Re: JkSetEnv and Servlet Filters
Keith Ealanta wrote:
> Rainer Jung wrote:
>> Keith Ealanta wrote:
>>> public void doFilter(ServletRequest servletRequest,
>>>         ServletResponse servletResponse, FilterChain filterChain)
>>>         throws IOException, ServletException {
>>>     log.debug("\nAttributes ... begin.\n");
>>>     Enumeration attributeNames = servletRequest.getAttributeNames();
>>>     while (attributeNames.hasMoreElements()) {
>>>         String attributeName = (String) attributeNames.nextElement();
>>>         log.debug(attributeName + " " + servletRequest.getAttribute(attributeName));
>>>     }
>>>     log.debug("\nAttributes ... end.\n");
>>>     // etc.
>>> }
>>
>> Aha! This unfortunately doesn't work. The attributes coming in via the AJP protocol can be retrieved via request.getAttribute(), but are not (!) shown in getAttributeNames().
>
> Bingo. Thank-you. That fixed it. Do you know if this is for some good and clever reason? If it is we should probably note this limitation in the doco. If it's not, then should I raise it as a bug on tomcat?

I'll add a note to the JkSetEnvVar docs, but you should raise a TC bug in bugzilla, so we can discuss. At least for me it is violating the spec. I assume there's no clever reason for it, but the handling of the request attributes in the AJP case is somewhat delicate.

> Regards (and further thanks)
> Keith

Regards,
Rainer

- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat problem on a multiple CPU system
I open 8 IE on a remote computer, basically once a JSP is called, the browser is just waiting for the process to be done.

-----Original Message-----
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: 4 May 2008 23:00
To: Tomcat Users List
Subject: Re: Tomcat problem on a multiple CPU system

Can you describe how you open the 8 browser windows and what browser you are using? I ask because those 8 browser windows may be coming from one process and using at most 2 connections, hence the slower processing. Firefox normally only has one process no matter how you open the new windows. IE can be 8 separate processes if you launch each separately from Explorer (ie the Start button or desktop shortcut) and not use the new window menu option or ctrl-n.

--David

Gilbert, Antoine wrote:

Well, each process is an image rendering process. But my point is, if I launch 8 threads directly in a JVM outside of Tomcat, it runs faster and uses 100% of the 8 CPU... If I make a Servlet (or a JSP) which will start a process each time I call it (I call it 8 times).

So, the big question is, why is it fast directly on the JVM and slow on Tomcat? Why, with Tomcat, is it not possible to use 100% of all the 8 CPU?

There is no data transfer between client and server, in both cases the images are rendered on the disk. I just made this rendering test to expose the fact that I'm unable to make my Tomcat use efficiently all my CPU.

So the big question, why do these 8 processes run better than these 8 processes within Tomcat?

-----Original Message-----
From: Alan Chaney [mailto:[EMAIL PROTECTED]
Sent: 4 May 2008 17:33
To: Tomcat Users List
Subject: Re: Tomcat problem on a multiple CPU system

Hi Antoine

The thing to remember is that this is a system which has (at least) four main parts:

1. Tomcat
2. The operating system
3. A network connection
4. Your application (and potentially)
5. A database (but you didn't mention that)

Here are some questions.

1. How do you make the connection to the servlet? Does the browser run on the same machine as the application?
2. Does your application create network traffic? If so, how many bytes are transferred to the browser? Each servlet thread will have to wait until the application has transferred all the data out.
3. What kind of disk activity does your application generate? Is it different when the app is running from the servlet?

Probably somewhere your servlet threads are sleeping waiting for a resource. You could do a thread dump to see what is happening (I don't use Windows so I can't remember how you do that with the Win setup).

In the end, you'll need to profile the system to work out where the bottlenecks are. You'll need to use network analysers and probably Java profilers to track down what's happening such as when packets are received, when the replies are generated and maybe profile what your app. is doing.

HTH
Alan Chaney

Gilbert, Antoine wrote:

Hi

I have a 2x quad core (8 cpu units) server.

If I start a java program and this one is launching (at the same time) 8 threads doing some CPU intensive jobs, all the CPU are used at 100%, and that's what I'm expecting..

But, if I am using Tomcat, and I call a servlet 8 times to process these 8 jobs, it takes longer to execute these same 8 jobs and all the CPU are not used at 100%, it's more like 30%...

Any idea about this problem or behavior?

I'm using Tomcat 5.5.17, Windows, JDK 1.6

Antoine

--
David Smith
Network Operations Supervisor
Department of Entomology
Cornell University
2132 Comstock Hall
Ithaca, NY 14853
Phone: (607) 255-9571
Fax: (607) 255-0940
Re: Tomcat problem on a multiple CPU system
Gilbert, Antoine wrote:
> I open 8 IE on a remote computer, basically once a JSP is called, the browser is just waiting the process to be done.

Use ieHttpHeaders, the AccessLogValve or similar to check when the requests are actually being sent. I suspect, as David suggested, that you have no more than two requests running in parallel.

You can tweak the registry to increase the concurrent connection limit or use a test tool like JMeter to increase the number of parallel requests.

Mark
RE: Tomcat problem on a multiple CPU system
I think I found the problem, but not the solution :(

I have the same problem on my local 2 cpu computer, if I start Tomcat in server (-server) mode I have exactly the same problem, i.e. Tomcat doesn't want to use all CPU resources..

If I start my Tomcat in client (-client) mode, my processes run faster by using 100% of all CPU...

But, my server is 64 bit, I'm using all the 64 bit stuff, and JDK 1.5 and 1.6 can only be started in server mode...

But I still don't understand why it's fast without Tomcat even in server mode since this is the default and only one mode...

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: 5 May 2008 07:26
To: Tomcat Users List
Subject: Re: Tomcat problem on a multiple CPU system

Gilbert, Antoine wrote:
> I open 8 IE on a remote computer, basically once a JSP is called, the browser is just waiting the process to be done.

Use ieHttpHeaders, the AccessLogValve or similar to check when the requests are actually being sent. I suspect, as David suggested, that you have no more than two requests running in parallel.

You can tweak the registry to increase the concurrent connection limit or use a test tool like JMeter to increase the number of parallel requests.

Mark
Accessing SSO from another host
Hi,

I'm using Tomcat with a custom single-sign-on valve. Is there a chance to access the sso-valve from another tomcat instance running on another server?

Currently I'm setting a cookie as soon as the sso has been performed and check values from that cookie in my other applications. But right now I would have to sign on at another link first, so that a cookie is written and then access the application on the other host.

What I would like to do is the following, when accessing my application: Check if SSO has been performed already. If not, access the SSO-valve from the tomcat running the sso-module for authentication, so that sso will be performed and the application can be accessed.

Is there a chance to do so? Any help would be greatly appreciated.

Thomas
mod_jk 1.2.5: workers are not balanced in the defined relation
Hello,

with Apache 1.3.26 and mod_jk 1.2.5 (Debian Woody) and two workers on Tomcat 5.5.20 I defined a load balancing worker:

    worker.router.type=lb
    worker.router.balanced_workers=worker1,worker2

with both workers like this (they are on different hosts):

    worker.worker1.port=8009
    worker.worker1.host=hostname{1|2}.domain
    worker.worker1.type=ajp13
    worker.worker1.lbfactor=5
    worker.worker1.socket_keepalive=1
    worker.worker1.socket_timeout=30

so the load balancing should be in the relation 5:5 = 1:1

But in fact it's 14:10 (1,4)

The one worker gets 1,4x more requests than the other. The two workers are identical in hardware, software and webapps.

Is this a known bug within mod_jk or what might I have done wrong?

Thanks!

P.S. Yes, I know Woody is a little bit out of date...
Re: authenticated but not authorized -- blank page
Lloyd,

DIGLLOYD INC wrote:
| I don't read schemas well. Perhaps if you would be so kind as to
| explain why it's wrong? Is it because there is more than one
| role-name specified eg it needs to be:
|
| <security-role>
|    <role-name>guest1</role-name>
| </security-role>
| <security-role>
|    <role-name>guest2</role-name>
| </security-role>

That's exactly right. security-role looks like this in DTD-speak:

<!ELEMENT security-role (description?, role-name)>

The idea is that you can enumerate the roles and give them human-readable descriptions. The servlet specification also states that roles used in other places must be defined in a security-role section, but most servers ignore this requirement.

-chris
RE: authenticated but not authorized -- blank page
> From: DIGLLOYD INC [mailto:[EMAIL PROTECTED]
> Subject: Re: authenticated but not authorized -- blank page
>
> Is it because there is more than one role-name specified eg it needs to be:
>
> <security-role>
>    <role-name>guest1</role-name>
> </security-role>
> <security-role>
>    <role-name>guest2</role-name>
> </security-role>

Yes, the javaee schema allows only one role-name element within a security-role. Tomcat seems to allow multiple role-name elements here, but I don't know if it does anything useful with the extras.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Tomcat problem on a multiple CPU system
Gilbert,

Gilbert, Antoine wrote:
| My English is not very good, I'll try to explain again
|
| For example, my test outside of Tomcat
|
| for(int i=0;i<8;i++){
|     Thread t = new Thread(new Runner());
|     t.setDaemon(true);
|     t.start();
|     if(i==7)
|         t.join();
| }
|
| My Runner class does some image rendering test...
|
| If I run this directly using Java.exe all is fine, 100% of the 8 CPU are
| used and it runs fast..
|
| If I create a JSP and put the Runner code in it, I open 8 browser
| windows to launch 8 processes via Tomcat, it runs slow and it's using like
| 30% of all CPU...

Er... if you run that code above 8 times, you're running 64 image rendering operations, not 8. Is that what you meant to do?

-chris
Re: mod_jk 1.2.5: workers are not balanced in the defined relation
Stephanie,

Stephanie Wullbieter wrote:
| with Apache 1.3.26 and mod_jk 1.2.5

Stop right there. If possible, upgrade to mod_jk 1.2.26 (the current version). There should be no compatibility problems between 1.2.5 and 1.2.26 but a /lot/ of things have been improved and fixed since then.

Repeat your tests with 1.2.26 and let us know if anything changed. If you can't upgrade, please explain why.

-chris
Re: TOMCAT CLUSTERING HOWTO
Hi

How to test TOMCAT CLUSTERING without a load balancer?

As per the Tomcat 5.5.23 Cluster HowTo documents, I have only tried to cluster 2 TOMCATS on the SAME machine, sharing the same JVM, but I am not able to test the clustering.

Am I doing something wrong here?

with regards
Karthik

Landon Fabbricino wrote:

I honestly have not tried clustering tomcat without Apache before. Just recently I set up a server farm with apache on one server and tomcat on two other servers (so 3 physical machines).

Apache contains the logic to handle the load balancing between the two tomcats:

jk.conf

    JkWorkersFile conf/workers.properties
    JkLogFile logs/jk_conn.log
    JkLogLevel error
    JkMount /loadbalance-test* loadbalancer

workers.properties

    ### Load Balancer Instances
    worker.tomcat1.type=ajp13
    worker.tomcat1.host=server1.domain.com
    worker.tomcat1.port=8009 #AJP Port
    worker.tomcat1.lbfactor=1
    worker.tomcat4.type=ajp13
    worker.tomcat4.host=server2.domain.com
    worker.tomcat4.port=8010#AJP Port
    worker.tomcat4.lbfactor=1
    ### Define Mount Points
    # Load Balance #
    worker.loadbalancer.type=lb
    worker.loadbalancer.balance_workers=tomcat1,tomcat2
    worker.loadbalancer.sticky_session=False
    worker.loadbalancer.method=B
    ### Load Mount Points
    worker.list=loadbalancer

karthikn [EMAIL PROTECTED] 4/30/2008 10:57:51 PM

Hi

As per the Tomcat 5.5.23 Cluster HowTo documents, I have only tried to cluster 2 TOMCATS on the SAME machine, sharing the same JVM.

> Could you provide your apache's worker.properties file?

I have so far not used any APACHE Http Server for load balancing.

with regards
Karthik

Landon Fabbricino wrote:

Could you provide your apache's worker.properties file?

karthikn [EMAIL PROTECTED] 4/30/2008 8:05:02 AM

Hi

Any more suggestions?

with regards
Karthik

karthikn wrote:

Hi

    <distributable/>

I have already added the same in my application's web.xml, but still no improvement.

with regards
Karthik

Landon Fabbricino wrote:

If I am not mistaken, you will need to add the following tag to your web.xml

CATALINA_HOME/webapps/your_app_name/WEB-INF/web.xml

    <!-- Required for session-replication in clustering mode -->
    <distributable/>

Landon Fabbricino
IT Applications
Phone: 403.225.7515
Fax: 403.225.7604
[EMAIL PROTECTED]

karthikn [EMAIL PROTECTED] 4/28/2008 11:34:43 PM

Hi

The following was done for the clustering (2 tomcats):

    Values              TOMCAT5523_I    TOMCAT5523_II
    Startup             8081            8082
    ShutDown            8007            8008
    AJP                 8009            8010
    TCP Listener        4001            4002
    tcpListenAddress    auto            auto
    jvmRoute            node01          node02

Deployment of a war file on TOMCAT5523_I displays in console as

    INFO: Starting clustering manager at /DATAGRID
    Apr 29, 2008 10:17:59 AM org.apache.catalina.cluster.session.DeltaManager getAllClusterSessions
    WARNING: Manager [/DATAGRID], requesting session state from org.apache.catalina.cluster.mcast.McastMember[tcp://10.10.16.63:4002,catalina,10.10.16.63,4002, alive=17593]. This operation will timeout if no session state has been received within 60 seconds.
    Apr 29, 2008 10:18:59 AM org.apache.catalina.cluster.session.DeltaManager waitForSendAllSessions
    SEVERE: Manager [/DATAGRID]: No session state send at 4/29/08 10:17 AM received, timing out after 60,109 ms.

TOMCAT5523_II displays on console as

    INFO: Replication member added:org.apache.catalina.cluster.mcast.McastMember[tcp://10.10.16.63:4001,catalina,10.10.16.63,4001, alive=16]
    Apr 29, 2008 10:17:59 AM org.apache.catalina.cluster.session.ClusterSessionListener messageReceived
    SEVERE: Context manager doesn't exist:/DATAGRID

Am I missing something while clustering?

with regards
Karthik

karthikn wrote:

Hi

I have a few questions which I was not able to get from the TOMCAT CLUSTERING HOWTO and forum.

a) Clustering

1) Do we need to deploy the war files on each individual Tomcat when joined to the clustering?

       deploy your apps only to one server, and the cluster will distribute the deployments across the entire cluster.

   This does not seem to work, after following the steps for 2 Tomcats (or am I missing something here?)

2) Is this a must-do configuration

       Make sure that all nodes have the same time and sync with NTP service!

   for the clusters to start functioning?

b) Load balancing

1) Using the balancer webapp, redirects to different URLs are done. Can we use the same to redirect to the clustered TOMCATs to do the load balancing internally based on RoundRobinRule, RandomRedirectRule?

Any URL or blog (other then
Re: Where to find mod_jk ?
Hi

Can I use mod_jk.so for Windows 2000 Apache 2.2 server?

Which one to use

http://mirrors.sirium.net/pub/apache/tomcat/tomcat-connectors/jk/binaries/win32/

or

http://mirrors.sirium.net/pub/apache/tomcat/tomcat-connectors/jk/binaries/win64/

with regards
Karthik

Mark Thomas wrote:
> karthikn wrote:
>> Hi
>>
>> Can somebody on the forum tell me where I can find Load Balancing mod_jk for Apache2.2 http server to Tomcat 5.5.23 connectors?
>>
>> OS = Win 2000 ,UNIX 11 pa
>>
>> I could not find one on apache mirror sites ...
>
> http://tomcat.apache.org/download-connectors.cgi
>
> Mark
JAAS authenticated user fails authorization check
I have written a JAAS-enabled web-app that successfully uses my LDAP service to authenticate a user and populate the Subject with several Principals. I have set up my web-app to use FORM based authentication and can successfully use request.isUserInRole("rolename") to authorize my user against the Principals. However, when I declare a protected resource declaratively, and specify that the resource is protected with "rolename", Tomcat fails to authorize the user for that resource.

The logging messages I receive are as follows:

    2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Login Page]' against GET /home.vm --> false
    2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Protected Velocity pages]' against GET /home.vm --> true
    2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - User data constraint has no restrictions
    2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - Checking roles CN=user1,OU=Active,OU=Users,OU=companyname,DC=domainname,DC=com
    2008-05-05 11:41:34,967 2406495 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - No role found: rolename

I notice that the Catalina source code does not use the isUserInRole method to authorize and I wonder why that's the case? More importantly, I wonder why my user cannot access a protected resource when that resource is protected by a security-constraint, when I can use a filter and programmatically check for that same role and succeed.

I am running Tomcat 5.5.12 with Sun 1.4.2_17 JVM.

Thanks for any and all help.

Robin.
url-pattern not working with AxisServlet
Not seeing the AxisServlet being invoked for /services/* url-pattern...

Web.xml ***

    <servlet>
        <servlet-name>AxisServlet</servlet-name>
        <display-name>Apache-Axis Servlet</display-name>
        <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
        <init-param>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/servlet/AxisServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>*.jws</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>
    <mime-mapping>
        <extension>inc</extension>
        <mime-type>text/plain</mime-type>
    </mime-mapping>
    <servlet>
        <servlet-name>action</servlet-name>
        <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
        <init-param>
        </init-param>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>action</servlet-name>
        <url-pattern>*.do</url-pattern>
    </servlet-mapping>

*** EOF **

Apache access INFO

    127.0.0.1 - - [05/May/2008:12:05:30 -0400] GET /services/TestService HTTP/1.1 404 306

Note there is no corresponding entry in the TOMCAT access log.

Interestingly, we are also using struts, which has a <url-pattern>*.do</url-pattern>; this produces some odd results...

If I execute the following URL

http://localhost//test/foo.do?SERIALNUMBER=XXXSTATUS=2

the appropriate struts action gets called... however, if I do this

http://localhost//services/foo.do <http://localhost/services/foo.do>

I end up in my AxisServlet break point. Which is where I want to be, but not using the *.do

Any ideas or help is much appreciated.

Kurt
Re: Where to find mod_jk ?
karthikn wrote:
> Hi
>
> Can I use mod_jk.so for Windows 2000 Apache 2.2 server?
>
> Which one to use
>
> http://mirrors.sirium.net/pub/apache/tomcat/tomcat-connectors/jk/binaries/win32/

Those are for 32 Bit Windows (that's what you have most likely, if you don't know otherwise).

> or
>
> http://mirrors.sirium.net/pub/apache/tomcat/tomcat-connectors/jk/binaries/win64/

Those are for 64 Bit Windows (that's the more unusual variant, at least nowadays).

> with regards
> Karthik

Regards,
Rainer

> Mark Thomas wrote:
>> karthikn wrote:
>>> Hi
>>>
>>> Can somebody on the forum tell me where I can find Load Balancing mod_jk for Apache2.2 http server to Tomcat 5.5.23 connectors?
>>>
>>> OS = Win 2000 ,UNIX 11 pa
>>>
>>> I could not find one on apache mirror sites ...
>>
>> http://tomcat.apache.org/download-connectors.cgi
>>
>> Mark
RE: JAAS authenticated user fails authorization check
> From: Robin Coe [mailto:[EMAIL PROTECTED]
> Subject: JAAS authenticated user fails authorization check
>
> However, when I declare a protected resource declaratively, and specify that the resource is protected with rolename, Tomcat fails to authorize the user for that resource.

Post your web.xml for the webapp, since this works fine for everyone else and we need to see what you really have configured. Also post the relevant parts of server.xml so we can see how the realm is set up. Finally, what file does the system property java.security.auth.login.config point to and what are the contents of that file?

- Chuck
Re: mod_jk 1.2.5: workers are not balanced in the defined relation
Christopher Schultz wrote:
> Stephanie,
>
> Stephanie Wullbieter wrote:
> | with Apache 1.3.26 and mod_jk 1.2.5
>
> Stop right there. If possible, upgrade to mod_jk 1.2.26 (the current version). There should be no compatibility problems between 1.2.5 and 1.2.26 but a /lot/ of things have been improved and fixed since then.

Yes, yes, yes. Especially the balancer has been rewritten completely.

> Repeat your tests with 1.2.26 and let us know if anything changed. If you can't upgrade, please explain why.
>
> -chris

It is very unlikely that you'll find someone willing to discuss 1.2.5 balancing problems, because only few users will use that code and it changed a lot since then.

Regards,
Rainer
RE: JAAS authenticated user fails authorization check
Thanks for the response. I tried to keep the original post simple, to see if there was a known problem with declaring realms in Tomcat. I've attached the most relevant parts of my web-app below. I included the part of web.xml that defines the security constraints; the context.xml contents, which sets up the JAASRealm; my LoginModule's commit() method, and the output from Tomcat for the full authentication handshake.

I tested the implementation of isUserInRole() by wild-carding the role, to force Tomcat to authenticate but not authorize:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Velocity templates</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

Then I used a filter to intercept my request and check for my roles. After authentication, the request gets to my authorization check, whereby I tested my Subject for its Principals:

    boolean test = request.isUserInRole( "landscape" );

After my login module authenticates me, test == true. However, as you can see from the Tomcat debug messages, attached below, Tomcat fails to see that my Subject holds the "landscape" Principal, even though a previous message shows that this Principal was added to my Subject.

Again, I appreciate any help and will try to add whatever info is asked for.

As a side note, I wrote my own implementation of the login process, using a servlet to hook into my login module, thus avoiding the declarative security. However, while this works, I am left with the fact that the user's credentials are easily discovered by a misplaced logging message, whereas it's much trickier to get the credentials when using Tomcat's implementation. The real pain, though, is that I would have to manage my own mappings between resources and roles.

Thanks again for any and all help.
Here's the relevant part to the web.xml (This section is actually much longer but I removed all the other url-patterns, as they obfuscated the part that I am testing):

    <!-- Define Security Constraints -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Velocity pages</web-resource-name>
            <url-pattern>/home.vm</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>landscape</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>Role required to see reports</description>
        <role-name>landscape</role-name>
    </security-role>

My context.xml:

    <?xml version="1.0"?>
    <Context>
        <Realm className="org.apache.catalina.realm.JAASRealm"
               appName="landscape"
               userClassNames="com.kaleidescape.logdb.webapp.security.auth.UserPrincipal"
               roleClassNames="com.kaleidescape.logdb.webapp.security.auth.UserGroupPrincipal"
               useContextClassLoader="false" />
    </Context>

The JAAS module is not based on a security policy file, I wrote it to work from a database. The login() method calls to my LDAP service provider and successfully authenticates me, returning my DN from the Active Directory server.
The commit() method of my login module looks like:

    public boolean commit() throws LoginException {
        if( m_authenticated ) {
            //add the user principal to the subject
            UserCredential usercred = new UserCredential( m_uid );
            m_subject.getPublicCredentials().add( usercred );
            UserPrincipal user = new UserPrincipal( m_username );
            m_subject.getPrincipals().add( user );
            //add the entitlements (i.e., roles) that the user belongs to
            try {
                Set entitlements = AuthUtil.getUserEntitlements( m_username );
                Iterator it = entitlements.iterator();
                while( it.hasNext() ) {
                    Entitlement entitlement = (Entitlement)it.next();
                    UserGroupPrincipal group = new UserGroupPrincipal( entitlement.getName() );
                    m_subject.getPrincipals().add( group );
                }
            } catch( KException e ) {
                throw new LoginException( "Error while attempting to retrieve group " +
                    "names from the database." );
            }
        }
        // we can get the username from the <code>Subject</code>, so cleanup the reference
        m_username = null;
        return true;
    }

The full debug stack during the login in phase looks like:

    2008-05-05 13:08:49,534 7641062 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm - JAASRealm login requested for username
RE: JAAS authenticated user fails authorization check
> From: Robin Coe [mailto:[EMAIL PROTECTED]
> Subject: RE: JAAS authenticated user fails authorization check

It appears that the problem is you haven't fully configured the JAAS environment. See below for details.

> I tested the implementation of isUserInRole() by wild-carding the role, to force Tomcat to authenticate but not authorize:

It doesn't work that way. A role-name of * means that authorization is allowed for any of the listed security-roles, not that authorization is ignored.

> As a side note, I wrote my own implementation of the login process, using a servlet to hook into my login module, thus avoiding the declarative security.

Why did you choose to reinvent the wheel here? Use the declarative security - it's much easier.

> <Context>
>     <Realm className="org.apache.catalina.realm.JAASRealm"
>            appName="landscape"

The appName is not some arbitrary value; it needs to point to the entry in the file pointed to by the java.security.auth.login.config system property (see below).

> The JAAS module is not based on a security policy file, I wrote it to work from a database.

Not relevant to the discussion. You still have to tell Tomcat's JAASRealm what your LoginModule class name is via the file pointed to by the java.security.auth.login.config system property. For example, here's ours:

    -Djava.security.auth.login.config=conf/security/tomcatLogin.config

The conf/security/tomcatLogin.config file contains:

    TomcatLogin {
        com.unisys.os2200.security.TomcatLoginModule required;
    };

Have you done that?

- Chuck
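[Added example, not part of any message in this thread and not Tomcat code: a Python check over a web.xml for the two descriptor points made above, a security-role that carries more than one role-name and an auth-constraint that names a role no security-role declares. It also expands a role-name of * to the declared roles, as described in the reply above. The sample descriptor, the function names and the choice to distrust every role-name in a malformed security-role are assumptions made for illustration.]

```python
# Added example: audits a web.xml for the role-declaration issues raised in
# this thread. SAMPLE_WEB_XML is constructed for illustration only.
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Velocity pages</web-resource-name>
      <url-pattern>/home.vm</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>landscape</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything else</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>guest1</role-name>
    <role-name>guest2</role-name>
  </security-role>
  <security-role>
    <description>Role required to see reports</description>
    <role-name>landscape</role-name>
  </security-role>
</web-app>
"""


def _local(tag):
    """Drop an XML namespace so DTD-based and schema-based files both work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def audit_web_xml(xml_text):
    """Return declared roles, findings and the effective roles per constraint."""
    root = ET.fromstring(xml_text)
    findings, declared = [], []

    for sr in _children(root, "security-role"):
        names = [_text(rn) for rn in _children(sr, "role-name")]
        if len(names) == 1:
            declared.append(names[0])
        else:
            # The schema allows exactly one role-name here. What a container
            # does with extras is left open in the thread, so trust none.
            findings.append(("multiple-role-names", names))

    constraints = []
    for sc in _children(root, "security-constraint"):
        patterns = [_text(p)
                    for wrc in _children(sc, "web-resource-collection")
                    for p in _children(wrc, "url-pattern")]
        auth = _children(sc, "auth-constraint")
        if not auth:
            effective = None  # no auth-constraint: no role check at all
        else:
            roles = [_text(r) for a in auth for r in _children(a, "role-name")]
            for role in roles:
                if role != "*" and role not in declared:
                    findings.append(("undeclared-role", role))
            # "*" means any declared role, not "skip authorization";
            # an empty auth-constraint yields [] and so admits nobody.
            effective = sorted(set(declared if "*" in roles else roles))
        constraints.append({"patterns": patterns, "roles": effective})

    return {"declared": declared, "findings": findings,
            "constraints": constraints}


if __name__ == "__main__":
    report = audit_web_xml(SAMPLE_WEB_XML)
    for finding in report["findings"]:
        print("FINDING:", finding)
    for c in report["constraints"]:
        print(c["patterns"], "->", c["roles"])
```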
RE: JAAS authenticated user fails authorization check
I did that part programmatically:

    public AppConfigurationEntry[] getAppConfigurationEntry( String applicationName ) {
        // Load the entries once and cache them in m_appConfig.
        if( m_appConfig == null ) {
            if( applicationName == null ) {
                throw new NullPointerException( "Could not retrieve security configuration. " +
                    "Application name was not specified." );
            }
            if( m_dbkey == null ) {
                throw new NullPointerException( "The application, \"" + applicationName + "\", " +
                    "does not have a security configuration entry " +
                    "defined in " + this.getClass().getName() + "." );
            }
            // applicationName is formatted into the SQL text itself.
            String[] parms = { applicationName };
            String sql = MessageFormat.format( SECURITY_CONFIGURATION_SQL, parms );
            Connection dbConn = null;
            Statement stmt = null;
            ResultSet rs = null;
            ArrayList modules = new ArrayList();
            try {
                dbConn = ConnectionFactory.getConnection( m_dbkey );
                stmt = dbConn.createStatement();
                rs = stmt.executeQuery( sql );
                // One row per login module configured for this application.
                while( rs.next() ) {
                    String loginClass = rs.getString( "LoginModuleClass" );
                    String cFlag = rs.getString( "ControlFlag" );
                    DEBUG_MODE = rs.getBoolean( "DebugFlag" );
                    HashMap options = new HashMap();
                    options.put( "debug", String.valueOf( DEBUG_MODE ) );
                    AppConfigurationEntry.LoginModuleControlFlag controlFlag = resolveControlFlag( cFlag );
                    AppConfigurationEntry appEntry = new AppConfigurationEntry( loginClass, controlFlag, options );
                    modules.add( appEntry );
                    m_appConfig = (AppConfigurationEntry[])modules.toArray( new AppConfigurationEntry[modules.size()] );
                }
            } catch( SQLException e ) {
                Logger.log( Logger.ERROR, getClass() + ".getAppConfigurationEntry", e );
                return null;
            } catch( KException e ) {
                Logger.log( Logger.ERROR, getClass() + ".getAppConfigurationEntry", e );
                return null;
            } finally {
                SQLUtil.close( dbConn, stmt, rs );
                rs = null;
                stmt = null;
                dbConn = null;
            }
        }
        return m_appConfig;
    }

The hook into the login module is created when the context listener for the web-app is initialized. The initialization parameters come from the database, which is what I was referring to, as opposed to a policy file.
What I find strange is that the authentication piece works perfectly. Tomcat calls my login module, does its work and builds a Subject that is consistent with what I expect. The question is, why am I able to call request.isUserInRole("landscape") when Tomcat's internal call to the roles in my Subject uses something else?

The Tomcat code that is failing for my auth check is (http://kickjava.com/src/org/apache/catalina/realm/RealmBase.java.htm):

    } else if(!denyfromall) {

        for (int j = 0; j < roles.length; j++) {
            if (hasRole(principal, roles[j]))
                status = true;
            if( log.isDebugEnabled() )
                log.debug( "No role found: " + roles[j]);
        }
    }

    public boolean hasRole(Principal principal, String role) {

        // Should be overriten in JAASRealm - to avoid pretty inefficient conversions
        if ((principal == null) || (role == null) ||
            !(principal instanceof GenericPrincipal))
            return (false);

        GenericPrincipal gp = (GenericPrincipal) principal;
        if (!(gp.getRealm() == this)) {
            if(log.isDebugEnabled())
                log.debug("Different realm " + this + " " + gp.getRealm());// return (false);
        }
        boolean result = gp.hasRole(role);
        if (log.isDebugEnabled()) {
            String name = principal.getName();
            if (result)
                log.debug(sm.getString("realmBase.hasRoleSuccess", name, role));
            else
                log.debug(sm.getString("realmBase.hasRoleFailure", name, role));
        }
        return (result);

    }

So, what works in the one case, i.e., request.isUserInRole("landscape"), fails when using Tomcat's role checking, i.e., hasRole(principal, roles[j]). So,
RE: JAAS authenticated user fails authorization check
> From: Robin Coe [mailto:[EMAIL PROTECTED]
> Subject: RE: JAAS authenticated user fails authorization check

> I did that part programmatically:

Just for grins, try replacing your programmatic approach with the configuration settings. If that works, then it shows you're missing something in setting up the necessary internal structures.

 - Chuck
Re: JAAS authenticated user fails authorization check
Robin,

Robin Coe wrote:
| The Tomcat code that is failing for my auth check is
| (http://kickjava.com/src/org/apache/catalina/realm/RealmBase.java.htm):

Are you sure this is your version? The 5.5.17 version of this file is available here:
http://svn.apache.org/repos/asf/tomcat/container/tags/tc5.5.x/TOMCAT_5_5_12/catalina/src/share/org/apache/catalina/realm/RealmBase.java

| } else if(!denyfromall) {
|
|     for (int j = 0; j < roles.length; j++) {
|         if (hasRole(principal, roles[j]))
|             status = true;
|         if( log.isDebugEnabled() )
|             log.debug( "No role found: " + roles[j]);
|     }
| }

The above code does not match what I see in the version from SVN, but it's close enough. You're right: it calls hasRole, and the hasRole implementation is as shown below:

| public boolean hasRole(Principal principal, String role) {
|
|     // Should be overriten in JAASRealm - to avoid pretty inefficient conversions
|     if ((principal == null) || (role == null) ||
|         !(principal instanceof GenericPrincipal))
|         return (false);

etc.

Assuming that the code continues beyond this point, /some/ type of log message should be expected. Given that no output is between the "Checking roles" log statement and the "No role found:" statement, it looks like the Principal object might not be a GenericPrincipal.

JAASRealm.createPrincipal returns a GenericPrincipal object, so this should be okay. Given that you are doing a lot of stuff through software and not configuration, is it possible that you are creating your own Principal object that is not checkable by RealmBase?

| org.apache.catalina.realm.JAASRealm - Checking Principal landscape [com.kaleidescape.logdb.webapp.security.auth.UserGroupPrincipal]

Yup. Looks like you are using a Principal not supported by RealmBase. Does UserGroupPrincipal extend GenericPrincipal? If not, you should ensure that it does, and that it properly implements hasRole().

| Since my UserGroupPrincipal implements Principal, it is castable to
| GenericPrincipal.

Not true, unless UserGroupPrincipal also extends GenericPrincipal.

-chris
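The type check discussed in the message above, reduced to a stand-alone Java sketch (an added example, not Tomcat's code and not code posted by anyone in this thread). Both nested classes are simplified stand-ins, the user name "robin" is constructed, and only the guard in hasRole() follows the RealmBase excerpt quoted in the thread.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class RoleCheckDemo {

    // Stand-in for a custom JAAS principal that only implements Principal.
    static class UserGroupPrincipal implements Principal {
        private final String name;
        UserGroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Simplified stand-in for the container's role-carrying principal
    // (assumption: not the real org.apache.catalina.realm.GenericPrincipal).
    static class GenericPrincipal implements Principal {
        private final String name;
        private final Set<String> roles;
        GenericPrincipal(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<String>(Arrays.asList(roles));
        }
        public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Same guard as the quoted RealmBase.hasRole(): a principal of any other
    // type is denied before its roles are ever looked at.
    static boolean hasRole(Principal principal, String role) {
        if (principal == null || role == null
                || !(principal instanceof GenericPrincipal)) {
            return false;
        }
        return ((GenericPrincipal) principal).hasRole(role);
    }

    public static void main(String[] args) {
        Principal custom = new UserGroupPrincipal("landscape");
        Principal wrapped = new GenericPrincipal("robin", "landscape");

        // Implementing Principal does not make an object a GenericPrincipal,
        // so the first check is denied and only the second one succeeds.
        System.out.println("custom is GenericPrincipal: " + (custom instanceof GenericPrincipal));
        System.out.println("custom has role landscape:  " + hasRole(custom, "landscape"));
        System.out.println("wrapped has role landscape: " + hasRole(wrapped, "landscape"));
    }
}
```

The denial for the custom principal happens on the early return, before any role lookup runs.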
RE: JAAS authenticated user fails authorization check
Thanks Chris, that must be it. Can't believe I missed that. Unfortunately, this class is part of the Catalina codebase, which makes it necessary to use a runtime check and invoke a GenericPrincipal subclass when running inside Tomcat. I don't want to include the Catalina jar or be dependent on running Tomcat exclusively.

I find it strange that the code works by calling request.isUserInRole(), when using a class that implements the Principal interface, but fails when using declared roles. It's annoying that the Tomcat docs don't mention the necessity of extending GenericPrincipal when rolling your own implementation.

Thanks to you guys for helping me out!

Robin.
Tomcat was shutdown by self
I have a problem with Tomcat on Solaris 10. 2-4 times in a week (24x7) - random, Tomcat was shutdown by self. Can you help me?

Thank you.

Regards,
Ronny Sisworo
@+628122696200
Re: Tomcat was shutdown by self
Ronny,

Ronny Sisworo wrote:
| I have a problem with Tomcat on Solaris 10.

What version of Tomcat?

| 2-4 times in a week (24x7) - random, Tomcat was shutdown by self.

Why do you think Tomcat shuts itself down? What is in the log files?

-chris
Re: url-pattern not working with AxisServlet
Kurt,

Kurt Kavanaugh wrote:
| Not seeing the AxisServlet being invoked for /services/* url-pattern...

[snip]

| <servlet-mapping>
|   <servlet-name>AxisServlet</servlet-name>
|   <url-pattern>/services/*</url-pattern>
| </servlet-mapping>

[snip]

| Apache [httpd] access INFO
|
| 127.0.0.1 - - [05/May/2008:12:05:30 -0400] "GET /services/TestService
| HTTP/1.1" 404 306

404, eh?

| Note there is no corresponding entry in the TOMCAT access log.

No corresponding Tomcat access log entry, eh?

| http://localhost//test/foo.do?SERIALNUMBER=XXXSTATUS=2
| the appropriate struts action gets called... however If I do this

Other URLs work, eh?

Sounds like you are missing a

    JkMount /services/* myWorker

in your Apache httpd config file.

-chris