Re: How much connections are handled per thread?
Am Tue, 20 Dec 2011 15:52:57 +0100 schrieb uwe.hellm...@t-systems.com: It is Tomcat 5.5.26 [..] If this is the case I get some munition to go the the developers. In my experience this route is an useless approach as long as you run a 4 years old Tomcat and without being able to identify classes that aren't thread-safe. RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL Port 443 for AIX
Am Sat, 12 Nov 2011 07:21:58 -0500 schrieb whoswho pongd...@gmail.com: Tomcat has been installed as a non-root user. I want to use SSL port 443 and not the deafult port 8443. When I modify the SSL connector, and try connecting as 443, I get permission denied since the tomcat account owner is non-root. It's a (Unix?-) principle that services with numbers below 1024 are only allowed to get startet by root. You can use NAT to exchange port numbers. Or if it's possible to extract SSL-certificates you install Apache (httpd) that is using it's own mechanism to start services with low port numbers, setup SSL and use something like mod_proxy_ajp or mod_jk to contact Tomcat's ajp-connector. RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: URI mapping
Am Sat, 22 Oct 2011 17:17:26 +0100 schrieb Mark Thomas ma...@apache.org: ProxyPass /tomcat7 http://localhost:8080 or ProxyPass /tomcat7 ajp://localhost:8080 Usually Tomcat is listening for ajp-requests on port 8009, not 8080. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 5.5.27 - Solaris 10 - Tomcat process starts additional copies of itself with only 1 thread and no CPU
Am Fri, 09 Sep 2011 11:25:13 +0200 schrieb André Warnier a...@ice-sa.com: What does the command netstat -pan | grep LISTEN show when you have such multiple copies running ? Unfortunately Solaris' netstat doesn't know a option to show listeners. IIRC there are some scripts in Solaris-world that should do the job. Regards, Tobias Crefeld. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 5.5.27 - Solaris 10 - Tomcat process starts additional copies of itself with only 1 thread and no CPU
Am Fri, 9 Sep 2011 09:54:36 +0100 schrieb Dave Stubbs d...@stubbs.uk.com: When we list the system tasks we see that the ghost process PPID is the same as the PID of the still running main tomcat instance. Here is list of what happened when it wasn't picked up for a while. Obviously the parent-JVM itself starts the other JVMs, so it must be an application issue. Do the child-JVMs stop when 21115 shuts down? Do the child-JVMs terminate on normal signals like -SIGTERM? I would try to log the exact time, when these additional JVM are being started and compare these with things that were happening on the parent-Tomcat - maybe you find a application dependency that way. Just an idea: Maybe the parent-JVM gets a signal to restart itself that isn't handled correct? ( http://publib.boulder.ibm.com/infocenter/realtime/v1r0/topic/com.ibm.rt.doc.10/user/signals.html - sorry, but haven't found a source for Sun-JDK instantly) Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 5.5.27 - Solaris 10 - Tomcat process starts additional copies of itself with only 1 thread and no CPU
Am Fri, 09 Sep 2011 14:34:44 +0200 schrieb André Warnier a...@ice-sa.com: As an alternative to netstat under Solaris, there is the lsof utility. AFAIK there is no lsof in (standard-) Solaris-10. But maybe one can take it from independent repositories like Sunfreeware (http://www.sunfreeware.com/ shows a hit for lsof on Solaris10/Sparc). Actually I never found a standard tool in Solaris-10 that could list the tcp-listeners (...and meanwhile there are only 2 Solaris-machines left - dying next month...). Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: virtual host for apache/tomcat server
Am Thu, 31 Mar 2011 07:49:07 -0400 schrieb James Pifer j...@obrien-pifer.com: So I have a web server at: http://server.domain.com that has just static web pages, etc. I have a tomcat jsp that I want to respond to http://myapp.domain.com. I setup a VirtualHost similar to you example, but when I go to http://server.domain.com it loads tomcat, not my static pages. I guess this is an Apache2-issue. It seems that your separation of vhosts doesn't work properly. You could setup an own vhost-config for a named-vhost with server.domain.com or check your config for default to deliver your static, non-tomcat content. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: virtual host for apache/tomcat server
Am Wed, 30 Mar 2011 15:09:12 -0400 schrieb James Pifer j...@obrien-pifer.com: Ok, my httpd.conf is pretty standard. It includes proxy_ajp.conf which has: LoadModule proxy_ajp_module modules/mod_proxy_ajp.so ProxyPass /tomcat/ ajp://localhost:8009/ I only have some experience with Tomcat-6, not Tomcat-5.5, so maybe there are some mistakes in my posting, but AFAIK: - A corresponding ProxyPassReverse is missing. - If you want to redirect requests to http://hostname.domain.tld/ to ROOT then you should simply write / and not /tomcat/. Maybe a chip of our mixed IP- and name-based Apache-vhost-configs gives you an idea of how to setup Apache2 (in this environment hostnames with TLD prod are private IP-adresses for internal access). The setup uses a mix of mod_proxy_http and mod_proxy_ajp. Of course you have to configure tomcat's server.xml to offer ajp-access via Port 8009. Usually mod_proxy_ajp works better (handling of out-buffer, cache ontrol) but in rare cases we had problems with mod_proxy_ajp. Of course httpd.conf of our apache2.2 has got an include-statement for /srv/conf.d/*.conf in order to use this config. ---snip--- [crm@mikesch ~]$ cat /srv/conf.d/crm.conf # # vhost-configuration *.crm.company.* # # Virtual IP-Alias via DNS NameVirtualHost crm.company.prod:80 # # vhost for production # VirtualHost crm.company.prod:80 DocumentRoot /srv/crm/html ServerName crm.company.de ServerAlias crm.company.prod ErrorLog /srv/crm/logs/error_log TransferLog /srv/crm/logs/access_log # Reverse-Proxy for ajp-connector ProxyRequests Off Proxy * Order deny,allow Allow from all /Proxy # avoid public access to mgmt-applications ProxyPass/docs ! ProxyPass/probe ! ProxyPass/manager ! # connecting tomcats ROOT via mod_proxy_http and coyote ProxyPass/ http://crm.company.prod:8080/ ProxyPassReverse / http://crm.company.prod:8080/ # alternative: connecting tomcats ROOT via ajp # ProxyPass/ ajp://crm.company.prod:8009/ # ProxyPassReverse / ajp://crm.company.prod:8009/ /VirtualHost # # allow vhost for management only for users in private network # VirtualHost crm.cataneo.prod:80 DocumentRoot /srv/crm/html/mgmt ServerName mgmt.crm.cataneo.prod ErrorLog /srv/crm/logs/error_log TransferLog /srv/crm/logs/access_log # Displaying Apache vhost-statistics under /usage Alias /usage /srv/crm/html/mgmt/usage Location /usage Order deny,allow Deny from all Allow from 127.0.0.1 Allow from ::1 Allow from company.prod /Location # Reverse-Proxy fuer ajp-connector ProxyRequests Off Proxy * Order deny,allow Deny from all Allow from 127.0.0.1 Allow from ::1 Allow from company.prod /Proxy ProxyPass/probe ajp://crm.cataneo.prod:8009/probe ProxyPassReverse /probe ajp://crm.cataneo.prod:8009/probe ProxyPass/manager ajp://crm.cataneo.prod:8009/manager ProxyPassReverse /manager ajp://crm.cataneo.prod:8009/manager ProxyPass/docsajp://crm.cataneo.prod:8009/docs ProxyPassReverse /docsajp://crm.cataneo.prod:8009/docs /VirtualHost ---snip--- RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL Cert
Am Mon, 13 Dec 2010 20:15:55 -0500 schrieb George Christiansen - PA george.christian...@capmark.com: I'm trying to remove an SSL cert from a Tomcat instance. Can I just comment/remove the certs from server.xml and maintain SSL without the cert? You can create a self-signed SSL-certificate instead. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat log files
Am Tue, 09 Nov 2010 16:06:14 -0500 schrieb Christopher Schultz ch...@christopherschultz.net: Have you correctly replaced lib/tomcat-juli.jar and installed lib/tomcat-juli-adapters.jar? If not, you may be falling back to the old logger which requires logging.properties. For whatever-reason and different than tomcat-juli-adapters.jar the default location of tomcat-juli.jar is bin/, not lib/. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Rotating Tomcat-Logs
Am Thu, 21 Oct 2010 11:13:53 +0200 schrieb André Warnier a...@ice-sa.com: In addition, it is somewhat of a moving target, since Linux distributions seem to each superpose their own schemes to the standard Tomcat scheme (like using jsvc, and/or re-directing to SYSLOG e.g.). Today this is necessary because the default installation of Tomcat delivers (somehow) managed logs like catalina.2010-10-20.log and unmanaged logs like catalina.out at the same time. Deploying a logging facility on a server (e.g. Linux-based OS) for one or more Tomcats on one hardware / OS can become difficult because on the one hand you need a way to disconnect log file access during rotation or deletion of the log file and on the other hand you might need a logging facility that separates logging of each Tomcat-installation of one server AND gives the different Tomcats the necessary rights to write / send their log data to their log file. In addition it might be necessary that a webapps of Tomcat needs random access to the log data of its Tomcat to do some file analysis (e.g. Lambda Probe, Chainsaw, Splunk) which won't work if you use syslogd. Using syslogd instead file-handler might be an alternative but of course this is OS-specific. At our company we are using MS-Win for developers and CentOS/Debian/Solaris for production (and I guess that this is a typical scenario) and so we are interested in a general solution. This leads of course to a Java-based solution but it should work more predictable than the JULI-setup of Tomcat. Anyway, I am interested in finding a scheme, based on JULI, and which : - would generally-speaking start by directing ALL Tomcat logs to one single file, NOT rotated by JULI I think a default setup of Tomcat should deliver a logging that isn't growing endless by design. This means it should use log rotation with a clearly limited number of generations. Today catalina.-MM-DD.log (and friends) seem to have no limit of generations. I wouldn't care if the rotation is happening time controlled or size controlled but initially there should be a maximal possible number of files that could be created. One file-pattern for default-Tomcat (without webapps) is enough - actually I still have no idea what all these standard-0-Byte-logs are used for. - would use the system facilities (aka logrotate), to rotate, compress and archive this logfile as I see fit, not as JULI sees fit. This could get difficult because you have to pause Tomcats access to the log files during external log rotation. Today you already have to do this in order to rotate catalina.out. We do this during a daily Tomcat-reboot every night at about the same time as the logrotate-cronjob but actually this is just a hack and there is no real synchronisation between these two events (like the reload of Apache2 by logrotate). And it would be OS-specific. - would provide a simple path to, /when needed/, provide more specific logfiles for one or the other application. (but not the current standard unmanageable mess) - create a Tomcat FAQ that explains how to do the above, so that other sysadmin-types can enjoy the fruits of my labor There is already a lot of scattered information on this topic in the archives of this list, but to my knowledge nothing really comprehensive at one single location. This is my impression as well. Another source I use often is the book Professional Apache Tomcat 6 but some of the described features (or attributes) doesn't work, too - e.g. generation-parameter %g that works if you use it for your own application but not in Tomcats conf/logging.properties. I think the concept of java.util.logging or JULI isn't so bad but 1. Tomcat shouldn't supersede parameters in the logging.properties, 2. Tomcat should inform about faults in logging.properties, 3. we need a complete documentation of logging.properties, and 4. 0-byte-logfiles like admin, host-manager, localhost and manager should be left out by default. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Rotating Tomcat-Logs
We have problems to manage Tomcats Logs. Logfiles like catalina.out or application specific logging is not the problem, but there are some files that are created each day new by tomcat (Tomcat-6): localhost.2010-02-27.log manager.2010-02-16.log host-manager.2009-08-30.log admin.2010-07-10.log catalina.2010-10-20.log From what I read till now JULI should be able to offer some rotation features, so I tried several new settings in tomcat/conf/logging.properties but it seems that it has little effect. Our goal is to delete all log data that is older than e.g. 3 months. The file naming schema doesn't matter. Additionally I would prefer if the usually empty files (actually all files mentioned above except catalina.*.log) aren't been created at all. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 64 bits
Am Fri, 20 Aug 2010 13:37:08 +0200 schrieb KiLiCoOl kilic...@gmail.com: Is there a version of Tomcat 6.* in 64 bits under linux ? A short search in the archives of this mailing list would help: http://mail-archives.apache.org/mod_mbox/tomcat-users/201008.mbox/thread?1 Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 64 bits
Am Fri, 20 Aug 2010 14:15:30 +0200 schrieb KiLiCoOl kilic...@gmail.com: True but no one explain how to compile tomcat in 64 bits for unix ... :( This is correct and there is an explanation in the thread. A short search in the archives of this mailing list would help: http://mail-archives.apache.org/mod_mbox/tomcat-users/201008.mbox/thread?1 Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat starts slow
Am Tue, 10 Aug 2010 16:58:45 +0400 schrieb Maxim Kuleshov maxim.kules...@gmail.com: But for some reason tomcat wants IPv6 connection and while time (retries * timeout) passed - it hangs at start. And I even don't know - what subsystem use such kind of interconnection (via IPv6 loopback). Just an idea: Tomcat is trying to establish a listener at localhost:8005 for shutdown-requests during start. AFAIK you can change the port number but not the host address. Maybe you have an /etc/hosts- or a DNS-entry that translates localhost to an IPv6-address. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 64 bit version for linux
Am Tue, 10 Aug 2010 08:07:06 -0500 schrieb Caldarale, Charles R chuck.caldar...@unisys.com: JAVA_OPTS=$JAVA_OPTS -d64 -Xms512m -Xmx4096m Odd; -d64 is not valid on any JVM I have installed. Interesting! I never tested leaving out this parameter on a 64bit-JVM under Linux but after a short test it looks as if we don't need -d64 on JVM/Linux. We ran Tomcat on JVM/Solaris in the past and had to use it there. ( http://download.oracle.com/javase/6/docs/technotes/tools/solaris/java.html ) During migration to JVM/Linux we simply took over most Java-Options. Only on some old systems (with Linux on Sparc) we had to leave out the -d64 because there is no 64-bit-version of Sun-JDK for this platform - only 32bit-OpenJDK. Thanks for the hint! Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 64 bit version for linux
Am Mon, 9 Aug 2010 04:52:55 -0700 (PDT) schrieb Angelo Chen angelochen...@yahoo.com.hk: the standard tomcat(apache-tomcat-6.0.20.tar.gz) is running in a 64 bit version of Centos. so can my app use memory bigger than 4G? I Which JVM-version does your Tomcat use? IIRC there are different defaults for different versions of CentOS. Maybe yum list installed |grep ^java or yum list installed |grep ^jdk helps. I would download last JDK for Linux/x64 at http://java.sun.com/javase/downloads/index.jsp, install it and set the correct path, for example: JAVA_HOME=/usr/jdk/latest;export JAVA_HOME before starting Tomcat. Maybe defaults of JVM have changed but AFAIK you have to set some additional JAVA_OPTS-parameters to use 64bit and more RAM. We are using a scriptlet like the following on our larger machines as part of the catalina.sh or start-stop-wrapper for catalina.sh: schnipp JAVA_OPTS=$JAVA_OPTS -server JAVA_OPTS=$JAVA_OPTS -d64 # Speicherlimit nur bei Aufruf von run, debug oder start auf 3 GB oder mehr hochsetzen case $1 in start|run|debug) # Fuer 32-Bit-Betrieb die naechsten beiden Zeilen auf 3072k aendern JAVA_OPTS=$JAVA_OPTS -Xms6000m JAVA_OPTS=$JAVA_OPTS -Xmx11000m ;; stop) JAVA_OPTS=$JAVA_OPTS -Xms600m JAVA_OPTS=$JAVA_OPTS -Xmx600m ;; esac schnipp believe the 2G is the limit for 32 bit version of Linux. 3GB is a possible limit for 32bit. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Error: Invalid or unreadable WAR file : error in opening zip file
Am Fri, 9 Jul 2010 10:21:09 -0300 schrieb Fernando Morgenstern ferna...@consultorpc.com: SEVERE: Error starting static Resources java.lang.IllegalArgumentException: Invalid or unreadable WAR file : error in opening zip file I've verified and tomcat user does have read permissions to war file. Also, i don't think this is a problem with the war file ( actually, all of them ), since other tomcat servers can deploy applications normally. Just guessing: Tomcat user (of this particular machine) has no write permission on Tomcats directory webapps/ or webapps/Box/ Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Error: Invalid or unreadable WAR file : error in opening zip file
Am Fri, 9 Jul 2010 11:01:00 -0300 schrieb Fernando Morgenstern ferna...@consultorpc.com: * Only webapps folder is shared between servers using glusterfs. I don't think that it is a good idea if you put your webapps-directory on a shared storage - especially if you use funny things like setgid-flag. Tomcat expects an exclusive access to its Tomcat-directory-structure. We are using Tomcat-installations for the same application as well but we use rsync to synchronize and avoid common storage. -- Mit freundlichen Grüßen, Tobias Crefeld. +49 - 89 - 2190 964-15 Cataneo GmbH Lilienstrasse 8, D-81669 Muenchen Tel: +49 (0) 89-2190 964-0 Fax: +49 (0) 89-2190 964-48 Web: www.cataneo.de Geschäftsführer: Michael Wölfle, Martin Gerull HR: München HRB 144834 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to calculate a memory tomcat
Am Tue, 15 Jun 2010 08:42:47 +1000 schrieb Matthew Peterson matt.peter...@une.edu.au: Lambda Probe is stale. It has been forked to Psi Probe which has regular activity: http://code.google.com/p/psi-probe/ It's always nice if there is some development in progress but it's not so nice if this makes results worse. Unfortunately some Psi-probes pages are hard to read, e.g. the new thread-column at the connection page making the URL-column unreadable - the new development seems to wear IE-only-glasses... ;) - or a change of fonts for static text causing collisions with the dynamic part of the text at the same page. Gruß, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: RewriteRule rewrites, but mod_jk persists with old URI
Am Tue, 15 Jun 2010 15:04:01 +0200 schrieb André Warnier a...@ice-sa.com: In other words, it appears to receive the URI /mir/search.jsp, try to map it to a worker, succeed, but then forwarding the request to Tomcat as /jsp/search.jsp anyway (which was the original URL, not the rewritten one). This /jsp/search.jsp is indeed not found by Tomcat (because in Tomcat it is /mir/search.jsp), and I receive in return a 404 error page from Tomcat. I'm not quite sure whether I have understood your problem but maybe this additional setting (after JkMount) helps: JkOptions +ForwardURIProxy Gruß, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: RewriteRule rewrites, but mod_jk persists with old URI
Am Tue, 15 Jun 2010 20:08:15 +0200 schrieb André Warnier a...@ice-sa.com: The version of mod_jk on that system is 1.2.18, and [..] Now I'll see if I can get a more recent mod_jk as a Debian package, I'm not so familiar with Debian and we run only on sparc-version (5.0, Lenny), but there should be a newer one at the normal repositories: Server Version: Apache/2.2.9 (Debian) mod_jk/1.2.26 $ dpkg-query -p libapache2-mod-jk |head Package: libapache2-mod-jk Priority: optional Section: web Installed-Size: 536 Maintainer: Debian Java Maintainers pkg-java-maintain...@lists.alioth.debian.org Architecture: sparc Source: libapache-mod-jk Version: 1:1.2.26-2+lenny1 Replaces: libapache2-mod-jk2 Depends: libc6 (= 2.7-1), apache2.2-common, apache2 Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to calculate a memory tomcat
Am Sun, 13 Jun 2010 22:27:40 +0700 schrieb andy susanto ibsolut...@gmail.com: is there any tool that i can monitor my tomcat ?, because at peak hour You should ask your preferred search engine after JMX. JDK offers some applications like jconsole (old fashioned but usually sufficent) or jvisualvm (looks nicer, less stable) to monitor the JVM. Additional, more tomcat-specific data can be monitored by the tomcat-app lamdba-probe. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to calculate a memory tomcat
Am Mon, 14 Jun 2010 20:06:42 +0400 schrieb Myk Bova syste...@narod.ru: Lambda Probe for Apache Tomcat ? http://www.lambdaprobe.org/d/index.htm Correct, sorry for the typo! Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat died on java.lang.OutOfMemoryError: requested 2147483664 bytes for Chunk::new. Out of swap space? message
Am Wed, 26 May 2010 13:08:23 +1000 schrieb Leon Kolchinsky lkolc...@gmail.com: # A fatal error has been detected by the Java Runtime Environment: # # java.lang.OutOfMemoryError: requested 2147483664 bytes for Chunk::new. Out of swap space? Without knowing the application I would strongly estimate that it is an application bug if it requests a block of 2 GB memory. It might be a good idea to monitor the JVM and its memory management with JMX-tools like jconsole (X11) or LambdaProbe (Tomcat). CATALINA_OPTS=-server -XX:+UseParallelGC -Xms2048m -Xmx2048m -XX:MaxPermSize=1024m -XX:+CMSClassUnloadingEnabled -XX:+CMSPermGenSweepingEnabled -Djava.awt.headless=true We are using in our standard setups some more parameters although I'm not sure if they are necessary always or just still valid, e.g.: # Maximum Size of new generation; default: function of NewRatio JAVA_OPTS=$JAVA_OPTS -XX:MaxNewSize=400m # Default size of new generation; default: 30% larger JAVA_OPTS=$JAVA_OPTS -XX:NewSize=400m # Ratio of new/old generation sizes; default: 8 JAVA_OPTS=$JAVA_OPTS -XX:NewRatio=3 JAVA_OPTS=$JAVA_OPTS -XX:+UseParNewGC Here you find some parameter docs: http://java.sun.com/javase/6/docs/technotes/tools/solaris/java.html http://java.sun.com/javase/technologies/hotspot/vmoptions.jsp Generally I would ask the application vendor for suggested parameters. Gruß, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Classpath for JSP
Am Mon, 26 Apr 2010 13:22:49 -0400 schrieb Reuven Koblick reu...@koblick.com: I verified that the class that was not found is indeed in /WEB-INF/classes. Also, classes in *.jar files in WEB-INF/lib are found. Does anyone have any thoughts or suggestions? Maybe wrong rights for directories or files in the classes-directory? Is the class at the correct place within the directory tree compared to the class-hierarchy? What does catalina.out report exactly? There is a nice management tool called Lambda-Probe that could give you some assistance under its menu applications/attributes. You get it as a war-file at http://www.lambdaprobe.org/ . Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.26 startup scripts changed from 6.0.18
Am Thu, 8 Apr 2010 15:16:36 -0400 schrieb Eric B. ebe...@hotmail.com: So what my init.d script currently does is pre-create an empty pid file in the /var/run directory, then changes ownership of it to tomcat so that tomcat can then update it with the actual pid of the tomcat process. Given that there is no way for the startup script to write to the /var/run directory, my options are fairly limited without modifying it. 1) Change the location of the pid file. 2) Make the /var/run directory tomcat writable by default (via acl or by mode permissions) Neither option particularly appeals to me. Your solution with creating an empty PID-file, changing the ownership and filling it afterwards with the PID-number sounds a little bit complicated and I doubt that there are a lot of installations using this approach. We created a special directory for the tomcat-PID-files (we're running up to 8 Tomcats on one hardware) in order to keep the PIDs together and set the sticky bit for this directory (looks similar to the usual settings of /tmp) to restrict access to the PID-files once they are created by catalina.sh: [te...@mikesch ~]$ ls -l /srv/ drwxr-xrwt 2 rootroot4096 8. Apr 08:08 run te...@mikesch ~]$ ls -l /srv/run/ -rw-r--r-- 1 crm crm 6 8. Apr 04:03 TCcrm.pid -rw-r--r-- 1 premiere premiere 6 8. Apr 08:08 TCpremiere.pid Changing the path of the PID-file is pretty simple by setting CATALINA_PID before calling catalina.sh: CATALINA_PID=/srv/run/TCcrm.pid BTW: I have no opinion concerning the patch of catalina.sh you suggested, sorry. BTW2: We aren't so happy with the change of the default-catalina.sh in 6.0.26, too, but as we separated tomcat's bin-directory from tomcat's symlinked default-installation for some historical reason, it causes no trouble with rebooted hardware as we still use the old catalina.sh. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
I guess that you should exchange the JkMount /* tomcatssl by JkMount /* tomcat1 provided you use a standard Tomcat-setup. For a parallel SSL- + Non-SSL-Setup using Apache2 you basically need 2 virtual-hosts in Apache2. One for Port 443 with the standard-SSL-parameters Apache2 expects to integrate OpenSSL for https and another for Port 80 / plain http. The Jk-directives are the same for both virtual hosts and don't care about SSL and go to Tomcats port 8009 (= using standard configuration). 8443 is typically the http-over-ssl-port (=http) for direct SSL access via coyote-connector and has nothing to do with ajp. If your Apache2 is doing the SSL-integration Tomcat sees no SSL-traffic because Apache2 lets openssl do the conversion from SSL and is connecting to Tomcat without any SSL-traffic but simple http. You can give Tomcat some information about the SSL-session like you did with JkExtractSSL On JkHTTPSIndicator HTTPS JkSESSIONIndicator SSL_SESSION_ID JkCIPHERIndicator SSL_CIPHER JkCERTSIndicator SSL_CLIENT_CERT but then you have to give Apache2 an advice to deliver these information by a SSLOptions +StdEnvVars +ExportCertData (http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html might give you an idea about the two possibilities to setup Tomcat + SSL) On some of our servers we're still running Apache 2.0 + mod_jk + Tomcat 6 on Solaris - nearly the same setup as under Linux. These servers run with SSL and Non-SSL parallel but without these extra Jk-SSL-indicator-parameters you are using. Gruß, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Am Fri, 22 Jan 2010 14:25:11 + schrieb Matt Turner m4tt_tur...@hotmail.com: The SSL pass-through requirement explains why I was attempting to pass through to :8443 directly - but it sounds like that's the wrong approach. If it isn't possible to move the SSL-certificate and -keys to the Apache2 (and change the Tomcat to service ajp- or plain-http-requests) the only possibility to do a pass-through will be a NAT-machine / firewall with port-forwarding (e.g. port 443 - 8443). There is another approach to passthrough https (=443) to 8443 by using xinetd: http://tp.its.yale.edu/pipermail/cas/2008-April/008083.html Should I just use something like.. ProxyPass /cas https://10.13.0.218:8443/cas ? I doubt that this will work. A https-client (alias webbrowser) is transmitting SSL-traffic and ProxyPass is configuring a http-proxy which expects http - no matter what kind of traffic it use to connect to the real webserver. RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JSP 2.0 examples throw security exception - Need help with configuration
Am Mon, 4 Jan 2010 17:08:26 +0530 schrieb Shanmugham, Dayanand (IE10) dayanand.shanmug...@honeywell.com: 3.Started Tomcat instance 4.All Servlets and JSP 1.2 examples work fine but when I run the JSP 2.0 examples, I get the following security exception messages 5.I removed the comments from tomcat-users.xml file IIRC you have to restart Tomcat after changing tomcat-users.xml (+ refresh webbrowser). Gruss, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Fw: JSP 2.0 examples throw security exception - Need help with configuration
Am Mon, 4 Jan 2010 17:47:23 +0530 schrieb Shanmugham, Dayanand (IE10) dayanand.shanmug...@honeywell.com: 127.0.0.1 - admin [04/Jan/2010:17:45:09 +0530] GET /manager/html HTTP/1.1 500 2615 admin is not a valid username but a valid role in the (uncommented) default-version of tomcat-users.xml. You should look (or insert) in the file which usernames (and passwords) are valid. Gruss, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Rerouting Traffic when number of connection increases
Am Thu, 10 Dec 2009 16:44:35 -0500 schrieb Arunkumar Janarthanan arunkumar.webad...@gmail.com: We have a 4 Apache Tomcat instances running on and trying to setup a What do you mean with 4 Apache Tomcat exactly? custom message by redirecting user to different Apache instance with currently we are expereincing HIGH traffic, please visit later Is this a problem of overload of the Apache or of the Tomcats? If Tomcat isn't answering the forwarded requests of an Apache-webserver fast enough Apache will show a error-page (IIRC error code 503). You could change the content of this page to something less mysterious. If your application supports load balancing you could use mod_proxy or mod_jk to use one Apache as load balancer but you should have carefully tested the ability of your application to run in a load-balanced environment (e.g. session handling, DB-connection pooling,...). If your application is getting irreparable unstable by overload it might help if you limit the number of connections that the Apache-Tomcat-connector allows. Gruß, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to get java process id of a user running tomcat
Am Wed, 2 Dec 2009 12:00:06 +0530 schrieb raj kumar bprajkumar...@gmail.com: When i ran tomcat and shut it down my java process is not closing along with shutdown.i need to kill it explicitly. So I would like to BTW: How much memory is reserved for your Tomcat-JVM ($JAVA_OPTS) and how much memory has your server available? Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to get java process id of a user running tomcat
Am Wed, 2 Dec 2009 12:00:06 +0530 schrieb raj kumar bprajkumar...@gmail.com: Tomcat: jakarta-tomcat-5.0.28 Java : j2sdk1.4.2 OS: SunOS ps -fu TomcatsUsername |grep java |grep -v grep |cut -f2 -d If the release of your SunOS is as antique as the rest of your software it's possible that one of these commands doesn't work. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Easy Way to Upgrade Tomcat Versions?
Am Mon, 30 Nov 2009 08:02:41 -0800 (PST) schrieb Thomas Moorer tcm...@yahoo.com: I have been thinking about upgrading my Tomcat 6.0.16 instance to the latest 6.0.20. I have been thinking about the best way to do that. I have modified several config and shell files and suppose I could just copy those to the 6.0.20 instance, but then I began to wonder if I could just update the Tomcat specific files in my current install location. Usually (!) it should be enough if you copy the files from conf/ and bin/ (and your application, of course) to the new apache-tomcat-tree. Is it acceptable as an upgrade method to just copy the 6.0.20/lib/*.jar files into the existing 6.0.16/lib directory? It depends on how clean your installation is. If you have put additional jars into the apache-tomcat/lib/ - directory in the past this might be the better way. Of course this isn't good practice because application specific jars should be installed unter webapps/application/WEB-INF/lib/. Running Unix/Linux I prefer another practice. In the home-dir of the tomcat-User I create a skeleton similar to the following: ~/tomcat ~/tomcat/bin ~/tomcat/webapps ~/tomcat/webapps/bsps - ../default/webapps/examples ~/tomcat/webapps/docs - ../default/webapps/docs ~/tomcat/webapps/manager - ../default/webapps/manager ~/tomcat/webapps/j4p ~/tomcat/webapps/probe ~/tomcat/webapps/ROOT - ../../ROOT ~/tomcat/temp ~/tomcat/conf ~/tomcat/conf/Catalina ~/tomcat/work ~/tomcat/work/Catalina ~/tomcat/lib - default/lib ~/tomcat/logs - ../logs ~/tomcat/default - /opt/apache-tomcat-6.0.20 ~/logs ~/ROOT Under /opt I install the Tomcat-versions out of the... tar.gz-archive: /opt /opt/apache-tomcat-6.0.18 /opt/apache-tomcat-6.0.18/conf /opt/apache-tomcat-6.0.18/webapps /opt/apache-tomcat-6.0.18/bin /opt/apache-tomcat-6.0.18/lib /opt/apache-tomcat-6.0.18/temp /opt/apache-tomcat-6.0.18/work /opt/apache-tomcat-6.0.18/logs /opt/apache-tomcat-6.0.20 /opt/apache-tomcat-6.0.20/conf /opt/apache-tomcat-6.0.20/webapps /opt/apache-tomcat-6.0.20/bin /opt/apache-tomcat-6.0.20/lib /opt/apache-tomcat-6.0.20/temp /opt/apache-tomcat-6.0.20/work /opt/apache-tomcat-6.0.20/logs ... After this preparation changing to another tomcat-version is just a deletion and re-creation of the symbolic link default ( ~/tomcat/default - /opt/apache-tomcat-6.0.20 ) and you roll back to an older version the same way. In this setup your configuration and scripting under tomcat/conf/ and tomcat/bin/ is left untouched and the factory-installation of tomcat under /opt is left untouched as well. By setting links under tomcat/ to default/xyz/ you tell your installation to take the factory-default and by replacing the links to a separate directory (like tomcat/conf/) you can customize your installation. Of course you have to pay attention that your customized directories stay compatible if you made a Tomcat-update by exchanging the links as described above but usually there is no need to change something. Maybe this principle works under MS-Windows as well. I read that MS is offering symbolic links since WinXP-SP2 but I have not much experience with their OS. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Use java 1.5 apps with tomcat 6
Am Thu, 26 Nov 2009 10:54:08 +0100 schrieb Jimmy Spam spa...@pobladores.com: By default, system is using jre1.6 and If I uninstall it, tomcat 6 doesn't work, so How can do for that tomcat use jre1.5 without crash? Please have a look at the beginning of the catalina.sh of your Tomcat-installation. There is a brief documentation how to set the intended JVM. If Opensuse is using another script to start Tomcat you will have to check if there is a setting of the environment variable JAVA_HOME. Basically you will have to set the variable JAVA_HOME to /usr/java/latest, /usr/java/jdk1.6.0_17 or /usr/java/jre1.5.x_y or where-ever the bin-directory of your JVM is. You can have dozens of different JVM under /usr/java/ (typical place for JDKs under Linux) installed. The selection happens through a JAVA_HOME=/usr/java/latest, etc.. Usually it shouldn't be necessary to export this variable as long as catalina.sh and the environment variable setting happens in the same process. This way the impact for the rest of the OS is kept to a minimum. RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Preventing httpd from accessing WEB-INF contents
Am Wed, 25 Nov 2009 11:13:19 -0500 schrieb Jonathan Mast jhmast.develo...@gmail.com: I need something that will be apply globally and can't be overridden by VirtualHost directives. Why don't you use a standard like Location/Order/Deny/Allow in the vhosts config to deny access to WEB-INF, etc.? Individual config-files for Apache's vhosts are still part of the Apache-config and you can insert in it whatever you like to control (or crash!) Apache as a whole. Because of this I would never give the Tomcat-User (e.g. our developers) direct access to the vhost's config-files. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: https and port numbers
Am Tue, 17 Nov 2009 09:40:46 + schrieb Robert Denison r...@blim.org: I've set up my tomcat server to serve http requests on port 8080 and https on port 8443. My firewall forwards requests for 80 to 8080 and 8443 to 8443. Tomcat cannot help you in this case. You will have to make your firewall forward port 443 to 8443 because 443 is the port number that an average webbrowser assumes if the URL starts with https:// RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: problem on TOMCAT 6.0.20: no access to manager pages
Am Fri, 13 Nov 2009 16:29:22 +0100 schrieb Marie-Christine Lagasquie lagasq...@free.fr: Of course, the file /usr/local/tomcat/conf/tomcat-users.xml has been modified before running Tomcat and now contains : --- tomcat-users This is the start of a comment: !-- role rolename=tomcat/ role rolename=role1/ role rolename=manager/ role rolename=admin/ user username=tomcat password=tomcat roles=tomcat/ user username=both password=tomcat roles=tomcat,role1/ user username=role1 password=tomcat roles=role1/ user username=chef password=chtomcat roles=manager,admin/ ..and this the end: -- /tomcat-users BTW: If the system can be accessed from the www you should leave out the standard-users tomcat, both and role1. RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Manager Application | Security | Tomcat 5.5.27
Am Thu, 5 Nov 2009 19:42:58 + schrieb Anurag Kapur On Thu, Nov 5, 2009 at 12:29 PM, Tobias Crefeld t...@cataneo.eu wrote: Separating JMX Proxy from manager won't be very helpful because JMX Proxy itself is offering control over tomcat. And it needs direct access to MBeans of Tomcat's JVM. My Understanding: Even if an attacker gets access to the jmx proxy servelt, it would not pose the same risk as access to the manager application would. With the proxy servlet you can only query the MBeans and get information about the state of the container. However, with access to manager application, you can potentially reload/start/stop contexts which is a big risk. Am I correct with this understanding? The doc under http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html#Using the JMX Proxy Servlet describes a command set in addition to the query you mentioned. I haven't tested but it looks like that it offers nearly the same possibilities as manager does. Actually query alone discloses enough information that a potential attacker could use to get real confidential information via other channels that I don't want to have it in the web. I don't know how safe you webserver is - standard-setup of Solaris runs with no active packet filter... - but if you have no other firewall with ALG I would strongly suggest that you run e.g. an Apache in front of Tomcat with no access by Tomcat-deployers. Today in our standard setup there is such an Apache2 that offers the same Tomcat via two different virtual hosts. One is only proxying URIs that belong to the production context and can be reached from the whole web. The other is proxying the manager-applications as well (manager, probe and j4p) but there are some Apache-rules that allow only access for clients from VPN-users. BTW: j4p might be another nice approach to get a read-only monitoring. It's a Tomcat application that delivers all (?) the data that can get reached by JMX/TCPIP or Mbeans. There is script jmx4perl to read this data and there is a plugin check_jmx4perl to poll this data by a Nagios-server. I found a article which describes this nice tool: http://blog.techstacks.com/2009/09/tomcat-management-jmx4perl-makes-it-easier.html Actually I haven't tested it in detail and so I can't promise that this tool is already ready for production. Ask me in two months when I can tell you more... ;) RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tocat webapp listening on different port
Am Wed, 04 Nov 2009 09:43:54 +0100 schrieb Sergio Arrighi sergio.arri...@iminholding.com: Is it possible to have a tomcat webapp listening on a port different from the port which is in use by the server itself?? Example: I have a tomcat server listening on port 80 and I want the 'A' webapp to be listening on port 1. AFAIK it is not possible to setup 2 http-connectors for one tomcat, but you can install another tomcat in its own JVM with other port- and/or IP-address-assignments with a coyote-connector listening to Port 1. Or you install a proxy or Apache2 with mod_proxy_ajp or mod_proxy_http to offer an access via port 80 to tomcat and change tomcats coyote-connector to Port 1. Of course this will only give you two different ways to connect to the same tomcat (and both applications) but you can control access by using valves in tomcat and ProxyPass-settings in Apache2. RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat6.exe tomcat6w.exe 64-bit binaries link - how to download
Am Tue, 27 Oct 2009 12:25:18 +0300 schrieb Terekhov Artyom (ADV) artyom.terek...@advgroup.ru: Hello, I wonder how to get tomcat 64-bit binaries from this link. Does not seem to work. http://svn.apache.org/viewvc/tomcat/tc6.0.x/tags/TOMCAT_6_0_16/res/procrun/ The link works well but svn is for developers information, not for binary download. Go to http://tomcat.apache.org/download-60.cgi if you need binaries. RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Jre upgrade Issue with Tomcat 5.5 :java.util.zip.ZipException: error in opening zip file
Am Tue, 27 Oct 2009 03:47:23 -0700 (PDT) schrieb selvakumar.V selvakumar.velmuruge...@gmail.com: WARNING: Could not get dir listing for /opt/CSCOpx/MDC/tomcat/webapps/ipm/WEB-INF What do you get if you type at the shell prompt: ls -la /opt/CSCOpx/MDC/tomcat/webapps/ipm/WEB-INF and ls -la /opt/CSCOpx/MDC/tomcat/ ? Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Real Security on Port 80 - Connection Interrupted
Am Thu, 22 Oct 2009 05:11:57 -0700 (PDT) schrieb Kris Reid krisrei...@gmail.com: Tomcat 5.5.25 httpd 1.3.41 We are using mod_proxy with the following commands: Contents of /usr/local/apache/conf/userdata/std/1/realtim1/1realtimemlmleads.com/proxy.conf: ProxyPass / http://localhost:8080/Leads/ ProxyPassReverse / http://localhost:8080/Leads/ [..] Any ideas would be appreciated Without watching catalina.out during logon process it is hard to say what is happening there. Just an idea: Some of our sites use mod_proxy, too. There we are using this additional settings: ProxyPreserveHost On ProxyVia On Don't know if these settings exist in mod_proxy for Apache 1.3 - we're using 2.2. Especially the first entry might be important if the application is using the hostname that the proxy is sending. And we are using the local interface address of the vhost, not localhost, e.g.: ProxyPass/ http://www.1realtimemlmleads.com:8080/ ProxyPassReverse / http://www.1realtimemlmleads.com:8080/ Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Persistent Storage for Webapps
Am Mon, 12 Oct 2009 18:57:43 +0200 schrieb Jesse Long j...@unknown.za.net: Thanks for your answers Tobias. Unfortunately we have a very real use case for multiple instances on one host, with different data paths. So, /etc/app.properties is not usable, but /etc/app-context path derived data.properties might be but virtual hosting would break. No way datato identify unique host consistently. It depends on how you implement virtual hosting. I have no experience with Tomcats virtual hosting but a Tomcat-application can always can request the hostname from the URI and use it to build a path name. We are using this hostname to give users via VPN other privileges than users via public internet. Not really secure but within our business it's enough. We're using Apache2-vhosts and run one Tomcat (in its own JVM) per vhost. This wastes RAM but avoids that a crash|deadlock|overload|whatever in one vhost affects the other vhosts seriously. In our scenario we have one home-directory per vhost (e.g. /srv/vhost1) where we install Tomcat (mostly by symbolic links to unpacked Tomcats-archives) incl. startup/shutdown-scripts, cronjobs, logs, Apache2-document-root, Tomcat-ROOT and persistent data for import/export. Tomcat's webapps-concept is only used to deploy some standard applications like Lambda probe, Webservice or j4p. This vhost-home also contains some *.properties-files with parameters, e.g. for database-access (we don't use JNDI due to historic reasons), paths for import/export, etc. If your using only one Tomcat with several name-based vhosts it probably will be enough if you read hostname from URI and use this information to construct the path to a tree with /srv/vhost1, /srv/vhost2, etc. as data directories. Gruß, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Persistent Storage for Webapps
Am Mon, 12 Oct 2009 13:01:44 +0200 schrieb Jesse Long j...@unknown.za.net: In my webapp I need persistent storage. I am building my webapp as a .war file, and copying it into $CATALINE_HOME/webapps/ Tomcat extracts $CATALINA_HOME/webapps/app.war to $CATALINA_HOME/webapps/app/ The war file contains an empty directory /WEB-INF/data . During operations, data files are created under /WEB-INF/data/ WEB-INF should contain only static files which shouldn't be accessible by Webclients (directly), e.g. by /app/data/filename . So it seems to be a bad place Question: id /WEB-INF/ in the extracted directory the correct place for persistent data storage? If not, where is? AFAIK there is no general advise where to put dynamic, persistent data. As system administrator I prefer solutions that give me the opportunity to decide myself where to put dynamic data. There are a lot of reasons for this: securing against disk space overflow, backup, priviledge separation, etc. Following this way you might create a properties-file outside the Tomcat-hierarchy at a sensible place (e.g. /etc/app.properties) with the paths your application should use. Another way is to define a Tomcat-parameter during JVM-startup that will contain the path to your data-directory. As this might not survive the next update of Tomcat itself I don't like this kind of configuration but some applications and classes are working this way. My goal is to find a consistent way of creating persistent data relative to the context. I dont want to have to configure context parameters with data directory paths for each installation. untested idea: If you have no control over the filesystem of the target Tomcat you could create a mini-application named data.war that you are deploying. Of course there is always the danger of accidentally erasing the data by re-deploying this pseudo-application. And you will have to find a way by valves, etc. to preserve this path from being accessed by web-clients. Maybe it is enough if you leave out the context-entry. Gruss, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Should I use mod_jk or mod_proxy_ajp for my Apache2 to Tomcat5 connector on AIX ?
Am Thu, 24 Sep 2009 10:54:56 -0500 schrieb Strickland, Lawrence P lawrence-strickl...@uiowa.edu: I am having some problems building mod_jk on AIX and I see the same functionality is supported in mod_proxy_ajp. Does anyone have some good reason why I should use one over the other? Using mod_proxy_ajp we got problems with larger http-1.0-POST's: The connector is truncating the POST before receiving its size. FOR US this is a serious issue and we found no other workaround than changing to mod_proxy (http) to wrap port 80 to port 8080 (Tomcat's coyote-interface) which has other limitations (out.flush; hiding source IP-addresses). Beside this mod_proxy_ajp runs pretty well and is more simple to setup than mod_jk and for most applications it works fine. We are still testing mod_jk, so I cannot say if there are other arguments against mod_jk. Unfortunately CentOS' default-installation of Apache2 has no support for mod_jk, so we have to update manually. I estimate it's the same for AIX. We're running Tomcat-6 but I don't think that this makes any difference concerning your question. RU, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Container based authentication using LDAP and Active Directory
Am Tue, 15 Sep 2009 15:00:39 -0500 schrieb sharda k sktom...@gmail.com: - User ids are being stored in LDAP - User credentials(password) are being stored in Active Directory (AD). - User roles are gain being stored in LDAP And how are ADS-credentials and LDAP'S IDs synchronized? Why don't you put the roles into ADS? ADS is based on LDAP with Kerberos-authentication, so it should be no problem to add the necessary schema extensions (untested - I have no ADS). BTW: There is a book called Professional Apache Tomcat 6 at John Wiley (www.wrox.com) with some advice how to setup authentication by file, LDAP, PAM or database. Regards, Tobias. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org