Upgrading Embedded Tomcat 7.x to 10.x
Please may I have some assistance to upgrade a JAVA Maven project which uses embedded Tomcat 7 to use embedded Tomcat 10? I’m having extreme difficulty determining the appropriate versions of the various components such that they play nice together. I am also planning to upgrade from JAVA 7 to JAVA 9. It’s a general modernisation operation.

It is set up as a Maven project and uses Apache CXF and Spring to provide a RESTful API, a SOAP Client and minimal Web Server functionality. All Tomcat configuration is by direct JAVA code - no configuration files - to ensure it runs standalone and cannot be interfered with by the user. There are no database or JNDI requirements in Tomcat, but the product uses a SOAP API for data retrieval.

The Versions currently used are: 3.1.1.RELEASE 3.1.7.RELEASE 7.0.70 2.7.14 3.0 1.9.11 3.4 1 1.8.0 2.2 3.1.4 1.0.13 1.7

Has anyone executed a similar upgrade and can help me find the appropriate mash-up of componentry and versions? Thanks!
Question about Tomcat 8.5.77 and CVE-2022-0778
Tomcat 8.5.77 was published on March 17. The Windows distribution contains tcnative-1.dll, version 1.2.31. Tcnative-1.dll appears to be statically linked to OpenSSL, and was built in 2021, prior to the fix for CVE-2022-0778 being published by OpenSSL. The tcnative source tree was updated to "recommend" a new version of OpenSSL six days ago, but the DLL in the 8.5.77 release doesn't appear to have been built with this change.

I believe this means that if an APR connector is enabled, that the Windows distribution of Tomcat 8.5.77 is exposed to a pretty severe DOS attack vector.

I emailed secur...@tomcat.apache.org about this, believing that that was the responsible way to bring this to light, but received a pretty nasty email in response that told me that this mailing list was the correct forum.

Would it be possible to get a canonical version of Tomcat (e.g. 8.5.78) built that contains the remediation for CVE-2022-0778? Is there anything I can do to help?

Matthew Mellon CISSP
Chief Information Security Officer
828.265.2907 ext 5058 | www.ecrs.com
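An added example, not part of the original post or of Tomcat: because a statically linked tcnative carries its own copy of OpenSSL, the version banner inside the binary shows whether that copy predates the CVE-2022-0778 fix. The fixed releases (1.0.2zd, 1.1.1n, 3.0.2) are taken from OpenSSL's advisory rather than from the post, and the sample bytes are constructed, not read from the 8.5.77 DLL.

```python
import re
import sys

# First release in each affected branch that carries the CVE-2022-0778 fix,
# per the OpenSSL advisory (assumption: not stated in the post itself).
FIXED_LETTER = {(1, 0, 2): "zd", (1, 1, 1): "n"}
FIXED_3_0_PATCH = 2  # 3.0.2

# libcrypto embeds its banner as plain text, e.g. "OpenSSL 1.1.1k  25 Mar 2021".
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2})\s+\d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Constructed sample: junk bytes around two copies of one banner.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03junk\x00OpenSSL 1.1.1k  25 Mar 2021\x00"
    b"\xff\xfe more junk \x00OpenSSL 1.1.1k  25 Mar 2021\x00"
)


def embedded_openssl_versions(blob):
    """Return the distinct (major, minor, patch, letters) banners in a binary."""
    found = []
    for m in BANNER.finditer(blob):
        version = (int(m.group(1)), int(m.group(2)), int(m.group(3)),
                   m.group(4).decode("ascii"))
        if version not in found:
            found.append(version)
    return found


def _letter_key(letters):
    # Letter releases sort "" < "a" < ... < "z" < "za" < "zb" ...
    return (len(letters), letters)


def cve_2022_0778_status(version):
    """Classify one version as 'vulnerable', 'fixed' or 'review'."""
    major, minor, patch, letters = version
    branch = (major, minor, patch)
    if branch in FIXED_LETTER:
        fixed = _letter_key(letters) >= _letter_key(FIXED_LETTER[branch])
        return "fixed" if fixed else "vulnerable"
    if (major, minor) == (3, 0):
        return "fixed" if patch >= FIXED_3_0_PATCH else "vulnerable"
    # Branch not covered by the table above: needs a manual look.
    return "review"


def format_version(version):
    major, minor, patch, letters = version
    return f"{major}.{minor}.{patch}{letters}"


def audit_binary(blob):
    """Map each embedded OpenSSL version to its CVE-2022-0778 status."""
    return {format_version(v): cve_2022_0778_status(v)
            for v in embedded_openssl_versions(blob)}


if __name__ == "__main__":
    # Usage: python check_openssl.py path/to/tcnative-1.dll
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_BLOB
    for ver, status in audit_binary(data).items():
        print(f"OpenSSL {ver}: {status}")
```

An empty result means no banner was found, which is what a dynamically linked build looks like; in that case the OpenSSL library loaded at run time is the one to check.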
RE: Proxy Apache https to Tomcat http
Ted Spradley writes:

> Problem: A Tomcat application at context "/mycontext" on port 8081
> running through Apache proxy renders as expected when using
> http://example.com/mycontext but https://example.com/mycontext call
> renders "The requested URL /mycontext/ was not found on this server."

Dear Ted,

I'm running a similar configuration, using stock Apache httpd/Tomcat on CentOS 7 to host the Shibboleth IdP. Rather than try to proxy HTTPS-HTTP, I'm using the AJP connector. In the httpd configuration, I've enabled mod_proxy_ajp and set the following in the VirtualHost section for the IdP web site:

    ProxyPass /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp https://login.example.com/idp

"/idp" here being the Tomcat Catalina context. I did not change any of the connectors listed in server.xml.

Note that I do not allow unencrypted access to this application: I redirect all HTTP requests to the HTTPS site, and I set a HSTS header that signals browsers to remember this for future connection attempts.

Best wishes,
Matthew

P.S. If you haven't already, please review https://wiki.mozilla.org/Security/Server_Side_TLS and apply its recommendations to your Apache httpd configuration.

--
"The lyf so short, the craft so longe to lerne."
tomcat maven plugin sni
is this the right place to ask about tomcat7-maven-plugin v2.2?

i am trying to run mvn tomcat:deploy to /manager/text on a host which is proxy passed from behind httpd. several virtual hosts are deployed on the server. SNI works fine through the browser and using openssl s_client server-name. however it doesn't seem to work from tomcat7-maven-plugin. i get

    [ERROR] Failed to execute goal org.apache.tomcat.maven:tomcat7-maven-plugin:2.3-SNAPSHOT:redeploy (default-cli) on project example: Cannot invoke Tomcat manager: hostname in certificate didn't match: != OR OR -> [Help 1]

i.e. it is reverting to the first host using ssl defined in httpd.conf

i looked at the dependencies and tomcat7-maven-plugin depends on common-tomcat-maven-plugin 2.2 which depends on httpclient 4.3.1. according to some stuff i read httpclient supports SNI on any version after 4.3.1. are there any updates in the works?
Re: (Cross-Posted) Does anybody have any experience with Tomcat 8 on an IBM Midrange (AS/400, iSeries, whatever they're calling it this week) box?
HAHAHAHAHAHA

On Wed, Jul 27, 2016 at 7:06 PM, James H. H. Lampert <jam...@touchtonecorp.com> wrote:

> Ladies and Gentlemen of both Lists:
>
> Does anybody in either the Tomcat List or the Java 400 List have
> experience running Tomcat 8 on an IBM Midrange box?
>
> And (just for the Java 400 list) does anybody know if there's a way to run
> Java 7 on a V6 box (specifically, an E4A running V6R1M0) without replacing
> the OS?
>
> --
> JHHL

--
"I am no Einstein." -- Albert Einstein
Re: Do I need a keystore?
Yeah, I'm still *not* running tomcat as root. I ran it as root once to see if I could tease out any useful error messages, and I probably caused errors by doing so. In any case I'll read the docs, and thanks.

On Fri, May 6, 2016 at 12:24 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Matthew,
>
> On 5/5/16 9:09 PM, Matthew Herzog wrote:
> > You said, "the http-bio-8443 endpoint is an HTTP connector, not an
> > AJP13 connector."
> >
> > This is confusing to me because all the tutorials I have read don't
> > say anything about commenting out the line in server.xml that
> > reads:
> >
>
> Usually tutorials are written to get you started quickly, and don't
> want to explain what's really going on.
>
> Read the documentation for "redirectPort" on this page:
> https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html
> (or this page)
> https://tomcat.apache.org/tomcat-8.0-doc/config/http.html
>
> The redirectPort has meaning, but it's not the meaning you were
> thinking. The real port being used above is 8009. You can set the
> redirect port to 12345 and you will still use port 8009 to connect to
> your AJP connector.
>
> In your case, it appears you are not even using your AJP connector, so
> its configuration is essentially meaningless.
>
> > I had assumed port 8443 was analogous to port 443. Bad assumption
> > on my part.
>
> 8443 is traditionally the port used by non-privileged processes to
> listen for HTTPS requests. That's why you'll likely see a
> <Connector port="8443" SSLEngine="on" secure="true" ... /> somewhere in your
> configuration. In order to use TLS (the modern name for what used to
> be called SSL), you definitely need to have a keystore.
>
> (I suppose you could use NULL authentication and/or key exchange and
> yes, I guess you could use a pre-shared key, but I don't believe
> Tomcat currently supports such setups, and obviously using NULL
> authentication and/or key exchange pretty much means that you aren't
> using encryption, so there's no point in using HTTPS at that point.)
>
> But, really: don't run Tomcat as root. If there's a reason you think
> you should be (or need to be) running Tomcat as root, let us know and
> we'll tell you how to fix that so you don't need to run as root anymore.
>
> Hope that helps,
> -chris
>
> > On Thu, May 5, 2016 at 5:28 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> > Matthew,
> >
> > On 5/5/16 5:05 PM, Matthew Herzog wrote:
> >>>> when I run the startup script
> >>>>
> >>>> /usr/bin/java -Djava.security.egd=file:/dev/./urandom
> >>>> -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m
> >>>> -XX:+UseConcMarkSweepGC -classpath
> >>>> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> >>>> -Dcatalina.base=/usr/share/tomcat
> >>>> -Dcatalina.home=/usr/share/tomcat
> >>>> -Djava.endorsed.dirs=
> >>>> -Djava.io.tmpdir=/var/cache/tomcat/temp
> >>>> -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
> >>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> >>>> org.apache.catalina.startup.Bootstrap start
> >>>>
> >>>> I see the following error.
> >>>>
> >>>> SEVERE: Failed to initialize end point associated with
> >>>> ProtocolHandler ["http-bio-8443"]
> >>>>
> >>>> java.io.FileNotFoundException: /root/.keystore (No such file
> >>>> or directory) So if I change my ajp config from
> >>>>
> >>>> to
> >>>>
> >>>> will I be able to avoid the keystore work? I'm doing a proof
> >>>> of concept so my cluster will never be exposed to the
> >>>> Internet.
> >
> > You are confused about a few things:
> >
> > 1. It's never good to run as root. Stop doing that.
> >
> > 2. The "redirectPort" attribute doesn't have any effect on what
> > ports Tomcat binds to.
> >
> > 3. The http-bio-8443 endpoint is an HTTP connector, not an AJP13
> > connector.
> >
> > 4. If you want to enable TLS,
Re: Do I need a keystore?
Firstly, thanks.

You said, "the http-bio-8443 endpoint is an HTTP connector, not an AJP13 connector."

This is confusing to me because all the tutorials I have read don't say anything about commenting out the line in server.xml that reads:

I had assumed port 8443 was analogous to port 443. Bad assumption on my part.

On Thu, May 5, 2016 at 5:28 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Matthew,
>
> On 5/5/16 5:05 PM, Matthew Herzog wrote:
> > when I run the startup script
> >
> > /usr/bin/java -Djava.security.egd=file:/dev/./urandom
> > -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m
> > -XX:+UseConcMarkSweepGC -classpath
> > /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> > -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat
> > -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp
> > -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
> > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > org.apache.catalina.startup.Bootstrap start
> >
> > I see the following error.
> >
> > SEVERE: Failed to initialize end point associated with
> > ProtocolHandler ["http-bio-8443"]
> >
> > java.io.FileNotFoundException: /root/.keystore (No such file or
> > directory) So if I change my ajp config from
> >
> > to
> >
> > will I be able to avoid the keystore work? I'm doing a proof of
> > concept so my cluster will never be exposed to the Internet.
>
> You are confused about a few things:
>
> 1. It's never good to run as root. Stop doing that.
>
> 2. The "redirectPort" attribute doesn't have any effect on what ports
> Tomcat binds to.
>
> 3. The http-bio-8443 endpoint is an HTTP connector, not an AJP13
> connector.
>
> 4. If you want to enable TLS, then yes, you will need a keystore.
>
> So, if you don't need HTTPS, then disable whatever connector you have
> that looks kind of like this:
>
> -chris

--
"I am no Einstein." -- Albert Einstein
Do I need a keystore?
when I run the startup script

    /usr/bin/java -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m -XX:+UseConcMarkSweepGC -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

I see the following error.

    SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
    java.io.FileNotFoundException: /root/.keystore (No such file or directory)

So if I change my ajp config from

to

will I be able to avoid the keystore work? I'm doing a proof of concept so my cluster will never be exposed to the Internet.

--
"I am no Einstein." -- Albert Einstein
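An added example, not from the thread or from Tomcat itself: a small audit of server.xml that shows the points made in the replies above, namely that a connector listens on its port attribute, that redirectPort binds nothing, and that only a TLS-enabled connector needs a keystore, which defaults to .keystore in the home directory of the user running Tomcat. It assumes connector-level SSLEnabled and keystoreFile attributes as in Tomcat 7 and 8.0; the sample server.xml is constructed and is not the poster's file.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample resembling a stock Tomcat 7 server.xml.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def audit_connectors(server_xml, home, catalina_base, exists=os.path.exists):
    """Describe each <Connector>: bound port, kind, TLS, keystore it needs.

    home          -- home directory of the account that runs Tomcat
    catalina_base -- base directory for a relative keystoreFile
    exists        -- file-existence check, injectable for testing
    """
    report = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        entry = {
            "port": int(conn.get("port")),            # the port actually bound
            "kind": "AJP" if "ajp" in protocol.lower() else "HTTP",
            "tls": conn.get("SSLEnabled", "false").lower() == "true",
            "redirect_port": conn.get("redirectPort"),  # a hint, never bound
            "keystore": None,
            "problem": None,
        }
        if entry["tls"]:
            configured = conn.get("keystoreFile")
            if configured is None:
                # Default: .keystore in the running user's home directory,
                # hence /root/.keystore when Tomcat is started as root.
                path = os.path.join(home, ".keystore")
            elif os.path.isabs(configured):
                path = configured
            else:
                path = os.path.join(catalina_base, configured)
            entry["keystore"] = path
            if not exists(path):
                entry["problem"] = "keystore not found: " + path
        report.append(entry)
    return report


def bound_ports(report):
    """Ports Tomcat will listen on, in document order."""
    return [entry["port"] for entry in report]


def dangling_redirects(report):
    """redirectPort values that no connector listens on."""
    bound = set(bound_ports(report))
    targets = {int(e["redirect_port"]) for e in report if e["redirect_port"]}
    return sorted(targets - bound)


if __name__ == "__main__":
    base = os.environ.get("CATALINA_BASE", "/usr/share/tomcat")
    result = audit_connectors(SAMPLE_SERVER_XML, os.path.expanduser("~"), base)
    for e in result:
        tls = "TLS" if e["tls"] else "plain"
        print(e["port"], e["kind"], tls, e["problem"] or "ok")
    print("redirectPort with no listener:", dangling_redirects(result))
```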
API requests overloading Tomcat?
I use an application called Spacewalk to manage RHEL systems in an enterprise environment. The application provides an API that I use for automation purposes. While load starts to increase on the application server, we reach a breaking point where the application becomes unresponsive, and throws 500 internal server errors. Listed at the bottom are some of the errors I see when this happens.

I'm looking for advice on how to better diagnose and\or tune my settings to optimize Tomcat performance. I feel like the system is beefy enough to handle this load, but Tomcat appears to be my bottleneck. How should I go about resolving this? I have played around with the AJP connector settings quite a bit, but can't seem to find suitable parameters.

OS: RHEL6.6
RAM: 64GB (Please note, under heavy load, we are not utilizing even 50% of RAM.. it seems to be all CPU, but I'm not sure how to get Tomcat to utilize more RAM other than boosting the Xmx settings which I have already done)
CPU: 16 (vCPU)

Tomcat:
    apache-tomcat-apis-0.1-1.el6.noarch
    tomcat6-el-2.1-api-6.0.24-83.el6_6.x86_64
    tomcat6-lib-6.0.24-83.el6_6.x86_64
    tomcat6-servlet-2.5-api-6.0.24-83.el6_6.x86_64
    tomcat6-6.0.24-83.el6_6.x86_64
    tomcat5-jsp-2.0-api-5.5.27-7.jpp5.noarch
    tomcat6-jsp-2.1-api-6.0.24-83.el6_6.x86_64
    tomcat5-servlet-2.4-api-5.5.27-7.jpp5.noarch

Java: java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.x86_64

Oracle client: oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64

JAVA_OPTS=-ea -Xms512m -Xmx4096m -Djava.awt.headless=true -Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=1024 -XX:MaxNewSize=256 -XX:-UseConcMarkSweepGC -Dnet.sf.ehcache.skipUpdateCheck=true -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Djava.library.path=\${system_property:java.library.path}:/usr/lib:/usr/lib64/oracle/11.2/client/lib

Connector settings:

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" URIEncoding="UTF-8" address="127.0.0.1" maxThreads="1024" maxKeepAliveRequests="1000"/>
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" address="127.0.0.1" maxThreads="1024"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" address="::1" maxThreads="1024"/>

From /var/log/tomcat6/catalina.out

    Aug 25, 2015 1:33:23 AM org.apache.jk.core.MsgContext action
    WARNING: Unable to send headers
    java.net.SocketException: Broken pipe
        at java.net.SocketOutputStream.socketWrite0(Native Method)
        at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:109)
        at java.net.SocketOutputStream.write(SocketOutputStream.java:153)
        at org.apache.jk.common.ChannelSocket.send(ChannelSocket.java:532)
        at org.apache.jk.common.JkInputStream.appendHead(JkInputStream.java:326)
        at org.apache.jk.core.MsgContext.action(MsgContext.java:266)
        at org.apache.coyote.Response.action(Response.java:183)
        at org.apache.coyote.Response.sendHeaders(Response.java:379)
        at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:305)
        at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:288)
        at org.apache.catalina.connector.CoyoteWriter.flush(CoyoteWriter.java:95)
        at org.apache.jasper.runtime.JspWriterImpl.flush(JspWriterImpl.java:175)
        at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:956)
        at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:622)
        at com.opensymphony.module.sitemesh.taglib.page.ApplyDecoratorTag.doEndTag(ApplyDecoratorTag.java:258)
        at org.apache.jsp.WEB_002dINF.pages.common.errors._500_jsp._jspx_meth_page_005fapplyDecorator_005f0(Unknown Source)
        at org.apache.jsp.WEB_002dINF.pages.common.errors._500_jsp._jspService(Unknown Source)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:438)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
        at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:415)
        at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:342)
        at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:286)
        at
Re: Android 5.0 SSL handshake failure
On 01/22/2015 04:19 AM, Mark Thomas wrote:

On 22/01/2015 00:12, Matthew Mah wrote:

On 01/21/2015 03:24 PM, Christopher Schultz wrote:

Have you tried a plain-old HTTPS connection? No Websocket?

I just tried HTTPS using

    HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
    try {
        try {
            InputStream in = new BufferedInputStream(urlConnection.getInputStream());
            byte[] buffer = new byte[1024];
            in.read(buffer);
            Log.i(TAG, new String(buffer));
        } catch (Exception e) {
            // read failures are ignored; only the handshake result matters here
        }
        String cipherSuite = urlConnection.getCipherSuite();
        Log.i(TAG, "connected? " + cipherSuite);
    } finally {
        urlConnection.disconnect();
    }

There is currently no content being served (only the websocket), but the network trace shows a successful TLSv1.2 handshake. This should mean the certificates and cipher suites are fine, but there is a problem with some interaction between Android 5.0 and the Tyrus websocket implementation.

Huh? Tyrus WebSocket is nothing to do with Tomcat.

Mark

Tyrus is running on a client trying to negotiate a SSL connection with Tomcat. At this point, I am confident there is a bug either in Android or in Tyrus and not in the Tomcat configuration, so we can cease discussion on this topic here.

I think the most logical next step is to try a different websocket implementation.
Re: Android 5.0 SSL handshake failure
On 01/21/2015 11:26 AM, Christopher Schultz wrote:

Matt,

On 1/21/15 11:13 AM, Matthew Mah wrote:

On 01/20/2015 10:08 AM, Christopher Schultz wrote:

Matthew,

On 1/18/15 1:54 PM, Matthew Mah wrote:

I have set up a Tomcat server using spring-boot with SSL/TLS for secure websockets.

Tomcat version? JVM version? Any relevant configuration?

Tomcat 8.0.15.

multiple JVM:
java version 1.7.0_55 OpenJDK Runtime Environment
java version 1.7.0_65 OpenJDK Runtime Environment
java version 1.7.0_71 OpenJDK Runtime Environment

I have tried the default ciphers, as well as:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is listed as both supported and enabled for Android API 11+
http://developer.android.com/reference/javax/net/ssl/SSLSocket.html

I would prefer a stronger cipher suite (not SHA1), but right now I am looking for anything that works.

This works for Android 4.4, iOS, Firefox, and Chrome clients. Android 5.0 clients (Nexus 5) fail the SSL handshake.

What protocol and ciphers are those working browsers using?

Chrome: TLS 1.2 ECDHE RSA AES 128 CBC SHA1
Firefox: TLS v? ECDHE RSA AES 128 CBC SHA1

Check the archives for a somewhat recent post by me including code to scan an SSL server for the protocols and ciphers it supports.

That's a great tool you've written. Using the shortlist of cipher suites on Tomcat above, this is supported:

    Accepted  TLSv1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1    TLS_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.1  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.1  TLS_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.1  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.2  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.2  TLS_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.2  TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Cool. Is that the whole list? It's not many: just 3 different ciphers for each of 3 protocols. It's possible there simply isn't any match between what Android 5.0 can do and what you have available.

Yes, that's currently the whole list. I tried the default cipher suites first and when they did not work, I tried to slim down the list so that the openssl s_client would negotiate a cipher suite on the supported Android list.

From your SO posting, I can see you claim that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is documented to be available in Android's SSL/TLS API, so I'd be surprised if it didn't connect. I wonder if this is a problem with the handshake only?

I suspect there is a problem with Android 5's handshake. I've opened an Android bug report: https://code.google.com/p/android/issues/detail?id=103251

If someone on the list had responded that they do have Android 5 connecting a websocket to Tomcat, it would probably be a configuration problem on my Tomcat server.

What does your Connector configuration look like?

I am using spring-boot 1.2.1, and I don't have that set explicitly. The configuration I do have is the spring boot application.properties:

    server.ssl.key-store = mind7.cs.umd.edu.chained.p12
    server.ssl.key-store-password = secret
    server.ssl.key-store-type = PKCS12

Otherwise the configuration is the default for spring-boot.

Perhaps you have to re-enable the SSLv2hello protocol. (Note that this does not allow SSLv2 or SSLv3 to be used as the protocol... only to start the handshake using the old protocol).

I will look into this for spring boot. Thanks.

-chris
Re: Android 5.0 SSL handshake failure
On 01/20/2015 10:08 AM, Christopher Schultz wrote:

Matthew,

On 1/18/15 1:54 PM, Matthew Mah wrote:

I have set up a Tomcat server using spring-boot with SSL/TLS for secure websockets.

Tomcat version? JVM version? Any relevant configuration?

Tomcat 8.0.15.

multiple JVM:
java version 1.7.0_55 OpenJDK Runtime Environment
java version 1.7.0_65 OpenJDK Runtime Environment
java version 1.7.0_71 OpenJDK Runtime Environment

I have tried the default ciphers, as well as:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is listed as both supported and enabled for Android API 11+
http://developer.android.com/reference/javax/net/ssl/SSLSocket.html

I would prefer a stronger cipher suite (not SHA1), but right now I am looking for anything that works.

This works for Android 4.4, iOS, Firefox, and Chrome clients. Android 5.0 clients (Nexus 5) fail the SSL handshake.

What protocol and ciphers are those working browsers using?

Chrome: TLS 1.2 ECDHE RSA AES 128 CBC SHA1
Firefox: TLS v? ECDHE RSA AES 128 CBC SHA1

Check the archives for a somewhat recent post by me including code to scan an SSL server for the protocols and ciphers it supports.

That's a great tool you've written. Using the shortlist of cipher suites on Tomcat above, this is supported:

    Accepted  TLSv1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1    TLS_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.1  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.1  TLS_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.1  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.2  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.2  TLS_RSA_WITH_AES_128_CBC_SHA
    Accepted  TLSv1.2  TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Has anyone successfully set up secure websockets with Android 5? I know there are SSL/TLS changes in Android 5, and so far I am unable to find any combination of configurations on the server and client to successfully connect. If someone else has gotten this to work, at least I will know I am making an error somewhere.

I have details posted on stack overflow: http://stackoverflow.com/questions/28011581/android-5-0-lollipop-websocket-ssl-handshake-failure

It looks like you might have to re-enable the SSL2hello pseudo-protocol, which is weird because Android 5 should definitely speak TLS.

-chris
Re: Android 5.0 SSL handshake failure
On 01/21/2015 03:24 PM, Christopher Schultz wrote:

Have you tried a plain-old HTTPS connection? No Websocket?

I just tried HTTPS using

    HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
    try {
        try {
            InputStream in = new BufferedInputStream(urlConnection.getInputStream());
            byte[] buffer = new byte[1024];
            in.read(buffer);
            Log.i(TAG, new String(buffer));
        } catch (Exception e) {
            // read failures are ignored; only the handshake result matters here
        }
        String cipherSuite = urlConnection.getCipherSuite();
        Log.i(TAG, "connected? " + cipherSuite);
    } finally {
        urlConnection.disconnect();
    }

There is currently no content being served (only the websocket), but the network trace shows a successful TLSv1.2 handshake. This should mean the certificates and cipher suites are fine, but there is a problem with some interaction between Android 5.0 and the Tyrus websocket implementation.

I think the most logical next step is to try a different websocket implementation.
Android 5.0 SSL handshake failure
I have set up a Tomcat server using spring-boot with SSL/TLS for secure websockets. This works for Android 4.4, iOS, Firefox, and Chrome clients. Android 5.0 clients (Nexus 5) fail the SSL handshake.

Has anyone successfully set up secure websockets with Android 5? I know there are SSL/TLS changes in Android 5, and so far I am unable to find any combination of configurations on the server and client to successfully connect. If someone else has gotten this to work, at least I will know I am making an error somewhere.

I have details posted on stack overflow: http://stackoverflow.com/questions/28011581/android-5-0-lollipop-websocket-ssl-handshake-failure

Thanks,
Matt
SSL Root Cert install
I'm running Apache Tomcat 7 on Windows Server 2008 R2 with Java jdk 1.8.0_25. I was able to use the keytool.exe command with the -genkey switch to create a keystore. I then used keytool.exe to create a CSR which I submitted to an issuer and received a certificate. I have to use keytool.exe to import the Root and Chain certificates first. I can't get the import of the Root certificate to work. I get the error message

    keytool error: java.io.FileNotFoundException: C:\Users\Administrator\root.cer (The system cannot find the file specified)

Searches I do for this error seem to only net me results when people run keytool.exe and it can't find their .keystore. Keytool.exe finds my keystore just fine, it can't find the actual root.cer file though.

I've tried putting that cert file in the C:\Users\Administrator folder with the .keystore file, I've put it in the Java jdk folders, I've put it in the tomcat7 folder, and keytool.exe still can't find it. I've downloaded the Microsoft Process Monitor util and set up a filter to watch for any commands/errors related to my root.cer file, and the keytool.exe process can access the root.cer file, even though the import fails. I've modified the -file command to use the current directory, I've passed it the full path to the root.cer file in multiple locations, nothing is working, and I've run out of ideas for things to try.

Has anyone else seen this problem before?
Re: Is it possible to send a 'keep-alive' packet back to client session every x seconds?
Thanks everyone, development tells me that they're going to build the function into the application. Trying to build custom kernels and then using a tcp_keepalive would be a logistic nightmare.

Cheers,
Matt

On Fri, Mar 28, 2014 at 12:53 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Mark,

On 3/27/14, 5:38 AM, Mark Thomas wrote:

On 27/03/2014 03:08, Matthew Turany wrote:

Is it possible to configure either apache or tomcat to send a packet every x number of seconds so that at the client end the gateway thinks the session is still active and will keep the connection open, or is this something best put into the actual web app?

http://tomcat.apache.org/connectors-doc/reference/workers.html

socket_keepalive

You'll need to configure the OS to send the packets frequently enough.

Alternatively, change the application design:
- One request to trigger generation of the report
- N requests to retrieve report which returns either still processing (maybe with an ETA) or here it is.

+1

I believe this is a better design in the long-run. It also allows you to do things like off-line processing of batches without changing your UI.

Another thing you could do is simulate the above by using a report-builder thread launched from your servlet, and then have your request-processing thread do a flush() on the response (causing chunked encoding to be used), then sleep for some amount of time (maybe 1-5 seconds), then check the status of the report, then flush() again (not sure if it will keep emitting 0-length chunks if you flush over and over again), then sleep again.

This seems like a perfect use case for async processing.

-chris
Is it possible to send a 'keep-alive' packet back to client session every x seconds?
Hi, Trying to figure out if this is possible; apache reverse-proxy sitting in front of a server running tomcat serving a web app. Due to the amount of data in the backend DB, when a user generated report is requested, it can take several minutes (3-4) for the report to be presented to the browser session. In this particular case the client browser is sitting behind a gateway / firewall that will drop the connection after 60 seconds of 'inactivity' e.g. no traffic back to the browser (high-security environment). The app presents a web pop-up stating Your report is being prepared and session keepalive timeouts are all set accordingly, however since the gateway doesn't see any active traffic it will close the connection forcing the client browser to reconnect on a new connection which in effect loses their report. (Note: that this all works fine for anyone not behind that particular gateway) Is it possible to configure either apache or tomcat to send a packet every x number of seconds so that at the client end the gateway thinks the session is still active and will keep the connection open, or is this something best put into the actual web app? Thanks, Matt
Apache / Tomcat consultant needed?
Hi, Apologies if this is the wrong place to post this and if so it would be great if you could let me know where I should direct it. We're a software developer located in Australia, one of our products uses Apache as a reverse proxy to multiple tomcat instances each supporting numerous customers. We would like to engage an 'expert' in both Apache and Tomcat that can review the current configuration(s) and advise on configuration changes (if any) for maximising performance, security, and any other areas needed / observed. There are no known issues at the moment, and this would primarily be a review / health check. For further information please reply to this post. Cheers, Matt
Setting unloadDelay within embedded Tomcat
I am running Tomcat embedded via something like the following code:

    tomcat = new Tomcat();
    tomcat.setBaseDir(DEFAULT_BASE_DIR);
    tomcat.getService().addConnector(defaultConnector);
    tomcat.setConnector(defaultConnector);
    tomcat.init();
    tomcat.start();

How do I go about setting the *unloadDelay* property programmatically in the above example? Cheers, Matthew
Configure Tomcat Logging Programmatically
I am running Tomcat programmatically (embedded) and I wanted to configure its logging so I can track inbound requests. I start Tomcat as follows:

    tomcat = new Tomcat();
    tomcat.setBaseDir(DEFAULT_BASE_DIR);
    tomcat.getService().addConnector(defaultConnector);
    tomcat.setConnector(defaultConnector);
    tomcat.init();
    tomcat.start();

How do I go about configuring the logging? Cheers, Matt
Configuring Embedded Tomcat for SSL
Tomcat version: 7.0.47
OS: Windows 7 (x64)
JDK: 1.7

I am attempting to start an embedded instance of Tomcat, which is configured for SSL only, on port 443. The code I am using is as follows:

    public static void main(String[] args) throws UnknownHostException, LifecycleException, ServletException {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir("D:\\Temp");
        tomcat.addWebapp("/sslapp", "D:\\");
        Connector connector = new Connector();
        connector.setPort(443);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setAttribute("address", "127.0.0.1");
        connector.setAttribute("SSLEnabled", true);
        connector.setAttribute("bindOnInit", true);
        connector.setAttribute("keystoreFile", "...\\EngineInstance.keystore");
        connector.setAttribute("keystorePass", "password");
        connector.setAttribute("clientAuth", "false");
        connector.setAttribute("sslProtocol", "TLS");
        connector.setAttribute("keyAlias", "test");
        connector.setAttribute("keyPass", "password");
        tomcat.setConnector(connector);
        tomcat.init();
        tomcat.start();
        tomcat.getServer().await();
    }

When I run the above, I receive the following output:

    Nov 01, 2013 10:08:07 AM org.apache.catalina.core.StandardService startInternal
    INFO: Starting service Tomcat
    Nov 01, 2013 10:08:07 AM org.apache.catalina.core.StandardEngine startInternal
    INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
    Nov 01, 2013 10:08:07 AM org.apache.catalina.startup.ContextConfig getDefaultWebXmlFragment
    INFO: No global web.xml found

It does not look like the connector I created is actually being started. When I try browsing to the above port using Chrome/IE it does not connect. I thought I was following the correct process based on information I located on Google, however, it would appear I am still doing something incorrect. I have confirmed the existence of the private key in the keystore (using Keystore Explorer), so all that is fine. Please, any help would be greatly appreciated.

Cheers, Matthew
Matthew Westwood-Hill
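An added example, not the poster's code and not from the Tomcat project: on Tomcat 7, `Tomcat.setConnector()` only records the connector as the default, so the code below also registers it with the `Service` (the pattern the other embedded snippets on this page use), names the JSSE NIO protocol, limits the listener to TLS 1.2, and stops if the HTTPS listener did not reach the STARTED state. The class name, the environment variable names and the port and alias values are assumptions.

```java
import java.io.File;

import org.apache.catalina.LifecycleState;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;

public class EmbeddedTlsTomcat {

    // Hypothetical environment variable names: paths and the keystore
    // password are supplied at launch instead of being compiled in.
    private static final String ENV_BASE_DIR = "APP_TOMCAT_BASE";
    private static final String ENV_DOC_BASE = "APP_DOC_BASE";
    private static final String ENV_KEYSTORE = "APP_KEYSTORE_FILE";
    private static final String ENV_KEYSTORE_PASS = "APP_KEYSTORE_PASS";

    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    /** Builds an HTTPS-only connector. Nothing listens until a Service starts it. */
    static Connector buildTlsConnector(String keystoreFile, String keystorePass,
                                       String keyAlias, int port) {
        if (!new File(keystoreFile).isFile()) {
            throw new IllegalArgumentException("Keystore not found: " + keystoreFile);
        }
        // Name the JSSE NIO implementation explicitly; it reads the keystore* attributes.
        Connector c = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        c.setPort(port);
        c.setScheme("https");
        c.setSecure(true);
        c.setAttribute("address", "127.0.0.1");          // loopback only, as in the post
        c.setAttribute("SSLEnabled", "true");
        c.setAttribute("keystoreFile", keystoreFile);
        c.setAttribute("keystorePass", keystorePass);
        c.setAttribute("keyPass", keystorePass);         // assumes key and store share a password
        c.setAttribute("keyAlias", keyAlias);
        c.setAttribute("clientAuth", "false");
        c.setAttribute("sslProtocol", "TLS");
        c.setAttribute("sslEnabledProtocols", "TLSv1.2"); // refuse SSLv3 / TLS 1.0 / TLS 1.1
        return c;
    }

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(requireEnv(ENV_BASE_DIR));
        tomcat.addWebapp("/sslapp", requireEnv(ENV_DOC_BASE));

        Connector tls = buildTlsConnector(
                requireEnv(ENV_KEYSTORE), requireEnv(ENV_KEYSTORE_PASS), "test", 443);

        // Registering with the Service is what makes the connector start with the server.
        tomcat.getService().addConnector(tls);
        // Marking it as the default stops Tomcat from adding its own plain-HTTP connector.
        tomcat.setConnector(tls);

        tomcat.start();

        // A connector that fails to start (port in use, bad keystore) is only logged by
        // the Service, so check its state and refuse to run without the HTTPS listener.
        if (tls.getState() != LifecycleState.STARTED) {
            tomcat.stop();
            throw new IllegalStateException("HTTPS connector did not start, state=" + tls.getState());
        }
        tomcat.getServer().await();
    }
}
```

When the connector is registered, the startup log gains a "Starting ProtocolHandler" line for it, which is absent from the output quoted in the post.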
Re: [OT] Re: Tomcat Linux/Windows Performance Question
On 10/29/2012 03:16 PM, verlag.preis...@t-online.de wrote:
>> 3. Bizarre observations when using high-resolution (or even ms-res) clocks and timers... seems like you can't get more than about 0.1-sec resolution or so reliably -- or at least plausibly -- on a win32 box.
>
> Hmm, I think this applies for outdated versions of Windows like WinXP, which don't support HPET timers. I remember when I wrote a java snippet at my WinXP machine at work like this:
>
>     long startTime = System.nanoTime();
>     // do something which doesn't take much time...
>     long duration = System.nanoTime() - startTime;
>
> and then being surprised that duration contained a negative value...

As much as I hate to give windows the benefit of the doubt, there is a plausible explanation where windows wasn't technically doing anything wrong: if you were setting your clock via NTP, it's possible that there was a clock-correction in process. POSIX dealt with this (relatively recently in unix terms) by introducing a couple functions; one that lets you see what the system thinks its clock resolution is, and also a way to access a monotonic clock (guaranteed to be unaffected by system-clock corrections).

There is another platform-specific issue that bit me once: Windows+NTFS is really horrible at dealing with directories with large numbers of files. I once had a web app that scanned directories containing a few thousand files looking for the most recent file. On linux (w/ ext3), there was no noticeable time difference between a directory with 2 or 2000 entries. On windows, small directories were as fast as linux, but once the number of files in the directory got large, the operation would take on the order of minutes. Most people avoid that issue by using a DB to store their data (and let the DB implement platform-specific optimizations) instead of trying to use flat files, but we had a special requirement (integration w/ third-party tool).

Matt
Re: Odd NIO connector behavior
Just a heads up to the Tomcat team - I switched all our comet handling to Jetty, and these issues are resolved. Something is definitely amiss in the NIO connector.

Regards, Matt Tyson

On Sat, Dec 31, 2011 at 10:23 AM, Mark Thomas ma...@apache.org wrote:
> On 31/12/2011 16:35, Matthew Tyson wrote:
>> On Wed, Dec 28, 2011 at 1:04 AM, ma...@apache.org wrote:
>>> Matthew Tyson matthewcarlty...@gmail.com wrote:
>>>> That's right, there is an f5 load balancer. The valve is used to keep track of whether the request was via HTTPS or not.
>>>
>>> What happens if you go direct to Tomcat and bypass the F5?
>>>
>>>> tcpdump seems to confirm the same. What are you thinking?
>>>
>>> Probably, like me, that the F5 isn't handling the Comet requests correctly.
>>>
>>> Mark
>>
>> I am trying to understand how the load balancer could cause Tomcat to respond with an empty 200 response to a request, without ever executing the service method on the servlet mapped to the url.
>
> I've seen all sorts of odd behaviors when something is expecting HTTP but doesn't get it.
>
>> The inbound request to tomcat is correct, and it is sometimes handled correctly. However, much of the time it is sending the empty 200.
>
> Given that there appears to be multiple issues here, I'd suggest concentrating on the one that is likely easiest to debug. Fix that and then see what the other problems then look like. We might be seeing two sides of the same issue.
>
> My recommendation is:
> - if possible, test without the F5 just to be sure this is purely a Tomcat issue
> - investigate the repeated calls to service() with no incoming request as that is likely to be easier to debug.
>
> As per my previous suggestion, get Tomcat into this state and then use remote debugging to see what is calling NioEndpoint.processSocket()
>
> Mark
Known Tomcat 6.0 and JDK 1.7.0_02 issues?
Are there known Tomcat 6.0 and JDK 1.7.0_02 issues? I know this is a hard question to answer, if the answer is no. But I need to ask just in case the answer is yes. Also I will accept any solutions to the issues below as answers. Please just share whatever issues you have had, and I will update this question if need be.

Issues: Some issues I have run into since upgrading from JDK 1.7.0 to 1.7.0_02 (which I did to avoid the Eclipse's help menus from crashing, due to a Java 1.7.0 bug.):
* Tomcat server takes much longer to start, I need a 120 second timeout to handle it.
* FATAL ERROR in native method: JDWP No transports initialized, jvmtiError=AGENT_ERROR_TRANSPORT_INIT(197) error, which disappeared the next day and then reappeared the third day, with no changes other than reloading Eclipse.
* Tomcat server takes much longer to shut down. I need a 60 second timeout to handle it, from 15 second default.
* Eclipse itself appears to crawl to a halt (figuratively speaking) upon building the workspace and validating the project at hand. Everything within Eclipse appears to take longer, even opening an unopened file. Everything seems suspicious.

P.S. JDK 1.7.0_02 is also known as 1.7.0u2, Java SE 7u2, Java SE 7 Update 2, etc.

Versions:
* JDK = Oracle, 64-bit, downloaded from http://www.oracle.com/technetwork/java/javase/downloads/index.html. Exact file downloaded and installed was jdk-7u2-windows-x64.exe.
* Tomcat = Tomcat 6.0.33, downloaded separately from Eclipse
* Eclipse = Eclipse Java EE IDE for Web Developers., Version: Indigo Release, Eclipse Platform, Version: 3.7.0.v20110530-9gF7UHNFFt4cwE-pkZDJ7oz-mj4OSEIlu9SEv0f, Build id: I20110613-1736.
* 64-bit Windows 7 machine

Thank you, -- Matthew Doucette
Configuring Tomcat 6 to only start the default manager webapp
Hi, I was wondering if anyone knew how to configure Tomcat (6.0.26) to only start the default app when the Tomcat service starts. I have many webapps deployed so that they are accessible when I need them and I don't have to re-deploy/configure them later, but I don't like that they all start up when the service starts. I've tried searching around for this, but haven't had any luck so far. I found one entry in the mail list archives, but it was talking about disabling the auto deploy which I don't think will help me here. Thanks in advance, Matt Marleau
Re: Odd NIO connector behavior
On Wed, Dec 28, 2011 at 1:04 AM, ma...@apache.org wrote:
> Matthew Tyson matthewcarlty...@gmail.com wrote:
>> That's right, there is an f5 load balancer. The valve is used to keep track of whether the request was via HTTPS or not.
>
> What happens if you go direct to Tomcat and bypass the F5?
>
>> tcpdump seems to confirm the same. What are you thinking?
>
> Probably, like me, that the F5 isn't handling the Comet requests correctly.
>
> Mark

I am trying to understand how the load balancer could cause Tomcat to respond with an empty 200 response to a request, without ever executing the service method on the servlet mapped to the url. That just doesn't seem possible.

The inbound request to tomcat is correct, and it is sometimes handled correctly. However, much of the time it is sending the empty 200.

Matt Tyson
Re: single large tomcat or multiple tomcats
On Fri, Dec 30, 2011 at 11:57 AM, S Ahmed sahmed1...@gmail.com wrote:
> I know with other frameworks (like python/rails) people tend to run multiple instances of the web server and round robin requests to each using something like haproxy. Is this known in the tomcat community at all? If I have a server with 16GB ram, would it make sense to run a few tomcat processes on different ports and use haproxy to round robin requests to each tomcat instance? I realize python/ruby do this because of their poor threading support. thanks!

Take a look at: http://tomcat.apache.org/tomcat-7.0-doc/cluster-howto.html

Tomcat has extensive clustering support.

Best, Matt Tyson
Re: Odd NIO connector behavior
On Wed, Dec 28, 2011 at 6:22 PM, Matthew Tyson matthewcarlty...@gmail.com wrote:
> On Wed, Dec 28, 2011 at 8:58 AM, Stefan Mayr ste...@mayr-stefan.de wrote:
>> On 28.12.2011 10:04, ma...@apache.org wrote:
>>> Matthew Tyson matthewcarlty...@gmail.com wrote:
>>>> That's right, there is an f5 load balancer. The valve is used to keep track of whether the request was via HTTPS or not.
>>>
>>> What happens if you go direct to Tomcat and bypass the F5?
>>>
>>>> tcpdump seems to confirm the same. What are you thinking?
>>>
>>> Probably, like me, that the F5 isn't handling the Comet requests correctly.
>>
>> This is what I would guess. We have a loadbalancing device that handles n client-lb connections with m lb-server connections in its HTTP mode. There we have to switch to TCP proxy mode to keep 1:1 relations. Your F5 is where to do start crosschecking with tcpdump: client - F5 vs F5 - server
>>
>> Stefan
>
> You think it's possible that multiplexing or some load-balancer config would cause the two observed issues:
> 1) When the custom valve is in use, zombie service() executions continue with no actual inbound requests
> 2) Inbound requests are being replied to with blank 200s, without ever executing the service method.
>
> Thanks, Matt Tyson

I think maybe I wasn't clear before. I am running ngrep on the server, inside the f5.

F5 - ngrep - tomcat

So the behavior I am seeing is inbound traffic from the F5 to Tomcat, then outbound traffic from Tomcat (empty 200s that don't execute the servlet service) back to the F5. It seems very unlikely that F5 configuration is the cause there.

Matt Tyson
Re: Odd NIO connector behavior
On Thu, Dec 29, 2011 at 11:07 AM, Pid p...@pidster.com wrote:
> On 29/12/2011 17:27, Matthew Tyson wrote:
>> On Wed, Dec 28, 2011 at 6:22 PM, Matthew Tyson matthewcarlty...@gmail.com wrote:
>>> On Wed, Dec 28, 2011 at 8:58 AM, Stefan Mayr ste...@mayr-stefan.de wrote:
>>>> On 28.12.2011 10:04, ma...@apache.org wrote:
>>>>> Matthew Tyson matthewcarlty...@gmail.com wrote:
>>>>>> That's right, there is an f5 load balancer. The valve is used to keep track of whether the request was via HTTPS or not.
>>>>>
>>>>> What happens if you go direct to Tomcat and bypass the F5?
>>>>>
>>>>>> tcpdump seems to confirm the same. What are you thinking?
>>>>>
>>>>> Probably, like me, that the F5 isn't handling the Comet requests correctly.
>>>>
>>>> This is what I would guess. We have a loadbalancing device that handles n client-lb connections with m lb-server connections in its HTTP mode. There we have to switch to TCP proxy mode to keep 1:1 relations. Your F5 is where to do start crosschecking with tcpdump: client - F5 vs F5 - server
>>>>
>>>> Stefan
>>>
>>> You think it's possible that multiplexing or some load-balancer config would cause the two observed issues:
>>> 1) When the custom valve is in use, zombie service() executions continue with no actual inbound requests
>>> 2) Inbound requests are being replied to with blank 200s, without ever executing the service method.
>>>
>>> Thanks, Matt Tyson
>>
>> I think maybe I wasn't clear before. I am running ngrep on the server, inside the f5.
>>
>> F5 - ngrep - tomcat
>>
>> So the behavior I am seeing is inbound traffic from the F5 to Tomcat, then outbound traffic from Tomcat (empty 200s that don't execute the servlet service) back to the F5. It seems very unlikely that F5 configuration is the cause there.
>
> Can you post the CometdServlet code?
>
> p

Here is the code from the service method, it is basically from the cometd.org project, with some added logging. There's obviously quite a bit more involved in how cometd processes things, but in this case, the servlet itself is very simple.
How an empty 200 response could be generated without executing the logging statement here is a mystery.

    protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        logger.info("REQUEST: " + request.getRemoteAddr() + " " + request.getMethod() + " " + request.getQueryString() + " | TRACE: ", new Throwable());
        if ("OPTIONS".equals(request.getMethod())) {
            serviceOptions(request, response);
            return;
        }
        HttpTransport transport = null;
        List<String> allowedTransports = _bayeux.getAllowedTransports();
        for (String transportName : allowedTransports) {
            ServerTransport serverTransport = _bayeux.getTransport(transportName);
            if (serverTransport instanceof HttpTransport) {
                HttpTransport t = (HttpTransport)serverTransport;
                if (t.accept(request)) {
                    transport = t;
                    logger.info("ACCEPTED: " + request.getRemoteAddr() + " " + t.getClass().getName());
                    break;
                } else {
                    logger.info("NOT ACCEPTED: " + request.getRemoteAddr() + " " + t.getClass().getName());
                }
            }
        }
        if (transport == null) {
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown Bayeux Transport");
            } else {
                logger.info("NULL TRANSPORT: " + request.getRemoteAddr());
            }
        } else {
            try {
                _bayeux.setCurrentTransport(transport);
                transport.setCurrentRequest(request);
                transport.handle(request, response);
            } finally {
                transport.setCurrentRequest(null);
                BayeuxServerImpl bayeux = _bayeux;
                if (bayeux != null)
                    bayeux.setCurrentTransport(null);
            }
        }
    }

Best, Matt Tyson
Re: Odd NIO connector behavior
On Thu, Dec 29, 2011 at 12:02 PM, Tim Watts t...@cliftonfarm.org wrote:
> On Thu, 2011-12-29 at 11:22 -0800, Matthew Tyson wrote:
> BIG SNIP
>> How an empty 200 response could be generated without executing the logging statement here is a mystery.
>
> Do you still have that MonitoringFilter configured in the web app? Perhaps it is short circuiting the chain.

I've been running tests without the filter in place - unfortunately, same results. Empty 200s from tomcat for many requests.

Thanks, Matt Tyson
Re: Odd NIO connector behavior
On Wed, Dec 28, 2011 at 8:58 AM, Stefan Mayr ste...@mayr-stefan.de wrote:
> On 28.12.2011 10:04, ma...@apache.org wrote:
>> Matthew Tyson matthewcarlty...@gmail.com wrote:
>>> That's right, there is an f5 load balancer. The valve is used to keep track of whether the request was via HTTPS or not.
>>
>> What happens if you go direct to Tomcat and bypass the F5?
>>
>>> tcpdump seems to confirm the same. What are you thinking?
>>
>> Probably, like me, that the F5 isn't handling the Comet requests correctly.
>
> This is what I would guess. We have a loadbalancing device that handles n client-lb connections with m lb-server connections in its HTTP mode. There we have to switch to TCP proxy mode to keep 1:1 relations. Your F5 is where to do start crosschecking with tcpdump: client - F5 vs F5 - server
>
> Stefan

You think it's possible that multiplexing or some load-balancer config would cause the two observed issues:
1) When the custom valve is in use, zombie service() executions continue with no actual inbound requests
2) Inbound requests are being replied to with blank 200s, without ever executing the service method.

Thanks, Matt Tyson
Re: Odd NIO connector behavior
On Tue, Dec 27, 2011 at 11:11 AM, Mark Thomas ma...@apache.org wrote:
> On 25/12/2011 02:17, Matthew Tyson wrote:
>> INFO 2011-12-24 10:25:35,578 COMET REQUEST: 75.149.42.46 POST null | TRACE: java.lang.Throwable
>>     at org.cometd.server.CometdServlet.service(CometdServlet.java:149)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>     at com.company.util.filter.MonitoringFilter.doFilter(MonitoringFilter.java:47)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>     at com.company.util.tomcat.SecureProxyValve.invoke(SecureProxyValve.java:57)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1571)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>>     at java.lang.Thread.run(Thread.java:662)
>
> That all looks pretty normal. What I am wondering now, is what is calling NioEndpoint.processSocket()
>
> I'd suggest if at all possible, setting up your Tomcat instance to allow remote debugging and then once the instance gets into this state check what is calling that code. It gets called far too often to output a stack trace every call during normal operation.
>
>>> 2. How comfortable are you patching Tomcat and building it from source? I have some debug logging sat in a git branch that I use for debugging similar issues that will generate a lot of logging but show exactly what is happening. I can either provide you with the patch or an updated JAR (or JARs) that you can drop into a 7.0.23 instance.
>>
>> Does the stack trace shed any light? If not, I can try the JAR or the git branch.
>
> I'm not sure my debug code is in the right place for this. If the debugging above isn't possible then patching Tomcat may be the only option. It sounds like you know enough of what you are doing to just patch it if required (noting that any such patch will generate a lot of output in normal running) but feel free to ask here if I have misjudged things.
>
>> I noticed in the stack trace our custom valve. It's a very simple valve that just checks what port a request came in on and sets a flag on the request object:
>>
>>     public void invoke(Request req, Response resp) throws IOException, ServletException {
>>         if (req.getLocalPort() == secureProxyPort) {
>>             req.setSecure(true);
>>             req.setServerPort(serverPort);
>>         }
>>         if (getNext() != null) {
>>             getNext().invoke(req, resp);
>>         }
>>     }
>>
>> I disabled the valve, and so far, the repeating requests have stopped. (I should mention that asyncSupported is true on this valve). Any thoughts on why this would cause this problem?
>
> Strange. I don't see anything wrong with that but if there is a threading problem at the bottom of this, the timing change this creates may be enough to trigger whatever the problem is.
>
> Mark

Although removing the Valve seems to have prevented the ghost requests, I still see issues. I often see requests come in that then get an empty 200 response sent back, but the service method is never executed in the servlet (the logging statement never outputs). For instance, here is output from ngrep:

T clientIP:33517 - serverIP:8080 [A] GET /cometd/connect?message=%5B%7B%22channel%22
Re: Odd NIO connector behavior
On Tue, Dec 27, 2011 at 1:31 PM, Stefan Mayr ste...@mayr-stefan.de wrote:
> On 24.12.2011 00:39, Matthew Tyson wrote:
>> Hello,
>>
>> We have been having quite a few problems with using long-polling connections in Tomcat, via the NIO connector. Upgrading to Tomcat 7.0.23 definitely improved things, but we are still seeing major issues.
>>
>> The problems only crop up after a couple minutes under some load (modest load, around 2-3 connections per second).
>>
>> One very clear problem I am looking at right now is that the service method on a servlet is continually being called, although there is no traffic coming into tomcat from that remote IP (we verified this at the ethernet device).
>>
>> The logging statement at the beginning of the service method is being executed every so often, like so:
>>
>>     logger.info("REQUEST: " + request.getRemoteAddr() + " " + request.getMethod() + " " + request.getQueryString());
>>
>> INFO 2011-12-23 15:30:50,860 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
>> INFO 2011-12-23 15:31:02,484 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 GET message=%5B%7B%22channel%22%3A%22%2Fmeta%2Fconnect%22%2C%22connectionType%22%3A%22callback-polling%22%2C%22advice%22%3A%7B%22timeout%22%3A0%7D%2C%22id%22%3A%22354%22%2C%22clientId%22%3A%222b611tiekwk6p2mfh5bye3bm6y7l%22%7D%5Djsonp=dojo.io.script.jsonp_dojoIoScript135._jsonpCallback
>> INFO 2011-12-23 15:31:28,512 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
>> INFO 2011-12-23 15:31:36,571 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
>>
>> But again, there is no traffic from that IP. I'm not sure if this is some sort of loop, a very long delay, or other connections being mixed up. Probably the last, since I don't see any loop pattern, and it has continued without any traffic for almost a half an hour now.
>
> Your Valves code makes me suspicious: the proxy port looks like there could be something between your client and your tomcat. A loadbalancer with some kind of TCP multiplexing maybe?

That's right, there is an f5 load balancer. The valve is used to keep track of whether the request was via HTTPS or not.

> Have you already tried a tcpdump to crosscheck?

tcpdump seems to confirm the same. What are you thinking?

> Stefan

Thanks, Matt Tyson
Re: Odd NIO connector behavior
On Sat, Dec 24, 2011 at 1:06 AM, Mark Thomas ma...@apache.org wrote:
> On 23/12/2011 23:39, Matthew Tyson wrote:
>> Hello,
>>
>> We have been having quite a few problems with using long-polling connections in Tomcat, via the NIO connector. Upgrading to Tomcat 7.0.23 definitely improved things, but we are still seeing major issues.
>
> Glad to hear things are getting better. Not so glad to hear you are still having problems.
>
>> The problems only crop up after a couple minutes under some load (modest load, around 2-3 connections per second).
>
> That's pretty low load.

It is. We have just a small portion of connections routed to this server.

>> One very clear problem I am looking at right now is that the service method on a servlet is continually being called, although there is no traffic coming into tomcat from that remote IP (we verified this at the ethernet device).
>
> Hmm. Very strange that the service method is being called. There needs to be a complete and valid set of HTTP headers for that to happen and the request/response gets recycled afterwards so the data shouldn't get processed twice.

It is very strange.

>> The logging statement at the beginning of the service method is being executed every so often, like so:
>>
>>     logger.info("REQUEST: " + request.getRemoteAddr() + " " + request.getMethod() + " " + request.getQueryString());
>>
>> INFO 2011-12-23 15:30:50,860 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
>> INFO 2011-12-23 15:31:02,484 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 GET message=%5B%7B%22channel%22%3A%22%2Fmeta%2Fconnect%22%2C%22connectionType%22%3A%22callback-polling%22%2C%22advice%22%3A%7B%22timeout%22%3A0%7D%2C%22id%22%3A%22354%22%2C%22clientId%22%3A%222b611tiekwk6p2mfh5bye3bm6y7l%22%7D%5Djsonp=dojo.io.script.jsonp_dojoIoScript135._jsonpCallback
>> INFO 2011-12-23 15:31:28,512 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
>> INFO 2011-12-23 15:31:36,571 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
>
> Odd. So there are at least two different requests being processed here.
>
>> But again, there is no traffic from that IP. I'm not sure if this is some sort of loop, a very long delay, or other connections being mixed up.
>
> I'm not aware of any connection mix up issues that might explain this.
>
>> Probably the last, since I don't see any loop pattern, and it has continued without any traffic for almost a half an hour now. Thoughts?
>
> We need more information :)
>
> If you can create a simple web application that reproduces this I'd be happy to take a look. I suspect that is non-trivial so I'll suggest a couple of other options.
>
> 1. The simple thing is to add a stack trace to that log message so we can see exactly what code path is triggered this.

Here is a couple stack traces from this when the problem is occurring:

INFO 2011-12-24 10:25:35,578 COMET REQUEST: 75.149.42.46 POST null | TRACE: java.lang.Throwable
    at org.cometd.server.CometdServlet.service(CometdServlet.java:149)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.company.util.filter.MonitoringFilter.doFilter(MonitoringFilter.java:47)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at com.company.util.tomcat.SecureProxyValve.invoke(SecureProxyValve.java:57)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1571)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run
Re: Odd NIO connector behavior
On Sat, Dec 24, 2011 at 10:33 AM, Matthew Tyson matthewcarlty...@gmail.com wrote:
> On Sat, Dec 24, 2011 at 1:06 AM, Mark Thomas ma...@apache.org wrote:
>> On 23/12/2011 23:39, Matthew Tyson wrote:
>>> Hello,
>>>
>>> We have been having quite a few problems with using long-polling connections in Tomcat, via the NIO connector. Upgrading to Tomcat 7.0.23 definitely improved things, but we are still seeing major issues.
>>
>> Glad to hear things are getting better. Not so glad to hear you are still having problems.
>>
>>> The problems only crop up after a couple minutes under some load (modest load, around 2-3 connections per second).
>>
>> That's pretty low load.
>
> It is. We have just a small portion of connections routed to this server.
>
>>> One very clear problem I am looking at right now is that the service method on a servlet is continually being called, although there is no traffic coming into tomcat from that remote IP (we verified this at the ethernet device).
>>
>> Hmm. Very strange that the service method is being called. There needs to be a complete and valid set of HTTP headers for that to happen and the request/response gets recycled afterwards so the data shouldn't get processed twice.
>
> It is very strange.
>
>>> The logging statement at the beginning of the service method is being executed every so often, like so:
>>>
>>> logger.info("REQUEST: " + request.getRemoteAddr() + " " + request.getMethod() + " " + request.getQueryString());
>>>
>>> INFO 2011-12-23 15:30:50,860 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
>>> INFO 2011-12-23 15:31:02,484 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 GET message=%5B%7B%22channel%22%3A%22%2Fmeta%2Fconnect%22%2C%22connectionType%22%3A%22callback-polling%22%2C%22advice%22%3A%7B%22timeout%22%3A0%7D%2C%22id%22%3A%22354%22%2C%22clientId%22%3A%222b611tiekwk6p2mfh5bye3bm6y7l%22%7D%5Djsonp=dojo.io.script.jsonp_dojoIoScript135._jsonpCallback
>>> INFO 2011-12-23 15:31:28,512 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
>>> INFO 2011-12-23 15:31:36,571 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
>>
>> Odd. So there are at least two different requests being processed here.
>>
>>> But again, there is no traffic from that IP. I'm not sure if this is some sort of loop, a very long delay, or other connections being mixed up.
>>
>> I'm not aware of any connection mix up issues that might explain this.
>>
>>> Probably the last, since I don't see any loop pattern, and it has continued without any traffic for almost a half an hour now. Thoughts?
>>
>> We need more information :) If you can create a simple web application that reproduces this I'd be happy to take a look. I suspect that is non-trivial so I'll suggest a couple of other options.
>>
>> 1. The simple thing is to add a stack trace to that log message so we can see exactly what code path is triggering this.
>
> Here is a couple stack traces from this when the problem is occurring:
>
> INFO 2011-12-24 10:25:35,578 COMET REQUEST: 75.149.42.46 POST null | TRACE:
> java.lang.Throwable
>     at org.cometd.server.CometdServlet.service(CometdServlet.java:149)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at com.company.util.filter.MonitoringFilter.doFilter(MonitoringFilter.java:47)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at com.company.util.tomcat.SecureProxyValve.invoke(SecureProxyValve.java:57)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1571)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886
Odd NIO connector behavior
Hello,

We have been having quite a few problems with using long-polling connections in Tomcat, via the NIO connector. Upgrading to Tomcat 7.0.23 definitely improved things, but we are still seeing major issues.

The problems only crop up after a couple minutes under some load (modest load, around 2-3 connections per second).

One very clear problem I am looking at right now is that the service method on a servlet is continually being called, although there is no traffic coming into tomcat from that remote IP (we verified this at the ethernet device).

The logging statement at the beginning of the service method is being executed every so often, like so:

logger.info("REQUEST: " + request.getRemoteAddr() + " " + request.getMethod() + " " + request.getQueryString());

INFO 2011-12-23 15:30:50,860 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
INFO 2011-12-23 15:31:02,484 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 GET message=%5B%7B%22channel%22%3A%22%2Fmeta%2Fconnect%22%2C%22connectionType%22%3A%22callback-polling%22%2C%22advice%22%3A%7B%22timeout%22%3A0%7D%2C%22id%22%3A%22354%22%2C%22clientId%22%3A%222b611tiekwk6p2mfh5bye3bm6y7l%22%7D%5Djsonp=dojo.io.script.jsonp_dojoIoScript135._jsonpCallback
INFO 2011-12-23 15:31:28,512 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null
INFO 2011-12-23 15:31:36,571 org.cometd.server.CometdServlet REQUEST: 75.149.42.46 POST null

But again, there is no traffic from that IP. I'm not sure if this is some sort of loop, a very long delay, or other connections being mixed up. Probably the last, since I don't see any loop pattern, and it has continued without any traffic for almost a half an hour now.

Thoughts?

Regards,
Matt Tyson
Errors with NIO processor
Hey Guys,

We are seeing the following errors (in production of course, testing didn't reveal this) after switching to NIO protocol. This is Tomcat 7.0.22 on CentOS 6. There is a load balancer sending only comet traffic to port 8080, where the NIO protocol is used.

Nov 15, 2011 8:39:29 AM org.apache.tomcat.util.net.NioEndpoint processSocket
SEVERE: Error allocating socket processor
java.lang.NullPointerException
Nov 15, 2011 8:39:51 AM org.apache.tomcat.util.net.NioEndpoint processSocket
SEVERE: Error allocating socket processor
java.lang.NullPointerException
    at org.apache.tomcat.util.net.NioEndpoint.processSocket(NioEndpoint.java:712)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.processKey(NioEndpoint.java:1200)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:1136)
    at java.lang.Thread.run(Thread.java:662)
Nov 15, 2011 8:39:52 AM org.apache.coyote.AbstractProtocol$AbstractConnectionHandler process
SEVERE: null
java.lang.IllegalStateException: Calling [asyncPostProcess()] is not valid for a request with Async state [STARTED]
    at org.apache.coyote.AsyncStateMachine.asyncPostProcess(AsyncStateMachine.java:202)
    at org.apache.coyote.AbstractProcessor.asyncPostProcess(AbstractProcessor.java:104)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:519)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1550)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
Exception in declaration()

I see more of the "Calling [asyncPostProcess()] is not valid for a request with Async state [STARTED]" error by itself also.

Here is the connector setup:

<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="2" redirectPort="8443" />

Any direction on where to look for the cause?

Thanks,
Matt
Re: Errors with NIO processor
Is there more info I can provide to help diagnose this error? It is killing us.

Thanks,
Matt

On Tue, Nov 15, 2011 at 9:00 AM, Matthew Tyson matthewcarlty...@gmail.com wrote:
> Hey Guys,
>
> We are seeing the following errors (in production of course, testing didn't reveal this) after switching to NIO protocol. This is Tomcat 7.0.22 on CentOS 6. There is a load balancer sending only comet traffic to port 8080, where the NIO protocol is used.
>
> Nov 15, 2011 8:39:29 AM org.apache.tomcat.util.net.NioEndpoint processSocket
> SEVERE: Error allocating socket processor
> java.lang.NullPointerException
> Nov 15, 2011 8:39:51 AM org.apache.tomcat.util.net.NioEndpoint processSocket
> SEVERE: Error allocating socket processor
> java.lang.NullPointerException
>     at org.apache.tomcat.util.net.NioEndpoint.processSocket(NioEndpoint.java:712)
>     at org.apache.tomcat.util.net.NioEndpoint$Poller.processKey(NioEndpoint.java:1200)
>     at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:1136)
>     at java.lang.Thread.run(Thread.java:662)
> Nov 15, 2011 8:39:52 AM org.apache.coyote.AbstractProtocol$AbstractConnectionHandler process
> SEVERE: null
> java.lang.IllegalStateException: Calling [asyncPostProcess()] is not valid for a request with Async state [STARTED]
>     at org.apache.coyote.AsyncStateMachine.asyncPostProcess(AsyncStateMachine.java:202)
>     at org.apache.coyote.AbstractProcessor.asyncPostProcess(AbstractProcessor.java:104)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:519)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1550)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:662)
> Exception in declaration()
>
> I see more of the "Calling [asyncPostProcess()] is not valid for a request with Async state [STARTED]" error by itself also.
>
> Here is the connector setup:
>
> <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="2" redirectPort="8443" />
>
> Any direction on where to look for the cause?
>
> Thanks,
> Matt
Re: Errors with NIO processor
Thanks Bob.

It doesn't seem to be a load problem. It happens consistently even for just 1 user. If I switch the connector back to HTTP/1.1, instead of NIO, the problem goes away.

Sometimes, there doesn't appear to be an error in catalina.out, but there is a response with no body, just headers like this:

Date: Wed, 16 Nov 2011 00:43:58 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=2
Expires: Wed, 16 Nov 2011 00:44:00 GMT
Set-Cookie: xgh=gnweb10; path=/; BIGipCookie=00 000 000
Vary: User-Agent,Accept-Encoding
P3P: policyref=http://www.company.net/w3c/p3p.xmlhttp://www.gaggle.net/w3c/p3p.xml, CP=ALL
Content-Encoding: gzip
Content-Length: 20
Connection: close

On Tue, Nov 15, 2011 at 4:51 PM, Bob Hall rfha...@yahoo.com wrote:
> Matt,
>
> Did the testing include load testing? Have you checked the open file limit values? If not, you may be running into an open file limit for the OS and/or user that is running Tomcat.
>
> - Bob
>
> From: Matthew Tyson matthewcarlty...@gmail.com
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Tuesday, November 15, 2011 4:18 PM
> Subject: Re: Errors with NIO processor
>
> Is there more info I can provide to help diagnose this error? It is killing us.
>
> Thanks,
> Matt
>
> On Tue, Nov 15, 2011 at 9:00 AM, Matthew Tyson matthewcarlty...@gmail.com wrote:
>> Hey Guys,
>>
>> We are seeing the following errors (in production of course, testing didn't reveal this) after switching to NIO protocol. This is Tomcat 7.0.22 on CentOS 6. There is a load balancer sending only comet traffic to port 8080, where the NIO protocol is used.
>>
>> Nov 15, 2011 8:39:29 AM org.apache.tomcat.util.net.NioEndpoint processSocket
>> SEVERE: Error allocating socket processor
>> java.lang.NullPointerException
>> Nov 15, 2011 8:39:51 AM org.apache.tomcat.util.net.NioEndpoint processSocket
>> SEVERE: Error allocating socket processor
>> java.lang.NullPointerException
>>     at org.apache.tomcat.util.net.NioEndpoint.processSocket(NioEndpoint.java:712)
>>     at org.apache.tomcat.util.net.NioEndpoint$Poller.processKey(NioEndpoint.java:1200)
>>     at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:1136)
>>     at java.lang.Thread.run(Thread.java:662)
>> Nov 15, 2011 8:39:52 AM org.apache.coyote.AbstractProtocol$AbstractConnectionHandler process
>> SEVERE: null
>> java.lang.IllegalStateException: Calling [asyncPostProcess()] is not valid for a request with Async state [STARTED]
>>     at org.apache.coyote.AsyncStateMachine.asyncPostProcess(AsyncStateMachine.java:202)
>>     at org.apache.coyote.AbstractProcessor.asyncPostProcess(AbstractProcessor.java:104)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:519)
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1550)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>>     at java.lang.Thread.run(Thread.java:662)
>> Exception in declaration()
>>
>> I see more of the "Calling [asyncPostProcess()] is not valid for a request with Async state [STARTED]" error by itself also.
>>
>> Here is the connector setup:
>>
>> <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="2" redirectPort="8443" />
>>
>> Any direction on where to look for the cause?
>>
>> Thanks,
>> Matt
Re: Tomcat 7, Servlet 3.0, and Non-Blocking
That's very illuminating, thanks. I was looking at the table at the bottom of http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html#NIO_specific_configuration, and got the impression APR was blocking also, but now I see 'waiting for next request' is non-blocking in the TC7 table.

Would you give us a sense of how using a non-blocking connector would be important when doing comet? Once startAsync is called, will the standard (blocking) connector continue to hold resources (where the NIO connectors won't)?

Thanks,
Matt

On Wed, Nov 9, 2011 at 1:24 AM, ma...@apache.org wrote:
> Matthew Tyson matthewcarlty...@gmail.com wrote:
>> I guess what I'm asking is if I just start using the Servlet 3.0 support for suspending requests out of the box, will it be a thread blocking implementation I'm using?
>
> That depends what you mean by thread blocking. Once startAsync has been called the thread that was processing the request/response is released to handle other requests regardless of connector.
>
>> HTTP APR/native is blocking as well, correct?
>
> Wrong. You should read the docs, particularly the summary at the bottom of the HTTP connector configuration page
>
>> So if I want to use Servlet 3.0 async (eg, a call to request.startAsync), and have it be handled without blocking IO, I need to use the NIO connector?
>
> Wrong again. All Servlet IO is blocking IO. If you look at the API you'll see that all read and write calls are blocking.
>
> You seem to be mixing up blocking and non-blocking IO with whether or not a thread is dedicated to processing a request/response pair for the life of the request/response. They are very different beasts. All connectors release the thread to handle other requests once startAsync has been called.
>
> As an aside, the non-blocking connectors will use non-blocking IO where they can but once you get to the Servlet API, that is always blocking IO.
>
> Mark
>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 7, Servlet 3.0, and Non-Blocking
Hey Guys, It has been my assumption that Tomcat 7's comet implementation (ie, asyncSupported=true), will automatically use NIO processing. Is that not true? Do I need to set the connector to be org.apache.coyote.http11.Http11NioProtocol explicitly? Thanks, Matt
Re: Tomcat 7, Servlet 3.0, and Non-Blocking
I guess what I'm asking is if I just start using the Servlet 3.0 support for suspending requests out of the box, will it be a thread blocking implementation I'm using?

HTTP APR/native is blocking as well, correct?

So if I want to use Servlet 3.0 async (eg, a call to request.startAsync), and have it be handled without blocking IO, I need to use the NIO connector?

Thanks,
Matt

On Tue, Nov 8, 2011 at 12:27 PM, Mark Thomas ma...@apache.org wrote:
> On 08/11/2011 20:15, Matthew Tyson wrote:
>> Hey Guys,
>>
>> It has been my assumption that Tomcat 7's comet implementation (ie, asyncSupported=true), will automatically use NIO processing.
>
> Comet != Servlet 3.0 async
>
>> Is that not true?
>
> Yes, that is not true.
>
>> Do I need to set the connector to be org.apache.coyote.http11.Http11NioProtocol explicitly?
>
> If you want to use Comet you'll need to use HTTP NIO or HTTP APR/native. Servlet 3.0 async works with any connector.
>
> Mark
Re: Servlet 3.0 Specific Error: Invalid byte tag in constant pool
Adding that to the skip list definitely prevented that error, but I'm getting many jars with the same problem. I thought I could maybe get away with just skipping them all, but I'm starting to see some jars that have taglibs in them (and so need to be scanned).

All these jars are giving the same error:

,asm.jar,jboss-cache.jar,backport-util-concurrent.jar,struts-tiles-1.3.5.jar,shared-ldap-0.9.5.5.jar,jniwrap-3.6.jar,org.osgi.core-4.1.0.jar,fontbox-1.6.0.jar,apacheds-server-jndi-1.0.2.jar,apacheds-protocol-ldap-1.0.2.jar,jetm-1.2.2.jar,gdata-contacts-meta-3.0.jar,standard.jar,xbean-spring-2.8.jar,custom_rhino.jar,apacheds-server-ssl-1.0.2.jar,poi-ooxml-schemas-3.8-beta2-20110408.jar,commons-cli-1.2.jar,gdata-contacts-3.0.jar,webservices-rt.jar,iText-2.1.7.jar,javassist-3.9.0.GA.jar,mime-util-2.1.3.jar,jcaptcha-all-1.0-RC3.jar,ical4j-1.0-rc3-SNAPSHOT.jar,tomcat-jdbc.jar,dnsns.jar,jcharset.jar,pager-taglib.jar

Any ideas?

Thanks,
Matt

On Wed, Jul 20, 2011 at 12:21 AM, Mark Thomas ma...@apache.org wrote:
> On 20/07/2011 03:55, Matthew Tyson wrote:
>> Hey guys,
>>
>> tomcat 7.0.19
>> Java 1.6.0_22
>> CentOS 5.6
>>
>> I just switched the web.xml to servlet 3.0 (from an app running servlet 2.4 previously without issue) and now I'm seeing the following error (turned on fine logging in the util class):
>>
>> FINE: Scanning JAR [file:/usr/java/jdk1.6.0_22/jre/lib/ext/jcharset.jar] from classpath
>> Jul 19, 2011 10:04:40 AM org.apache.catalina.startup.HostConfig deployDirectory
>> SEVERE: Error deploying web application directory ROOT
>> org.apache.tomcat.util.bcel.classfile.ClassFormatException: Invalid byte tag in constant pool: 60
>
> That might be a BCEL bug or could be a corrupted JAR. Just add it to the jarsToSkip property in catalina.properties.
>
> Also, if you open a bugzilla issue, someone will take a closer look.
>
> Mark
Re: Servlet 3.0 Specific Error: Invalid byte tag in constant pool
java -version:

java version 1.6.0_26
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) Server VM (build 20.1-b02, mixed mode)

We just upgraded it from 1.6.0_22 to see if it would address this problem (it didn't).

> 1. Are you using Tomcat downloaded from tomcat.apache.org?

Yes.

> 3. Maybe if you enable debug logging in org.apache.tomcat.util.bcel you will be able to provide some context where the issue happens?

Did that - it's actually how I got the name of the files failing.

Thanks for taking a look.

Matt

On Wed, Jul 20, 2011 at 11:43 AM, Konstantin Kolinko knst.koli...@gmail.com wrote:
> 2011/7/20 Matthew Tyson matthewcarlty...@gmail.com:
>> Adding that to the skip list definitely prevented that error, but I'm getting many jars with the same problem. I thought I could maybe get away with just skipping them all, but I'm starting to see some jars that have taglibs in them (and so need to be scanned).
>>
>> All these jars are giving the same error:
>
> 2. Where is that JDK 1.6.0_22 from? What is shown by `java -version`?
>
> 3. Maybe if you enable debug logging in org.apache.tomcat.util.bcel you will be able to provide some context where the issue happens?
>
> Best regards,
> Konstantin Kolinko
Re: Servlet 3.0 Specific Error: Invalid byte tag in constant pool
Konstantin,

I may have to give the debugger a try - thanks for the info.

Matt

On Wed, Jul 20, 2011 at 1:02 PM, Konstantin Kolinko knst.koli...@gmail.com wrote:
>> org.apache.tomcat.util.bcel.classfile.ClassFormatException: Invalid byte tag in constant pool: 60
>
> The above message is created by o.a.tomcat.util.bcel.classfile.Constant#readConstant(...). There is a switch() and default: label results in this exception being thrown.
>
> Expected values there are from 1 to 12. Your 60 is far outside the range.
>
> 2011/7/21 Matthew Tyson matthewcarlty...@gmail.com:
>>> 3. Maybe if you enable debug logging in org.apache.tomcat.util.bcel you will be able to provide some context where the issue happens?
>>
>> Did that - it's actually how I got the name of the files failing.
>
> I hoped to see some information about what class files in those jars BCEL tries to scan when it fails.
>
> Call hierarchy is
> bcel.classfile.Constant#readConstant(...)
> - bcel.classfile.ConstantPool#ConstantPool(stream)
> - bcel.classfile.ClassParser#readConstantPool()
> - bcel.classfile.parse()
> - o.a.catalina.startup.ContextConfig#processAnnotationsStream(stream, webxml)
>
> Unfortunately there is no debug printing in ContextConfig, and ClassParser operates on a stream and so does not know its context.
>
> Maybe you can run your copy of Tomcat with debugger, using remote debugging?
> http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> Best regards,
> Konstantin Kolinko
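The check Konstantin describes above (a switch over the tag byte that accepts 1 to 12 and throws otherwise) can be run outside Tomcat to find which class entry in a JAR fails. This is an added example, not Tomcat's or BCEL's code: the function names and the in-memory sample JAR are constructed for illustration, and the entry sizes are those of the JVM class-file format.

```python
import io
import struct
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Body size in bytes (after the one-byte tag) of each fixed-size constant-pool
# entry whose tag is in the 1..12 range named in the thread. Tag 1 (Utf8) is
# variable-length and handled separately. Later class-file versions define
# additional tags; this check reports those as invalid too.
FIXED_BODY_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4}
TWO_SLOT_TAGS = (5, 6)  # Long and Double each occupy two pool indexes


class BadClassFile(Exception):
    """Raised when the header or constant pool cannot be walked."""


def read_constant_pool_tags(data):
    """Return the tag of every constant-pool entry in one class file."""
    if len(data) < 10 or data[:4] != CLASS_MAGIC:
        raise BadClassFile("not a class file (bad magic or too short)")
    (pool_count,) = struct.unpack_from(">H", data, 8)
    pos, index, tags = 10, 1, []
    while index < pool_count:  # valid indexes are 1 .. pool_count - 1
        if pos >= len(data):
            raise BadClassFile("truncated before pool index %d" % index)
        tag = data[pos]
        if tag == 1:
            if pos + 3 > len(data):
                raise BadClassFile("truncated Utf8 length at pool index %d" % index)
            (length,) = struct.unpack_from(">H", data, pos + 1)
            body = 2 + length
        elif tag in FIXED_BODY_SIZE:
            body = FIXED_BODY_SIZE[tag]
        else:
            raise BadClassFile(
                "invalid byte tag %d at pool index %d, file offset %d" % (tag, index, pos))
        pos += 1 + body
        if pos > len(data):
            raise BadClassFile("truncated inside pool index %d" % index)
        tags.append(tag)
        index += 2 if tag in TWO_SLOT_TAGS else 1
    return tags


def scan_jar(jar):
    """Map each .class entry that fails the walk to the reason it failed."""
    problems = {}
    with zipfile.ZipFile(jar) as archive:
        for name in archive.namelist():
            if name.endswith(".class"):
                try:
                    read_constant_pool_tags(archive.read(name))
                except BadClassFile as exc:
                    problems[name] = str(exc)
    return problems


def build_sample_jar():
    """Constructed sample JAR holding class-file prefixes (header and pool only)."""
    def header(pool_count):
        return CLASS_MAGIC + struct.pack(">HHH", 0, 50, pool_count)  # major 50 = Java 6
    good = (header(6)
            + b"\x01\x00\x04Demo"              # 1: Utf8 "Demo"
            + b"\x07\x00\x01"                  # 2: Class -> #1
            + b"\x05" + struct.pack(">q", 60)  # 3-4: Long; its body contains byte 60
            + b"\x01\x00\x06<init>")           # 5: Utf8 "<init>"
    bad = header(3) + b"\x01\x00\x04Demo" + b"<?xml"  # index 2 starts with byte 60 ('<')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        archive.writestr("demo/Good.class", good)
        archive.writestr("demo/Bad.class", bad)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, reason in scan_jar(build_sample_jar()).items():
        print(entry, "->", reason)
```

`scan_jar` also accepts a filesystem path, so it can be pointed at each JAR named in the skip list to see which class entry and pool index the failure comes from.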
Servlet 3.0 Specific Error: Invalid byte tag in constant pool
Hey guys,

tomcat 7.0.19
Java 1.6.0_22
CentOS 5.6

I just switched the web.xml to servlet 3.0 (from an app running servlet 2.4 previously without issue) and now I'm seeing the following error (turned on fine logging in the util class):

FINE: Scanning JAR [file:/usr/java/jdk1.6.0_22/jre/lib/ext/jcharset.jar] from classpath
Jul 19, 2011 10:04:40 AM org.apache.catalina.startup.HostConfig deployDirectory
SEVERE: Error deploying web application directory ROOT
org.apache.tomcat.util.bcel.classfile.ClassFormatException: Invalid byte tag in constant pool: 60

Thanks,
Matt
Corrupt files in 6.0.29 distribution?
Hello,

Just performed a download on the 6.0.29 version of the software, and after performing a Sophos Anti-virus scan found the following four files to be corrupt: dso-dlfcn.o, locks.o, replace.o, signals.o. These files were found within the commons-daemon-native.tar.gz for the apache-tomcat-6.0.29.tar.gz download.

The same files seem to be coming up corrupt for different types of download for 6.0.29, and versions earlier than 6.0.29... since the files don't appear in the beta for 7, this isn't an issue for that version.

Wondering if this is a known issue, how necessary these files are, etc.

Thanks for the assistance

Matt
newbie question re mod_jk
Hi,

I'm a newbie with tomcat trying to get a basic mod_jk configuration working. I have a mod_jk.conf file containing

JkMount /Client_Access ajp13
JkMount /Client_Access/* ajp13

I'm not getting any errors in the file specified as JkLogFile, and netstat -l shows a listening socket at port 8009. I can load my servlet from http://localhost:8080/Client_Access, but I can't load it from http://localhost/Client_Access so mod_jk isn't working. What could it be?

Thanks,
Matthew Fleming

PS, here is my whole mod_jk.conf file:

LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /home/mfleming/apache-tomcat-6.0.29/conf/workers.properties
JkLogFile /var/log/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"
JkMount /Client_Access ajp13
JkMount /Client_Access/* ajp13

Here is workers.properties:

worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
worker.ajp13.cachesize=10
worker.ajp13.cache_timeout=600
worker.ajp13.socket_keepalive=1
worker.ajp13.socket_timeout=300

This is what I'm seeing in mod_jk.log:

[Wed Aug 11 20:44:10 2010][4008:3066754848] [warn] jk_map_validate_property::jk_map.c (410): The attribute 'worker.ajp13.cachesize' is deprecated - please check the documentation for the correct replacement.
[Wed Aug 11 20:44:10 2010][4008:3066754848] [warn] jk_map_validate_property::jk_map.c (410): The attribute 'worker.ajp13.cache_timeout' is deprecated - please check the documentation for the correct replacement.
[Wed Aug 11 20:44:10 2010][4008:3066754848] [info] init_jk::mod_jk.c (2830): mod_jk/1.2.26 initialized

I'm running tomcat 6.0.29 on Linux.
newbie question re mod_jk
I appreciate all the suggestions and have implemented them all, but it's still not working. Any other suggestions? Matthew Fleming
newbie question re mod_jk
Working now. Thanks again for all your advice. The original recommendations were all that was necessary (plus I had two apache Includes in the wrong order, and there was a little matter of a typo...) Thanks so much for all your help. Matthew Fleming
RE: SEVERE message from DeltaManager
Thank you very much for your diagnosis here, Mark. I will investigate the proposed solution and let you know how it goes.

Cheers,
Matt.

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, 20 July 2010 3:07 AM
To: Tomcat Users List
Subject: Re: SEVERE message from DeltaManager

On 16/07/2010 10:19, Mark Thomas wrote:
> On 16/07/2010 06:49, Matt Peterson wrote:
>> While load testing our clustered Tomcats, we are seeing the following stack trace in our catalina.out occasionally, but not regularly:
>>
>> Jul 16, 2010 3:34:49 PM org.apache.catalina.ha.session.DeltaManager messageReceived
>> SEVERE: Manager [localhost#/urs]: Unable to receive message through TCP channel
>> java.lang.IllegalStateException: removeAttribute: Session already invalidated
>> <snip/>
>>
>> Under what conditions would this occur? Could it be that a session diff is being transmitted, but the session it relates to has been invalidated by the time the diff is processed (via a user logout for example)? Or could it be that a timeout has been reached???
>
> Someone at $work has been doing a load test with tc Server (which has identical code to Tomcat in this area) and seen the same issue. I know it isn't due to timeout since the sessions are only a few seconds old when it happens. My current guess is that the messages are not being processed in the same order as they are sent. I need to dig into this more to figure out if this is a configuration issue or a bug. I did wonder if switching to channel send options 6 would fix it. I'll get them to try that and see.

Matt,

Testing shows that it is caused by using async session replication. If you use synchronous replication that ensures messages are processed on the receiving nodes in the order they are sent. Asynchronous replication in conjunction with the fact the receiving node uses a thread pool to process messages means that it is possible for messages to be processed out of sequence. If a session invalidate is processed before an update then you'll see this error.

Mark
Re: Question about BASIC Authentication
Christopher,

Great news (for me), seems the problem was that because I was using relative linking and sending the credentials to log the user in to SOLR the links on the landing page were being recreated with the same credentials in them so I just put in direct link locations and for the most part the problem is solved.

It also is more secure this way because turns out I was revealing the passwords that I was trying to keep hidden.

Thanks for the help!

~Matt

> Christopher,
>
> I may have found a problem in the SOLR header.jsp file that I am using in navigation. The header.jsp file might be trying to send headers, unfortunately I am not in the same location as the server so I will have to check this out tomorrow.
>
> I'll keep you posted,
> ~Matt
>
>> Matthew,
>>
>> On 6/30/2010 8:20 PM, Matthew Mauriello wrote:
>>> The behavior seems rather strange to me in fact, I've seen other websites run on what looks to be BASIC Authentication without popping these browser messages when leaving secured sections.
>>
>> Most websites use HTTP AUTH consistently, at least for a particular URL prefix.
>>
>>> See the http://user:passw...@website.com/SOLR is only used once and it might actually be http://user:passw...@website.com/SOLR/ I have to look into this. I feel like the authentication cookie is being created for the user and then being forwarded to every page the user visits after that. I am hoping to find some way of preventing this behavior.
>>
>> Well, for starters, what web browser are you using? Can you give me a sample URL that I can use to play with a test version of your webapp?
>>
>> -chris
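The cause Matthew reports in this message (relative links on a page reached through a URL with embedded credentials resolve to URLs that carry the same credentials) can be checked mechanically. This is an added example, not code from the thread: it resolves each link with RFC 3986 relative resolution as implemented by `urllib.parse.urljoin` and reports the links that inherit userinfo; the host, credentials and markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

LINK_ATTRS = {"href", "src", "action"}

# Constructed sample: a landing page fetched through a credential-bearing URL.
PAGE_URL = "http://demo-user:demo-pass@example.com/SOLR/"
SAMPLE_HTML = """
<a href="admin/">Solr admin</a>
<a href="/webappA/index.jsp">Back to the application</a>
<a href="http://example.com/webappA/index.jsp">Back (absolute link)</a>
<a href="mailto:admin@example.com">Contact</a>
<img src="img/logo.png">
"""


class LinkCollector(HTMLParser):
    """Collect the raw value of every link-bearing attribute, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in LINK_ATTRS and value:
                self.links.append(value)


def redact(url):
    """Replace any userinfo in url with a marker so findings are safe to log."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host_port = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, "REDACTED@" + host_port,
                       parts.path, parts.query, parts.fragment))


def credentialed_links(page_url, html):
    """Return (raw link, redacted absolute URL) for links that end up with userinfo.

    Relative links inherit the authority of page_url, userinfo included;
    absolute links keep their own authority and are reported only if they
    embed credentials themselves.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for link in collector.links:
        absolute = urljoin(page_url, link)
        if "@" in urlsplit(absolute).netloc:
            findings.append((link, redact(absolute)))
    return findings


if __name__ == "__main__":
    for raw, resolved in credentialed_links(PAGE_URL, SAMPLE_HTML):
        print("%-22s -> %s" % (raw, resolved))
```

The absolute link and the `mailto:` link are not reported, which matches the fix described in the message: replacing relative links with direct link locations stops the credentials from being carried along.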
Re: Question about BASIC Authentication
Christopher,

The behavior seems rather strange to me; in fact, I've seen other websites run on what looks to be BASIC Authentication without popping these browser messages when leaving secured sections.

See the http://user:passw...@website.com/SOLR is only used once and it might actually be http://user:passw...@website.com/SOLR/ I have to look into this.

I feel like the authentication cookie is being created for the user and then being forwarded to every page the user visits after that. I am hoping to find some way of preventing this behavior.

~Matt

> Matthew,
>
> On 6/30/2010 12:07 AM, Matthew Mauriello wrote:
> > I have two directories in 'webapps' other than ROOT. ROOT redirects users to webappA. WebappA does not use tomcat's basic authentication but if you log into the application there are links inside it that sends the user to the SOLR webapp via http://user:passw...@website.com/SOLR.
>
> Ok.
>
> > SOLR uses basic authentication. The problem is once the browser logs into SOLR the error message pops up when navigating back to WebappA.
>
> Where is webappA deployed? /webappA?
>
> Generally, when the server requests BASIC authentication, the client will then provide credentials to the server for the original URL plus any URLs that are under it. I wonder if you used http://user:passw...@website.com/SOLR/ (note the trailing slash) if you might avoid this behavior.
>
> I think the browser sees http://user:passw...@website.com/SOLR, removes the SOLR from the end (because it thinks that's the name of the resource), and then anything starting with http://website.com/ will then get the HTTP AUTH headers.
>
> > I understand this isn't the greatest setup but other than the constant pop up message after logging into SOLR it meets the needs of the very few users on the website.
>
> It's odd that your web browser complains about this... it implies that the browser pre-fetches the URL /without/ the authentication header, just to see if the server replies with a request-for-authentication header. That's actually kind of a nice security feature.
>
> -chris
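The path-scoping rule described in the quoted reply above, as an added example that is not part of the original messages: it models the RFC 7617 section 2.2 rule that a client may preemptively send Basic credentials to every path at or below the directory of the URL it authenticated against. The class and method names, the host `website.example` and the password are constructed for illustration, and real browsers differ in detail.

```java
import java.net.URI;

/** Added illustration: which later requests inherit Basic credentials from a login URL. */
public class BasicAuthScope {

    /** Directory prefix that shares the credentials (RFC 7617, section 2.2). */
    static String scopePrefix(URI authenticated) {
        String path = authenticated.getPath();
        if (path == null || path.isEmpty()) {
            return "/";
        }
        // The last path segment is treated as a resource name, so the scope is
        // everything up to and including the final '/'.
        return path.substring(0, path.lastIndexOf('/') + 1);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** True if a client following the rule would attach the Authorization header unprompted. */
    static boolean sentPreemptively(URI authenticated, URI next) {
        boolean sameServer = authenticated.getScheme().equalsIgnoreCase(next.getScheme())
                && authenticated.getHost().equalsIgnoreCase(next.getHost())
                && effectivePort(authenticated) == effectivePort(next);
        String nextPath = (next.getPath() == null || next.getPath().isEmpty()) ? "/" : next.getPath();
        return sameServer && nextPath.startsWith(scopePrefix(authenticated));
    }

    public static void main(String[] args) {
        // Constructed login URLs: the same link with and without the trailing slash.
        String[] logins = {
            "http://user:secret@website.example/SOLR",
            "http://user:secret@website.example/SOLR/"
        };
        // Constructed follow-up requests: one inside SOLR, one in the unprotected webapp.
        URI[] later = {
            URI.create("http://website.example/SOLR/admin/"),
            URI.create("http://website.example/webappA/index.jsp")
        };
        for (String login : logins) {
            URI auth = URI.create(login);
            System.out.println("login " + auth.getPath() + " -> scope " + scopePrefix(auth));
            for (URI next : later) {
                System.out.println("  " + next.getPath() + " gets credentials: "
                        + sentPreemptively(auth, next));
            }
        }
    }
}
```

Without the trailing slash the scope collapses to `/`, so the credentials also travel to the unprotected webapp, which is the request the browser warning is about.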
Re: Question about BASIC Authentication
Christopher,

First off, I really appreciate your responses. Unfortunately I do not have a link that I can send out. I generally use Mozilla Firefox, Microsoft recently implemented a patch that prevents http://user:passw...@website.com/SOLR/ from working.

So on this consistent implementation method, how do websites grant access to public sites and secure certain sections? Or is this a problem because I have two separate applications deployed and I am trying to navigate between both?

Thanks again,
~Matt

> Matthew,
>
> On 6/30/2010 8:20 PM, Matthew Mauriello wrote:
> > The behavior seems rather strange to me in fact, I've seen other websites run on what looks to be BASIC Authentication without popping these browser messages when leaving secured sections.
>
> Most websites use HTTP AUTH consistently, at least for a particular URL prefix.
>
> > See the http://user:passw...@website.com/SOLR is only used once and it might actually be http://user:passw...@website.com/SOLR/ I have to look into this.
> >
> > I feel like the authentication cookie is being created for the user and then being forwarded to every page the user visits after that. I am hoping to find some way of preventing this behavior.
>
> Well, for starters, what web browser are you using? Can you give me a sample URL that I can use to play with a test version of your webapp?
>
> -chris
Re: Question about BASIC Authentication
Christopher,

I may have found a problem in the SOLR header.jsp file that I am using in navigation. The header.jsp file might be trying to send headers, unfortunately I am not in the same location as the server so I will have to check this out tomorrow.

I'll keep you posted,
~Matt

> Matthew,
>
> On 6/30/2010 8:20 PM, Matthew Mauriello wrote:
> > The behavior seems rather strange to me in fact, I've seen other websites run on what looks to be BASIC Authentication without popping these browser messages when leaving secured sections.
>
> Most websites use HTTP AUTH consistently, at least for a particular URL prefix.
>
> > See the http://user:passw...@website.com/SOLR is only used once and it might actually be http://user:passw...@website.com/SOLR/ I have to look into this.
> >
> > I feel like the authentication cookie is being created for the user and then being forwarded to every page the user visits after that. I am hoping to find some way of preventing this behavior.
>
> Well, for starters, what web browser are you using? Can you give me a sample URL that I can use to play with a test version of your webapp?
>
> -chris
Re: Question about BASIC Authentication
Christopher,

Thanks for the response.

I have two directories in 'webapps' other than ROOT. ROOT redirects users to webappA. WebappA does not use tomcat's basic authentication but if you log into the application there are links inside it that sends the user to the SOLR webapp via http://user:passw...@website.com/SOLR.

SOLR uses basic authentication. The problem is once the browser logs into SOLR the error message pops up when navigating back to WebappA.

I understand this isn't the greatest setup but other than the constant pop up message after logging into SOLR it meets the needs of the very few users on the website.

Hope this clears things up.

Thanks,
~Matt

> Matt,
>
> On 6/29/2010 5:57 PM, Matthew Mauriello wrote:
> > I am having a minor problem related to Tomcat's BASIC Authentication setup. A user accesses my custom web application in the 'webapps' folder which is accessible to everyone in a separate sub folder.
>
> This already smells funny. Can you give us the details of your directory structure, and what contexts actually map to what directories on the disk?
>
> > I have another 'webapps' sub folder for SOLR which is secured with BASIC Authentication. I have my custom web application log the user into the SOLR application when the user wants to access it.
>
> So, webapp A contacts SOLR using HTTP BASIC AUTH, provides credentials, and then... what?
>
> > The problem I am having is that when the user navigates back to the custom application folder from the SOLR application folder they get prompted with the following message that I would like to disable:
> >
> > - You are about to log in to the site greygoose with the username admin, but the website does not require authentication. This may be an attempt to trick you. Is greygoose the site you want to visit? -
> >
> > I am not sure if this is a browser setting that needs to be changed or if there is a Tomcat setting I can implement to kill this error message, but any help would be appreciated.
>
> It sounds like your webapp isn't doing the authentication: instead, you are somehow tricking the browser into doing the authentication instead. Do you ever intend for the client (the browser) to authenticate? Or, is webapp A supposed to use HTTP BASIC AUTH against SOLR and nothing else?
>
> -chris
RE: HTTP connector to be aware of proxied SSL requests
> This is *open* source...

Thx Capt. Obvious - very helpful ;-)

OK, so I now understand why it was chosen to perform the redirection in the Connector rather than in a Valve; to remove unnecessary processing keeping the redirect response as efficient as possible. I might lodge an enhancement for the connector to have the redirect configurable so that it can be disabled via an element attribute. The redirecting can then be done as a valve instead.

We are using an F5 LB which does not support AJP. So that option will not work for us. The other option of using multiple HTTP Connectors is doable, but adds a lot of config management overhead (and points of possible failure/error) which is not very popular with those responsible for that management. But that is an internal issue which I need to deal with if this prob is deemed to be worth the worry.

Out of interest, what are some of the security risks around non-trusted proxies injecting the x-forwarded-* headers?

Thanks for your help,
Matt.

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, 17 June 2010 10:28 PM
To: Tomcat Users List
Subject: Re: HTTP connector to be aware of proxied SSL requests

On 17/06/2010 01:41, Matt Peterson wrote:
> I can't find any documentation on the order of events for the Connector, so I'm not sure what other decisions get made based on the request attributes, but assume there are others.

This is *open* source...

> Is there another solution to handling proxied SSL requests so that Catalina as well as our apps are aware that the requests are secure???
>
> One possibility is to have two Connectors (1 using the secure, scheme and serverPort attributes for secure and 1 for non-secure) and have the LB connect to the appropriate Connector depending on the request. But this effectively doubles the amount of config needed to be managed (2nd set of config for LB + 2nd connector), which is considerable when dealing with 6 TC clusters each with their own set of LB config.

The other option would be to proxy using AJP rather than HTTP (if the load-balancer supports it) since AJP passes SSL info as part of the protocol.

If you want to use mixed HTTP/HTTPS in the LB and just HTTP on Tomcat then multiple connectors is usually what I'd recommend.

> Should I lodge an enhancement request for the Connector to become aware of proxied SSL requests (perhaps via an injected x-forwarded-proto header, ala WebLogic)?

You can, not sure how much traction it would get. Both the logic and configuration is non-trivial to ensure only trusted proxies set the header. We try to keep the connector code fairly slick. This feels like more than we would want to add (bearing in mind this is just instinct - I haven't looked at any code at this point).

You might have better luck with an option to defer the redirection with the / to later in the processing chain. That would be simpler to implement but would add some extra processing that currently is bypassed by doing the redirection as early as possible.

Mark
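The trust check this message asks about (a forwarded-protocol header is only believed when the direct peer is a known proxy), as an added example that is not Tomcat's code: a plain-Java model of the decision that `internalProxies` and `protocolHeader` configure in RemoteIpValve. The class and method names, the sample addresses and the single-regex form of the proxy list are assumptions made for illustration.

```java
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern;

/**
 * Added illustration (not Tomcat code): decide whether an X-Forwarded-Proto
 * header may override what the connector saw on the socket.
 */
public class ForwardedProtoTrust {

    /** The scheme, secure flag and port the application should be told. */
    static final class Effective {
        final String scheme;
        final boolean secure;
        final int port;

        Effective(String scheme, boolean secure, int port) {
            this.scheme = scheme;
            this.secure = secure;
            this.port = port;
        }

        @Override
        public String toString() {
            return scheme + " secure=" + secure + " port=" + port;
        }
    }

    private final Pattern trustedProxies;
    private final String protocolHeader;
    private final int httpsServerPort;

    ForwardedProtoTrust(String trustedProxiesRegex, String protocolHeader, int httpsServerPort) {
        this.trustedProxies = Pattern.compile(trustedProxiesRegex);
        this.protocolHeader = protocolHeader;
        this.httpsServerPort = httpsServerPort;
    }

    Effective resolve(String peerAddr, Map<String, String> headers, String socketScheme, int socketPort) {
        // HTTP header names are case-insensitive.
        Map<String, String> byName = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        byName.putAll(headers);
        String claimed = byName.get(protocolHeader);

        // matches() must cover the whole address: with find() or unescaped dots,
        // 192.168.0.100 would pass for 192.168.0.10.
        boolean peerIsTrustedProxy = trustedProxies.matcher(peerAddr).matches();

        if (peerIsTrustedProxy && claimed != null && "https".equalsIgnoreCase(claimed.trim())) {
            return new Effective("https", true, httpsServerPort);
        }
        // Untrusted peer, missing header or any other value: report the real socket.
        // Otherwise any client could mark its own plain-text request as secure.
        return new Effective(socketScheme, "https".equalsIgnoreCase(socketScheme), socketPort);
    }

    public static void main(String[] args) {
        ForwardedProtoTrust check = new ForwardedProtoTrust(
                "192\\.168\\.0\\.10|192\\.168\\.0\\.11", "X-Forwarded-Proto", 443);
        Map<String, String> claimsHttps = Map.of("x-forwarded-proto", "https");

        // Constructed requests: load balancer, outside client, look-alike address, LB without header.
        System.out.println(check.resolve("192.168.0.10", claimsHttps, "http", 8080));
        System.out.println(check.resolve("203.0.113.7", claimsHttps, "http", 8080));
        System.out.println(check.resolve("192.168.0.100", claimsHttps, "http", 8080));
        System.out.println(check.resolve("192.168.0.11", Map.of(), "http", 8080));
    }
}
```

Only the first request is reported as https; the load balancer should also strip any client-supplied copy of the header before adding its own, since the check can only vouch for the last hop.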
RE: HTTP connector to be aware of proxied SSL requests
Hi Cyrille,

We have the RemoteIpValve implemented already, thanks.

The behaviour we are seeing is occurring in the Connector, before the request even reaches the valves. In this case, the request never reaches the valves as the redirect is done within the connector.

Cheers,
Matt.

-----Original Message-----
From: Cyrille Le Clerc [mailto:clecl...@xebia.fr]
Sent: Friday, 18 June 2010 8:30 AM
To: Tomcat Users List; Matthew Peterson
Subject: Re: HTTP connector to be aware of proxied SSL requests

Hello Matt,

I think the RemoteIpValve does what you need : it looks at http headers filled in the request by preceding network components (layer 7 load balancer, ssl accelerator, etc) such as 'x-forwarded-for' to get the real ip address and 'x-forwarded-proto' to get the http/https protocol. A concept of internal/trusted incoming proxies is used to decide whether the http headers can be trusted or not.

Configuration is detailed in the javadocs : http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

The documentation of RemoteIpValve has been enhanced in Tomcat 7 to integrate the content of the java doc.

I wrote a blog post in french to explain how it works with detailed diagrams here : http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/

Basically, if you want to trust http header x-forwarded-for and x-forwarded-proto coming from LB/web-server 192.168.0.10 and 192.168.0.11, the valve configuration will look like :

    <Server ...>
      ...
      <Service name="Catalina">
        <Connector ... />
        <Engine ...>
          <!-- Process X-Forwarded-For to get remote address and
               X-Forwarded-Proto to identify SSL requests -->
          <Valve className="org.apache.catalina.valves.RemoteIpValve"
                 internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
                 protocolHeader="X-Forwarded-Proto" />
          <!-- AccessLogValve must be declared after RemoteIpValve to get
               the remote address and the scheme https/http -->
          <Valve className="org.apache.catalina.valves.AccessLogValve"
                 directory="logs" pattern="common" prefix="access_log."
                 resolveHosts="false" suffix=".txt" />
          ...
          </Host>
        </Engine>
      </Service>
    </Server>

Please note that you can simplify the configuration omitting 'internalProxies' attribute and rely on the default that trusts all the class A, B & C private IP addresses.

Hope this helps,

Cyrille
--
Cyrille Le Clerc
clecl...@xebia.fr
http://blog.xebia.fr

On Thu, Jun 17, 2010 at 2:41 AM, Matt Peterson matt.peter...@une.edu.au wrote:
> Hi All,
>
> We have a hardware load balancer terminating SSL requests before making a plain-text connection with Tomcat. So that all contexts are aware that the request is actually a secure request, we have implemented the RemoteIpValve with a LB injected header. This works well for our apps.
>
> However, we have noticed that there is some processing of the request happening within the connector, before the valves are processed. In particular, the redirecting to URLs with a trailing slash. Because this processing is occurring before the valves are processed the Connector still thinks that the original request was a non-secure one, even though it was not. The result is that requests to https://domain.name/context are redirected to http://domain.name/context/ instead of to https://domain.name/context/. This is not major, because our LB then redirects from http://domain.name/context/ to https://domain.name/context/ and all is good (except for the extra redirect).
>
> I can't find any documentation on the order of events for the Connector, so I'm not sure what other decisions get made based on the request attributes, but assume there are others.
>
> Is there another solution to handling proxied SSL requests so that Catalina as well as our apps are aware that the requests are secure???
>
> One possibility is to have two Connectors (1 using the secure, scheme and serverPort attributes for secure and 1 for non-secure) and have the LB connect to the appropriate Connector depending on the request. But this effectively doubles the amount of config needed to be managed (2nd set of config for LB + 2nd connector), which is considerable when dealing with 6 TC clusters each with their own set of LB config.
>
> Should I lodge an enhancement request for the Connector to become aware of proxied SSL requests (perhaps via an injected x-forwarded-proto header, ala WebLogic)?
>
> Cheers,
> Matt.
RE: how to calculate a memory tomcat
Yup.

Have you seen the Bugs & Issues forum? http://www.lambdaprobe.org/forum2/forum.jspa?forumID=2&start=0 or the Feature Request forum? http://www.lambdaprobe.org/forum2/forum.jspa?forumID=3

There are a lot of people who do think that it is lacking something, but their requests have been falling on deaf ears until the project was forked (for this very reason). While Lambda Probe sits stale and unattended, progress continues in dependent areas (Tomcat, JDBC, etc.) regardless.

It did a great job for the era it was developed for, but has slipped behind more recent developments, that's all.

Cheers,
Matt.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, 16 June 2010 3:03 AM
To: Tomcat Users List
Subject: Re: how to calculate a memory tomcat

Matt,

On 6/14/2010 6:42 PM, Matthew Peterson wrote:
> Lambda Probe is stale. It has been forked to Psi Probe which has regular activity: http://code.google.com/p/psi-probe/

Is Lambda Probe stale? It may not have gotten any updates for a while, but is it really lacking anything?

-chris
RE: Setting scheme on catalina Requests
I have discovered that the RemoteIPValve which has been shipped with Tomcat since v6.0.24 also performs the tasks I am trying to perform with my valve. I had overlooked it previously due to its name.

We are using v6.0.26, so I'll give it a whirl!

Cheers,
Matt.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, 15 June 2010 8:06 AM
To: Tomcat Users List
Subject: Re: Setting scheme on catalina Requests

Matt,

On 6/13/2010 6:03 PM, Matt Peterson wrote:
> I am trying to develop a valve to modify requests based on a HTTP request header as set by our SSL terminating load balancer. The valve is to watch out for a particular header and when found, call the setSecure(true), setScheme("https") and setServerPort(443) methods so that the receiving servlet is aware that the request is a secure one.

Why set the server port? You may end up confusing code that performs redirects and things like that. Can you get away with simply setSecure()/setScheme()?

-chris
RE: Re: how to calculate a memory tomcat
Lambda Probe is stale. It has been forked to Psi Probe which has regular activity: http://code.google.com/p/psi-probe/

-----Original Message-----
From: Myk Bova [mailto:syste...@narod.ru]
Sent: Tuesday, 15 June 2010 2:07 AM
To: Tomcat Users List
Subject: Re: Re: how to calculate a memory tomcat

Lambda Probe for Apache Tomcat ? http://www.lambdaprobe.org/d/index.htm

14.06.10, 19:54, Tobias Crefeld t...@cataneo.eu:
> On Sun, 13 Jun 2010 22:27:40 +0700, andy susanto wrote:
> > is there any tool that i can monitor my tomcat ?, because at peak hour
>
> You should ask your preferred search engine after JMX. JDK offers some applications like jconsole (old fashioned but usually sufficient) or jvisualvm (looks nicer, less stable) to monitor the JVM.
>
> Additional, more tomcat-specific data can be monitored by the tomcat-app lambda-probe.
>
> Regards,
> Tobias.

--
Myk Bova
Phone: +380447131381
Cell: +380983225480
ICQ: 157902492
Email: syste...@narod.ru
Web: http://www.chantingwolf.narod.ru
RE: Setting scheme on catalina Requests
Never mind. I found out how to do it.

For anyone else interested, from a catalina.Request object you need to get the underlying coyote.Request object, access its Scheme object (type MessageByte) and then set its String value to https.

I still don't understand why the catalina.Request object doesn't implement the convenience method setScheme(String) for this...

Cheers,
Matt.

-----Original Message-----
From: Matt Peterson [mailto:matt.peter...@une.edu.au]
Sent: Monday, 14 June 2010 8:04 AM
To: users@tomcat.apache.org
Subject: Setting scheme on catalina Requests

Using Tc 6.0.26, Java 6 on Win XP Pro.

I am trying to develop a valve to modify requests based on a HTTP request header as set by our SSL terminating load balancer. The valve is to watch out for a particular header and when found, call the setSecure(true), setScheme("https") and setServerPort(443) methods so that the receiving servlet is aware that the request is a secure one.

The setSecure() & setServerPort() methods work as expected, but the setScheme() method does not set the scheme. I have looked into the source for catalina.connector.Request and have found the setScheme() method is made of a single line:

    // Not used.

This would explain why the setScheme() method is not setting the scheme as I expect it would.

So, how else could I set the scheme of the request to 'https'? There must be a way, because the http connector is able to set it if I use the 'scheme' attribute in the connectors XML config in server.xml. I have tried to find the code which does this, but have not been able to find it.

Any help is appreciated.

Cheers,
Matt.
RE: Setting scheme on catalina Requests
Hi Mark,

I cannot find another reference to the setScheme method by searching the tomcat-users archive (http://marc.info/?l=tomcat-user&w=2&r=1&s=setScheme&q=b).

Where else would I find some info on this topic?

Cheers,
Matt.

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Monday, 14 June 2010 9:58 AM
To: Tomcat Users List
Subject: Re: Setting scheme on catalina Requests

On 13/06/2010 23:40, Matthew Peterson wrote:
> I still don't understand why the catalina.Request object doesn't implement the convenience method setScheme(String) for this...

Try searching the archives. This has been discussed previously.

Mark
RE: centralized log server
This application might help. Doesn't matter what versions you have. Takes a bit to get setup though.

http://www.splunk.com/

From: Caldarale, Charles R [chuck.caldar...@unisys.com]
Sent: Tuesday, November 17, 2009 7:23 AM
To: Tomcat Users List
Subject: RE: centralized log server

> From: Kaushal Shriyan [mailto:kaushalshri...@gmail.com]
> Subject: centralized log server
>
> is there a centralized application to access all the tomcat server catalina.logs

Your question is badly phrased, as Pid keeps trying to point out. If all you want is to be able to look at the log files, any editor will do. LambdaProbe can display the Tomcat log files in a browser - if it can be installed on your version of Tomcat, which you didn't bother to tell us. You also didn't tell us what platform you're running on, or whether you're using a standard Tomcat download or a 3rd-party repackaged version. (The location of the log files varies with each.)

- Chuck
Re: jk Status not showing errors
Unfortunately I'm not seeing that. What I did was start both Tomcats in my LB pair, start Apache, then I take the second Tomcat down to see if it will detect it being failed. Unfortunately it never seems to, it just shows the second as OK/IDLE, and happily directs all requests to the first.

This concerns me, because if the second were to fail, then later the first, everything would die and I'd have no advance warning. I can't seem to make it ping and detect a dead Tomcat.

I am using the latest version of mod_jk, I upgraded that before I began playing with the load balancer settings. I'd appreciate any feedback on what I might be doing wrong. Thanks.

workers.properties:

worker.list=production,development,old,jkstatus
worker.production.type=lb
worker.production.balance_workers=production1,production2
worker.production.sticky_session=True
worker.production.method=S
worker.lbbasic.type=ajp13
worker.lbbasic.connect_timeout=1
worker.lbbasic.recovery_options=7
worker.lbbasic.socket_keepalive=1
worker.lbbasic.socket_timeout=60
worker.lbbasic.ping_mode=CI
worker.production1.reference=worker.lbbasic
worker.production1.port=8009
worker.production1.host=localhost
worker.production2.reference=worker.lbbasic
worker.production2.port=8012
worker.production2.host=localhost
worker.development.port=8010
worker.development.host=localhost
worker.development.type=ajp13
worker.old.port=8011
worker.old.host=localhost
worker.old.type=ajp13
worker.jkstatus.type=status

Lawrence Lamprecht wrote:
> I do not know if this is relevant or not, but I have just installed the latest version of mod_jk and the jkstatus is very much better than it used to be.
>
> I had the same issue with loadbalancers not showing when they are offline or broken. With the latest version, jkstatus has the possibility to auto refresh itself. This now shows when load balancers go down without a request being sent to it.
>
> It is pretty dynamic as well. I ran several tests where I took one of the balancers down, and left jkstatus refreshing every 10 seconds and that told me that the worker was in error.
>
> It also shows you that the work is OK - IDLE when the worker is not being used but is good. As soon as it receives a request the status then changes to OK.
>
> Hope this helps.
>
> Kind regards / Met vriendelijke groet,
> Lawrence Lamprecht
> Application Content Manager
> QUADREM Netherlands B.V.
> Kabelweg 61, 1014 BA Amsterdam
> Post Office Box 20672, 1001 NR Amsterdam
> Office: +31 20 880 41 16
> Mobile: +31 6 13 14 26 31
> Fax: +31 20 880 41 02
> Read our blog: Intelligent Supply Management - Your advantage
>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.j...@kippdata.de]
> Sent: Saturday, May 30, 2009 2:46 PM
> To: Tomcat Users List
> Subject: Re: jk Status not showing errors
>
> On 29.05.2009 22:50, Matthew Laird wrote:
> > Good afternoon,
> >
> > I've been trying to get the jkstatus component of mod_jk running, and I'm not quite sure what I'm doing wrong in trying to have it report dead Tomcat instances.
> >
> > I have two tomcat instances setup in a load balancer, as a test I've taken down one of them. However the jkstatus screen still shows both of them as OK. I'm not sure what I'm missing from my workers.properties file to make it test the Tomcat and report a failed instance, so I can set Nagios to monitor this page and report problems.
> >
> > My workers.properties is:
> >
> > worker.list=production,development,old,jkstatus
> > worker.production.type=lb
> > worker.production.balance_workers=production1,production2
> > worker.production.sticky_session=True
> > worker.production.method=S
> > worker.lbbasic.type=ajp13
> > worker.lbbasic.connect_timeout=1
> > worker.lbbasic.recovery_options=7
> > worker.lbbasic.socket_keepalive=1
> > worker.lbbasic.socket_timeout=60
> > worker.production1.reference=worker.lbbasic
> > worker.production1.port=8009
> > worker.production1.host=localhost
> > #worker.production1.redirect=production2
> > worker.production2.reference=worker.lbbasic
> > worker.production2.port=8012
> > worker.production2.host=localhost
> > #worker.production2.activation=disabled
> > worker.development.port=8010
> > worker.development.host=localhost
> > worker.development.type=ajp13
> > worker.old.port=8011
> > worker.old.host=localhost
> > worker.old.type=ajp13
> > worker.jkstatus.type=status
> >
> > Any advice on extra options to make jkstatus check and report when one of the Tomcat instances isn't responding would be appreciated.
>
> I assume, that the actual error detection works and you are really only asking about display in status worker. I also assume you are using a recent mod_jk. Nevertheless do yourself a favor and look at the Timeouts documentation page to improve your configuration.
>
> Until recently, only workers used via a load balancing worker had good manageability with jkstatus. Very recently also pure AJP workers without any load balancer got more useful information in their display.
>
> So let's talk about your worker production. Whenever a request comes in the lb first checks whether it already carries a session for one
Re: jk Status not showing errors
I'm not seeing anything like that. I just took both Tomcats down, I instantly get the 503 from Apache when I try to load the application. However tailing the mod_jk.log, I just see entries like this: [Tue Jun 02 12:36:23 2009] jkstatus www.innatedb.ca 0.000360 [Tue Jun 02 12:36:26 2009] jkstatus www.innatedb.ca 0.000263 [Tue Jun 02 12:36:39 2009] production www.innatedb.ca 0.498998 [Tue Jun 02 12:36:40 2009] jkstatus www.innatedb.ca 0.000282 mod_jk seems happy sending the requests to Tomcat, and doesn't seem to notice there's no actual Tomcat responding. Only after a few minutes does the JK Status screen go to ERR/REC for both. I would think this is the kind of thing mod_jk should notice instantly, when there's no Tomcat where there should be one. Or am I missing something? Thanks. Lawrence Lamprecht wrote: What you could do is tail -f mod_jk.log file. Then take down the tomcat, see if the errors appear. You should see something like the following. Good Entries to Track Attempting to map context URI '/search-engine*' ajp_unmarshal_response::jk_ajp_common.c (621): status = 302 Maintaining worker loadbalancer1 Maintaining worker prod_se1 Maintaining worker prod_se2 Maintaining worker prod_sea Maintaining worker prod_seb service::jk_lb_worker.c (612): service worker=prod_sea jvm_route=prod_sea service::jk_lb_worker.c (612): service worker=prod_seb jvm_route=prod_seb service::jk_lb_worker.c (612): service worker=prod_sea jvm_route=prod_se1 service::jk_lb_worker.c (612): service worker=prod_seb jvm_route=prod_se2 Possible Error Entries Error connecting to tomcat. Tomcat is probably not started or is listening on the wrong port. worker=prod_se1 failed Error connecting to tomcat. Tomcat is probably not started or is listening on the wrong port. worker=prod_se2 failed You should be able to trace where your config is problematic. 
Kind regards / Met vriendelijke groet, Lawrence Lamprecht -Original Message- From: Matthew Laird [mailto:lai...@sfu.ca] Sent: Tuesday, June 02, 2009 8:53 PM To: Tomcat Users List Subject: Re: jk Status not showing errors Unfortunately I'm not seeing that. What I did was start both Tomcats in my LB pair, start Apache, then I take the second Tomcat down to see if it will detect it being failed. Unfortunately it never seems to, it just shows the second as OK/IDLE, and happily directs all requests to the first. This concerns me, because if the second were to fail, then later the first, everything would die and I'd have no advance warning. I can't seem to make it ping and detect a dead Tomcat. I am using the latest version of mod_jk, I upgraded that before I began playing with the load balancer settings. I'd appreciate any feedback on what I might be doing wrong. Thanks. workers.properties: worker.list=production,development,old,jkstatus worker.production.type=lb worker.production.balance_workers=production1,production2 worker.production.sticky_session=True worker.production.method=S worker.lbbasic.type=ajp13 worker.lbbasic.connect_timeout=1 worker.lbbasic.recovery_options=7 worker.lbbasic.socket_keepalive=1 worker.lbbasic.socket_timeout=60 worker.lbbasic.ping_mode=CI worker.production1.reference=worker.lbbasic worker.production1.port=8009 worker.production1.host=localhost worker.production2.reference=worker.lbbasic worker.production2.port=8012 worker.production2.host=localhost worker.development.port=8010 worker.development.host=localhost worker.development.type=ajp13 worker.old.port=8011 worker.old.host=localhost worker.old.type=ajp13 worker.jkstatus.type=status Lawrence Lamprecht wrote: I do not know if this is relevant or not, but I have just installed the latest version of mod_jk and the jkstatus is very much better than it used to be. I had the same issue with loadbalancers not showing when they are offline or broken. 
With the latest version, jkstatus has the possibility to auto refresh itself. This now shows when load balancers go down without a request being sent to it. It is pretty dynamic as well. I ran several tests where I took one of the balancers down, and left jkstatus refreshing every 10 seconds and that told me that the worker was in error. It also shows you that the work is OK - IDLE when the worker is not being used but is good. As soon as it receives a request the status then changes to OK.

Hope this helps.

Kind regards / Met vriendelijke groet,
Lawrence Lamprecht
Application Content Manager
QUADREM Netherlands B.V.
Kabelweg 61, 1014 BA Amsterdam
Post Office Box 20672, 1001 NR Amsterdam
Office: +31 20 880 41 16
Mobile: +31 6 13 14 26 31
Fax: +31 20 880 41 02
Read our blog: Intelligent Supply Management - Your advantage

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Saturday, May 30, 2009 2:46 PM
To: Tomcat Users List
Subject: Re: jk Status not showing errors

On 29.05.2009 22:50, Matthew Laird wrote:

Good afternoon, I've been trying to get
Re: jk Status not showing errors
Rainer Jung wrote:

Assuming that you did refresh the jkstatus display: what is your test client? The fact that you see OK/IDLE, but all requests go to the other node indicates, that you are using requests with associated session, so the balancer is not allowed to send them to the other node and thus does not detect the down node. Check to remove the JSESSIONID cookie before sending requests, or use a client which allows cookie disabling (like curl).

Is there any way to make it ping and detect a dead Tomcat without a request coming in? I thought I was doing that with the worker.lbbasic.ping_mode=CI setting.

Thanks.
jk Status not showing errors
Good afternoon,

I've been trying to get the jkstatus component of mod_jk running, and I'm not quite sure what I'm doing wrong in trying to have it report dead Tomcat instances. I have two tomcat instances setup in a load balancer, as a test I've taken down one of them. However the jkstatus screen still shows both of them as OK. I'm not sure what I'm missing from my workers.properties file to make it test the Tomcat and report a failed instance, so I can set Nagios to monitor this page and report problems.

My workers.properties is:

worker.list=production,development,old,jkstatus
worker.production.type=lb
worker.production.balance_workers=production1,production2
worker.production.sticky_session=True
worker.production.method=S
worker.lbbasic.type=ajp13
worker.lbbasic.connect_timeout=1
worker.lbbasic.recovery_options=7
worker.lbbasic.socket_keepalive=1
worker.lbbasic.socket_timeout=60
worker.production1.reference=worker.lbbasic
worker.production1.port=8009
worker.production1.host=localhost
#worker.production1.redirect=production2
worker.production2.reference=worker.lbbasic
worker.production2.port=8012
worker.production2.host=localhost
#worker.production2.activation=disabled
worker.development.port=8010
worker.development.host=localhost
worker.development.type=ajp13
worker.old.port=8011
worker.old.host=localhost
worker.old.type=ajp13
worker.jkstatus.type=status

Any advice on extra options to make jkstatus check and report when one of the Tomcat instances isn't responding would be appreciated.

Thanks.
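An added example (not code from the posts or from mod_jk): it resolves the `reference` inheritance used in the workers.properties files posted in this thread and lists which balancer members end up with no `ping_mode`. It assumes mod_jk's documented rule that a worker inherits every attribute of the referenced worker except those it sets itself; the function names are invented here, and the configuration text is copied from the posts, trimmed to the production balancer.

```python
"""Resolve mod_jk `reference` inheritance and audit ping_mode per balancer member."""

# workers.properties from the first post in this thread, trimmed to the
# "production" balancer (the development/old workers are left out).
ORIGINAL_POST = """\
worker.list=production,development,old,jkstatus
worker.production.type=lb
worker.production.balance_workers=production1,production2
worker.production.sticky_session=True
worker.production.method=S
worker.lbbasic.type=ajp13
worker.lbbasic.connect_timeout=1
worker.lbbasic.recovery_options=7
worker.lbbasic.socket_keepalive=1
worker.lbbasic.socket_timeout=60
worker.production1.reference=worker.lbbasic
worker.production1.port=8009
worker.production1.host=localhost
#worker.production1.redirect=production2
worker.production2.reference=worker.lbbasic
worker.production2.port=8012
worker.production2.host=localhost
#worker.production2.activation=disabled
worker.jkstatus.type=status
"""

# The follow-up post adds one line to the shared template worker.
FOLLOW_UP_POST = ORIGINAL_POST.replace(
    "worker.lbbasic.socket_timeout=60\n",
    "worker.lbbasic.socket_timeout=60\nworker.lbbasic.ping_mode=CI\n",
)


def parse_workers(text):
    """Return {worker_name: {attribute: value}} for worker.<name>.<attr> lines."""
    raw = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".", 2)
        if len(parts) != 3 or parts[0] != "worker":
            continue  # worker.list and other global directives
        raw.setdefault(parts[1], {})[parts[2]] = value
    return raw


def resolve(name, raw, _seen=()):
    """Effective attributes of one worker: inherited first, own values override."""
    if name in _seen:
        raise ValueError("reference cycle: " + " -> ".join(_seen + (name,)))
    own = dict(raw.get(name, {}))
    ref = own.pop("reference", None)
    merged = {}
    if ref:
        target = ref[len("worker."):] if ref.startswith("worker.") else ref
        merged.update(resolve(target, raw, _seen + (name,)))
    merged.update(own)
    return merged


def effective_workers(text):
    """Effective attributes for every worker named in the file."""
    raw = parse_workers(text)
    return {name: resolve(name, raw) for name in raw}


def members_without_ping(text, balancer):
    """Members of `balancer` whose effective configuration has no ping_mode."""
    workers = effective_workers(text)
    members = workers.get(balancer, {}).get("balance_workers", "")
    names = [m.strip() for m in members.split(",") if m.strip()]
    return [n for n in names if "ping_mode" not in workers.get(n, {})]


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_POST), ("follow-up", FOLLOW_UP_POST)):
        missing = members_without_ping(text, "production")
        print(f"{label}: members without ping_mode -> {missing or 'none'}")
        for name in ("production1", "production2"):
            print(f"  {name}: {effective_workers(text)[name]}")
```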
Tomcat does not shut down
Hey guys. Just recently, I've started to have this problem with Tomcat not shutting down if the server has handled lots of traffic. Our test servers, which have very small amount of traffic, shut down fine. I have to manually kill the Tomcat process. If I run it in the foreground, ctr-c hangs forever. We're using Tomcat 6.0.18. The main components of our web application are Spring 2.5, Oracle 10, and Ice. Any tips that I can use to figure out what the server is doing or help it shut down quicker would be great.

Thanks
-Matt
RE: Tomcat 6 unstable
Where to begin? Tomcat is not unstable. If you have been editing setclasspath.sh then you should probably start with a fresh tomcat install. You don't have to edit that file and who knows what else has been changed. Go download tomcat (don't use the Ubuntu version). Untar it. Don't copy your app into it yet. cd into bin and do 'catalina.sh run' and see if tomcat starts up. ctr-c to shut it down.

Where are you putting your DB2 driver? Post your web.xml. Are you using a war file? Why are you running tomcat as root?

From: Ariela Carrera [EMAIL PROTECTED]
Sent: Sunday, November 23, 2008 9:42 PM
To: Tomcat Users
Subject: Tomcat 6 unstable

Hi dear users of Tomcat. I am writing to you because my webapp is not working fine. I am developing a web application with Java, a Servlet and JSP some in Tomcat 6.0.14, using Ubuntu Gutsy. I have developed a class that connects to DB2, which I tested plenty of times, with a kind of test, for console. The kind of connection is working properly.

THE PROBLEM: Although it always starts well, charging that brings all the examples of jsp and servlet correctly, TOMCAT feature when you want, 1) Loading or not my servlet, 2) Losing or no connections to DB2, and 3) Making nulls or not, values in the http-Sessions. Without having made any changes in the source code, Tomcat sometimes do works and sometimes do not.

SOLUTIONS I TRIED:
- I tried to start adding the -Xmx but I do not see differences. Tomcat also remains unstable.
- I tried to create the folder CATALINAHOME/common/lib (version 6 brings no folder) and there copying the jar needed. I continue as before.
- I tried editing the setclasspath.sh, since in the first few lines, what it does is literally erasing the entire class that has ... Well, there was a CLASSPATH = and it changed by a CLASSPATH = $ CLASSPATH, this way it is not deleting the old value of the variable.
- I tried booting java as a server with the -server.

What else can I try? I accept any suggestion

DETAILS

What am I using?
JAVA VERSION:

$ java -version
Java (TM) SE Runtime Environment (build 1.6.0_02-B05)
Java HotSpot (TM) Client VM (build 1.6.0_02-B05, mixed mode)

Javac VERSION:

$ javac -version
javac 1.6.0_02

By starting TOMCAT:

$ sudo /opt/apache-tomcat-6.0.14/bin/./startup.sh
Using CATALINA_BASE: /opt/apache-tomcat-6.0.14
Using CATALINA_HOME: /opt/apache-tomcat-6.0.14
Using CATALINA_TMPDIR: /opt/apache-tomcat-6.0.14/temp
Using JRE_HOME: /opt/java/jdk/jre

OUTPUT FOR PROBLEM 1)

java.lang.NoClassDefFoundError: javax/servlet/http/HttpServlet
java.lang.ClassLoader.defineClass1(Native Method)
java.lang.ClassLoader.defineClass(ClassLoader.java:620)
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
java.net.URLClassLoader.access$000(URLClassLoader.java:56)
java.net.URLClassLoader$1.run(URLClassLoader.java:195)
java.security.AccessController.doPrivileged(Native Method)
java.net.URLClassLoader.findClass(URLClassLoader.java:188)
java.lang.ClassLoader.loadClass(ClassLoader.java:306)
sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:276)
java.lang.ClassLoader.loadClass(ClassLoader.java:251)
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1273)
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1204)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
java.lang.Thread.run(Thread.java:619)

OUTPUT FOR PROBLEMS 2) and 3)

org.apache.jasper.JasperException: java.lang.NullPointerException
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:541)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:435)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

causa raíz

java.lang.NullPointerException
org.apache.jsp.query_002dadd_002d2_jsp._jspService(query_002dadd_002d2_jsp.java:107)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:393)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

If you
Tomcat not using multiple cores
We're pulling our hair out with a Tomcat issue. We have an in-house application running on Tomcat 5.5 with Sun JDK 1.6. The machine is an x86 dual-CPU, quad core (8 cores total) with 16GB of RAM. We're running OpenSuSE 10.2, 32-bit. Java memory size set to 2GB, multi-threaded GC enabled.

What occurs is when a user clicks a certain kind of analysis on the website, data is retrieved from a database and then a lot of formatting is done before returning it to the user. This typically causes 100% CPU usage for this thread for a few minutes (bioinformatics application, that part isn't going to change). Unfortunately what then occurs is all other threads suddenly become unusably slow. The entire web application grinds to a halt until this thread that's running hot completes.

Looking at top, it appears that these threads aren't spreading among all the cores. I see one core go to 100% usage, and the others stay at 100% idle. So we're running multi-thread, but because everything is staying on the same core, we're still getting thread contention that's bringing the entire application to its knees. The only time I began to see the other cores actually start being used is when I enabled multi-threaded GC. But that doesn't give much improvement since the threads responding the web requests are still all on the same core.

I'm not sure how to convince the Tomcat/Java container to spread its threads among the cores.

Thanks.

--
Matthew Laird
Lead Software Developer, Bioinformatics
Brinkman Laboratory, MBB Dept.
Simon Fraser University
Re: Tomcat not using multiple cores
From the OS, no. From Tomcat, as far as I understand you can only do 2GB per Tomcat instance. Please correct me if I'm wrong.

Jim Cox wrote:

On Thu, Oct 16, 2008 at 10:30 PM, Matthew Laird [EMAIL PROTECTED] wrote:

[...lines snipped...] We have an in-house application running on Tomcat 5.5 with Sun JDK 1.6. The machine is an x86 dual-CPU, quad core (8 cores total) with 16GB of RAM. We're running OpenSuSE 10.2, 32-bit. Java memory size set to 2GB, multi-threaded GC enabled. [...rest of post snipped...]

Apologizing in advance for straying off-topic, but have you had any issues seeing the full 16GB with a 32-bit Linux install?
Re: Tomcat not using multiple cores
Caldarale, Charles R wrote:

The only time I began to see the other cores actually start being used is when I enabled multi-threaded GC. But that doesn't give much improvement since the threads responding the web requests are still all on the same core.

The most likely cause is internal synchronization in the webapp or the database it references.

I've heard similar from someone else but I'm not sure how that's possible. The app is not at all threaded, is 100% read-only from the database (aside from creation of temp tables which have no interaction between client requests) and the MySQL server is on another machine humming along without any bottlenecks that I can see. But of course I'm not a Java or JVM expert and have no idea what kind of interlinks can exist between different client connections. But to my knowledge they're all pretty straight forward handlers, get data from database, format, return to user.

I'm leaning more towards GC issues. I setup Tomcat on a 64-bit machine and tried a few configurations:

-Xms4096M -Xmx4096M -server -XX:+DisableExplicitGC -XX:+UseConcMarkSweepGC
-Xms4096M -Xmx4096M -server
-Xms2048M -Xmx2048M -server

As I went through each of those the app became more and more sluggish and a single core finally in the last configuration did this 100% CPU usage again.

Now, two issues I see. First, it's not being aggressive enough at spreading the load among different cores. Second, GC does seem to be an issue. Unless I'm missing something, which I might be.

Thanks.
IIS-Tomcat Integration
Hello,

I have recently ported a tomcat-based application from using IIS 5.1 to using IIS 6.0, and I am seeing an interesting change in the IIS configuration that I hoped someone could explain. I have an application where I want a subset of the URLs to go through Basic Authentication and the rest not to. In this case, I want all URLs under /application/foo to require Basic Authn.

Original Environment:
MS Windows XP Pro 2002 SP2
IIS Version 5.1
Tomcat 5.5 with the associated ISAPI redirect.dll.

Under IIS, I have created a directory structure like this:

/Default Web Site/
/jakarta/ (maps to the ISAPI filter, no Basic Authn enabled)
/application/ (no Basic Authn enabled)
/application/foo (Basic Authn enabled)

All of this works fine, and the set-up supports SSL and Basic Authn appropriately.

Upgraded Environment:
MS Windows Server 2003 R2
IIS 6.0
Tomcat 5.5 with associated ISAPI redirect dll.

In this environment, I set-up a similar folder structure (including security), but the only way I could get everything to work properly is to turn on both Anonymous and Basic Authn for the jakarta directory. If I just turned on Basic Authn, then Basic Authn would be enforced for requests that should have just been anonymous, and if I turned on just anonymous, then requests requiring Basic Authn would fail with a 401.2 error. This was not the case if I turned on Basic Authn for a folder that mapped to a directory on the system.

Does anyone understand why this additional configuration was necessary in IIS 6.0 and not IIS 5.1?

Thanks for any help you can provide,
Matt
RE: server mapping behaviour when directory structure mirrors mappings
Caldarale, Charles R wrote:

From: Matthew Thomas Broadhead [mailto:[EMAIL PROTECTED]
Subject: server mapping behaviour when directory structure mirrors mappings

<servlet-mapping>
<servlet-name>Sales</servlet-name>
<url-pattern>/sales</url-pattern>
</servlet-mapping>

If you look at the servlet spec (section 11.2), you'll see that the above is not valid other than for matching the exact request /sales. Newer versions of Tomcat are more strict in their implementation of the rules in the spec, so it's not too surprising that 6.0 works properly and 4.1 let you slide by. Looks like the url-pattern should really be /sales/* (without the quotes).

- Chuck

I want to match the pattern /sales but it instead adds an extra slash and tries to list directory /sales/. Is there any way to change the order in which it resolves the url, i.e. check for servlet-mapping first, then check for directory?
Re: JK - welcome file displays text when mapped to servlet
Rainer Jung-3 wrote:

Which version of JK are you using? Assuming you are using 1.2.25, could you please provide
- information about your platform, versions and configuration
- the JK log using log level debug, and containing the full startup of apache and one request/response, where the problem appears?

The problem sounds like something we had with servlets doing a flush before the headers were sent back. This has been fixed in JK waiting to get released with 1.2.26 and in Tomcat directly after 6.0.14 (also not released yet). The fix on one of the two sides should suffice. You can grab a dev snapshot of JK 1.2.26 sources from http://people.apache.org/~rjung/mod_jk-dev/

Regards, Rainer

I am using:
- fedora 4
- httpd 2.0.53-3.4
- JK 1.2.15

JK has not been upgraded as it is the same version I was using with 4.1.31. I will try building those sources.
server mapping behaviour when directory structure mirrors mappings
Recently upgraded Tomcat from version 4.1.31 to 6.0.14. In my webapp I mapped servlets to paths without extensions e.g.

<servlet-mapping>
<servlet-name>Sales</servlet-name>
<url-pattern>/sales</url-pattern>
</servlet-mapping>

Then in the root of the webapp there is a directory with the same name (e.g. sales) in which all the resources for that servlet are stored. This worked fine in 4.1.31 but in 6.0.14 it adds a slash at the end of the url and behaves like it is in the root of the directory rather than loading the servlet mapping first.
JK - welcome file displays text when mapped to servlet
Recently upgraded Tomcat from version 4.1.31 to 6.0.14. In my web.xml - index.htm is set as the welcome file - index.htm is mapped to a servlet which produces html and there is a blank index.htm in the root of the webapp. This worked fine for 4.1.31 on port 8080 and through AJP1.3 connector. On 6.0.14 it works fine through port 8080, but through AJP1.3 the content type seems to change to text/plain instead of text/html, i.e. browsers display raw code instead of formatting html. It renders ok for www.example.com/index.htm but www.example.com/ displays the raw source.
Re: Virtual Host with Different IP Address
You could run both apps under the same domain but still on different hosts, such that:

app1 is at mydomain.com
app2 is at mydomain.com/app2

If you run tomcat behind apache httpd this is pretty simple to set up (via mod_proxy_ajp or mod_jk or ... )

For sub.mydomain.com you need to make a DNS change as Brian says. Alternatively, you could place the following line in your /etc/hosts file:

123.123.123.123 sub.mydomain.com

The only problem there is convincing everyone else in the world to do so as well :p

Matt

- Original Message -
From: banderson [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Friday, October 26, 2007 11:24:21 AM (GMT-0600) America/Chicago
Subject: Re: Virtual Host with Different IP Address

So this can't be done with Tomcat? I don't have access to the DNS server, are there any other workarounds?

Hassan Schroeder-2 wrote:

On 10/26/07, banderson [EMAIL PROTECTED] wrote:

Now:
server1 - mydomain.com
server2 - 123.123.123.123

End result:
server1 - mydomain.com
server2 - sub.mydomain.com

This is not a Tomcat issue, this is a DNS issue. Assign sub.mydomain.com to 123.123.123.123.

--
Hassan Schroeder [EMAIL PROTECTED]
Tomcat manager app question
Hello list!

I've combed through the docs and cannot find a reference to my question. I am looking to grab some of the JVM memory utilization information presented in the tomcat5.5 manager webapp and pull that into a monitoring/reporting system. So far I have found

:8080/manager/serverinfo

Which provides me :

OK - Server info
Tomcat Version: Apache Tomcat/5.5.23
OS Name: SunOS
OS Version: 5.9
OS Architecture: sparc
JVM Version: 1.5.0_11-b03
JVM Vendor: Sun Microsystems Inc.

The html interface provides information on the JVM's memory utilization, so I could conceivably get it that one, but I was hoping there is something akin to serverinfo's stripped down display.

Any thoughts are appreciated!

-Matthew
Granting permissions to JSPs in catalina.policy
Hi all, I have a JSP that calls some code that requires permissions that aren't in the default grant block in catalina.policy. Even though those permissions are granted to the code that is being called, I'm getting access exceptions when the JSP is loaded. I believe this is because the JSP (or rather the class it is compiled into) does not have the necessary permissions itself. I have been able to solve this by including the new permissions in the default grant block. Of course, this not only grants those permissions to the JSP but also to all code in the JVM. I'm wondering if it is possible to grant permissions only to JSPs or a subset of JSPs. It's not clear to me how to do this in catalina.policy. Do you have any ideas as to how this might be done? Thanks for your consideration. - Matt Munz [EMAIL PROTECTED]
Re: Can we use output/extras/tomcat-juli.jar by default?
ok, found the following:

http://issues.apache.org/bugzilla/show_bug.cgi?id=26372
http://issues.apache.org/bugzilla/show_bug.cgi?id=27371 (depended-on)

is that the one you mean? we use commons-logging so we've never encountered any of these issues, but now I know a good reason not to use log4j on tomcat, thanks!

Mark Thomas wrote:

Matthew Kerle wrote:

let me know if I read that right...

Bill Barker wrote:

When you have the log4j jar in WEB-INF/lib, then it ends up being used by Tomcat for some of its logging. As a result, it can cause memory leaks and other weird errors when a context is stopped and started. This isn't a problem with j.u.l since the classes are loaded by the system classloader. That is why Tomcat decided to use j.u.l for its internal logging by default.

does this mean that including log4j in my deployment WAR could potentially cause memory leaks and problems with tomcat? I've never heard of this, I thought that log4j played well with others, has anyone else experienced this / are there any links that describe this problem?

Yes. Have a look in Bugzilla for details. Most have been fixed but I think there are still a few scenarios that can cause trouble. FWIW, I use log4j in my own web apps at work and they stay up for months with a fair number of reloads and no obvious memory leaks.

Mark

--
Matthew Kerle
IT Consultant
Canberra, Australia
Mobile: +61404 096 863
Email: [EMAIL PROTECTED]
Web: http://threebrightlights.blogspot.com/
Re: JDBC driver of class '' for connect URL 'null' in Tomcat 5.5.12
Hi chris

Christopher Schultz wrote:

IIRC, JBoss used to use Tomcat as its servlet container. Maybe that's no longer the case.

it still is. after my post I had a read through the jboss docs, and apparently it uses embedded tomcat internally as a web container, then the jboss code does all the extra j2ee app server goodness. http://docs.jboss.org/jbossas/getting_started/v4/html/tour.html#d0e627

But I'm a big believer in FOSS the community, so I'd love the chance to contribute something to the tomcat docs, especially if it makes life easier for other hackers like me...

JBoss counts as FOSS, right?

yup! not criticising jboss at all, and <disclaimer>I haven't used it yet</disclaimer>, but if it already uses tomcat internally and if you're just doing a simple java web app with no ejb etc, then *my opinion* is that tomcat is pretty much the go. Jetty or glassfish may sway me later, but not for a while...

thanks! that's just the pointer I need. Question but, if the war is outside the auto-deploy'ing webapps dir, then how do you auto-deploy new wars?

You can't. That's one of the prices you pay for playing outside the rules. I don't believe you can, for instance, use the manager app to deploy a WAR along with a separate context.xml file.

hmm, ok let's agree to disagree on this point.

You have to do it entirely yourself. You'll have to check, but it's possible that Tomcat won't even do auto-redeploy if you update the WAR. There's been a long thread about the (separate) context.xml file being deleted during auto-deploy of outside WAR files (if I understand the thread, which I'm not really following). You might want to read through that for more information.

yes, we got bitten by this. we were pretty stumped until we realised that tomcat auto-deletes context.xml on undeploy. bit of a gotcha that one...

have you ever used OC4J?

Nope. I've been off Oracle since they stopped shipping the JDBC driver as a ZIP file ;)

that's a bad thing? I was relieved when they changed to a .jar! (around 9ir2 i think they did that..?)

- -chris

ps - nice web site, bet you're glad the kitchen's done!

--
Matthew Kerle
IT Consultant
Canberra, Australia
Mobile: +61404 096 863
Email : [EMAIL PROTECTED]
Web : http://threebrightlights.blogspot.com/
Re: Tomcat benchmark
I assume you've already Googled what you're looking for and not found anything? What are you after exactly, performance or feature comparison? please be more specific... I assume you're after more than this: http://en.wikipedia.org/wiki/Comparison_of_application_servers

Andrew Hole wrote:

Someone have a case study which compare Tomcat with others application servers? Thanks a lot

Andrew

--
Matthew Kerle
IT Consultant
Canberra, Australia
Mobile: +61404 096 863
Email : [EMAIL PROTECTED]
Web : http://threebrightlights.blogspot.com/
ClassCastException trying to cast MemoryUserDatabase to UserDatabase
(see below for message context)

Ok, I've decided on using Http Basic authentication for my web service, and successfully configured tomcat to authenticate against the tomcat-users.xml file to the point where I can access a valid principal. But now I've got another problem.. :-)

I tried accessing the userDatabase which represents the memoryrealm, and got the below exception. I don't understand this as according to the API doc MemoryUserDatabase is an implementation of UserDatabase, and this is confirmed by looking at the source code for MemoryUserDatabase, which *does* implement that interface! I'm stumped, does anyone know why this might be happening? Or am I doing something the wrong way...

//code to get tomcat UserDatabase, copied from ManagerServlet.roles(PrintWriter) from tomcat manager application.
Context ic = new InitialContext();
UserDatabase userdb = (UserDatabase) ic.lookup("java:comp/env/users"); // <- this line causes ClassCastException

SEVERE: Fault occurred!
java.lang.ClassCastException: org.apache.catalina.users.MemoryUserDatabase cannot be cast to org.apache.catalina.UserDatabase
at myapp.service.webservice.ImageServiceImpl.EnumerateLOV(ImageServiceImpl.java:88)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
// stack trace elided...
at org.codehaus.xfire.transport.http.XFireServlet.doPost(XFireServlet.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
// stack trace elided...
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1286)
at java.lang.Thread.run(Thread.java:619)

//my context.xml
<Context path="/myapp">
<!-- get access to the tomcat-users.xml database -->
<ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/>
</Context>

Matthew Kerle wrote:

Hi all

I'm developing a web service with xFire 1.2.3 / tomcat 5.5.23 / Java 1.6.0_01, and we need to authenticate access by client applications coming in over SOAP. We're looking at using the tomcat-users.xml file to store user/pwd/role data until the customer's Single Sign-On service is ready (which will be when pigs fly, if it keeps going as it has). The application will be deployed internally so we don't need any SSL or digest authentication, we're looking at simple HTTP BASIC or SOAP headers for the client to pass through their auth details.

The complication is that we want to allow default access as well as authenticated access, and authenticate against the tomcat-users file. eg - un-authenticated clients can still access the web service url, but get a public role, and authenticated clients get a privileged role. I'm thinking we might be able to do part of that with the following tomcat-users.xml config by having an empty user declaration:

<tomcat-users>
<role rolename="privileged"/>
<user name="" password="" roles="PUBLIC"/>
<user name="priv_user1" password="tomcat" roles="privileged"/>
</tomcat-users>

The question is how to authenticate against the tomcat-user database? I've read the tomcat docs on memory realm: http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#MemoryRealm, and I want to expose the org.apache.catalina.UserDatabase class to the web service context via a ResourceLink. I'd like to be able to authenticate users without having to add a security-constraint to my web.xml, so that unauthenticated clients can still connect.

Am I on the right track? Or is there a much easier way than what I'm trying to do...

thanks!

--
Matthew Kerle
IT Consultant
Canberra, Australia
Mobile: +61404 096 863
Email : [EMAIL PROTECTED]
Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
oops, also here is my resource definition from my web.xml:

<!-- Define reference to the user database for looking up roles -->
<resource-env-ref>
  <description>
    Link to the UserDatabase instance from which we request lists of defined role names. Typically, this will be connected to the global user database with a ResourceLink element in server.xml or the context configuration file for the Manager web application.
  </description>
  <resource-env-ref-name>users</resource-env-ref-name>
  <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
</resource-env-ref>

Matthew Kerle wrote:

(see below for message context)

Ok, I've decided on using Http Basic authentication for my web service, and successfully configured tomcat to authenticate against the tomcat-users.xml file to the point where I can access a valid principal. But now I've got another problem.. :-)

I tried accessing the userDatabase which represents the memoryrealm, and got the below exception. I don't understand this as according to the API doc MemoryUserDatabase is an implementation of UserDatabase, and this is confirmed by looking at the source code for MemoryUserDatabase, which *does* implement that interface! I'm stumped, does anyone know why this might be happening? Or am I doing something the wrong way...

//code to get tomcat UserDatabase, copied from ManagerServlet.roles(PrintWriter) from tomcat manager application.
Context ic = new InitialContext();
UserDatabase userdb = (UserDatabase) ic.lookup("java:comp/env/users"); // - this line causes ClassCastException

SEVERE: Fault occurred!
java.lang.ClassCastException: org.apache.catalina.users.MemoryUserDatabase cannot be cast to org.apache.catalina.UserDatabase
at myapp.service.webservice.ImageServiceImpl.EnumerateLOV(ImageServiceImpl.java:88)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
// stack trace elided...
at org.codehaus.xfire.transport.http.XFireServlet.doPost(XFireServlet.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
// stack trace elided...
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1286)
at java.lang.Thread.run(Thread.java:619)

//my context.xml
<Context path="/myapp">
  <!-- get access to the tomcat-users.xml database -->
  <ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/>
</Context>

Matthew Kerle wrote:

Hi all

I'm developing a web service with xFire 1.2.3 / tomcat 5.5.23 / Java 1.6.0_01, and we need to authenticate access by client applications coming in over SOAP. We're looking at using the tomcat-users.xml file to store user/pwd/role data until the customer's Single Sign-On service is ready (which will be when pigs fly, if it keeps going as it has). The application will be deployed internally so we don't need any SSL or digest authentication, we're looking at simple HTTP BASIC or SOAP headers for the client to pass through their auth details.

The complication is that we want to allow default access as well as authenticated access, and authenticate against the tomcat-users file. eg - un-authenticated clients can still access the web service url, but get a public role, and authenticated clients get a privileged role. I'm thinking we might be able to do part of that with the following tomcat-users.xml config by having an empty user declaration:

<tomcat-users>
  <role rolename="privileged"/>
  <user name="" password="" roles="PUBLIC" />
  <user name="priv_user1" password="tomcat" roles="privileged" />
</tomcat-users>

The question is how to authenticate against the tomcat-user database? I've read the tomcat docs on memory realm: http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#MemoryRealm, and I want to expose the org.apache.catalina.UserDatabase class to the web service context via a ResourceLink

I'd like to be able to authenticate users without having to add a security-constraint to my web.xml, so that unauthenticated clients can still connect.

Am I on the right track? Or is there a much easier way than what I'm trying to do...

thanks!

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
//code
Object o = ic.lookup("java:comp/env/users");
System.out.println(o.getClass().getName()); // prints : org.apache.catalina.users.MemoryUserDatabase

doing instanceof tests on the returned object for MemoryUserDatabase & UserDatabase all fail, even though in debug that's clearly what it identifies as.

could this be a security manager thing? I notice that in the tomcat manager deployment descriptor it has privileged="true" in the Context tag. Are only privileged applications allowed access to the UserDatabase? (this would make sense as you could enumerate all users' passwords...)

Gregor Schneider wrote:

InitialContext.lookup() gives you a simple object: so change your code to

Context ic = new InitialContext();
Object o = ic.lookup("java:comp/env/users");

set a breakpoint and see, what type of object you're getting back.

hth

gregor

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
this is weird, check this out:

//code (tomcat 5.5.23)
java.security.Principal p = request.getUserPrincipal();
System.out.println(p.getClass().getName().equals(MemoryUser.class.getName())); // prints true
System.out.println(p.getClass().equals(MemoryUser.class)); // prints false

So what this is saying is that the *names* of the classes are the same, but the actual classes are different. this is crazy...

Good news is that p.toString() prints out that user's details in the form <user username="user1" password="pass" roles="public"/>, so I can hack the role names out of that. but that's a very dirty hack and I'm amazed that this is so hard...

Does anyone have any input on why this might be so, and/or a better solution to convert the request principal to something I can get rolenames out of?

thanks!

Matthew Kerle wrote:

//code
Object o = ic.lookup("java:comp/env/users");
System.out.println(o.getClass().getName()); // prints : org.apache.catalina.users.MemoryUserDatabase

doing instanceof tests on the returned object for MemoryUserDatabase & UserDatabase all fail, even though in debug that's clearly what it identifies as.

could this be a security manager thing? I notice that in the tomcat manager deployment descriptor it has privileged="true" in the Context tag. Are only privileged applications allowed access to the UserDatabase? (this would make sense as you could enumerate all users' passwords...)

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: JDBC driver of class '' for connect URL 'null' in Tomcat 5.5.12
*** end server.xml ***

*** App web.xml excerpt ***
<resource-ref>
  <description>
    JNDI DataSource for [appname] database. (From Oreilly JavaServer Pages, Bergsten, 2nd Ed., page 485)
  </description>
  <res-ref-name>jdbc/oponline</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
*** end web.xml ***

Thanks

Ian

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
Peter, you're exactly right.

***code***
Class c1 = request.getUserPrincipal().getClass(); // get the class of the Principal that tomcat created, which is a MemoryUser instance
Class c2 = MemoryUser.class; // get the class loaded by the current loader
System.out.println(c1.getClassLoader().getClass().getName()); // prints org.apache.catalina.loader.StandardClassLoader
System.out.println(c2.getClassLoader().getClass().getName()); // prints org.apache.catalina.loader.WebappClassLoader

Great, so now I've got two different classloaders. Do you know if there's any way I can cast the Principal to a MemoryUser object and use it? do I have to load the MemoryUser class in the current classloader?

full kudos for figuring out the problem exactly, I never would have thought of that!

ps - This would be entertaining, if only I was the one who got to watch someone else wade through this!

Peter Crowther wrote:

From: Matthew Kerle [mailto:[EMAIL PROTECTED]
So what this is saying is that the *names* of the classes are the same, but the actual classes are different. this is crazy...

I suspect the two classes are being loaded by different classloaders - a common and entertaining* problem in Tomcat and other servlet containers. You can find out by asking each for its classloader and comparing.

- Peter

* Depending on whether you're watching someone else try to solve the problem, or having to wade through it yourself. Best of luck!

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
you're exactly right again. I just checked my project settings, I had to add catalina.jar to the project libraries to get the class to compile, but I'd forgotten to prevent it from being deployed, so there was a copy of catalina.jar in my /WEB-INF/lib, doh!

So I configured it to not be deployed, and deleted the existing jar, so now I get a new problem, a NoClassDefFoundError on the MemoryUser class, which is referenced by my code. So now my class doesn't even load!! I have a feeling someone's gone to a fair bit of trouble to make sure I can't load this class!

the MemoryUser class is in catalina.jar, which is in the server/lib folder. would I be right in saying that web application code is barred from loading any classes from the server/lib directory?

any ideas Peter?

org.codehaus.xfire.XFireRuntimeException: Error invoking 'myapp.service.webservice.ImageService.enumerateLOV(java.lang.String)'. Nested exception is java.lang.reflect.InvocationTargetException: null
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.codehaus.xfire.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:59)
... elided
at org.codehaus.xfire.transport.http.XFireServlet.doPost(XFireServlet.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
... elided
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1286)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.NoClassDefFoundError: org/apache/catalina/users/MemoryUser
at myapp.service.webservice.ImageServiceImpl.enumerateLOV(ImageServiceImpl.java:67)
... 31 more

Peter Crowther wrote:

Right. So request.getUserPrincipal() returns a class that's loaded by one of Tomcat's classloaders. You need to make sure that when you reference MemoryUser, it's loaded by the same classloader.

Thinking aloud here, so apologies to the more experienced folks in the community who will have better ideas...

Is MemoryUser.class in any of the jars in your webapp? I'm not entirely sure why there's a second copy of it, loaded by the webapp's classloader, in the system. I'd expect the webapp's classloader to be unable to find the class as your webapp loads and punt the request for the class up the classloader chain, returning the standard classloader's class. But I may be misunderstanding Tomcat's classloaders.

- Peter

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
Hi Chris

I naively tried relocating the catalina.jar to /common/lib, and got the below error. Peter has a good comment to this problem in his reply, so I'll continue the thread in response to his mail.

many thanks!

cmd /c C:\servers\apache-tomcat-5.5.23\bin\catalina.bat run
Using CATALINA_BASE: C:\Documents and Settings\mkerle\.IntelliJIdea60\system\tomcat_Unnamed_cb722476
Using CATALINA_HOME: C:\servers\apache-tomcat-5.5.23
Using CATALINA_TMPDIR: C:\servers\apache-tomcat-5.5.23\temp
Using JRE_HOME:C:\Program Files\Java\jdk1.6.0
Connected to the target VM, address: '127.0.0.1:4958', transport: 'socket'
java.lang.NoClassDefFoundError: org/apache/tomcat/util/log/SystemLogHandler
at java.lang.Class.getDeclaredConstructors0(Native Method)
at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389)
at java.lang.Class.getConstructor0(Class.java:2699)
at java.lang.Class.newInstance0(Class.java:326)
at java.lang.Class.newInstance(Class.java:308)
at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:225)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:410)
Disconnected from the target VM, address: '127.0.0.1:4958', transport: 'socket'
Disconnected from server

Christopher Schultz wrote:

Matt,

So, the class names are the same, but not the classes. This indicates that you have the same class loaded using two different ClassLoaders.

Do you have a JAR file from the Tomcat distro sitting in your webapp's WEB-INF/lib directory? If so, you'll need to figure out how to deploy the JAR in one place but use it everywhere ($CATALINA_HOME/common/lib for TC 5.5 and, I think, just $CATALINA_HOME/lib for TC 6.0).

-chris

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
no, see my previous reply, tomcat fails to bootstrap if catalina.jar is not in server/lib...

Christopher Schultz wrote:

Peter,

Shouldn't it be acceptable to simply move catalina.jar from server/lib to common/lib? Sure, you'll still have a non-standard install, but it's easier to script a setup like that than pulling specific classes out of the distro (which may change from version to version).

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
I agree, the Principal interface is verily hobbled and almost useless (Go Sun!). The catalina implementations are much more user-friendly, but unfortunately difficult to access. I can't really justify making the tomcat install non-standard (also probably not possible as it's owned by the client, not me) just to get access to this class.

I'll go with another hack, in that although I can't refer directly to MemoryUser, I can still call its toString() method, which prints out the user tag in its entirety, which I can then munge for role names. I can't believe something this simple is so hard, far out.

thanks so much for your help Peter, I would've been totally stuck without it!

Peter Crowther wrote:

From: Matthew Kerle [mailto:[EMAIL PROTECTED]
the MemoryUser class is in catalina.jar, which is in the server/lib folder. would I be right in saying that web application code is barred from loading any classes from the server/lib directory?

(light bulb comes on) Ah yes, I remember this now from some ancient history on another project. It's a real pain, principally because the Principal interface is IMO too limited.

We ended up with the horrible, horrible hack of pulling the class out of catalina.jar, putting it in its own jar, and deploying that in common/lib. This, of course, means you no longer have a default Tomcat install... but we couldn't find another way round the problem.

- Peter

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
just downloaded security filter and had a look, it looks very cool. If I had more robust requirements for my authentication (and more time!) I would probably use it. At the moment though I've got a workable work-around in using the toString() method, so I'll just use that instead.

thanks Chris!

Christopher Schultz wrote:

Matthew,

Why not just use the built-in authentication and authorization mechanism instead of trying to use Tomcat's built-in classes to roll your own?

A more flexible option is to use securityfilter (http://securityfilter.sourceforge.net) to handle everything. securityfilter allows you to use Tomcat realms by dropping catalina.jar into your webapp's library directory. Since securityfilter runs entirely in your webapp, there are no classloading problems (even though Tomcat's internal classes are used, they are loaded by the webapp's ClassLoader, and are insulated from Tomcat, so they're safe).

-chris

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
http://tomcat.apache.org/tomcat-5.5-doc/class-loader-howto.html

this is why I can't reference any classes loaded from server/lib in my webapp, the server/lib classes are loaded by the web application classloader's uncle, so to speak, the sibling of its parent. so it makes sense that no web application has access to the server/lib jars. doh...!

Peter Crowther wrote:

From: Matthew Kerle [mailto:[EMAIL PROTECTED]
the MemoryUser class is in catalina.jar, which is in the server/lib folder. would I be right in saying that web application code is barred from loading any classes from the server/lib directory?

(light bulb comes on) Ah yes, I remember this now from some ancient history on another project. It's a real pain, principally because the Principal interface is IMO too limited.

We ended up with the horrible, horrible hack of pulling the class out of catalina.jar, putting it in its own jar, and deploying that in common/lib. This, of course, means you no longer have a default Tomcat install... but we couldn't find another way round the problem.

- Peter

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: ClassCastException trying to cast MemoryUserDatabase to UserDatabase
Mario, you are a hero. do women come and worship you in the street? they should! Using reflection to break into an object of a foreign class is just...genius! this is the sort of thing that Ruby programmers do all the time, but is very hard to do in Java...

my final code (in the context of a ServiceImpl class for an xFire webservice, exception-handling & error-checking elided)

//get Role from security Principal, which we 'happen to know', is
// an instance of catalina MemoryUser.
HttpServletRequest request = XFireServletController.getRequest();
Principal principal = request.getUserPrincipal();
String rolename = null;
if (principal != null) {
    if (principal.getClass().getName().equalsIgnoreCase("org.apache.catalina.users.MemoryUser")) {
        Iterator it = (Iterator) principal.getClass().getMethod("getRoles").invoke(principal);
        Object role = it.next();
        String role1 = (String) role.getClass().getMethod("getRolename").invoke(role);
        rolename = role1; // keep the role name read through reflection
    } else {
        String xml = principal.toString();
        // splitting <user username="..." password="..." roles="..."/> on the double quote:
        // [1]=username, [3]=pass, [5]=roles
        rolename = xml.split("\"")[5];
    }
} else {
    rolename = "public";
}

Mario Ivankovits wrote:

Hi!

A more flexible option is to use securityfilter (http://securityfilter.sourceforge.net) to handle everything.

If you are already using spring have a look at ACEGI. It is not really easy to install, but allows you to e.g. have different login methods within the same webapp.

Regarding the principal. Remember, you can always use reflection to break into an object (given you use no securitymanager or a liberal configured one). For example, I used for a while:

try {
    Method hasRoleMeth = principal.getClass().getMethod("hasRole", String.class);
    return (Boolean) hasRoleMeth.invoke(principal, role);
} catch (NoSuchMethodException e) {
    log.error(e.getLocalizedMessage(), e);
} catch (IllegalAccessException e) {
    log.error(e.getLocalizedMessage(), e);
} catch (InvocationTargetException e) {
    log.error(e.getLocalizedMessage(), e);
}

Ciao,
Mario

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
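The class-identity problem worked through in this thread, as an added Java example (not code from any of the posters or from Tomcat): a class is identified by its name plus its defining loader, so a cast across loaders fails, while the shared `Principal` interface and reflection on the object's own class still work. `DemoUser` and `IsolatingLoader` are constructed stand-ins for `MemoryUser` and for a second loader that defines its own copy of the class; the reflective call assumes no restrictive security manager, as noted in the thread.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

public class LoaderIdentityDemo {

    /** Constructed stand-in for a container-side principal such as MemoryUser. */
    public static class DemoUser implements Principal {
        private final String name;
        private final List<String> roles;

        public DemoUser(String name, String commaSeparatedRoles) {
            this.name = name;
            this.roles = Arrays.asList(commaSeparatedRoles.split(","));
        }

        @Override
        public String getName() { return name; }

        public Iterator<String> getRoles() { return roles.iterator(); }
    }

    /** Hypothetical loader that defines one named class itself instead of asking its parent. */
    static class IsolatingLoader extends ClassLoader {
        private final String isolated;

        IsolatingLoader(ClassLoader parent, String isolated) {
            super(parent);
            this.isolated = isolated;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(isolated)) {
                return super.loadClass(name, resolve); // normal parent-first delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    String resource = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(resource)) {
                        if (in == null) {
                            throw new ClassNotFoundException(name);
                        }
                        byte[] bytes = in.readAllBytes(); // Java 9+
                        c = defineClass(name, bytes, 0, bytes.length);
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }
    }

    /** Reads the first role through the object's own class, so no cast to a foreign type is needed. */
    static String firstRole(Principal p) throws ReflectiveOperationException {
        Method getRoles = p.getClass().getMethod("getRoles");
        Iterator<?> it = (Iterator<?>) getRoles.invoke(p);
        return it.hasNext() ? String.valueOf(it.next()) : null;
    }

    public static void main(String[] args) throws Exception {
        String name = DemoUser.class.getName();
        ClassLoader appLoader = LoaderIdentityDemo.class.getClassLoader();

        // Second copy of DemoUser, defined by a different loader from the same bytes.
        Class<?> foreign = new IsolatingLoader(appLoader, name).loadClass(name);
        Object created = foreign.getConstructor(String.class, String.class)
                                .newInstance("user1", "public");

        System.out.println("same name:       " + foreign.getName().equals(name));
        System.out.println("same class:      " + (foreign == DemoUser.class));
        System.out.println("defining loader: " + foreign.getClassLoader().getClass().getName());
        // Principal comes from the bootstrap loader, so both copies share it.
        System.out.println("is a Principal:  " + (created instanceof Principal));
        System.out.println("is a DemoUser:   " + (created instanceof DemoUser));
        try {
            DemoUser user = (DemoUser) created; // same name, different defining loader
            System.out.println("cast worked:     " + user.getName());
        } catch (ClassCastException e) {
            System.out.println("cast failed:     " + e.getMessage());
        }
        System.out.println("role via reflection: " + firstRole((Principal) created));
    }
}
```

Compile with `javac LoaderIdentityDemo.java` and run `java LoaderIdentityDemo` from the same directory so the loader can read the compiled `DemoUser` class file.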
Re: JDBC driver of class '' for connect URL 'null' in Tomcat 5.5.12
Hi David

David Smith wrote:

My only editorial comment on the page is to NOT place your <Resource.../> or <Context .../> definition in server.xml as recommended on the page. Place it in context.xml or myapp.xml as I describe above.

Just quickly, I was wondering why you recommend this? I know the tomcat docs have changed to reflect the deprecation of defining the <Resource.../> or <Context .../> definition in server.xml, but I never understood why, and personally doing things that way is a serious pain for me since it means I need to build a separate deployment descriptor for dev, test & prod, which means I need to know the prod database details. which I don't want.

Is there a better way that the sysadmin can setup a JNDI datasource so that deployed war's don't have to contain database-specific details? the only way I've seen so far is to configure that in the server.xml...

cheers!

-- Matthew Kerle IT Consultant Canberra, Australia Mobile: +61404 096 863 Email : [EMAIL PROTECTED] Web : http://threebrightlights.blogspot.com/
Re: JDBC driver of class '' for connect URL 'null' in Tomcat 5.5.12
looks like your xml doc has an un-closed tag or similar, hate to suggest this but maybe can you recheck your change to make sure this isn't the case?

I'd suggest going with David's suggestion, and put your <context .../> definition in a separate file called 'context.xml'. Explode your WAR, put this in /META-INF/ folder (create if doesn't exist), then re-deploy.

your context.xml should look like this (tomcat 5.5+):

**start context.xml**
<!-- Tomcat 5.5. -->
<Context path="/myapp">
  <!-- set the JNDI Datasource -->
  <Resource name="jdbc/APP_USERDS" auth="Container" type="javax.sql.DataSource"
            maxActive="0" maxIdle="10" maxWait="500"
            username="dbuser" password="dbuserpass"
            driverClassName="oracle.jdbc.OracleDriver"
            url="jdbc:oracle:thin:@server:1521:SID"/>
</Context>
** end context.xml**

[EMAIL PROTECTED] wrote:

Thanks for your advice so far

I've upgraded to the latest Oracle ojdbc14.jar and placed it in the myapp\WEB-INF\lib folder, I also tried it in the Tomcat\common\lib for good measure but still got the same results. I'll continue to use ojdbc14.jar from now though.

I've changed the ResourceParams name to just Resource name but this causes Tomcat not to startup, the logs show the following trace...

*** Excerpt Tomcat 5.5.12 logs ***
16-Aug-2007 16:08:32 org.apache.tomcat.util.digester.Digester endElement
SEVERE: End event threw exception
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
*** end ***

Does this mean it's now reading the context Resource element. ?

Thanks

Ian

Quoting ashish shrivastava [EMAIL PROTECTED]:

check this http://evolutionnext.com/blog/2005/10/13/1129259088959.html

On 8/16/07, Matthew Kerle [EMAIL PROTECTED] wrote:

hmm, you have an interesting problem!

first thing I'd say is use this opportunity to upgrade to the ojdbc14.jar, which is the latest oracle jdbc driver and allows lots of nice enhancements.

second, I'm assuming that since the error is a servlet exception, that there's some servlet code manually handling a database connection (no comment *cough* *cough*) that it gets from a JNDI lookup?

third, try changing the ResourceParams tag to a plain Resource tag, this is the Resource tag that I use in my app (and it works). caveat: I declare this in /META-INF/context.xml inside the context tag.

<Resource name="jdbc/my_USERDS" auth="Container" type="javax.sql.DataSource"
          maxActive="0" maxIdle="10" maxWait="500"
          username="db_user" password="db_pass"
          driverClassName="oracle.jdbc.OracleDriver"
          url="jdbc:oracle:thin:@server:1521:ORA_SID"/>

can you try this and let us know how it goes?

cheers!

[EMAIL PROTECTED] wrote:

I'm upgrading from tomcat 4.1.24 to tomcat 5.5.12 on WinXP. I have three applications that are deployed from this server, two of which work fine with tomcat 5.5.12, however the third which uses an oracle 9i database gives me the following error

javax.servlet.ServletException: Cannot create JDBC driver of class '' for connect URL 'null'

Basically I've included the same details from the Tomcat4 server.xml file into the tomcat 5.5 server.xml, re-editing where necessary.

Things I have tried..

Placing the context into fragment files located either inside the applications META-INF folder or under tomcat\conf\Catalina\localhost. Neither of these seemed to work for me as Tomcat could not find the apps, so I've left the context back in server.xml.

Rewriting the Resource params parameter as elements i.e. factory= com.ora.jsp.sql.DataSourceFactory

Checked & changed location of the JDBC jar file. classes12.jar catalina_home\common\lib\ AND catalina_home\webapps\[appname]\WEB-INF\lib

Checked & changed the server.xml service-name and engine name to match previous TC4 server.xml version.

Added a Resourcelink element to the context - this is not present on the TC4 version

Checked Tomcat logs. I think that Tomcat is not able to read the ResourceParams element, which is why the URL and driverClass are NULL. Which when I checked the Tomcat log files shows ...

16-Aug-2007 09:25:46 org.apache.catalina.core.ApplicationContext log
SEVERE: action: Cannot create JDBC driver of class '' for connect URL 'null'

Background info

Using Apache 2.0 with mod_JK to serve pages on port 80
Java version 1.5

server.xml

<!-- Tomcat 5.5 Example Server Configuration File -->
<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" debug="0"
Re: JDBC driver of class '' for connect URL 'null' in Tomcat 5.5.12
now that sounds good! the only thing is I don't see how that maps to a DataSource declaration, the Resource element in GlobalNamingResources doesn't seem to allow the full range of properties that you need to define a database connection, eg - username/password/driverClassName/url etc... Where would you define these?

David Smith wrote:

In my experience, a resource is usually only relevant to one webapp. There's no need to put it in server.xml as a GlobalNamingResource unless you want that resource available in all your webapps. Moving the resource to the Context block of a context.xml file also makes it so resources can come and go with deployment of an individual webapp without restarting tomcat and disrupting all the webapps.

Developers could define their Resources in the <GlobalNamingResources> ... </GlobalNamingResources> block of server.xml and then add a ResourceLink element to the context.xml file. That'll get you out of having database specific information in the <Context /> element. See this page for further details on that: http://tomcat.apache.org/tomcat-5.5-doc/config/globalresources.html

--David