Re: Security manager and request.getParameter() access error

[Glenn Nielsen]

Check your catalina.policy and see if the following 4 permissions are
granted in the default policy:

  // Required for sevlets and JSP's
  permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util;
  permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util.*;
  permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util;
  permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util.*;

Java 1.4 is more picky about the RuntimePermission accessClassInPackage and
defineClassInPackage permissions.

Regards,

Glenn

Dala wrote:

When I use the security manager in Tomcat (4.1.12-LE-jdk1.4) some  strange
problems occur.
When I execute the following simple JSP code:
% request.getParameter(foo); %

I get the following exception:
org.apache.jasper.JasperException: org/apache/catalina/util/ParameterMap
	at
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2
48)
	at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application
FilterChain
...

I also start tomcat with security debub info enabled (i.e.
CATALINA_OPTS=-Djava.security.debug=failure) but the log files do not
report any errors, except for the exception of course.

I use the standard policy rules as stated in the file catalina.policy. I
even tried to grant the additional following rules, but nothing have helped
so far:
   permission java.lang.RuntimePermission
accessClassInPackage.javax.servlet;
   permission java.lang.RuntimePermission
accessClassInPackage.javax.servlet.*;

If I grant all permissions (i.e. permission java.security.AllPermission;) to
my code base, then everything works fine.

What is the problem?
Have I missed something obvious here?

/Tommy


--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org





--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Re: Ajp13Processor starting background threads under low load

[Glenn Nielsen]

Once an Apache process opens a socket connection to Tomcat for Ajp that
connection remains open until that httpd process dies.  That way the
httpd process can reuse that connection.  For Apache 1.3 there is a
one to one mapping between apache httpd processes and Tomcat Ajp13Processors.
You can end up with as many Ajp13Processors as you have httpd processes.
So the MaxProcessors config needs to be greater than the max number
of httpd processes used by apache.  And each Ajp13Processor runs in
its own thread waiting for a request from Apache.

Regards,

Glenn



Lindsay Patten wrote:

Thanks for the pointer Glenn, it was much appreciated!

So, I've been doing thread stacktrace dumps, but what I found doesn't 
make a lot of sense to me.
After restarting tomcat there were 5 processor threads all blocked on a 
monitor:

Ajp13Processor[8085][0] daemon prio=1 tid=0x0x4f801b28 nid=0x45ae 
waiting on m
onitor [bd9ff000..bd9ff8ac]
   at java.lang.Object.wait(Native Method)
   - waiting on 0x446602c0 (a org.apache.ajp.tomcat4.Ajp13Processor)
   at java.lang.Object.wait(Object.java:426)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.await(Ajp13Processor.java:305)
   - locked 0x446602c0 (a org.apache.ajp.tomcat4.Ajp13Processor)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:490)
   at java.lang.Thread.run(Thread.java:536)

I presume these are waiting for the scheduler thread to pass them a 
request.

A while later a bunch of background threads get spawned and I do another 
dump/trace,
now there are a whole bunch of threads in a runnable state trying to 
read request packets:

Ajp13Processor[8085][21] daemon prio=1 tid=0x0x8289b38 nid=0x70d6 
runnable [ba
fff000..bafff8ac]
   at java.net.SocketInputStream.socketRead0(Native Method)
   at java.net.SocketInputStream.read(SocketInputStream.java:116)
   at org.apache.ajp.Ajp13.readN(Ajp13.java:429)
   at org.apache.ajp.Ajp13.receive(Ajp13.java:469)
   at org.apache.ajp.Ajp13.receiveNextRequest(Ajp13.java:274)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:371
)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
   at java.lang.Thread.run(Thread.java:536)

Despite the name receiveNextRequest, it looks like that method is being 
called to receive each request including the first. So, the ajp13 
processor is sitting blocked waiting for a full ajp13 packet from apache 
and apache is not sending data and not closing the connection/socket. 
 From the comments in the code it sounds like apache restarts 
periodically, closing the sockets and unblocking the read calls, at 
which point these processors return to the pool - so if apache restarts 
before you reach your threads limit you are ok.

What I don't understand is how apache can be starting up ajp13 
connections to tomcat and then not sending a full packet without this 
causing user visible failures. Shouldn't there be users getting page 
loads timing out on them?  That doesn't seem to be happening.

Does this indicate a fault in apache or is it normal for apache to send 
partial requests without closing the connection?

Any further guidance?

Thanks,
   Lindsay


Glenn Nielsen wrote:

One way to start debugging this type of problem is to tell the java
process running Tomcat to do a Thread Stacktrace Dump.

kill -QUIT java processid

Then analyze the stack traces for all threads.

Regards,

Glenn


Lindsay Patten wrote:


Hi,
I thought I would take a different tack on my problem with the 
Ajp13Processor using up all of its threads problem.
Does anyone know if the Ajp13Processor has a timeout when it is 
looking for a worker to handle a request? If the worker threads were 
all swapped out and taking a long time to get going and respond, 
would the main thread start a new background thread instead of 
waiting? Or does it just have a list of available workers and blocks 
until the worker it selects responds?
If it is the former that would explain my problem since I have 
experienced my processes getting swapped out and taking a long time 
to respond. The question would then become: is a way to specify how 
long the scheduler should wait before starting a new thread? At least 
I would have something I could take to my service provider. On the 
other hand if I knew for sure that the scheduler thread didn't have a 
timeout on worker threads than I could concentrate on looking 
elsewhere.  Does anyone know? Or know where to look or ask short of 
reading the source?

Thanks,
   Lindsay

Lindsay Patten wrote:

Hi,
I am having a problem where tomcat keeps intermitantly starting new 
ajp13 processor threads, eventually it reaches the max and starts 
refusing connections. My hosting provider (linux machine) provides a 
private version of tomcat for each user with a single apache web 
server, there are typically a large number of processes on the 
machine (4000). My particular tomcat server (v4.0.3) is not being 

Admin/Manager problems

[James D. Whittington]

Ok here it goes... I am a real newbie to java and tomcat, so please forgive
my ignorance.

I have tomcat 4.1.12 installed on a Mandrake 9.0 machine using the java sdk
version 1.4.1.01. Everything seems to be running ok, tomcat starts and stops
with out errors. I can access the tomcat server page on port 8080, but when
I try to access the admin or the manager pages. When I try the password is
not accepted. I have checked and modified the tomcat4-users.xml to no avail.

When I try the admin page I enter the user name tomcat and the same for the
password, I get this back.
HTTP Status 403 - Access to the requested resource has been denied




type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.





Apache Tomcat/4.1

I have tried several variations, creating new users that are the same as
local users on this box. I have looked for more information but I haven't
had any luck.

Can someone point me in the right direction?

James Whittington



--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

dont know whats happening :-(

[Maninder S Batth]

in server.xml i tried to configure AJP1.3 connector to listen on 12009 
port by the following entry in server.xml, but what ever value i enter 
there for port
tomcat still uses 8009 .where is it picking that value from ???
   Connector className=org.apache.coyote.tomcat4.CoyoteConnector
  port=12009 minProcessors=5 maxProcessors=75
  enableLookups=true redirectPort=8443
  acceptCount=10 debug=0 connectionTimeout=2
  useURIValidationHack=false
  
protocolHandlerClassName=org.apache.jk.server.JkCoyoteHandler/



--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

RE: RE: John Turner or someone who responsible for Posting -- Re: How to Apache2, Tomcat4.1.2, JK2 ?

[Jerry Birchler]

I have a working example of Apache 2.0.43 with Tomcat 4.1.2 using JK2 on Red
Hat Linux 8.0. I had to fallback to methods used on a previous integration
of Apache 1.3.24 with Tomcat 4.0.4 after looking at the Howtos that came
with the 4.1.2 documentaton. That enabled me to quickly put together a
workers.properties file. I can see why people might want to have some
examples. Please let me know if you're interested in a separate post with
what I did. After rebuilding apache, I was up and running in just a few
minutes.


-Original Message-
From: yoom nguyen [mailto:ynguyen;e-integration.net]
Sent: Friday, October 18, 2002 1:15 PM
To: Tomcat Users List
Subject: Re: RE: John Turner or someone who responsible for Posting --
Re: How to Apache2, Tomcat4.1.2, JK2 ?


John

I will be reading Craig McClannahan's email soon.
Thanks for the link

Yoom

- Original Message -
From: Turner, John [EMAIL PROTECTED]
Date: Friday, October 18, 2002 8:54 am
Subject: RE: John Turner or someone who responsible for Posting -- Re:
How to Apache2, Tomcat4.1.2, JK2 ?


 I think what Robert is saying is that there doesn't have to be a big,
 organized effort in addition to the big, organized effort that is
 alreadyrunning.

 There is already a dev team doing documentation.  While not
 perfect, they
 have a significant amount of documentation already completed.
 Starting a
 new project from scratch would be redundant.  I think it would be more
 effective to contribute to the existing project as needed.  Doing
 so doesn't
 require an organized group...everyone is welcome to get involved
 on their
 own, that is the nature of open source.

 Here is Craig McClanahan's reply on how to get involved in the already
 existing documentation effort:

 http://marc.theaimsgroup.com/?l=tomcat-devm=103357462430275w=2

 John


  -Original Message-
  From: yoom nguyen [mailto:ynguyen;e-integration.net]
  Sent: Friday, October 18, 2002 12:04 AM
  To: Tomcat Users List
  Subject: Re: John Turner or someone who responsible for Posting -
 - Re:
  How to Apache2, Tomcat4.1.2, JK2 ?
 
 
 
  Robert
 
  Are you going to assist me to get this going?  I would like
  to get as many volunters as possible if we are going to do this.
  We want to get it up and running instead of drag it on for
  many months
  to come, just because I am not a coder, but I am willing to
  learn.  It
  sounds do able as Robert Sowders described but I definely need
 some
  help.  Please send me an email if you know that you can help.
 
  Thanks, Yoom
 
  - Original Message -
  From: Robert L Sowders [EMAIL PROTECTED]
  Date: Thursday, October 17, 2002 10:46 pm
  Subject: Re: John Turner or someone who responsible for
  Posting -- Re:
  How to Apache2, Tomcat4.1.2, JK2 ?
 
   Oops, forgot to mention.
  
   Once you set everything up as xml then changing the docs to
   different
   formats is pretty much a snap.  Transformers for http, text,
 and
   pdf are
   very common and available.  You could conceivably make the
 docs
   available
   in any format known.  Or language for that matter, but that is
   another
   topic.
  
   rls
  
  
  
  
  
  
   Robert L Sowders [EMAIL PROTECTED]
   10/17/2002 07:24 PM
   Please respond to Tomcat Users List
  
  
  To: Tomcat Users List tomcat-
 [EMAIL PROTECTED] cc:
  Subject:Re: John Turner or someone who
 responsible
   for Posting -- Re: How to
   Apache2, Tomcat4.1.2, JK2 ?
  
   Hi Again,
  
   I had this discussion a couple of weeks ago and there was
 allot of
   interest in helping with the docs.  The stumbling point as I
 see
   it is
   people just don't know how to submit changes to existing
 material
   or for
   that matter new material.
  
   If you want to write whole chapters then;
   Basically, very basically, what you do is get the tools
 necessary
   to
   participate in a xml documentation project.  Then you'll need
 the
   DTDs and
  
   style templates that are already being used for the current
   documentation.
  
   These are available via anonymous cvs.  If you are making new
   pages or
   chapters then you'll need the above stuff to view it locally
 and
   see if
   it's correct.  Then you'll have to post it to the Tomcat-dev
 list
   and
   someone there will review it and commit it, if it applies.
  
   If your just correcting or extending an existing page;
   All you need to do is download your target via cvs, do your
   corrections
   with any text editor and then diff it using cvs and post it to
 the
   Tomcat-dev mailing list.  Someone there with commit privs will
   look at it
   and commit it, if it's deemed ok.
  
   Actually the dev list people are pretty good about accepting
 the
   changes
   when they get them, but there is a gap in showing everyone how
 to
   contribute, so they just don't get much to work with.
  
   So if you want to start your OWN documentation effort then the
   first thing
  
   you need to do is set up a cvs server.  

Realm Screen

[Chandrasekhar Lanka]

hi...
I am facing problem to access the realm screen in apache tomcat. I have
installed tomact 4.0.4 in htdocs of apache1.3. I am able to get the realm
screen when i access the following link in the location bar
http://localhost/tomcat4.0/webapps/test/test.jsp; but I could not access my
jsp files because the web context is set to webapps/test directory.

But my requirement is to get the realm screen (basic authentication is done
by Apcahe) when i try to access the following address
http://localhost/test/test.jsp; (the web context for jsp files is set to
webapps/test directory that is in server.xml).I have set the attribute
tomcatAuthentication=false in server.xml of tomcat4.0.4.
I have also tried installing tomcat4.0 outside apache, still the same issue

U can find my addintions in these files with the string CLanka

The following are my httpd.conf and server.xml
*httpd.conf
=
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See URL:http://www.apache.org/docs/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# After this file is processed, the server will look for and process
# C:/Apache/conf/srm.conf and then C:/Apache/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as
a
# whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default'
server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with / (or drive:/ for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with /, the value of ServerRoot is prepended -- so logs/foo.log
# with ServerRoot set to /usr/local/apache will be interpreted by the
# server as /usr/local/apache/logs/foo.log.
#
# NOTE: Where filenames are specified, you must use forward slashes
# instead of backslashes (e.g., c:/apache instead of c:\apache).
# If a drive letter is omitted, the drive on which Apache.exe is located
# will be used by default.  It is recommended that you always supply
# an explicit drive letter in absolute paths, however, to avoid
# confusion.
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerType is either inetd, or standalone.  Inetd mode is only supported
on
# Unix platforms.
#
ServerType standalone

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot C:/Apache

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile logs/httpd.pid

#
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this.  But if yours does (you'll know
because
# this file will be  created when you run Apache) then you *must* ensure
that
# no two invocations of Apache share the same scoreboard file.
#
ScoreBoardFile logs/apache_status

#
# In the standard configuration, the server will process httpd.conf,
# srm.conf, and access.conf in that order.  The latter two files are
# now distributed empty, as it is recommended that all directives
# be kept in a single file for simplicity.  The commented-out values
# below are the built-in defaults.  You can have the server ignore
# these files altogether by using /dev/null (for Unix) or
# nul (for Win32) for the arguments to the directives.
#
#ResourceConfig conf/srm.conf
#AccessConfig conf/access.conf

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to Off to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We reccomend you leave this number high, for 

servlets stoped working but jsp works

[Alexander Piavka]

 Hi, i'm using tomcat 4.1.12 and mod_jk
For some strange reason all servlets stoped working and return messages
like:
 description The requested resource
 (/catalina/examples/servlet/RequestInfoExample) is not available
when called. But the jsp pages work fine(within the same contexts in
which servlets don't work).
 I have NOT changed the mod_jk and the xml files. Also i do not find any
error messages in the logs.
 Does anyone have an idea what could go wrong?
 Thanks.


--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Re: Ajp13Processor starting background threads under low load

[Lindsay Patten]

Thanks again Glenn!

Now I've got something concrete to take to my service provider for 
resolution.

Cheers,
   Lindsay

Glenn Nielsen wrote:

Once an Apache process opens a socket connection to Tomcat for Ajp that
connection remains open until that httpd process dies.  That way the
httpd process can reuse that connection.  For Apache 1.3 there is a
one to one mapping between apache httpd processes and Tomcat 
Ajp13Processors.
You can end up with as many Ajp13Processors as you have httpd processes.
So the MaxProcessors config needs to be greater than the max number
of httpd processes used by apache.  And each Ajp13Processor runs in
its own thread waiting for a request from Apache.

Regards,

Glenn



Lindsay Patten wrote:

Thanks for the pointer Glenn, it was much appreciated!

So, I've been doing thread stacktrace dumps, but what I found doesn't 
make a lot of sense to me.
After restarting tomcat there were 5 processor threads all blocked on 
a monitor:

Ajp13Processor[8085][0] daemon prio=1 tid=0x0x4f801b28 nid=0x45ae 
waiting on m
onitor [bd9ff000..bd9ff8ac]
   at java.lang.Object.wait(Native Method)
   - waiting on 0x446602c0 (a 
org.apache.ajp.tomcat4.Ajp13Processor)
   at java.lang.Object.wait(Object.java:426)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.await(Ajp13Processor.java:305)
   - locked 0x446602c0 (a org.apache.ajp.tomcat4.Ajp13Processor)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:490)
   at java.lang.Thread.run(Thread.java:536)

I presume these are waiting for the scheduler thread to pass them a 
request.

A while later a bunch of background threads get spawned and I do 
another dump/trace,
now there are a whole bunch of threads in a runnable state trying to 
read request packets:

Ajp13Processor[8085][21] daemon prio=1 tid=0x0x8289b38 nid=0x70d6 
runnable [ba
fff000..bafff8ac]
   at java.net.SocketInputStream.socketRead0(Native Method)
   at java.net.SocketInputStream.read(SocketInputStream.java:116)
   at org.apache.ajp.Ajp13.readN(Ajp13.java:429)
   at org.apache.ajp.Ajp13.receive(Ajp13.java:469)
   at org.apache.ajp.Ajp13.receiveNextRequest(Ajp13.java:274)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:371
)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
   at java.lang.Thread.run(Thread.java:536)

Despite the name receiveNextRequest, it looks like that method is 
being called to receive each request including the first. So, the 
ajp13 processor is sitting blocked waiting for a full ajp13 packet 
from apache and apache is not sending data and not closing the 
connection/socket.  From the comments in the code it sounds like 
apache restarts periodically, closing the sockets and unblocking the 
read calls, at which point these processors return to the pool - so 
if apache restarts before you reach your threads limit you are ok.

What I don't understand is how apache can be starting up ajp13 
connections to tomcat and then not sending a full packet without this 
causing user visible failures. Shouldn't there be users getting page 
loads timing out on them?  That doesn't seem to be happening.

Does this indicate a fault in apache or is it normal for apache to 
send partial requests without closing the connection?

Any further guidance?

Thanks,
   Lindsay


Glenn Nielsen wrote:

One way to start debugging this type of problem is to tell the java
process running Tomcat to do a Thread Stacktrace Dump.

kill -QUIT java processid

Then analyze the stack traces for all threads.

Regards,

Glenn


Lindsay Patten wrote:


Hi,
I thought I would take a different tack on my problem with the 
Ajp13Processor using up all of its threads problem.
Does anyone know if the Ajp13Processor has a timeout when it is 
looking for a worker to handle a request? If the worker threads 
were all swapped out and taking a long time to get going and 
respond, would the main thread start a new background thread 
instead of waiting? Or does it just have a list of available 
workers and blocks until the worker it selects responds?
If it is the former that would explain my problem since I have 
experienced my processes getting swapped out and taking a long time 
to respond. The question would then become: is a way to specify how 
long the scheduler should wait before starting a new thread? At 
least I would have something I could take to my service provider. 
On the other hand if I knew for sure that the scheduler thread 
didn't have a timeout on worker threads than I could concentrate on 
looking elsewhere.  Does anyone know? Or know where to look or ask 
short of reading the source?

Thanks,
   Lindsay

Lindsay Patten wrote:

Hi,
I am having a problem where tomcat keeps intermitantly starting 
new ajp13 processor threads, eventually it reaches the max and 
starts refusing connections. My hosting provider (linux machine) 
provides a private version of tomcat for each user with a 

Re: problem with session tracking and redirection http--- https

[Jon Eaves]

Henrik Bentel wrote:

One of my problems is that I can't find anything in the servlet or 
tomcat documentation that mentiones any of this behaviour. If there is 
any, please send me the link.


Hi Henrik,

I couldn't find anything specific in the Servlet Spec, but in general
it's just not a good idea, as you may as well not use https at all.
It's not just the servlet spec that you need to be aware of, but this
is a more general HTTP/HTTPS problem.

RFC2109 is not really clear on the topic, other than section 8.3 which
talks about Unexpected Cookie Sharing.  However there is an extension to
this RFC, RFC2965 Port Sensitive Cookies.

Basically, you can't guarantee that the browser is going to send back
the cookie if the ports are different



Also, since any time session tracking is used it can be picked up by 
someone, all use of https should stay strictly under https(ok, I'm over 
doing it). So basically if a webapp has any sensitive information, it 
should solely use https protocol for all transmissions, if using session 
tracking?

You're not over doing it.  If you want to provide some security or
protection of authentication then the entire session _must_ be
encrypted or you may as well not bother.



I don't see why the servlet container should force this behaviour.


You can do your own session tracking if you want to.  Just set your
own cookies and use that.  The servlet container provides a very
convenient way of doing it.  Of course, you'll have the same
transition problems that the inbuild session management has.



Shouldn't it be up to the developer to determine what is a security 
issue and not? Just like JSP doesn't neccesseraly force the separation 
of business logic and content, just allowing it, should the servlet 
container force a restrictive behaviour of session tracking?
A lot of web sites don't want the over head of sending everything over 
https. Only parts of it for secure user validation. But they still want 
session tracking.

They may do, but they're broken if they don't keep an authentication
session safe under ssl.  Of course the session tracking can be used
at different times for non crucial session tracking.



Just as a simple example:
So let's say you use the existence of an http session as a validation 
for a logged in user, but you don't store any vital information.
And you only allow http sessions to be created under https protocol to 
secure the submition of password. Beyond that point, no sensitive data 
is shared, so users can be redirected back to http protocol.

You really need to read up on how HTTP and the servlet spec says sessions
are done.  Basically HTTP is stateless and sessions are faked by
transferring chunks of data between the client and the server.  This may
be via cookies or URL rewriting.   For the sake of convenience, we'll use
the cookie method in the example, but this is _not_ necessarily the only
way that sessions may be tracked.

So, you login securely under username and password admin/secret and
those pieces of information are gone and lost forever.  However, to
maintain the session over the stateless protocol the server sets a
cookie in the browser SECRET_COOKIE=aaa56722derf.  Now, as you
transition to HTTP that piece of information is sent to the server
in plain text that anybody can read.

So, me being the evil wily hacker grabs that information, and sets a
cookie in my evil hacked mozilla browser which will allow me to set
arbitrary cookies and bingo, I'm now you.



With tomcat 4, the only way to use the same method would be to create a 
http seesion for every http request, then redirect to https, add some 
kind of validation flags in the session object, then redirect back. This 
to me is worse, as a DoS attack could force the servlet container to 
create a http session for every Request, really putting a strain on 
your container.

I can't possibly think of any circumstance where you would need to
perform such a contrived mechanism.  In fact, I can't even understand
what you're trying to do here.

[ snip of rest of post ]

--
Jon Eaves [EMAIL PROTECTED]
http://www.eaves.org/jon/


--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

PropertyChangeSupport with tomcat

[Markus Keller]

Hello List

I am new with JSP and I have tomcat 4.1.12 running with apache 2.0, IBM 
JDK 1.3 and mod_webapp under Debian Linux. Now I have written two simple 
beans to test the PropertyChangeSupport  feature of the Java beans. One 
bean fires a property change and the other bean ist the listener, that 
should receive the change. Unfortunately it seems to me that this 
feature is not supported by tomcat. I load both beans in a jsp with the 
usebean directive (scope='session'). The beans work fine, I can set and 
get properties but the PorpertyChangeSupport doesn't work. I even do not 
now whether the property change event ist fired or not. Do I have to do 
some special confiuration to use the PropertyChangeSupport with tomcat 
or isn't it possible at all. I am thankful for every kind of help.

best regards

markus


--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Help: Tomcat not reloading classes

[Carson, Chuck]

I have the following line in server.xml:
Context path= docBase=ROOT debug=0 reloadable=true/

This seems to work for jsp files in $TOMCAT_HOME/webapps/ROOT but is not
working for class file in $TOMCAT_HOME/webapps/ROOT/WEB-INF/classes

Did I miss something? This is tomcat 4.1.2 using jdk 1.3.1_05.

Thanks,
CC


--
This message contains confidential information and is intended only for
the individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
contain viruses. The sender therefore does not accept liability for any
errors or omissions in the contents of this message, which arise as a
result of e-mail transmission. If verification is required please
request a hard-copy version. 

--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Cannot serve a WAV file from a 4.1.12 web application

[Ann Marie Carulli]

Hello,

I'm developing a web application running under Tomcat 4.1.12. When I try to serve a 
WAV file from the initial JSP file, the file is not heard. This line was used in the 
JSP file:

EMBED src=/voting/audio/startpage/startpage.wav HIDDEN=true 
autostart=true/EMBED

If I try to access the WAV file directly under IE 5.5, the error is that resource not 
available. 

Some possibly relevant facts:

- If I put a TXT or GIF file in that same directory under the web app, it is served.
- There is no security explicitly set up at this point.
- If a WAV file smaller than 4K is used, it does not work either.
- I did put a mime-mapping entry into the web.xml file, but it did not work either.
- The audio portion of this web app does work under JRun 4.1.

Thanks,
Ann

Re: Ajp13Processor starting background threads under low load

[Lindsay Patten]

Thanks for the pointer Glenn, it was much appreciated!

So, I've been doing thread stacktrace dumps, but what I found doesn't 
make a lot of sense to me.
After restarting tomcat there were 5 processor threads all blocked on a 
monitor:

Ajp13Processor[8085][0] daemon prio=1 tid=0x0x4f801b28 nid=0x45ae 
waiting on m
onitor [bd9ff000..bd9ff8ac]
   at java.lang.Object.wait(Native Method)
   - waiting on 0x446602c0 (a org.apache.ajp.tomcat4.Ajp13Processor)
   at java.lang.Object.wait(Object.java:426)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.await(Ajp13Processor.java:305)
   - locked 0x446602c0 (a org.apache.ajp.tomcat4.Ajp13Processor)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:490)
   at java.lang.Thread.run(Thread.java:536)

I presume these are waiting for the scheduler thread to pass them a request.

A while later a bunch of background threads get spawned and I do another 
dump/trace,
now there are a whole bunch of threads in a runnable state trying to 
read request packets:

Ajp13Processor[8085][21] daemon prio=1 tid=0x0x8289b38 nid=0x70d6 
runnable [ba
fff000..bafff8ac]
   at java.net.SocketInputStream.socketRead0(Native Method)
   at java.net.SocketInputStream.read(SocketInputStream.java:116)
   at org.apache.ajp.Ajp13.readN(Ajp13.java:429)
   at org.apache.ajp.Ajp13.receive(Ajp13.java:469)
   at org.apache.ajp.Ajp13.receiveNextRequest(Ajp13.java:274)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:371
)
   at 
org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
   at java.lang.Thread.run(Thread.java:536)

Despite the name receiveNextRequest, it looks like that method is being 
called to receive each request including the first. So, the ajp13 
processor is sitting blocked waiting for a full ajp13 packet from apache 
and apache is not sending data and not closing the connection/socket. 
From the comments in the code it sounds like apache restarts 
periodically, closing the sockets and unblocking the read calls, at 
which point these processors return to the pool - so if apache restarts 
before you reach your threads limit you are ok.

What I don't understand is how apache can be starting up ajp13 
connections to tomcat and then not sending a full packet without this 
causing user visible failures. Shouldn't there be users getting page 
loads timing out on them?  That doesn't seem to be happening.

Does this indicate a fault in apache or is it normal for apache to send 
partial requests without closing the connection?

Any further guidance?

Thanks,
   Lindsay


Glenn Nielsen wrote:

One way to start debugging this type of problem is to tell the java
process running Tomcat to do a Thread Stacktrace Dump.

kill -QUIT java processid

Then analyze the stack traces for all threads.

Regards,

Glenn


Lindsay Patten wrote:


Hi,
I thought I would take a different tack on my problem with the 
Ajp13Processor using up all of its threads problem.
Does anyone know if the Ajp13Processor has a timeout when it is 
looking for a worker to handle a request? If the worker threads were 
all swapped out and taking a long time to get going and respond, 
would the main thread start a new background thread instead of 
waiting? Or does it just have a list of available workers and blocks 
until the worker it selects responds?
If it is the former that would explain my problem since I have 
experienced my processes getting swapped out and taking a long time 
to respond. The question would then become: is a way to specify how 
long the scheduler should wait before starting a new thread? At least 
I would have something I could take to my service provider. On the 
other hand if I knew for sure that the scheduler thread didn't have a 
timeout on worker threads than I could concentrate on looking 
elsewhere.  Does anyone know? Or know where to look or ask short of 
reading the source?

Thanks,
   Lindsay

Lindsay Patten wrote:

Hi,
I am having a problem where tomcat keeps intermitantly starting new 
ajp13 processor threads, eventually it reaches the max and starts 
refusing connections. My hosting provider (linux machine) provides a 
private version of tomcat for each user with a single apache web 
server, there are typically a large number of processes on the 
machine (4000). My particular tomcat server (v4.0.3) is not being 
loaded at all but the ajp13processor threads don't seem to not get 
reused under some circumstances that I don't understand. I have 
added logging statements in my jsp pages and the pages appear to run 
to completion. Each jsp page accesses some info from a mysql db and 
displays it (*Summary) or takes some data from a form and sticks it 
in the db (Page). The system will often run for several hours and 
hundreds of requests without starting any threads, but then 
sometimes, as below, it starts new threads for almost every request 
for a while. Is there a way to determine if the 

Re: problem with session tracking and redirection http--- https

[Maninder S Batth]

my 2 cents:

encrypting session information such as encrypted urls or  cookies dont 
buy anything. they can be sniffed , and sent back. or worse things can 
happen.  Security is not cheap so forget finding an inexpensive way. 
thats one big problem with open protocols, you know exactly where to 
get the information and the stucture of information. SSL seems to be the 
cheapest way of doing business online as of now.

Re: My Start and Stop Tomcat windows do not stay up

[Maninder S Batth]

i get this error when my server.xml is not properly configuered. did u 
add context element to ur server.xl ?
if i am correct, this exception is saying that your server.xml doesnt 
adheres to dtd. so pls check it



[EMAIL PROTECTED] wrote:

Hi

I have installed Tomcat 4.1.12 on my XP machine.  I got the screen telling me 
that Tomcat was installed successfully.  However, neither the Start or Stop 
DOS windows stay up.  I understand that this problem could be overcome by 
increasing Initial Environment field to 4096.  In order to do this, I need to 
right click the DOS window and click on Properties and then the Memory tab.  
In Windows XP right clicking on the DOS window and clicking on properties 
does not bring up a Memory tab.  How do I increase the Initial Environment in 
XP?

Also, I checked the logs folder to see if I could get some further 
information on the state of Tomcat and found the following in the stderr 
file.  Can you tell me what this means and how I can correct it?  

It appears that logs are written whenever I do a cold start of my PC.  Is 
this correct? 

Thanks - I am a new user of Tomcat and am taking a course on Internet Server 
Programming so any help you can give me would be greatly appreciated.

Ann 


Oct 20, 2002 12:53:44 PM org.apache.commons.digester.Digester error
SEVERE: Parse Error at line 17 column 11: The content of element type 
web-app must match 
(icon?,display-name?,description?,distributable?,context-param*,filter*,filte

r-mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,w

elcome-file-list?,error-page*,taglib*,resource-env-ref*,resource-ref*,security

-constraint*,login-config?,security-role*,env-entry*,ejb-ref*,ejb-local-ref*)

.
org.xml.sax.SAXParseException: The content of element type web-app must 
match 
(icon?,display-name?,description?,distributable?,context-param*,filter*,filte

r-mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,w

elcome-file-list?,error-page*,taglib*,res
ource-env-ref*,resource-ref*,security-constraint*,login-config?,security-role*

,env-entry*,ejb-ref*,ejb-local-ref*).
   at 
org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandle

rWrapper.java:232)
   at 
org.apache.xerces.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:173)

   at 
org.apache.xerces.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:362)

   at 
org.apache.xerces.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:296)

   at 
org.apache.xerces.impl.dtd.XMLDTDValidator.handleEndElement(XMLDTDValidator.ja

va:1953)
   at 
org.apache.xerces.impl.dtd.XMLDTDValidator.endElement(XMLDTDValidator.java:878

)
   at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.handleEndElement(XMLDocu

mentFragmentScannerImpl.java:1144)
   at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocume

ntFragmentScannerImpl.java:987)
   at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatche

r.dispatch(XMLDocumentFragmentScannerImpl.java:1445)
   at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocument

FragmentScannerImpl.java:333)
   at 
org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:524)
   at 
org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:580)
   at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
   at 
org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1169)

   at org.apache.commons.digester.Digester.parse(Digester.java:1495)
   at 
org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java

:282)
   at 
org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639)
   at 
org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:24

3)
   at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.

java:166)
   at 
org.apache.catalina.core.StandardContext.start(StandardContext.java:3493)
   at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:821

)
   at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:579)
   at 
org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.jav

a:257)
   at org.apache.catalina.core.StandardHost.install(StandardHost.java:772)
   at 
org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:569)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:411)
   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:879)
   at 
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:368)
   at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.

java:166)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1196)
   at org.apache.catalina.core.StandardHost.start(StandardHost.java:738)
   at 

Re: Multiple Tomcat Security Realms

[Craig R. McClanahan]

On Sat, 19 Oct 2002, grenoml wrote:

 Date: Sat, 19 Oct 2002 13:33:16 -0700 (PDT)
 From: grenoml [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: Re: Multiple Tomcat Security Realms

 I went through the REALM HOW-TO also.  It just tells
 you how to setup the various realm types but not how
 to configure multiple realms.


It's there, but sort of subtle.

The key point is that you can nest a Realm element in three different
places in server.xml, to get three different results:

* Nest inside Engine to affect all webapps on all virtual hosts.
  This is how things are set up in the default Tomcat server.xml file.

* Nest inside Host to affect all webapps on that virtual host,
  but no others.

* Nest inside Context to affect only that single webapp.

The search for the relevant realm is hierarchical, starting from the most
specific to the least specific.  So, one way to deal with your scenario
would be to simply leave the default setup alone (so that it supports the
admin and manager webapps as it does currently), then define a Context
element for each of your specific applications -- and nest a Realm
inside each of those Context elements to configure its own security
setup.

An alternate approach would be appropriate if you wanted to use the same
JDBCRealm for all apps *except* admin and manager:

* Move the existing Realm element from inside the Engine to inside
  new Context elements for the admin and manager webapps

* Make your JDBCRealm the default one (nested in the Engine element)
  for all other apps.

Craig


--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

RE: there are type: HTTP Status 404 -/tomcat-docs...

[rdevine]

Yufeng,
I'm pretty new to this so others may have better info.  Check
your path to make sure that tomcat-docs is in the webapps folder
[%CATALINA_HOME\webapps\tomcat-docs] and that you have a WEB-INF in your
tomcat-docs folder.

Hope that helps..experienced ones please correct me if needed.

Bob 

-Original Message-
From:   [mailto:czyf2001;hotmail.com] 
Sent: Sunday, October 20, 2002 3:37 AM
To: [EMAIL PROTECTED]
Subject: there are type: HTTP Status 404 -/tomcat-docs...




hi tomcat,

  when I saw tomcat's index.jsp and there is  
If you're seeing this page via a web browser, it means you've setup
Tomcat 
successfully. Congratulations!
till I click Tomcat Documentation 
.there are type: 
HTTP Status 404 - /tomcat-docs





type Status report

message /tomcat-docs

description The requested resource (/tomcat-docs) is not available.






Apache Tomcat/4.1.12-LE-jdk14

what shall i do?Could you will give me some advice and help me to
configue 
it right!!

thanks! I will glad to hear form you.
   
yours 
   yufeng




_
ÓëÁª»úµÄÅóÓѽøÐн»Á÷£¬ÇëʹÓà MSN Messenger:
http://messenger.msn.com/lccn/ 


--
To unsubscribe, e-mail:
mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail:
mailto:tomcat-user-help;jakarta.apache.org



--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Does tc-4.12 have bugs with nested jsp tags?

[Zsolt Koppany]

Hi,

my nested JSP tags (nesting level 3-4) work fine under tc-4.0.4 but they seem 
to be bugy with tc-4.12. Are there known JSP issues with tc-4.12?


Zsolt

--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Re: problem with session tracking and redirection http--- https

[Craig R. McClanahan]

On Sat, 19 Oct 2002, Henrik Bentel wrote:

 Date: Sat, 19 Oct 2002 19:08:35 +
 From: Henrik Bentel [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: problem with session tracking and redirection http--- https

 One of my problems is that I can't find anything in the servlet or tomcat
 documentation that mentiones any of this behaviour. If there is any, please
 send me the link.


It's not specific to servlets at all ... it's a fundamental issue for
anything running across http/https that wants to do the equivalent of
sessions.

 Also, since any time session tracking is used it can be picked up by
 someone, all use of https should stay strictly under https(ok, I'm over
 doing it). So basically if a webapp has any sensitive information, it should
 solely use https protocol for all transmissions, if using session tracking?


Not necessarily.

Consider an ecommerce site.  You'd typically maintain the shopping cart as
some sort of collection in a session attribute.  You could easily make the
case that this information is not particularly sensitive (especially if
you haven't collected any personal identification information yet).  So,
it's quite reasonable to run this part of the app across http.

However, once you go to the checkout phase of the app, you should switch
to https for the screen that submits the credit card details and that sort
of thing, so that nobody can snoop that data as it's being transmitted.

However, you are not done yet.  Once a particular session has been
switched from http to https, it MUST contain logic to never accept a
subsequent request (for that session) from http again.  Otherwise, your
app is subject to attacks like repeatedly submitting the Purchase
Confirmation form again, and causing multiple orders to be submitted.

 I don't see why the servlet container should force this behaviour. Shouldn't
 it be up to the developer to determine what is a security issue and not?

The http-https transition is supported by the servlet spec (and by
Tomcat).  That's what the transport-guarantee element in a security
constraint is for.

The https-http transition is not supported because it is fundamentally
flawed, and it would be irresponsible for the container to allow naive
developers to unknowningly create vulnerable applications.

 Just like JSP doesn't neccesseraly force the separation of business logic
 and content, just allowing it, should the servlet container force a
 restrictive behaviour of session tracking?
 A lot of web sites don't want the over head of sending everything over
 https. Only parts of it for secure user validation. But they still want
 session tracking.

 Just as a simple example:
 So let's say you use the existence of an http session as a validation for a
 logged in user, but you don't store any vital information.
 And you only allow http sessions to be created under https protocol to
 secure the submition of password. Beyond that point, no sensitive data is
 shared, so users can be redirected back to http protocol.


No you *cannot* do this safely (from a security perspective).

The reason is that the session id *itself* is security sensitive
information (because you stored state information in the session that
login was successful).  Once you switch back into http, the session id is
transmitted in clear text, and is subject to hijacking.  Anyone on the
internet can submit requests using that session id, and the requsts will
be executed by your app as if they were submitted by the person who was
originally authenticated.

Developers who feel that it's sufficient to use https only for the login
screen, but want to use http for the rest of the session, are fooling
themselves that they have accomplished anything useful (from a security
perspective).

 With tomcat 4, the only way to use the same method would be to create a http
 seesion for every http request, then redirect to https, add some kind of
 validation flags in the session object, then redirect back. This to me is
 worse, as a DoS attack could force the servlet container to create a http
 session for every Request, really putting a strain on your container.

 The example probably isn't a good example for how a typical website enforces
 secure validation, but I just want to raise the point that the hole is
 still there, since sessions created under http are available in all schemes.
 It could just as easily be misused by a developer.


You are correct that the restriction I'm talking about doesn't deal with
DoS attacks based on causing lots of sessions to be created.  It deals
with a completely different issue.

Craig


--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

there are type: HTTP Status 404 -/tomcat-docs...

[ ]

hi tomcat,

 when I saw tomcat's index.jsp and there is  
If you're seeing this page via a web browser, it means you've setup Tomcat 
successfully. Congratulations!
till I click Tomcat Documentation 
.there are type: 
HTTP Status 404 - /tomcat-docs




type Status report

message /tomcat-docs

description The requested resource (/tomcat-docs) is not available.





Apache Tomcat/4.1.12-LE-jdk14

what shall i do?Could you will give me some advice and help me to configue 
it right!!

thanks! I will glad to hear form you.
  
   yours 
  yufeng




_
ÓëÁª»úµÄÅóÓѽøÐн»Á÷£¬ÇëʹÓà MSN Messenger: http://messenger.msn.com/lccn/ 


--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Error handling in ServletContextListener/investigating tomcat startup errors

[garrett smith]

Hey,

If I have problems in an implementation of ServletContextListener, TC refuses
to give me a reason. How can I log the error message? To generate an error, I
divided by zero. A more likely (and less avoidable) exception is
NamingException (what I expect). 



[code]
public void contextInitialized(ServletContextEvent event) {

try{
Database.init();
Mailer.init();
int i = 0;
int j = 1/i;
}
catch (Exception ne){

// doesn't do anything. 
System.err.println(ne.fillInStackTrace());
//ne.printStackTrace();
}
}
[/code]

Here's the log file:

2002-10-20 03:25:07 [org.apache.catalina.connector.warp.WarpConnector] Error
accepting requests
java.net.SocketException: Software caused connection abort
at java.net.PlainSocketImpl.socketAccept(Native Method)
at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:421)
at java.net.ServerSocket.implAccept(ServerSocket.java:243)
at java.net.ServerSocket.accept(ServerSocket.java:222)
at
org.apache.catalina.connector.warp.WarpConnector.run(WarpConnector.java:590)
at java.lang.Thread.run(Thread.java:496)

In general, it is annoying when TC refuses to start. I'd like to have some sort
of meaningful message as to why.

How can I get a meaningful exception/error msg?

=
Garrett Needs A Job

__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Re: My Start and Stop Tomcat windows do not stay up

[Homer Junior]

Hello AnnWenzel,

Are you sure that Tomcat isn't already running as a service?  If
Tomcat is already listening to the ports that a new instance would
try to listen to, then you would get that behavior.  The window would
just close.  For easier debugging, you might want to open a command
prompt and cd to where the tomcat startup batch files are and run them
via the command line rather than double clicking the batch files.
That way, you should see some error messages in the console.

Jake

Sunday, October 20, 2002, 2:52:55 PM, you wrote:

 Hi

 I have installed Tomcat 4.1.12 on my XP machine.  I got the screen telling me 
 that Tomcat was installed successfully.  However, neither the Start or Stop 
 DOS windows stay up.  I understand that this problem could be overcome by 
 increasing Initial Environment field to 4096.  In order to do this, I need to 
 right click the DOS window and click on Properties and then the Memory tab.  
 In Windows XP right clicking on the DOS window and clicking on properties 
 does not bring up a Memory tab.  How do I increase the Initial Environment in 
 XP?

 Also, I checked the logs folder to see if I could get some further 
 information on the state of Tomcat and found the following in the stderr 
 file.  Can you tell me what this means and how I can correct it?  

 It appears that logs are written whenever I do a cold start of my PC.  Is 
 this correct? 

 Thanks - I am a new user of Tomcat and am taking a course on Internet Server 
 Programming so any help you can give me would be greatly appreciated.

 Ann 


 Oct 20, 2002 12:53:44 PM org.apache.commons.digester.Digester error
 SEVERE: Parse Error at line 17 column 11: The content of element type 
 web-app must match 
 (icon?,display-name?,description?,distributable?,context-param*,filter*,filte

 r-mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,w

 elcome-file-list?,error-page*,taglib*,resource-env-ref*,resource-ref*,security

 -constraint*,login-config?,security-role*,env-entry*,ejb-ref*,ejb-local-ref*)

 .
 org.xml.sax.SAXParseException: The content of element type web-app must 
 match 
 (icon?,display-name?,description?,distributable?,context-param*,filter*,filte

 r-mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,w

 elcome-file-list?,error-page*,taglib*,res
 ource-env-ref*,resource-ref*,security-constraint*,login-config?,security-role*

 ,env-entry*,ejb-ref*,ejb-local-ref*).
 at 
 org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandle

 rWrapper.java:232)
 at 
 org.apache.xerces.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:173)

 at 
 org.apache.xerces.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:362)

 at 
 org.apache.xerces.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:296)

 at 
 org.apache.xerces.impl.dtd.XMLDTDValidator.handleEndElement(XMLDTDValidator.ja

 va:1953)
 at 
 org.apache.xerces.impl.dtd.XMLDTDValidator.endElement(XMLDTDValidator.java:878

 )
 at 
 org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.handleEndElement(XMLDocu

 mentFragmentScannerImpl.java:1144)
 at 
 org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocume

 ntFragmentScannerImpl.java:987)
 at 
 org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatche

 r.dispatch(XMLDocumentFragmentScannerImpl.java:1445)
 at 
 org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocument

 FragmentScannerImpl.java:333)
 at 
 org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:524)
 at 
 org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:580)
 at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
 at 
 org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1169)

 at org.apache.commons.digester.Digester.parse(Digester.java:1495)
 at 
 org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java

 :282)
 at 
 org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639)
 at 
 org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:24

 3)
 at 
 org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.

 java:166)
 at 
 org.apache.catalina.core.StandardContext.start(StandardContext.java:3493)
 at 
 org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:821

 )
 at 
 org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807)
 at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:579)
 at 
 org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.jav

 a:257)
 at org.apache.catalina.core.StandardHost.install(StandardHost.java:772)
 at 
 org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:569)
 at 

My Start and Stop Tomcat windows do not stay up

[AnnWenzel]

Hi

I have installed Tomcat 4.1.12 on my XP machine.  I got the screen telling me 
that Tomcat was installed successfully.  However, neither the Start or Stop 
DOS windows stay up.  I understand that this problem could be overcome by 
increasing Initial Environment field to 4096.  In order to do this, I need to 
right click the DOS window and click on Properties and then the Memory tab.  
In Windows XP right clicking on the DOS window and clicking on properties 
does not bring up a Memory tab.  How do I increase the Initial Environment in 
XP?

Also, I checked the logs folder to see if I could get some further 
information on the state of Tomcat and found the following in the stderr 
file.  Can you tell me what this means and how I can correct it?  

It appears that logs are written whenever I do a cold start of my PC.  Is 
this correct? 

Thanks - I am a new user of Tomcat and am taking a course on Internet Server 
Programming so any help you can give me would be greatly appreciated.

Ann 


Oct 20, 2002 12:53:44 PM org.apache.commons.digester.Digester error
SEVERE: Parse Error at line 17 column 11: The content of element type 
web-app must match 
(icon?,display-name?,description?,distributable?,context-param*,filter*,filte

r-mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,w

elcome-file-list?,error-page*,taglib*,resource-env-ref*,resource-ref*,security

-constraint*,login-config?,security-role*,env-entry*,ejb-ref*,ejb-local-ref*)

.
org.xml.sax.SAXParseException: The content of element type web-app must 
match 
(icon?,display-name?,description?,distributable?,context-param*,filter*,filte

r-mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,w

elcome-file-list?,error-page*,taglib*,res
ource-env-ref*,resource-ref*,security-constraint*,login-config?,security-role*

,env-entry*,ejb-ref*,ejb-local-ref*).
at 
org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandle

rWrapper.java:232)
at 
org.apache.xerces.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:173)

at 
org.apache.xerces.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:362)

at 
org.apache.xerces.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:296)

at 
org.apache.xerces.impl.dtd.XMLDTDValidator.handleEndElement(XMLDTDValidator.ja

va:1953)
at 
org.apache.xerces.impl.dtd.XMLDTDValidator.endElement(XMLDTDValidator.java:878

)
at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.handleEndElement(XMLDocu

mentFragmentScannerImpl.java:1144)
at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocume

ntFragmentScannerImpl.java:987)
at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatche

r.dispatch(XMLDocumentFragmentScannerImpl.java:1445)
at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocument

FragmentScannerImpl.java:333)
at 
org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:524)
at 
org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:580)
at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
at 
org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1169)

at org.apache.commons.digester.Digester.parse(Digester.java:1495)
at 
org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java

:282)
at 
org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639)
at 
org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:24

3)
at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.

java:166)
at 
org.apache.catalina.core.StandardContext.start(StandardContext.java:3493)
at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:821

)
at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:579)
at 
org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.jav

a:257)
at org.apache.catalina.core.StandardHost.install(StandardHost.java:772)
at 
org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:569)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:411)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:879)
at 
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:368)
at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.

java:166)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1196)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:738)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347)
at 

problem building mod_jserv.so

[Aman Kapoor]

Hi

I have been trying to build mod_jserv.so

ld -G -o mod_jserv.so mod_jserv.o jserv_wrapper_win.o 
jserv_wrapper_unix.o jserv_wrapper.o jserv_watchdog.o 
jserv_utils.o jserv_status.o jserv_protocols.o jserv_mmap.o 
jserv_image.o jserv_balance.o jserv_ajpv12.o jserv_ajpv11.o 
autochange.o
apxs:Break: Command failed with rc=16777215

this is what i get...

can anyone help

--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Apache + SSL + TOMCAT4 + mod_jk : problem (Socket Timeout) : Help

[rami rosen]

Hello, 
 I have surfed the net thourouly, including 
 Tomcat NessGroups, and did not find 
 an answer to my problem ;
 May I ask :
  I am running  Tomcat4 + Apache + SSL + Mod _JK 
 on RH 8.0; I had configure Apache 
 to and Tomcat to use SSL (including 
 uncommenting the SSL connector lines 
 in server.xml of tomcat , and creating a changeit
 with alias tomcat with -keytool .
 
 
 I am using the (default) 8543. 
 
 
 I am creating an SLLSocket on this port from the client
 side ; when I am sending a post request. 
 I see (while debugging) that there is a SocketTimeOut 
 exception. (This happens when HttpProcessor 
 calls parseRequest() and we reach the readRequestLine()
 in the SocketInputStream. 
 
 When I set connectionTimeout to -1 , to disable 
 timeout , I do not have this Exception , but 
 I see that the data in the input stream 
 does not exist.
 
 When I run the same code and 
 just cretae a Non-SSL socket (on a 
 different port, 8180) everyhting is OK. 
 
 Do you have any idea what the problen can be ?
 
 rr





___
Sent by TalkMil WEBMail Server 
MailVision Inc.
http://www.mailvision.net



--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Re: servlets stoped working but jsp works

[Jacob Kjome]

You need to pay attention to the security notices:

http://jakarta.apache.org/site/news.html#0924.1

The invoker servlet has been disabled by default to close a security 
hole.  Basically, the source of your JSP page could be revealed via a 
specially crafted URL.

If you *really* need to enable the servlet invoker, go into 
$CATALINA_HOME/conf/web.xml and uncomment the servlet-mapping for the 
invoker servlet.  Then restart Tomcat.  However, you should be providing 
servlet mappings for servlet you want to run.  Look into an MVC framework 
like Struts or Barracuda to see how you can map a single servlet which then 
invokes all your other servlets.

Jake

At 03:10 PM 10/20/2002 +0200, you wrote:

 Hi, i'm using tomcat 4.1.12 and mod_jk
For some strange reason all servlets stoped working and return messages
like:
 description The requested resource
 (/catalina/examples/servlet/RequestInfoExample) is not available
when called. But the jsp pages work fine(within the same contexts in
which servlets don't work).
 I have NOT changed the mod_jk and the xml files. Also i do not find any
error messages in the logs.
 Does anyone have an idea what could go wrong?
 Thanks.


--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Re: Cannot serve a WAV file from a 4.1.12 web application

[Ann Marie Carulli]

Honesty compels me to say that the solution is to make sure the the filename
is cased correctly. Tomcat is on Linux, JRun is on Windows 2000, and the
files were named *.WAV. 'Nuff said.-)))

Thanks,
Ann

- Original Message -
From: Ann Marie Carulli [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 20, 2002 12:30 AM
Subject: Cannot serve a WAV file from a 4.1.12 web application


Hello,

I'm developing a web application running under Tomcat 4.1.12. When I try to
serve a WAV file from the initial JSP file, the file is not heard. This line
was used in the JSP file:

EMBED src=/voting/audio/startpage/startpage.wav HIDDEN=true
autostart=true/EMBED

If I try to access the WAV file directly under IE 5.5, the error is that
resource not available.

Some possibly relevant facts:

- If I put a TXT or GIF file in that same directory under the web app, it is
served.
- There is no security explicitly set up at this point.
- If a WAV file smaller than 4K is used, it does not work either.
- I did put a mime-mapping entry into the web.xml file, but it did not work
either.
- The audio portion of this web app does work under JRun 4.1.

Thanks,
Ann



--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org

Sendmail error

[BC]

While attempting to test the sendmail.jsp example from a Tomcat 4.1.12
installation I keep running the following error:

ENCOUNTERED EXCEPTION: javax.mail.SendFailedException: Sending failed;
nested exception is: javax.mail.MessagingException: Could not connect to
SMTP host: home.hitokiri.com, port: 25; nested exception is:
java.net.ConnectException: Connection refused

Where would I check to resolve this issue?  I don't understand why the
connection is being refused since I use the same SMTP host name to send
email out from from my email program.  And there's no authentication needed
to send out emails from that host (which is localhost anyway).  Any ideas?

-Ben


--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org