStream.close(CoyoteOutputStream.j ava:108) at org.granite.gravity.AbstractChannel.runReceived(AbstractChannel.java:308) at org.granite.gravity.AbstractChannel.runReceive(AbstractChannel.java:199) at org.granite.gravity.AsyncReceiver.doRun(AsyncReceiver.java:34) at org.granite.gravity.AsyncChannelRunner.run(AsyncChannelRunner.java:52) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1 145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java: 615) at java.lang.Thread.run(Thread.java:745) Apr 29, 2015 2:23:14 PM org.apache.tomcat.util.net.AprEndpoint processSocketAsync SEVERE: Error allocating socket processor java.lang.NullPointerException at org.apache.tomcat.util.net.AprEndpoint.processSocketAsync(AprEndpoint.java: 885) at org.apache.coyote.AbstractProcessor.setErrorState(AbstractProcessor.java:84 ) at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Proce ssor.java:764) at org.apache.coyote.Response.action(Response.java:174) at org.apache.coyote.Response.finish(Response.java:274) at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:319) at org.apache.catalina.connector.CoyoteOutputStream.close(CoyoteOutputStream.j ava:108) at org.granite.gravity.AbstractChannel.runReceived(AbstractChannel.java:308) at org.granite.gravity.AbstractChannel.runReceive(AbstractChannel.java:199) at org.granite.gravity.AsyncReceiver.doRun(AsyncReceiver.java:34) at org.granite.gravity.AsyncChannelRunner.run(AsyncChannelRunner.java:52) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1 145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java: 615) at java.lang.Thread.run(Thread.java:745) We are also seeing this, which also happens with stream.close() around the same time: Exception in thread pool-4-thread-3 java.lang.Error: org.apache.tomcat.jni.Error: 20005: An invalid socket was returned at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1 151) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java: 615) at java.lang.Thread.run(Thread.java:745) Caused by: org.apache.tomcat.jni.Error: 20005: An invalid socket was returned at org.apache.tomcat.jni.Socket.sendbb(Native Method) at org.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalAprOut putBuffer.java:204) at org.apache.coyote.http11.InternalAprOutputBuffer.endRequest(InternalAprOutp utBuffer.java:150) at
Re: Finding the Apache httpd IP address when AJP is used
Hi,Nice to meet you. l...@bsoft.com.cn From: Paul Klinkenberg Date: 2015-04-29 21:54 To: users@tomcat.apache.org Subject: Finding the Apache httpd IP address when AJP is used Hi Tomcat users! I have been working on an update for a Tomcat valve called mod_cfml. The project aims to provide automatic web context creation in Tomcat, when coming from a frontend webserver. The live code base can be found at https://github.com/utdream/mod_cfml https://github.com/utdream/mod_cfml One of the features I wanted to add, is adding an IP restriction in the valve (see github https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6). While testing, I noticed that AJP works very well: it hides the IP address of the caller, which is the front-end Apache webserver, and instead returns the IP of the remote client / the client who called the frontend webserver. I have been digging around quite a lot, but have not been able to find the Apache httpd IP address :-( My question is hopefully simple to answer: can I retrieve the IP address which called the AJP connector, from within the valve? My server.xml is: Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.startup.VersionLoggerListener / Listener className=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener / Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=8443 / Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=mod_cfml.core loggingEnabled=true waitForContext=10 maxContexts= timeBetweenContexts=0 scanClassPaths=false allowedIPs=127.0.0.1,192.168.1.52 / /Host /Engine /Service /Server Thanks in advance for your time! Kind regards, Paul Klinkenberg The Netherlands p.s. I asked this question, in other wording, on SackOverflow.com http://sackoverflow.com/ as well. I hope I have better luck here ;-) http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
Re: Re: Finding the Apache httpd IP address when AJP is used
Paul Klinkenberg wrote: Hi Tomcat users! I have been working on an update for a Tomcat valve called mod_cfml. The project aims to provide automatic web context creation in Tomcat, when coming from a frontend webserver. The live code base can be found at https://github.com/utdream/mod_cfml https://github.com/utdream/mod_cfml One of the features I wanted to add, is adding an IP restriction in the valve (see github https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6). While testing, I noticed that AJP works very well: it hides the IP address of the caller, which is the front-end Apache webserver, and instead returns the IP of the remote client / the client who called the frontend webserver. I have been digging around quite a lot, but have not been able to find the Apache httpd IP address :-( My question is hopefully simple to answer: can I retrieve the IP address which called the AJP connector, from within the valve? My server.xml is: Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.startup.VersionLoggerListener / Listener className=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener / Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=8443 / Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=mod_cfml.core loggingEnabled=true waitForContext=10 maxContexts= timeBetweenContexts=0 scanClassPaths=false allowedIPs=127.0.0.1,192.168.1.52 / /Host /Engine /Service /Server Thanks in advance for your time! Kind regards, Paul Klinkenberg The Netherlands p.s. I asked this question, in other wording, on SackOverflow.com http://sackoverflow.com/ as well. I hope I have better luck here ;-) http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp Hi. With Apache httpd and mod_jk as front-end, you have (at least) 2 options : - set an additional HTTP request header at the Apache httpd level, before the request is proxied to the back-end Tomcat - set a JkEnvVar value at the at the Apache httpd level, before the request is proxied to Tomcat You can then retrieve these set values at the Tomcat level, either by parsing the request headers, or by retrieving a request attribute corresponding to the JkEnvVar. The JkEnvVar/attribute method is probably more efficient in a mod_jk context; the HTTP header solution is more portable, since it does not depend on specifically mod_jk being used as a connector. Presumably, when at the Apache httpd level you decide to proxy a request to a back-end Tomcat, you know through which interface you'll do it, and what its IP address is, and you can put it into one of the things above. Is that enough info to get you started ? Caveat : one part I am not quite sure of, is what things you do have easy access to, at the level of a Valve. The above is what you'd do at a webapp level, I hope it is also accessible at your Valve level. Hi André, Thanks for the response, much appreciated. The reason I want to add the IP restriction in the valve, is to make 100% sure that the request (for creating a new Tomcat context) is indeed coming from the frontend webserver. This valve is a setup not just for me, where I could tweak server settings and such, but for anyone who uses the mod_cfml connector. It is installed by default by the Railo/Lucee installers (getrailo.org http://getrailo.org/ / lucee.org http://lucee.org/) Therefor, I cannot rely on an incoming header, as it could originate from anywhere. Also, a remote system could call the AJP endpoint on the Tomcat server, with this JkEnvVar set to a spoofed value. (if the port is not
Re: Finding the Apache httpd IP address when AJP is used
Paul Klinkenberg wrote: Hi Tomcat users! I have been working on an update for a Tomcat valve called mod_cfml. The project aims to provide automatic web context creation in Tomcat, when coming from a frontend webserver. The live code base can be found at https://github.com/utdream/mod_cfml https://github.com/utdream/mod_cfml One of the features I wanted to add, is adding an IP restriction in the valve (see github https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6). While testing, I noticed that AJP works very well: it hides the IP address of the caller, which is the front-end Apache webserver, and instead returns the IP of the remote client / the client who called the frontend webserver. I have been digging around quite a lot, but have not been able to find the Apache httpd IP address :-( My question is hopefully simple to answer: can I retrieve the IP address which called the AJP connector, from within the valve? My server.xml is: Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.startup.VersionLoggerListener / Listener className=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener / Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=8443 / Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=mod_cfml.core loggingEnabled=true waitForContext=10 maxContexts= timeBetweenContexts=0 scanClassPaths=false allowedIPs=127.0.0.1,192.168.1.52 / /Host /Engine /Service /Server Thanks in advance for your time! Kind regards, Paul Klinkenberg The Netherlands p.s. I asked this question, in other wording, on SackOverflow.com http://sackoverflow.com/ as well. I hope I have better luck here ;-) http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp Hi. With Apache httpd and mod_jk as front-end, you have (at least) 2 options : - set an additional HTTP request header at the Apache httpd level, before the request is proxied to the back-end Tomcat - set a JkEnvVar value at the at the Apache httpd level, before the request is proxied to Tomcat You can then retrieve these set values at the Tomcat level, either by parsing the request headers, or by retrieving a request attribute corresponding to the JkEnvVar. The JkEnvVar/attribute method is probably more efficient in a mod_jk context; the HTTP header solution is more portable, since it does not depend on specifically mod_jk being used as a connector. Presumably, when at the Apache httpd level you decide to proxy a request to a back-end Tomcat, you know through which interface you'll do it, and what its IP address is, and you can put it into one of the things above. Is that enough info to get you started ? Caveat : one part I am not quite sure of, is what things you do have easy access to, at the level of a Valve. The above is what you'd do at a webapp level, I hope it is also accessible at your Valve level. Hi André, Thanks for the response, much appreciated. The reason I want to add the IP restriction in the valve, is to make 100% sure that the request (for creating a new Tomcat context) is indeed coming from the frontend webserver. This valve is a setup not just for me, where I could tweak server settings and such, but for anyone who uses the mod_cfml connector. It is installed by default by the Railo/Lucee installers (getrailo.org http://getrailo.org/ / lucee.org http://lucee.org/) Therefor, I cannot rely on an incoming header, as it could originate from anywhere. Also, a remote system could call the AJP endpoint on the Tomcat server, with this JkEnvVar set to a spoofed value. (if the port is not
Re: Tomcat Thread issue
Am 29. April 2015 14:54:36 MESZ, schrieb Subhro Paul subhro.p...@tcs.com: -Christopher Schultz ch...@christopherschultz.net wrote: - To: Tomcat Users List users@tomcat.apache.org From: Christopher Schultz ch...@christopherschultz.net Date: 04/24/2015 07:14PM Subject: Re: Tomcat Thread issue -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Felix, On 4/24/15 3:19 AM, Felix Schumacher wrote: Am 24. April 2015 09:08:08 MESZ, schrieb Subhro Paul subhro.p...@tcs.com: -Subhro Paul subhro.p...@tcs.com wrote: - To: users@tomcat.apache.org From: Subhro Paul subhro.p...@tcs.com Date: 04/23/2015 06:20PM Subject: Re: Tomcat Thread issue -Daniel Mikusa dmik...@pivotal.io wrote: - To: Tomcat Users List users@tomcat.apache.org From: Daniel Mikusa dmik...@pivotal.io Date: 04/23/2015 05:01PM Subject: Re: Tomcat Thread issue On Thu, Apr 23, 2015 at 7:15 AM, Subhro Paul subhro.p...@tcs.com wrote: Dear Team, One of our client's website stopped working yesterday. We observed that Tomcat servers were not working properly during that time. We have checked the memory usage of the server was fine but in the Catalina.out log we found it was already reached to max thread which is 512 though the number of connections to the server was normal. We took a thread dump from the server using VisualVM and we got the below message from threaddump: Since a thread dump is a point in time snapshot, you should always take multiple thread dumps, with a few seconds in between each one. This gives you additional perspective as to what's happening with the threads over a period of time. http-8080-1 - Thread t@22 java.lang.Thread.State: BLOCKED at java.util.Vector$1.nextElement(Vector.java:320) - waiting to lock 37749687 (a java.util.Vector) owned by http-8080-116 t@161 at org.apache.jsp.includes.header_jsp.isExcludePath(header_jsp.java:116 ) at org.apache.jsp.includes.header_jsp._jspService(header_jsp.java:314) Look at what header.jsp is doing. It seems to be doing something with the Vector class which is causing the thread to block. at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper .java:377) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:3 13) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:206) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDisp atcher.java:646) at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationD ispatcher.java:551) at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDis patcher.java:488) at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary .java:968) at org.apache.jsp.home.customer_005fservice.bill.my_005fbill_jsp._jspSer vice(my_005fbill_jsp.java:126) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper .java:377) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:3 13) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV alve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV alve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j ava:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j ava:102) at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterVa lve.java:269) at org.apache.catalina.valves.RemoteHostValve.invoke(RemoteHostValve.jav a:81) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java: 555) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal ve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav a:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java :857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proce ss(Http11Protocol.java:588) at