Re: JNDI frustration
Take a look at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29255.

Benson Margulies wrote:

Tomcat 5.0.25
JDK 1.4.1

I'm following the instructions to create a custom bean factory for use with JNDI. At server initialization, the MBean code calls into my ObjectFactory to create, successfully, the first bean. Then, my webapp has a resource manager listener. It tries to use the standard lookup mechanism, and gets a NamingException, with no interesting details, with no call to my ObjectFactory. I followed all the instructions with respect to the web.xml and server.xml contents.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: SSL Client Authorization
According to this link http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html possible values are true, want, and (I presume) false. I use client authentication in (non-embedded) Tomcat, and true does indeed require client authentication.

-Jim

Sander Smith wrote:

Doug,

Thanks for your help but this isn't what I need. Yes, I want the client to present a certificate for validation during the SSL handshake, but your solution is not available to me. You suggest putting something in a config file, but I'm running Tomcat embedded, so all of the configuration is happening programmatically. I have a org.apache.coyote.tomcat5.CoyoteConnector and I call setKeystoreFile(...), setKeyAlias(...), etc. to set up the server side SSL, and this is working great. When I want to request a client certificate I would expect to call setClientAuth(...) to do this. However, I'd expect to pass a boolean into this method, but instead, the interface requires a String!!! To make matters worse, there's no documentation to say what this string is. Does anyone know how to do this programmatically??

Sander Smith

At 08:20 AM 6/1/2004 -0400, you wrote:

Sander,

If what you want is to have the client present a certificate for validation, then in your connector have something like

clientAuth=true

See http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

If you are looking for something different let us know.

Doug
www.parsonstechnical.com

- Original Message -
From: Sander Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 01, 2004 6:29 AM
Subject: SSL Client Authorization

I'm writing an application with SSL that's been working fine, and would like to enable client authorization. It seemed like the thing to do was go to my connector (org.apache.coyote.tomcat5.CoyoteConnector) and enable it there. Lo and behold there is a method (setClientAuth) that seems to do what I want, but for some strange reason it takes a string as an argument instead of a boolean. What am I missing here?? How do I enable this?

Sander Smith
Re: Certificates and SSL Authentication
See Certificate Chains in http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html#Certificates.

Sander Smith wrote:

I'm a bit confused concerning SSL certificates, and hope someone can shed some light. In reading through the SSL spec concerning the SSL handshake, it appears to me that the certificate that authenticates my server must be signed by a certificate that is known to the client's browser. This would preclude the following scenario:

(Root Certificate) = (Intermediate Cert1) = (Intermediate Cert2) = www.mysite.com

Where (Root Certificate) is known to the client but the intermediate certificates are not. My certificate SHOULD be considered to be okay since it is traceable back to a trusted certificate, but the SSL handshake seems to say that this is not the case. However, in looking at some real sites that have real certificates, I see the opposite happening. In particular I see the following:

Verisign = (Intermediate) = www.somesite.com

Where Verisign is known to my browser, but the intermediate certificate is not. It is of the form:

www.verisign.com/CPS Incorp.by Ref. ... (some other stuff)

What is going on here? Is there a way for the browser to get a copy of the intermediate certificate if it isn't already known to it as a trusted certificate?

Sander Smith
Re: Certificates and SSL Authentication
SSL v2 could only send 1 certificate. SSL v3 and TLS can send arbitrary-length certificate chains (the client doesn't ask for it, the server sends the entire chain as part of the handshake; if you're using client authentication then the server sends a certificate request to the client and the client sends its certificate chain during the handshake). You're right that the client works its way up thru the intermediate certificates and will accept the server certificate if it trusts the cert at the end of the chain. For the gory details you can read the specs; I use the book SSL and TLS: Designing and Building Secure Systems by Eric Rescorla and like it a lot.

-Jim

Sander Smith wrote:

Thanks for your help but my question wasn't answered. I understand certificate chains - I even created some long ones. My question is about SSL specifically. The way I understand the SSL handshake, the server only sends a certificate to the client - there is no provision to send a certificate chain. This means that if the client only trusts the root certificate (a reasonable assumption) and the root does not directly sign the server certificate (eg there are intermediate certificates in the chain) then the client cannot authenticate the server. This is what I understand from reading the specs, but common sense tells me that there must be some way for the client to retrieve those intermediate certificates so that the server is authenticated. My belief is supported by what I've seen in the real world - real sites that have a certificate chain 3 certificates long that get authenticated by my browser. From what I see, the middle certificate is not known beforehand to my browser, so my question is how does this work?

Thanks for any help,
Sander

At 03:25 PM 5/26/2004 -0700, you wrote:

See Certificate Chains in http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html#Certificates.

Sander Smith wrote:

I'm a bit confused concerning SSL certificates, and hope someone can shed some light. In reading through the SSL spec concerning the SSL handshake, it appears to me that the certificate that authenticates my server must be signed by a certificate that is known to the client's browser. This would preclude the following scenario:

(Root Certificate) = (Intermediate Cert1) = (Intermediate Cert2) = www.mysite.com

Where (Root Certificate) is known to the client but the intermediate certificates are not. My certificate SHOULD be considered to be okay since it is traceable back to a trusted certificate, but the SSL handshake seems to say that this is not the case. However, in looking at some real sites that have real certificates, I see the opposite happening. In particular I see the following:

Verisign = (Intermediate) = www.somesite.com

Where Verisign is known to my browser, but the intermediate certificate is not. It is of the form:

www.verisign.com/CPS Incorp.by Ref. ... (some other stuff)

What is going on here? Is there a way for the browser to get a copy of the intermediate certificate if it isn't already known to it as a trusted certificate?

Sander Smith
Re: converting a certificate for use on Tomcat
Hi Chris-

It depends on what you're trying to do. If all you're trying to do is put the certificate in the keystore as a Trusted Certificate Entry, you can use keytool to do that (check the openssl doc to see how to export the cert in DER format). This is typically done when you're using client authentication on the SSL connection (i.e., the client must present a certificate to your server that has been signed by a CA that your server finds acceptable). This is pretty uncommon for public webservers, though.

The much more common situation is the server using the certificate *and the corresponding private key* to prove to clients that the server is who it says it is. This is what happens when you generate a private key and a Certificate Signing Request (CSR) for the server, send the CSR off to a CA like Verisign or Thawte, and then get back a certificate signed by the CA. In this case, you need to import *both* the certificate and its private key into the keystore, because Tomcat needs both to do SSL server authentication.

This is where keytool is annoyingly broken. keytool can generate a private key and CSR and import the cert that the CA gives you, but it cannot import a private key that it did not generate. The Java crypto api does support importing private keys into a keystore though, so you either need to write the code yourself or find the code elsewhere - that's what the website I gave below has.

If you're not a Java programmer and can't cajole one into compiling it for you, you might check out http://www.lazgosoftware.com/kse/. It has a GUI-based keytool replacement, but it's not free. (The original version was open-source; it looks like that's been pulled in favor of the payware version. You may be able to find a copy of the open-source one somewhere.)

-Jim

Chris Purcell wrote:

I want to make sure we're on the same page here. I have a certificate that looks like this...

-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
blablablabla
/WeCY0ZzyRYuHhQYIm3R+A==
-----END CERTIFICATE-----

I copied it to a plain text file called domain.cert and then ran this command and received this below error...

[EMAIL PROTECTED] root# /usr/java/bin/keytool -import -file domain.cert -storetype pkcs12
keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

Am I doing this right?

Thanks,
Chris

I saw your original post but forgot to reply ... You can use keytool to import the certificate using pkcs12 certificate store (add a '-storetype pkcs12' to keytool's arguments), which is supported by tomcat. Also, if your certificate is signed by an intermediate CA (meaning more than 2 certs on the chain), you will have to give each cert an alias name when you export it from openssl, otherwise the keytool won't recognize the chain. This really took me a while to figure out ...

HTH,
Dennis

On 5/25/2004 12:30 PM, Chris Purcell wrote:

Thanks for the link Jim, I'm just getting around to this certificate now, I got swamped with some extra work that I had to complete first. I looked at the link you sent, but there is a small problem, I don't know anything about Java:) What do I do with the source code given on the page? Should I copy it into a text file and run it with the java command? The only programming language I'm familiar with is Perl.

Thanks,
Chris

Hi Chris-

I had to do this myself a month ago. You can't use Sun's keytool to import private keys into keystores. You'll need to use something else to load the private key and corresponding cert into a keystore which Tomcat can then read. See the program and notes at http://www.comu.de/docs/tomcat_ssl.htm - it will explain how to use openssl to convert an existing private key and cert into a format that can then be loaded (using source code they provide) into a Java JKS keystore. Let me know if you need more details.

-Jim

Chris Purcell wrote:

I have an Apache server with an SSL certificate installed from a CA. It's just a plain text certificate that looks like this..

-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
blablablba
/WeCY0ZzyRYuHhQYIm3R+A==
-----END CERTIFICATE-----

I want to move this certificate to a new server that only runs Tomcat in standalone mode. I tried to convert it like this (below) but am getting an error...

[EMAIL PROTECTED] cert# openssl pkcs12 -export -inkey host-privkey.pem -in server.cert -out host.foo.org.pfx
[EMAIL PROTECTED] cert# /usr/java/bin/keytool -import -file host.foo.org.pfx
Enter keystore password: changeit
keytool error: java.lang.Exception: Input not an X.509 certificate

Am I doing something wrong here?

Thanks,
Chris
Re: converting a certificate for use on Tomcat
Hi Chris-

I had to do this myself a month ago. You can't use Sun's keytool to import private keys into keystores. You'll need to use something else to load the private key and corresponding cert into a keystore which Tomcat can then read. See the program and notes at http://www.comu.de/docs/tomcat_ssl.htm - it will explain how to use openssl to convert an existing private key and cert into a format that can then be loaded (using source code they provide) into a Java JKS keystore. Let me know if you need more details.

-Jim

Chris Purcell wrote:

I have an Apache server with an SSL certificate installed from a CA. It's just a plain text certificate that looks like this..

-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
blablablba
/WeCY0ZzyRYuHhQYIm3R+A==
-----END CERTIFICATE-----

I want to move this certificate to a new server that only runs Tomcat in standalone mode. I tried to convert it like this (below) but am getting an error...

[EMAIL PROTECTED] cert# openssl pkcs12 -export -inkey host-privkey.pem -in server.cert -out host.foo.org.pfx
[EMAIL PROTECTED] cert# /usr/java/bin/keytool -import -file host.foo.org.pfx
Enter keystore password: changeit
keytool error: java.lang.Exception: Input not an X.509 certificate

Am I doing something wrong here?

Thanks,
Chris
Re: parse error in application web.xml under 5.0.24 but not 5.0.19
The problem was my webapps needed to have the 'privileged' attribute set to true on the Context tag. Reading the doc on the privileged attribute on the Context tag, it says

Set to true to allow this context to use container servlets, like the manager servlet.

I've been unable to find any additional information on container servlets in the Servlet Spec, and searching the source code didn't lead to any insight. Which leads me to three questions:

1) What is a container servlet?
2) How does Tomcat determine that my webapp is a container servlet?
3) Why didn't I need to set the privileged attribute in 5.0.19?

Thanks,
Jim

Jim Hopp wrote:

I've just upgraded from 5.0.19 to 5.0.24. My webapps worked fine under 5.0.19, but Tomcat is throwing the exception below under 5.0.24 when it tries to start the webapp. (The apps also start properly under 5.0.20, but fail under 5.0.21 with the same exception so it appears that a change made in 5.0.21 is causing the problem.) My server.xml and web.xml follow the exception trace.
May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: Starting tomcat.localhost./property.Context May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext createObjectNam e FINE: Registering j2eeType=WebModule,name=//localhost/property,J2EEApplication=n one,J2EEServer=none for null May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: Configuring default Resources May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: No realm for this host directory:type=Host,host=localhost,path=/property May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: Configuring non-privileged default Loader May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: Processing standard container startup May 10, 2004 3:33:31 PM org.apache.catalina.core.StandardContext setPublicId FINE: Setting deployment descriptor public ID to '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' May 10, 2004 3:33:31 PM org.apache.commons.digester.Digester endElement SEVERE: End event threw exception java.lang.ClassNotFoundException: org.apache.catalina.Container at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoa der.java:1340) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoa der.java:1189) at org.apache.commons.digester.SetNextRule.end(SetNextRule.java:243) at org.apache.commons.digester.Rule.end(Rule.java:276) at org.apache.commons.digester.Digester.endElement(Digester.java:1058) at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source ) at org.apache.xerces.impl.dtd.XMLDTDValidator.endNamespaceScope(Unknown Source) at org.apache.xerces.impl.dtd.XMLDTDValidator.handleEndElement(Unknown S ource) at org.apache.xerces.impl.dtd.XMLDTDValidator.endElement(Unknown Source) at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement( Unknown Source) at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContent 
Dispatcher.dispatch(Unknown Source) at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Un known Source) at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) at org.apache.commons.digester.Digester.parse(Digester.java:1548) at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextCo nfig.java:263) at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:62 4) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfi g.java:216) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(Lifecycl eSupport.java:119) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4 268) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1083) at org.apache.catalina.core.StandardHost.start(StandardHost.java:789) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1083) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:478 ) at org.apache.catalina.core.StandardService.start(StandardService.java:4 76) at org.apache.catalina.core.StandardServer.start(StandardServer.java:229 8) at org.apache.catalina.startup.Catalina.start(Catalina.java:556) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl. java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces sorImpl.java:25) at java.lang.reflect.Method.invoke
parse error in application web.xml under 5.0.24 but not 5.0.19
I've just upgraded from 5.0.19 to 5.0.24. My webapps worked fine under 5.0.19, but Tomcat is throwing the exception below under 5.0.24 when it tries to start the webapp. (The apps also start properly under 5.0.20, but fail under 5.0.21 with the same exception so it appears that a change made in 5.0.21 is causing the problem.) My server.xml and web.xml follow the exception trace. May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: Starting tomcat.localhost./property.Context May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext createObjectNam e FINE: Registering j2eeType=WebModule,name=//localhost/property,J2EEApplication=n one,J2EEServer=none for null May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: Configuring default Resources May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: No realm for this host directory:type=Host,host=localhost,path=/property May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: Configuring non-privileged default Loader May 10, 2004 3:33:30 PM org.apache.catalina.core.StandardContext start FINE: Processing standard container startup May 10, 2004 3:33:31 PM org.apache.catalina.core.StandardContext setPublicId FINE: Setting deployment descriptor public ID to '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' May 10, 2004 3:33:31 PM org.apache.commons.digester.Digester endElement SEVERE: End event threw exception java.lang.ClassNotFoundException: org.apache.catalina.Container at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoa der.java:1340) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoa der.java:1189) at org.apache.commons.digester.SetNextRule.end(SetNextRule.java:243) at org.apache.commons.digester.Rule.end(Rule.java:276) at org.apache.commons.digester.Digester.endElement(Digester.java:1058) at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source ) at 
org.apache.xerces.impl.dtd.XMLDTDValidator.endNamespaceScope(Unknown Source) at org.apache.xerces.impl.dtd.XMLDTDValidator.handleEndElement(Unknown S ource) at org.apache.xerces.impl.dtd.XMLDTDValidator.endElement(Unknown Source) at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement( Unknown Source) at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContent Dispatcher.dispatch(Unknown Source) at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Un known Source) at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) at org.apache.commons.digester.Digester.parse(Digester.java:1548) at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextCo nfig.java:263) at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:62 4) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfi g.java:216) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(Lifecycl eSupport.java:119) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4 268) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1083) at org.apache.catalina.core.StandardHost.start(StandardHost.java:789) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1083) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:478 ) at org.apache.catalina.core.StandardService.start(StandardService.java:4 76) at org.apache.catalina.core.StandardServer.start(StandardServer.java:229 8) at org.apache.catalina.startup.Catalina.start(Catalina.java:556) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl. 
java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces sorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:284) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:422) May 10, 2004 3:33:31 PM org.apache.catalina.startup.ContextConfig applicationCon fig SEVERE: Parse error in application web.xml java.lang.ClassNotFoundException: org.apache.catalina.Container at org.apache.commons.digester.Digester.createSAXException(Digester.java :2540) at org.apache.commons.digester.Digester.createSAXException(Digester.java :2566) at org.apache.commons.digester.Digester.endElement(Digester.java:1061) at
Re: Importing an existing ssl *KEY* into my keystore
Check out http://www.comu.de/docs/tomcat_ssl.htm

-Jim

Carl Howells wrote:

Since my company is using SSL for several different functions on our target machine, we used openSSL to generate the key and certificate signing request that we got our signed certificate made from. Only after that did I discover that keytool is braindamaged, and it won't import a key into a keystore. It will only create a new key and import certificates. So how do I make this work? I've searched and searched, and found many people with the same problem, and no one's ever answered it.

I have no great attachment to the JKS store format, and would use PKCS12, if I could find directions for building the PKCS12 file with the entire certificate chain in it. But a great deal of searching led me to nothing there, as well.

Can anyone point me to instructions for getting either store format to work with an existing key?
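
Two questions from the threads above can be reproduced with openssl alone: why a client that trusts only the root accepts a server certificate once the intermediates arrive with it, and how to build a PKCS12 file holding an existing key together with its entire chain. This is an added example, not code from any poster or from the Tomcat project; the throwaway chain, the demo-* subject names and the tomcat alias are constructed for it, and changeit is the password quoted in the thread.

```shell
#!/bin/sh
# Added example. Keys, subjects and the "tomcat" alias are constructed for this
# demo; "changeit" is the keystore password quoted in the thread.

# Build root -> intermediate -> leaf in directory $1.
make_chain() {
    d=$1
    # Extensions that mark a certificate as a CA (root and intermediate need them).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=demo-$n" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root: the only certificate the "client" will trust.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" \
        2>/dev/null || return 1
    # Server certificate, signed by the intermediate and not by the root.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Validate the leaf as a client whose trust store holds only the root.
# $2 (optional) is a file of untrusted intermediates, standing in for the
# chain the server sends during the handshake. Returns 0 if accepted.
verify_leaf() {
    d=$1
    if [ -n "$2" ]; then
        openssl verify -CAfile "$d/root.pem" -untrusted "$2" "$d/leaf.pem" 2>&1 \
            | grep -q ': OK'
    else
        openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1 | grep -q ': OK'
    fi
}

# Bundle the existing private key, its certificate and the rest of the chain
# into one PKCS12 file. A .pfx/.p12 is a key-plus-certificates container, not
# a certificate, which is why "keytool -import -file host.foo.org.pfx" answered
# "Input not an X.509 certificate" in the thread.
bundle_p12() {
    d=$1
    cat "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
        -certfile "$d/chain.pem" -name tomcat \
        -passout pass:changeit -out "$d/server.p12"
}

# Count what ended up inside the PKCS12 file.
count_p12_certs() {
    openssl pkcs12 -in "$1/server.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
count_p12_keys() {
    openssl pkcs12 -in "$1/server.p12" -passin pass:changeit -nocerts -nodes \
        2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY'
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_chain "$demo_dir" && bundle_p12 "$demo_dir" || echo "openssl setup failed"

if verify_leaf "$demo_dir"; then
    echo "root only, no intermediates supplied: accepted"
else
    echo "root only, no intermediates supplied: rejected"
fi
if verify_leaf "$demo_dir" "$demo_dir/inter.pem"; then
    echo "root trusted, intermediate supplied by server: accepted"
else
    echo "root trusted, intermediate supplied by server: rejected"
fi
echo "certificates in server.p12: $(count_p12_certs "$demo_dir")"
echo "private keys in server.p12: $(count_p12_keys "$demo_dir")"
```

As Dennis notes in the thread, Tomcat supports the pkcs12 store type, so the connector can be pointed at a file like server.p12 with keystoreType set to PKCS12 instead of converting it to JKS.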
SOLUTION: context mapping problem after upgrade from 4.1.29 to 4.1.30
I found the solution to this problem. The symptom was that ALL request URI's were treated as '' under 4.1.30, using the same server.xml file that had worked fine under 4.1.29. The solution was to add 'useURIValidationHack=false' to each of the Connector statements. Apparently setting this attribute was optional under 4.1.29, but required under 4.1.30.

-Jim

Jim Hopp wrote:

Greetings-

I've just upgraded my development environment from Tomcat 4.1.29 to 4.1.30 (Win XP, jdk 1.4.2). It appears that my URI's are not mapped to the same context under 4.1.30 as they were under 4.1.29. I've made no changes to any of my config files; I simply upgraded Tomcat.

Here's a snippet of my process log from 4.1.29, which works as I expect it to:

2004-03-30 11:52:59 StandardHost[localhost]: Mapping request URI '/fileupload/fileUpload.html'
2004-03-30 11:52:59 StandardHost[localhost]: Trying the longest context path prefix
2004-03-30 11:52:59 StandardHost[localhost]: Mapped to context '/fileupload'
2004-03-30 11:52:59 default: DefaultServlet.serveResource: Serving resource '/fileUpload.html' headers and data
2004-03-30 11:52:59 default: DefaultServlet.serveFile: lastModified='2004-03-30 11:48:46.455'
2004-03-30 11:52:59 default: DefaultServlet.serveFile: contentType='text/html'
2004-03-30 11:52:59 default: DefaultServlet.serveFile: contentLength=1830

Here's the same request under 4.1.30, not working as I expected it to:

2004-03-30 13:41:22 StandardHost[localhost]: Mapping request URI ''
2004-03-30 13:41:22 StandardHost[localhost]: Trying the longest context path prefix
2004-03-30 13:41:22 StandardHost[localhost]: Mapped to context ''

Here's the Host section of the server.xml:

<Host name="localhost" appBase="c:/tomcat/webapps" workDir="c:/cvs-work/dvlp/temp/tomcat-ui/ui/localhost" autoDeploy="false" liveDeploy="false" debug="10" deployXML="false">
  <Context path="/manager" privileged="true" docBase="c:/tomcat/server/webapps/manager">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
  </Context>
  <Context path="" docBase="c:/cvs-work/dvlp/bin/ui" reloadable="true">
    <Manager className="org.apache.catalina.session.PersistentManager" checkInterval="60" maxInactiveInterval="120" saveOnRestart="false"/>
    <Parameter name="version" value="dev"/>
    <Resource name="nyw/directory" auth="Container" type="nyw.dir.Directory"/>
    <ResourceParams name="nyw/directory">
      <parameter><name>factory</name><value>nyw.dir.DirectoryObjectFactory</value></parameter>
      <parameter><name>url</name><value>http://localhost:13001/property</value></parameter>
    </ResourceParams>
    <Resource name="nyw/xmltranslator" auth="Container" type="nyw.ui.XMLTranslator"/>
    <ResourceParams name="nyw/xmltranslator">
      <parameter><name>factory</name><value>nyw.ui.XMLTranslatorObjectFactory</value></parameter>
      <parameter><name>cache</name><value>false</value></parameter>
      <parameter><name>xsltRoot</name><value>jndi:/localhost/</value></parameter>
      <parameter><name>fopUserConfig</name><value>c:/cvs-work/dvlp/conf/tomcat-ui/conf/fopUserConfig.xml</value></parameter>
    </ResourceParams>
    <Resource name="nyw/aodfactory" auth="Container" type="nyw.aod.comm.AODFactory"/>
    <ResourceParams name="nyw/aodfactory">
      <parameter><name>factory</name><value>nyw.aod.comm.AODFactoryObjectFactory</value></parameter>
    </ResourceParams>
    <Resource name="nyw/performancemonitor" auth="Container" type="nyw.util.PerformanceMonitor"/>
    <ResourceParams name="nyw/performancemonitor">
      <parameter><name>factory</name><value>nyw.util.PerformanceMonitorObjectFactory</value></parameter>
    </ResourceParams>
    <Resource name="mail/session" auth="Container" type="javax.mail.Session"/>
    <ResourceParams name="mail/session">
      <parameter><name>mail.smtp.host</name><value>p1.netyourwork.com</value></parameter>
    </ResourceParams>
  </Context>
  <Context path="/fileupload" docBase="c:/cvs-work/dvlp/bin/fileupload" reloadable="true">
    <Resource name="nyw/directory" auth="Container" type="nyw.dir.Directory"/>
    <ResourceParams name="nyw/directory">
      <parameter><name>factory</name><value>nyw.dir.DirectoryObjectFactory</value></parameter>
      <parameter><name>url</name><value>http://localhost:13001/property</value></parameter>
    </ResourceParams>
    <Resource name="nyw/aodfactory"
context mapping problem after upgrade from 4.1.29 to 4.1.30
    <Resource name="nyw/performancemonitor" auth="Container" type="nyw.util.PerformanceMonitor"/>
    <ResourceParams name="nyw/performancemonitor">
      <parameter><name>factory</name><value>nyw.util.PerformanceMonitorObjectFactory</value></parameter>
    </ResourceParams>
  </Context>
</Host>

I'm sure it's a configuration problem, but I haven't been able to discern any changes in Tomcat introduced in 4.1.30 that would cause this problem, and haven't found anything via Google or mailing list archive searches. Any ideas/pointers?

Thanks,
Jim Hopp
Re: occasional ArrayIndexOutOfBoundsException in MsgAjp on linux
Sure - Here's a complete request dump.

Feb 14, 2004 9:22:11 AM org.apache.jk.common.HandlerRequest invoke
SEVERE: Error decoding request
java.lang.ArrayIndexOutOfBoundsException: 29062
at org.apache.jk.common.MsgAjp.getInt(MsgAjp.java:233)
at org.apache.jk.common.MsgAjp.getBytes(MsgAjp.java:257)
at org.apache.jk.common.HandlerRequest.decodeRequest(HandlerRequest.java:502)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:365)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:673)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:615)
at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:786)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:666)
at java.lang.Thread.run(Thread.java:534)

Bill Barker wrote:

Could I see the rest of the request dump (the part after the 'snip')?

Jim Hopp [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Greetings- We're running Apache
occasional ArrayIndexOutOfBoundsException in MsgAjp on linux
Greetings-

We're running Apache 2.0.48, JK 1.2.5, and Tomcat 4.1.29, java

    java version 1.4.2
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2-b28)
    Java HotSpot(TM) Client VM (build 1.4.2-b28, mixed mode)

on Linux 2.4.20 with glibc 2.3.2 in a production environment. We're not using the LD_ASSUME_KERNEL export since we're not running glibc 2.2.

Two or three times a day, I'll see this exception in the Tomcat log:

Feb 13, 2004 12:43:00 PM org.apache.jk.common.HandlerRequest invoke
SEVERE: Error decoding request
java.lang.ArrayIndexOutOfBoundsException: 11968
    at org.apache.jk.common.MsgAjp.getInt(MsgAjp.java:233)
    at org.apache.jk.common.MsgAjp.getBytes(MsgAjp.java:257)
    at org.apache.jk.common.HandlerRequest.decodeHeaders(HandlerRequest.java:676)
    at org.apache.jk.common.HandlerRequest.decodeRequest(HandlerRequest.java:512)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:365)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:673)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:615)
    at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:786)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:666)
    at java.lang.Thread.run(Thread.java:534)
12 34 05 17 02 02 00 08 48 54 54 50 2f 31 2e 31 | .4..HTTP/1.1
00 00 15 2f 69 6d 61 67 65 73 2f 72 65 6c 5f 74 | .../images/rel_t
61 73 6b 73 2e 67 69 66 00 00 0b 36 37 2e 31 36 | asks.gif...67.16
snip

In the jk log I'll see

[Fri Feb 13 12:43:00 2004] [jk_ajp_common.c (738)]: ERROR: can't receive the response message from tomcat, network problems or tomcat is down. err=-104
[Fri Feb 13 12:43:00 2004] [jk_ajp_common.c (738)]: ERROR: can't receive the response message from tomcat, network problems or tomcat is down. err=-1
[Fri Feb 13 12:43:00 2004] [jk_ajp_common.c (1290)]: ERROR: Receiving from tomcat failed, recoverable operation. err=0
[Fri Feb 13 12:43:00 2004] [jk_ajp_common.c (1290)]: ERROR: Receiving from tomcat failed, recoverable operation. err=0

The Apache child process then becomes unresponsive, and Apache starts another child process to service requests. The first child process immediately sucks up all of a CPU (we're running on a four-CPU box), and doesn't die until we restart Apache. Tomcat keeps going. The user simply refreshes their page, and this time the request goes through. Other than this, everything works great.

I cannot find any mention of this error in Bugzilla or thru Google. Here's my workers.properties, and jk conf files:

workers.properties:

worker.list=ui, mrkt
worker.ui.type=ajp13
worker.ui.host=127.0.0.1
worker.ui.port=8019
worker.ui.cachesize=10
worker.ui.cache_timeout=600
worker.ui.connect_timeout=500
worker.ui.prepost_timeout=500
worker.mrkt.type=ajp13
worker.mrkt.host=127.0.0.1
worker.mrkt.port=8029
worker.mrkt.cachesize=10
worker.mrkt.cache_timeout=600
worker.mrkt.connect_timeout=500
worker.mrkt.prepost_timeout=500

jk1.conf: (gets included in a vhost section):

JkOptions -ForwardKeySize -ForwardDirectories -ForwardURICompat +ForwardURICompatUnparsed
# note that the last JkLogFile set applies to all vhosts, not just this one.
JkLogFile /var/log/httpd/jk-ui.log
JkLogLevel info
JkLogStampFormat [%a %b %d %H:%M:%S %Y]
# JkRequestLogFormat set the request format
#JkRequestLogFormat %w %V %T
JkRequestLogFormat %V %U %w %s %b %T
JkMount /* ui

jk2.conf (included in another vhost):

JkOptions -ForwardKeySize -ForwardDirectories -ForwardURICompat +ForwardURICompatUnparsed
# note that the last JkLogFile set applies to all vhosts, not just this one.
JkLogFile /var/log/httpd/jk.log
JkLogLevel info
JkLogStampFormat [%a %b %d %H:%M:%S %Y]
# JkRequestLogFormat set the request format
#JkRequestLogFormat %w %V %T
JkRequestLogFormat %V %U %w %s %b %T
JkMount /demoRegistration/mail.servlet mrkt
JkMount /demoRegistration/ping.servlet mrkt
JkMount /freeQBTrial/mail.servlet mrkt
JkMount /freeQBTrial/ping.servlet mrkt
JkMount /talkToUs/mail.servlet mrkt
JkMount /talkToUs/ping.servlet mrkt
JkMount /buyIt/mail.servlet mrkt
JkMount /buyIt/ping.servlet mrkt
JkMount /qbupload/qbupload.servlet mrkt
JkMount /qbupload/ping.servlet mrkt

I'd be grateful for any ideas/comments/things to try.

-Jim Hopp
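Both stack traces in this thread fail inside MsgAjp.getInt while a length-prefixed field is being read from the packet. The following is an added example, not part of the thread and not Tomcat's or mod_jk's code: a Python decoder for the start of an AJP13 forward request that checks every length against the bytes actually received and rejects the packet with a decode error instead of an index error. The class and function names are hypothetical and both sample packets are constructed.

```python
import struct

AJP_MAGIC = b"\x12\x34"      # prefix on web-server-to-container packets
FORWARD_REQUEST = 0x02       # prefix code of a forward-request message

class AjpDecodeError(ValueError):
    """Malformed packet; the caller should log it and drop the connection."""

class AjpReader:             # hypothetical name, not a Tomcat class
    def __init__(self, packet: bytes):
        if len(packet) < 4 or packet[:2] != AJP_MAGIC:
            raise AjpDecodeError("bad magic or short header")
        (declared,) = struct.unpack(">H", packet[2:4])
        if declared != len(packet) - 4:
            raise AjpDecodeError(f"declared {declared} bytes, got {len(packet) - 4}")
        self.buf, self.pos = packet, 4

    def take(self, n: int) -> bytes:
        left = len(self.buf) - self.pos
        if n > left:         # the check that turns an index error into a clean reject
            raise AjpDecodeError(f"need {n} bytes at offset {self.pos}, {left} left")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def string(self):
        n = struct.unpack(">H", self.take(2))[0]
        if n == 0xFFFF:      # AJP13 encodes a null string as length 0xFFFF
            return None
        data = self.take(n + 1)          # string bytes plus trailing NUL
        if data[-1] != 0:
            raise AjpDecodeError("string is not NUL-terminated")
        return data[:-1].decode("latin-1")

def ajp_string(s: str) -> bytes:
    raw = s.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def decode_request_line(packet: bytes):
    r = AjpReader(packet)
    if r.take(1)[0] != FORWARD_REQUEST:
        raise AjpDecodeError("not a forward-request packet")
    return r.take(1)[0], r.string(), r.string()   # method code, protocol, URI

# Constructed sample: GET (method code 2) for a made-up URI.
payload = bytes([FORWARD_REQUEST, 2]) + ajp_string("HTTP/1.1") + ajp_string("/images/example.gif")
GOOD = AJP_MAGIC + struct.pack(">H", len(payload)) + payload
# Constructed damage: the URI length field (offset 17) overwritten with text bytes "ag".
BAD = GOOD[:17] + b"ag" + GOOD[19:]
```

Logging the offset and the requested length on rejection gives the operator the same information as the index in the exception, without leaving the connection in an undefined state.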
Re: Can't load SVG pages
A bug introduced in 4.1.29 causes problems with SVGs (and a similar problem for PDF's). See http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24970 for a description and patch for 4.1.29. You can download a patched .class file as well; read the bug log for directions.

-Jim

xon wrote:
Hello, I would like to know if there is a work around to get Tomcat 4.1 and Tomcat 5.0 to load SVG pages. I tried using %@ page contentType=image/svg+xml % and % response.setContentType(image/svg-xml); % This seems to work only in Tomcat 4.0. Thanks.
jk2 and ip-based vhosts
I'm attempting to set up apache 2.0 and jk2 to use IP-based virtual hosts, with no success. I'd love it if someone on the list could point out what I'm doing wrong (or point me to some doc that shows how to do this - I've had no luck googling).

I've got apache up and running on a machine with two IP addresses. I'd like to run two tomcat instances, with exactly the same URI mapping, one for each IP address. The problem is that jk2 doesn't appear to take the IP address of the request into account - it simply routes the request to the JkUriSet defined last in the httpd.conf file.

Google searches show examples of this working for jk, but I cannot find any examples of this for jk2. If I can't figure this out I may have to go back to jk.

Below are my jk2.conf, workers2.properties, and ssl.conf (which is included into httpd.conf) files. I'm running Apache 2.0.45, Tomcat 4.1.24, and jk2 from jakarta-tomcat-connectors-4.1.24-src on RedHat 9.

jk2.conf:

JkOptions -ForwardKeySize -ForwardDirectories -ForwardURICompat +ForwardURICompatUnparsed
JkWorkersFile conf/workers2.properties
JkLogFile /var/log/httpd/jk2.log
JkLogLevel debug
JkLogStampFormat [%d/%b/%Y %H:%M:%S]
# JkRequestLogFormat set the request format
JkRequestLogFormat %w %V %T

workers2.properties:

[logger]
level=DEBUG

[shm:]
info=Scoreboard. Required for reconfig info and status
file=/var/log/httpd/jk2.shm
size=100
debug=0
disabled=0

[workerEnv:]
info=Global Server options
timing=0
debug=1

[channel.socket:68.166.222.75:8019]
info=Ajp13 forwarding over socket for nywdev
debug=1
host=68.166.222.75
tomcatId=dev1:8019

[channel.socket:68.166.222.77:8029]
info=Ajp13 forwarding over socket for nywdev2
debug=1
host=68.166.222.77
tomcatId=dev2:8029

[status:]
info=Status worker, displays runtime info

ssl.conf vhost defns:

VirtualHost 68.166.222.77:443
    TransferLog /var/log/httpd/dev.access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:!SSLv2
    SSLCertificateFile /usr/local/etc/httpd/conf/httpd.crt
    SSLCertificateKeyFile /usr/local/etc/httpd/conf/httpd.key
    SetEnvIf User-Agent .*MSIE.* \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ui.ssl_request_log \
        %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \%r\ %b
    Directory /
        Order Deny,Allow
        Deny from All
    /Directory
    Location /jkstatus/*
        SSLRequireSSL
        Order Allow,Deny
        Allow from All
        JkUriSet worker status:
    /Location
    Location /
        SSLRequireSSL
        Order Allow,Deny
        Allow from All
        JkUriSet worker ajp13:68.166.222.77:8029
    /Location
/VirtualHost

VirtualHost 68.166.222.75:443
    TransferLog /var/log/httpd/ui.access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:!SSLv2
    SSLCertificateFile /usr/local/etc/httpd/conf/httpd.crt
    SSLCertificateKeyFile /usr/local/etc/httpd/conf/httpd.key
    SetEnvIf User-Agent .*MSIE.* \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ui.ssl_request_log \
        %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \%r\ %b
    Directory /
        Order Deny,Allow
        Deny from All
    /Directory
    Location /jkstatus/*
        SSLRequireSSL
        Order Allow,Deny
        Allow from All
        JkUriSet worker status:
    /Location
    Location /
        SSLRequireSSL
        Order Allow,Deny
        Allow from All
        JkUriSet worker ajp13:68.166.222.75:8019
    /Location
/VirtualHost