Socket level communications from within Tomcat?
Is it possible to start a socket server from code called by Tomcat? Specifically, is it possible to run the server side of RMI communication from code called by ServletContainerListener.contextInitialized()? I seem to recall that an old version of Tomcat did not allow this. Is this still true of Tomcat 5.*? I believe this issue is documented, but I can't find it. Thanks, bw
Where is Digester?
Could someone tell me which jar file contains org/apache/commons/digester/Digester and where the path to it gets specified in server.xml (Tomcat 5)? I've added a second service to my server.xml file (to support a second IP address). When Tomcat starts, the second service is throwing a java.lang.NoClassDefFoundError: org/apache/commons/digester/Digester (FYI the problem probably has to do with how I specified the Engine and Hostname. On the first service I used 'localhost', in the second I used the actual domain name. Tomcat is able to serve html from the second, so the domain name is correct.) Thanks, bw
How do I associate a web app with a specific IP (connector)?
I'm going to be running Tomcat with two IP addresses (each has its own domain name). How do I associate some web apps with one and some with the other? From my reading of the /Server Configuration Reference/ (but no experience yet), I gather that I should create a connector for each IP address. But I don't see how to associate a web app with a particular connector. Do I need to create separate Host elements and use separate appBases? Or is there another way altogether? Thanks, bw
Re: How do I associate a web app with a specific IP (connector)?
Thanks. That looks simple enough. Does this mean that I don't need an extra connector for the IP?

Patrick Willart wrote:
> There is probably more than one way to do this, but one is by defining multiple hosts and using an alias to bind the host to an IP. You could end up with something like this:
>
> <Host name="yourdomain1" debug="0" appBase="webapps1" unpackWARs="true" autoDeploy="true" xmlValidation="true" xmlNamespaceAware="true">
>   <Alias>127.0.0.1</Alias>
>   <Alias>yourdomain1.com</Alias>
> </Host>
> <Host name="yourdomain2" debug="0" appBase="webapps2" unpackWARs="true" autoDeploy="true" xmlValidation="true" xmlNamespaceAware="true">
>   <Alias>127.0.0.2</Alias>
>   <Alias>yourdomain2.com</Alias>
> </Host>
>
> grts, Patrick
Re: Disable session serialization?
Thanks. An example of the <Manager .../> element was not included in the sample server.xml in Tomcat 5.0.19. FYI (and for the archives) in Tomcat 5 (which I think has slightly different parameters than Tomcat 4), the following seems to work (although it's hard to test):

<Manager className="org.apache.catalina.session.StandardManager" distributable="false" pathname="/dev/null" />

I put it in the <Host ...> element (the Tomcat documentation was a bit opaque on this) and that seems to work. bw

Tim Funk wrote:
> (I have not tested this, but try)
>
> <Manager pathname="/dev/null"/>
>
> Or the example server.xml in tomcat4.1 has this:
>
> <Manager className="org.apache.catalina.session.PersistentManager" debug="0" saveOnRestart="true" maxActiveSessions="-1" minIdleSwap="-1" maxIdleSwap="-1" maxIdleBackup="-1">
>   <Store className="org.apache.catalina.session.FileStore"/>
> </Manager>
>
> Change saveOnRestart=true to saveOnRestart=false
> -Tim
Very sporadic problem of OLD value request.getQueryString()
I've run into a /very/ sporadic problem and was wondering if anyone has had a similar problem (Tomcat 5.0.19). I have a servlet that reads the query string from HttpServletRequest (i.e. HttpServletRequest.getQueryString()). Occasionally it seems to get an old version. This only occurs at the beginning of a new session and only happens once per session. After the first error, everything seems ok. However, it does not occur at the beginning of every session. Most of the time it doesn't happen. Whether or not Tomcat has just been restarted does not seem to matter. I've tested this servlet with the same version of Tomcat on two systems, a SuSE 9.1 system with Java build 1.4.2-b2 and a Redhat 9.0 system (which has slower hardware) with Java build 1.4.2_02-b03. The error only occurs on the Redhat system. I am /not/ suggesting that the problem has anything to do with Redhat (that seems extraordinarily unlikely) or the different Java builds (which also seems extraordinarily unlikely). If you've had a similar experience or any thoughts about what might be going on, please let me know. Thanks, bw PS I have session serialization turned off.
Re: Disable session serialization?
Is there an example of the Manager element anywhere on the web? (Neither the Tomcat documentation nor the sample server.xml that comes with Tomcat has an example as far as I can tell.) Thanks

Tim Funk wrote:
> http://jakarta.apache.org/tomcat/faq/misc.html#persist
> -Tim
Disable session serialization?
Is it possible to disable session serialization? If so how is it done, and is it a bad idea? Is this documented anywhere? Thanks, bw PS the archives have several postings asking this question but no answer.
Re: Tomcat as 'root' insecure? (again)
David Smith wrote:
> Let's see if I can offer a direct answer. I don't believe tomcat is insecure, but there are always those holes that haven't been found yet and a chance that the bad guys will find them first. The best practice approach to system security is to run all processes (tomcat included) at the minimum privilege level necessary to function. That way if an as yet unknown vulnerability is discovered and the attacker achieves the same privilege level as the service, he/she still shouldn't be able to get very far. The only benefit I've ever seen to running as root is the ability to bind to privileged ports below 1024 (web port 80 is one of them). In my opinion, not a big enough gain to warrant root privilege on the tomcat process.

Good point - I'm convinced.

> I use jsvc which launches as root just long enough to capture the privileged ports necessary and then drops the root privilege to run as tomcat5. Very clean, runs on startup, and I don't have to worry about some unforeseen problem giving an attacker instant root privilege.

I wasn't aware of the jsvc, which answers my needs very well. Thanks
Re: Tomcat as 'root' insecure? (again)
Roger wrote:
> Okay, I suppose you all are right saying that it's better not to run as root. But does the same apply to Windows? We're using Tomcat 4.1.24 on Windows 2000 Server, and up till now we've always run Tomcat as root. I don't see a jsvc-script or directory. Do I need to upgrade to TC5 to be able to use the script?
> Roger

I believe that the Win version is called procrun. (jsvc and procrun are part of Apache's commons daemon project.) See http://jakarta.apache.org/commons/daemon/index.html bw
Can webapps 'share' a security-constraint?
I'd like users to be able to login once and get access to several web apps. Is it possible for web apps to 'share' a security-constraint? I've tried putting the constraint into conf/web.xml. That applies the constraints to all the specified web apps managed by the server, but users still need to log into each web app separately. I.e. if conf/web.xml contains a security constraint such as

<security-constraint>
  <display-name>Site access constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/WebApp_A/*</url-pattern>
    <url-pattern>/WebApp_B/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>a_defined_role</role-name>
  </auth-constraint>
</security-constraint>

(webapps/Web_App_A/WEB-INF/web.xml and webapps/Web_App_B/WEB-INF/web.xml do not contain a security-constraint.) (By the way, I don't know if putting a security constraint in conf/web.xml is legitimate.) The constraint will apply to WebApp_A and WebApp_B. When a user accesses a page in WebApp_A, she is required to login. If, after a successful login, she accesses a page in WebApp_B, she will have to log in again. Is there a way to force the first login to apply to all the listed web-apps? Thanks, bw
Tomcat as 'root' insecure? (again)
This issue has been (tangentially) addressed in a number of threads on several lists, but the answers I've found are not exactly consistent. I'd appreciate this list's opinion. So, is it insecure to run standalone Tomcat as a root process on a Linux system? By 'running Tomcat as a root process', I mean running the startup.sh script while logged in as the su (presumably with nohup). Some people seem to think that running a server as a root process is inherently insecure. But I've also seen it argued that because standalone Tomcat runs in a Java sandbox, it is very secure independent of how it's running. This makes sense to me, but I'm not very knowledgeable about this sort of thing. Thanks, bw PS The purpose of running as root is, of course, so that Tomcat can listen to ports 80 and 443. I know that there are other ways of accomplishing this (using netfilter, etc.) but I'd prefer to avoid them if possible. I need to run Tomcat in an environment that I don't know very well (a vps under redhat) - so the less I have to screw around with the operating system the better. Setting Tomcat to listen to port 80, etc. is simple and portable, which is a big advantage for me.
Bug in Tomcat 5 realm example (j_security_check, again)
This really concerns using j_security_check. (I know there have been many posts on this subject but I haven't seen the answer I need and I haven't found much in the way of documentation on j_security_check). Tomcat 5 comes with a simple example of how to use j_security_check for form based login (http://localhost:8080/jsp-examples/security/protected/, as referred to in the Realm Configuration HOW-TO). The example fails to redirect correctly after a failed login. That is, if the user enters a valid username/password combination on the first try, everything is fine. If not, the user gets the error page, which has a link back to the login page. If she then enters the correct username/password, she is redirected to the /login page/. It appears that the user now is logged in. I.e. she can now access protected pages. In other words, the login page - error page - login page redirection is 'losing' the url of the originally requested page. I suspect that a simple modification to login.jsp and error.jsp would fix this, but that requires knowing where j_security_check put the url of the originally requested page. I haven't found any documentation on that. If you know, or have any other ideas on fixing this, please let me know. Thanks, bw
Default persistence/serialization?
Does Tomcat, by default, serialize a session (or anything else)? I'm getting a NotSerializableException when attempting to perform a HttpServletRequest.forward() from inside a servlet. The NotSerializableException refers to a java bean that is called from the JSP page that is the object of the forward(). The <jsp:useBean ...> call specifies the bean's scope as request. The class in question is not serializable, but it should not be (at least not as far as my code is concerned). This servlet is working properly with other JSP pages and other beans that are not serializable. Of course, I could declare it serializable but it really shouldn't ever be serialized and I'd like to understand what's going on. I haven't found anything relevant in the servlet spec. I'm currently running Tomcat/5.0.19 as a standalone server. For what it's worth, the error message (from the logfile) is below. I'd appreciate any thoughts on this matter. Thanks, bw

May 23, 2004 2:00:12 PM org.apache.catalina.session.StandardManager start
SEVERE: Exception loading sessions from persistent storage
java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: beaststore.SupplierOrder
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1278)
    at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1845)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1769)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1646)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1274)
    at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1603)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1271)
    at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1845)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1769)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1646)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1274)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:324)
    at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1376)
    at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:920)
    at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:463)
    at org.apache.catalina.session.StandardManager.load(StandardManager.java:390)
    at org.apache.catalina.session.StandardManager.start(StandardManager.java:704)
    at org.apache.catalina.core.ContainerBase.setManager(ContainerBase.java:542)
    at org.apache.catalina.startup.ContextConfig.managerConfig(ContextConfig.java:348)
    at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:652)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:253)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4222)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:866)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:850)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:638)
    at org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.java:320)
    at org.apache.catalina.core.StandardHost.install(StandardHost.java:875)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:727)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:477)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1008)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:394)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1134)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:832)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1126)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:521)
    at org.apache.catalina.core.StandardService.start(StandardService.java:519)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:2345)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:594)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)
Caused by: java.io.NotSerializableException: beaststore.SupplierOrder
    at
Changing the 'ROOT' webapp (newbie question)
By default, when Tomcat gets a request for something like http://www.some_domain_name.com/ or http://www.some_domain_name.com it serves the file webapps/ROOT/index.jsp. What is the preferred way of getting it to return the index file of a different web app? I haven't found anything in the conf xml files, the documentation, or the archives about this (which doesn't mean it isn't there, just that I didn't see it). Of course I could just change the contents of webapps/ROOT, but I suspect there's a better way. Thanks, bw
(newbie q) Connector vs running standalone Tomcat as root
I'd like to hear people's opinions on the best way to have Tomcat accessible via standard ports (80 and 443). As I understand it, under Linux (and other unixes), ports < 1000 must be run as root. I've also read that there are some difficulties running Tomcat as root. I gather that the alternative is to run Tomcat via a connector from Apache. I have no particular need to run Apache - nearly everything on the site I'm putting together requires Tomcat. Is running Tomcat as a root process really impossible and/or problematic (under Linux)? Are there any other downsides to running Tomcat as a standalone server? Thanks bw
ssl-only access to a page?
Is it possible to make a page accessible only via an ssl port? Of course I can (and will) check for the protocol in a servlet (and re-direct if necessary), but it would be nice to prevent non-ssl access to certain pages altogether. Thanks, bw
How to set autodeploy?
In Tomcat 4.1.27, where and how do you set autodeploy to true? I thought that autodeploy=true was the default, but it does not appear to be working in my newly installed copy. (This must be in the documentation somewhere but I haven't been able to find it and there's nothing for autodeploy in the archive.) Thanks, bw