Re: Converting to container based security.

2009-07-19 Thread Pid

On 19/7/09 04:56, Bill Davidson wrote:
> Tomcat 6.0.18
> Java 1.6.0_14
> RedHat 5.2 Server
> Oracle 10g
>
> I've got an old web app that was originally spec'd in 1999.  Last year, I
> got it migrated from Tomcat 3.2.4 to 6.0.16 and more recently from Java
> 1.4.2 to 1.6.  I'm gradually trying to modernize it.  I just converted from
> using an old database connection pool library from that period to using a
> DataSource managed by Tomcat/DBCP (which was surprisingly easy).
> Now I want to tackle container based security.
>
> The app currently manages its own security.  It's all servlets which do a
> little session magic on their own.  The login servlet hits the database
> where the user names and passwords are.  I want to start using JSP and/or
> maybe JSF, which is part of the reason I want to go to container based
> security.
>
> I'm thinking that the login.jsp can be set up with a bean to massage the
> session so that old servlets will still be satisfied that the session is
> legit.
>
> Newer servlets can dispense with that security and older ones can have
> it taken out gradually over time (over 200 of them).

A servlet Filter that checks for the presence of the bean, (loads it if
missing by checking the contents of the UserPrincipal), would be less
intrusive and you can just remove it when all Servlets are updated.

> While it's actually just one web app, conceptually, it's two.  There's one
> side which is an administrative side, and another for the general public.
> Some servlets are used by one side, other servlets are used by the other.
> They all use the same database, and share a lot of the same objects and
> data, however the user names and passwords are in different database
> tables.  Also, the public side can be used anonymously (no need to log in).
> Login mainly gives the public side the ability to store preferences so that
> it doesn't need to be re-entered and keep track of history.

Two Filters, if necessary, as they can be applied by selecting different
classes.  Hopefully your sub-apps operate on different paths.

> I've been going over the realm documentation, and it's a little confusing.
> I think that I'm actually going to need two realms, one for each side
> (remember that they use different tables).  I'm not exactly sure how to
> set that up.

There is/was a multi realm, but I think it's intended for use with an
SSL cert & Form auth combination.

Check the source of the latest release:

http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/CombinedRealm.java

You may be able to exploit this to do what you need.

> I'd like to use a DataSourceRealm, using the DataSource I've already
> set up, however I've also got the problem that the programmers who set this
> up stored the passwords UNIX/Linux style with a Java implementation of
> crypt(3), which doesn't seem to be one of the options for MessageDigest.
> I hope I'm wrong about that.  Given how common it is in the UNIX/Linux
> world, I'd think that would be a good one to have (and please don't tell me
> that it's not that secure -- that's not the point -- this is a compatibility
> issue).
> Does this mean I'm going to need to write my own custom realm?  That
> looks fairly confusing too.

(Hopefully you've got a dev environment.)  Start with a repackaged
version of DataSourceRealm and make minimal changes to encrypt the
password before sending it to the DB for matching.

Modifying the realm a bit shouldn't be too tricky, find the method that
sends the password to the DB to do the auth.

If you've got code for the crypt implementation it may just be worth
bunging it into a static utility & encrypting the password manually,
inside the realm - just to get it working initially, so you can prove
that it will work.

> Can someone please point me at a good overall strategy for how to tackle
> all of this, given these constraints?  I've only spent a few hours trying to
> go through the docs but I'm feeling a bit overwhelmed and really need
> some perspective.

Configure container based security.
Get one Realm working for 1 part of the app.
Add a Filter to handle the unmodified servlets.
Add the Combined realm.

p

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat 6 database pooling causes HttpServlet class not found exception

2009-07-19 Thread Pid

On 19/7/09 05:13, Lucas Vickers wrote:
> For what it's worth.
>
> Every now and then tomcat throws that exception again.
> I then shut down tomcat, touch the .policy file, start tomcat, and it works.


Are you using a repackaged Tomcat or have you downloaded and installed 
it yourself?


How, exactly, are you starting and stopping it?

The permissions below shouldn't need setting, even if you're running a 
SecurityManager.  Not my area of expertise, but if this is the fix, 
something else, somewhere, is horribly wrong.


Don't forget to check that you're not ending up with a servlet-api.jar 
(or something similar, with the contained classes) in your 
webapp/WEB-INF/lib.


Ending up with javax.servlet.* classes actually inside your webapp will 
cause all manner of fail conditions.


p



> On Sat, Jul 18, 2009 at 9:29 PM, Lucas Vickers <lucasvick...@gmail.com> wrote:
>
>> // ========== WEB APPLICATION PERMISSIONS ==========
>>
>> // These permissions are granted by default to all web applications
>> // In addition, a web application will be given a read FilePermission
>> // and JndiPermission for all files and directories in its document root.
>> grant {
>> ...
>>
>>     // Needed for TABS
>>     permission java.util.PropertyPermission "org.apache.tomcat.dbcp.*", "read";
>>     permission java.util.PropertyPermission "javax.servlet.*", "read";
>>     permission java.util.PropertyPermission "javax.servlet.http.*", "read";
>>
>> was added.  I tested by commenting out and then uncommenting.  Works when
>> it's not commented out.
>>
>> I run using catalina.sh start
>>
>> if commented out, I get:
>>
>> HTTP Status 500 -
>>
>> *type* Exception report
>>
>> *message*
>>
>> *description* *The server encountered an internal error () that prevented
>> it from fulfilling this request.*
>>
>> *exception*
>>
>> javax.servlet.ServletException: Error allocating a servlet instance
>>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>>     org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
>>     org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>     org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
>>     java.lang.Thread.run(Thread.java:619)
>>
>> *root cause*
>>
>> java.lang.NoClassDefFoundError: javax/servlet/http/HttpServlet
>>     java.lang.ClassLoader.defineClass1(Native Method)
>>     java.lang.ClassLoader.defineClass(ClassLoader.java:621)
>>     java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
>>     java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
>>     java.net.URLClassLoader.access$000(URLClassLoader.java:56)
>>     java.net.URLClassLoader$1.run(URLClassLoader.java:195)
>>     java.security.AccessController.doPrivileged(Native Method)
>>     java.net.URLClassLoader.findClass(URLClassLoader.java:188)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:307)
>>     sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:252)
>>     org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1302)
>>     org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
>>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>>     org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
>>     org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>     org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
>>     java.lang.Thread.run(Thread.java:619)
>>
>> *root cause*
>>
>> java.lang.ClassNotFoundException: javax.servlet.http.HttpServlet
>>     java.net.URLClassLoader$1.run(URLClassLoader.java:200)
>>     java.security.AccessController.doPrivileged(Native Method)
>>     java.net.URLClassLoader.findClass(URLClassLoader.java:188)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:307)
>>     sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:252)
>>     java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
>>     java.lang.ClassLoader.defineClass1(Native Method)
>>     java.lang.ClassLoader.defineClass(ClassLoader.java:621)
>>     java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
>>     java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
>>     java.net.URLClassLoader.access$000(URLClassLoader.java:56)
>>     java.net.URLClassLoader$1.run(URLClassLoader.java:195)
>>     java.security.AccessController.doPrivileged(Native Method)
>>     java.net.URLClassLoader.findClass(URLClassLoader.java:188)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:307)

osgi plugin for tomcat 6.0.18

2009-07-19 Thread donf yang
Hi,

An osgi plugin for tomcat-6.0.18 is now available to use.

Key Features:

   - Full compatibility with tomcat
   - No more complex configuration for osgi environment
   - No more huge war packages, as it supports deploying osgi applications
   from a repository by a deployment description file

Reference guide online:
http://extwind.googlecode.com/svn/doc/extwind/reference/reference.htm

Google group:
http://groups.google.com/group/extwind



-- 

Regards,

Donf Yang
--
To be surprised, to wonder, is to begin to understand.


Re: Tomcat 6 database pooling causes HttpServlet class not found exception

2009-07-19 Thread Lucas Vickers
I am starting using:

catalina.sh start
stopping with
catalina.sh stop

I don't even have a lib directory in my WEB-INF , just my class file :(

Does anyone on this list have any interest in being hired as a consultant?
At this point I have this security issue (which may or may not be a problem)
and a database memory leak that I can not figure out.  Database pooling may
be a fix for that but I can not get that working either.

Lucas


Re: tomcat 6 database pooling, DataSource returning NULL connection

2009-07-19 Thread Lucas Vickers
I see now.  thanks

I refreshed the config file and I am still getting NULL connections to my
database.

Does anyone on this list have any interest in being hired as a consultant?
At this point I have a strange catalina.policy security issue (which may or
may not be a problem) and this database issue.

Lucas

On Sat, Jul 18, 2009 at 9:24 PM, Caldarale, Charles R
<chuck.caldar...@unisys.com> wrote:

>> From: Lucas Vickers [mailto:lucasvick...@gmail.com]
>> Subject: Re: tomcat 6 database pooling, DataSource returning NULL
>> connection
>>
>> I am doing a static install and restarting my tomcat each time I
>> make a file change, so I do not think this is the issue.
>
> Actually, that's exactly the procedure that can cause the problem.  When
> the webapp is first loaded, Tomcat copies the webapp's META-INF/context.xml
> file to conf/Catalina/[host]/[appName].xml.  As long as the
> conf/Catalina/[host]/[appName].xml file exists, it will override the one in
> META-INF/context.xml.  Proper undeployment will remove the copied Context
> element; just copying over a new version of the webapp will not.
>
>  - Chuck






Re: tomcat 6 - setting classpath

2009-07-19 Thread Wesley Acheson
We ran into an exact same problem.  Our workaround hack classpath.bat and
classpath.sh works perfectly.

I also considered running down the ClassLoader route.  That also works but
it felt more wrong.

I was just going to ask what the accepted way of doing this was but I think
I've got my answer.

Regards,

Wesley Acheson

On Wed, Jun 17, 2009 at 8:38 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:

> Tom,
>
> On 6/17/2009 7:43 AM, Tom Brown wrote:
>> it is only configuration files - no jar changes.
>
> If your code uses getResourceAsStream(), then the classpath will be
> checked. The webapp's classpath will essentially be
> WEB-INF/classes:WEB-INF/lib:CATALINA_BASE/lib:JAVA_HOME/rt.jar
>
> So, putting your configuration files in CATALINA_BASE/lib should do it,
> unless you have those same configuration files in WEB-INF/classes (or a
> JAR in WEB-INF/lib) already, which it sounds like you /do/.
>
> Mikolaj's suggestion of using a custom classloader might be your only
> option, unless you can change your code to load the configuration files
> from a pre-defined location (or, even better, from a location specified
> in web.xml!).
>
> Note that your first solution was to modify web.xml which would, in
> turn, modify the WAR file. So, how was that one going to work?
>
> -chris




Re: tomcat 6 database pooling, DataSource returning NULL connection

2009-07-19 Thread Mark Thomas
Lucas Vickers wrote:
> I see now.  thanks
>
> I refreshed the config file and I am still getting NULL connections to my
> database.
>
> Does anyone on this list have any interest in being hired as a consultant?
> At this point I have a strange catalina.policy security issue (which may or
> may not be a problem) and this database issue.

http://wiki.apache.org/tomcat/SupportAndTraining

Both of those companies employ Tomcat committers.

(full disclosure - I work for SpringSource)

Mark

 



Re: Converting to container based security.

2009-07-19 Thread Mark Thomas
Pid wrote:
> There is/was a multi realm, but I think it's intended for use with an
> SSL cert & Form auth combination.

No. Realms do not care about the authentication mechanism. The new (in
6.0.20) CombinedRealm [1] could be used to merge two DataSourceRealms. A
combined Realm will work with *any* authentication mechanism.

Alternatively, you could use a database view to present the two sets of
users as a single table.

[1] http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

Mark
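
A configuration sketch of the CombinedRealm approach described in this message, added here as an example and not taken from the thread or from Tomcat's documentation: one CombinedRealm wrapping two DataSourceRealms, one per user table. The JNDI name `jdbc/appDS`, every table and column name, and the choice of `META-INF/context.xml` as the location are assumptions.

```xml
<!-- META-INF/context.xml: added example, not from the thread.
     jdbc/appDS and all table and column names are assumptions. -->
<Context>
  <!-- CombinedRealm asks each nested Realm in the order listed and accepts
       the first one that authenticates the user. Per the message above it
       is new in Tomcat 6.0.20. -->
  <Realm className="org.apache.catalina.realm.CombinedRealm">

    <!-- Administrative side (hypothetical tables ADMIN_USERS, ADMIN_ROLES).
         DataSourceRealm looks roles up by userNameCol, so ADMIN_ROLES needs
         the same USER_NAME column as ADMIN_USERS.
         localDataSource="true" assumes the DataSource is declared as a
         Resource of this Context rather than in GlobalNamingResources. -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/appDS"
           localDataSource="true"
           userTable="ADMIN_USERS"
           userNameCol="USER_NAME"
           userCredCol="PASSWORD"
           userRoleTable="ADMIN_ROLES"
           roleNameCol="ROLE_NAME"/>

    <!-- Public side (hypothetical tables PUBLIC_USERS, PUBLIC_ROLES).
         PUBLIC_ROLES must never contain the role that guards the
         administrative side. -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/appDS"
           localDataSource="true"
           userTable="PUBLIC_USERS"
           userNameCol="USER_NAME"
           userCredCol="PASSWORD"
           userRoleTable="PUBLIC_ROLES"
           roleNameCol="ROLE_NAME"/>

    <!-- No digest attribute is set, so each realm compares the submitted
         password with the stored column as-is. The crypt(3) hashes
         discussed earlier in the thread would not match with this
         configuration alone. -->
  </Realm>
</Context>
```

The roles a principal receives come only from the realm that accepted the credentials, so a user name that exists in both tables gains the administrative role only by authenticating against the administrative table.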






Re: Converting to container based security.

2009-07-19 Thread Bill Davidson

Mark Thomas wrote:
> Alternatively, you could use a database view to present the two sets of
> users as a single table.

What about duplicated user names between the two sides?

There's also the need to make sure that the admin side servlets are
not accessible to the public side and vice versa and that the public
side servlets are accessible without authentication but the admin
side servlets are not.






RE: [OT] Apache httpd prefork versus worker MPM

2009-07-19 Thread James Abley



mgainty wrote:
> the inherent problem with multi-threaded model vs prefork n processes
>
> http://blog.zakame.net/tips/apache2-worker-lowmem
>
> http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_24192924.html
>
> rule seems to be more than 1 CPU go with worker
> 1 CPU go with MPM
>
> once you set your path on Worker all modules and all binaries under Apache
> have to be multi-threaded
>
> YMMV
>
> Martin
> Date: Fri, 17 Jul 2009 21:17:51 -0400
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: [OT] Apache httpd prefork versus worker MPM
>
>> All,
>>
>> I've been working with Apache httpd and Tomcat together with mod_jk for
>> about 10 years, and I've always been using the prefork MPM. I'm setting
>> up a new development server with Debian Lenny and apt-get prefers to
>> install the worker MPM. I can definitely install the prefork MPM if I
>> want, but I figured I'd take this opportunity to ask about the worker
>> MPM.
>>
>> Has anyone had any configuration problems when using the worker MPM? Any
>> performance problems? The worker MPM is advertised as high-performance
>> and I was wondering if it would be a PITA to use or anything like that.
>>
>> If the worker MPM really is higher performance, I'd prefer to use that,
>> but only if there are no big gotchas that anyone can think of.
>>
>> I'd appreciate some feedback from folks that have used both the prefork
>> and worker MPMs at one point, and might be able to comment on their
>> different experiences.
>>
>> Thanks,
>> -chris
 


My reading of it, which someone else on this list might be able to confirm,
is that using mod_jk with worker MPM can potentially give lower memory usage
on the machine.

e.g.

with 

<IfModule prefork.c>
StartServers           8
MinSpareServers        5
MaxSpareServers       20
ServerLimit          256
MaxClients           256
MaxRequestsPerChild 4000
</IfModule>

That will potentially create 256 httpd processes, each consuming 10MB or so.

Alternatively, 

<IfModule worker.c>
StartServers           2
MaxClients           250
MinSpareThreads       25
MaxSpareThreads       75
ThreadsPerChild       25
MaxRequestsPerChild    0
</IfModule>

That will potentially create 10 httpd processes, each capable of handling 25
requests. Assume that each process needs 30MB (I don't think it would, but I
haven't measured it recently). The reduced memory requirement for this
configuration might be a very attractive option for some environments.

This assumes that mod_jk is thread-safe and doesn't suffer from the known
problems with non-thread-safe modules in worker MPM. Can anyone confirm
that's true?

Cheers,

James



RE: [OT] Apache httpd prefork versus worker MPM

2009-07-19 Thread James Abley




Answering my own question; from the docs, it looks like mod_jk is built by
default to be thread-safe, and you need to switch that off using the
--enable-prefork option at build time. [1]

[1]
http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html#configure%20arguments



Re: Converting to container based security.

2009-07-19 Thread Pid

On 19/7/09 18:52, Bill Davidson wrote:
> Mark Thomas wrote:
>> Alternatively, you could use a database view to present the two sets of
>> users as a single table.
>
> What about duplicated user names between the two sides?

That might not be an issue if admin users don't use the public site, and
vice versa.  Be better to avoid that if possible though.

Can you reassign admin user names?

> There's also the need to make sure that the admin side servlets are
> not accessible to the public side and vice versa and that the public
> side servlets are accessible without authentication but the admin
> side servlets are not.

Container auth uses configurable roles to set authorization, which would
handle this eventuality.  Just set up two different security-constraint's.


p
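
What two security-constraint elements could look like for the split described in this message, as an added example that is not part of the thread: the administrative paths require one role, the public account pages require another, and everything else stays open to anonymous users. The URL patterns, role names, realm name and page paths are assumptions.

```xml
<!-- WEB-INF/web.xml: added example, not from the thread.
     /admin/*, /public/account/*, the role names and the login pages
     are assumptions about how the application is laid out. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Administrative side: only principals holding the "admin" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative side</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- No http-method elements: the constraint then applies to every
           HTTP method. Listing only some methods leaves the others
           unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Public side: only the pages that need a known user (stored
       preferences, history) require the "member" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public account pages</web-resource-name>
      <url-pattern>/public/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Any URL not matched by a constraint above, for example the rest of
       /public/*, is served without authentication. -->

  <!-- A web application has a single login-config, so both sides share
       one login form; the role returned by the realm decides which
       constraint the user satisfies. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Application login</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

A logged-in public user who requests a path under `/admin/*` receives HTTP 403 from the container, because the principal is authenticated but lacks the `admin` role.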





RE: tomcat 6 database pooling, DataSource returning NULL connection

2009-07-19 Thread Caldarale, Charles R
> From: Lucas Vickers [mailto:lucasvick...@gmail.com]
> Subject: Re: tomcat 6 database pooling, DataSource returning NULL
> connection
>
> I refreshed the config file and I am still getting NULL connections
> to my database.

Just for completeness, check the security policy in the JRE/JDK you're using.
If someone has modified this in a restrictive fashion, your changes to
catalina.policy may have overridden them and allowed normal operation.  The
default policy is located in jre/lib/security/java.policy; there may be an
additional policy file in ${user.home}/.java.policy.  These locations are
specified in jre/lib/security/java.security; check that that file has not been
modified.

If you do find anything odd in the above files, you might want to reinstall the 
JRE/JDK, just to make sure something else hasn't been fiddled with.

 - Chuck

