Re: Cleartrust RSA integration
Hi Martin

> could you briefly explain the need for 2 apache webservers?

I wish I could :)

We currently have our secure web apps fronted by an IBM product, which seems to be a munged version of Apache. This has the Cleartrust plugin in place and working fine. In the DMZ we have various web servers, and the system architects are insisting that these servers do an independent Cleartrust authentication. As we want to put a Tomcat machine or three in this zone, it would need to be fronted by Apache to achieve independent Cleartrust authentication.

This sounds like overkill to me...

Regards

Ron

----- Original Message -----
From: Martin Gainty mgai...@hotmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, June 21, 2010 11:45 PM
Subject: RE: Cleartrust RSA integration

could you briefly explain the need for 2 apache webservers?

thanks,
Martin

Date: Mon, 21 Jun 2010 20:22:44 +1200
From: rmcnu...@clear.net.nz
Subject: Re: Cleartrust RSA integration
To: users@tomcat.apache.org

Hi Andre

Thanks for the reply. I had a long discussion with our architecture group today. Basically they want Cleartrust authentication at the web gateway (in place now) and again at the web server. The gateway (an Apache instance) and the Tomcat server would not be on the same physical box - they would be in separate security zones.

An option is to use yet another Apache instance fronting Tomcat. I'm not sure what sort of performance hit this would be (i.e. Apache - Apache - Tomcat) - do you have any insight?

Regards

Ron

----- Original Message -----
From: André Warnier a...@ice-sa.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Sunday, June 20, 2010 9:37 PM
Subject: Re: Cleartrust RSA integration

Ron McNulty wrote:
> Hi All
>
> We are thinking of bringing some of our apps off proprietary J2EE servers to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 and Linux on a VM (not sure of versions).
>
> One of the requirements is to authenticate using RSA Cleartrust. From my reading, Tomcat does not support this. The recommended solution is to front Tomcat with Apache, and let Apache do the Cleartrust integration.
>
> The links I have found are a bit ancient - are my assumptions still correct? Also, our system architects seem to think this setup is insufficiently secure - comments?

Assuming the Apache Cleartrust authentication is secure..

If Apache authenticates a request, and if the Apache/Tomcat connector is mod_jk, then the authenticated user-id is propagated from Apache to Tomcat (*). (Additional info could be propagated via additional HTTP headers, or request attributes).

If the link between Apache and Tomcat is secure (like for example both run on the same machine and the connection is purely internal), then there is no reason why this would be less secure.

(*) whether Tomcat actually uses it, is determined by the tomcatAuthentication attribute of the AJP Connector.
Re: org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC driver of class '' for connect URL 'null' AGAIN!
tomcats!,

clearly it is time to move on because there is a workaround to this issue by having hibernate manage its own connection pool. I am not going to recheck my urls again and jndi names because they are correct and my hosting provider has assisted me in checking and found no wrong.

for future visitors to this thread, try allowing hibernate to manage own pool, it worked for me before i refactored my app in an attempt to get hibernate to use the tomcat pool.

The guide over here: http://wiki.apache.org/tomcat/TomcatHibernate will still show you how to do that and is very well written and overall the guide did allow me get hibernate to use my tomcat pool on my test rig but it failed with two production environments.

I will try again to get it working on tomcat 7 in the future and report back here.

--
From: David Smith david.sm...@cornell.edu
Sent: Monday, June 21, 2010 2:54 PM
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC driver of class '' for connect URL 'null' AGAIN!

> I do not see the mistake that you see

I didn't say I saw a mistake ... just listing stuff to look at in diagnosing this issue. The file permission issue can definitely contribute to what you were seeing. Other comments inline

--David

On 6/21/2010 8:32 AM, yucca...@live.co.za wrote:
> --
> From: Martin Gainty mgai...@hotmail.com
> Sent: Monday, June 21, 2010 1:16 PM
> To: Tomcat Users List users@tomcat.apache.org
> Subject: RE: org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC driver of class '' for connect URL 'null' AGAIN!
>
>> if you took time to look at tomcat-users archive you would've come across this post by david smith..the answer is just as good now as when originally posted
>>
>> On 6/19/2010 1:31 PM, yucca...@live.co.za wrote:
>>> I have no choice left but to not let hibernate use my tomcat datasource. This is not good. I have even moved host provider in hope that it was previous faulty tomcat install from dailyrazor (tomcat 6 does not have common/lib) and is meant to have tomcat/lib
>>>
>>> I can say that my new container is correct and that I am 100% sure that all mus jdbc configuration is correct in xml after having gone though it at least 20 times and checked the wiki that was linked here earlier and still have issues. Yes mysql jdbc bin is in tomcat/lib so that is not cause of the error.
>>>
>>> The error is very weird though as I have another point that uses hibernate without error on the same database.
>>>
>>> It is not possible for me to use hibernate to use tomcat datasource sadly. Many thanks for all the help though.
>>
>> DS
>>
>>> If you put the following into a jsp and call the jsp, does it work?
>>>
>>>     <%@page import="java.sql.Connection"%>
>>>     <%@page import="java.sql.DriverManager"%>
>>>     <%@page import="java.sql.SQLException"%>
>>>     <%
>>>     // Load the MySQL driver directly, bypassing the Tomcat pool
>>>     Class.forName("com.mysql.jdbc.Driver").newInstance();
>>>     Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
>>>         "user=monty&password=greatsqldb");
>>>     out.println( "The connection worked!! " ) ;
>>>     conn.close();
>>>     %>
>
> Did this and it works , I even made this page my welcome page at thejarbar.org

Great! That's one giant step in the right direction.

>>> If that works then your jdbc driver is available and installed properly (I trust there is only one copy of that jar in your entire tomcat install ... right?).
>
> I do not see or find another copy of the driver
>
>>> Now check to see if there's an xml in tomcat/conf/Catalina/localhost
>
> there isn't one

Ok ... this is one of a couple of places a <Context ... /> element can be. It may be in one of the others I mentioned like your webapp's META-INF folder. The one that might be in tomcat/conf/Catalina/localhost will take precedence over any in your webapp's META-INF folder. People have been bitten before changing the one in META-INF, not realizing there was an old copy in tomcat/conf/Catalina/localhost.

>>> matching your webapp's deployed name. For instance if you access your webapp as http://localhost:8088/mywebapp, there should be a mywebapp.xml file there. Take a look at it for the <Resource ... /> or <ResourceLink ... /> (which ever you setup) and make sure they are correct.
>>>
>>> If this file is not available, take a look at context.xml in your webapp's META-INF folder (same process). If it's not there, then the <Context ...> element for your webapp is in server.xml and it should NOT be there. It's bad practice and requires a full tomcat restart to make
>
> I did not do this

If you mean restart, it's not necessary as long as the <Context ...></Context> element defining your app to tomcat is not in server.xml.

>>> changes.
>
> Did this and it works , I even made this page my welcome page at thejarbar.org

??? I'm confused here. What did you do at this point that works?

>>> Lastly, case matters. Be sure everything is typed correctly including whether it's upper or lower case. Now take a look at the logs and
Re: Tomcat 6 64 bits, Java 6 64 bits and -Djava.library.path
Everything can be set up via service.bat

You should modify this file only. This way when you install the service or remove the service, it works gracefully, and all libs, memory requirements, etc. are recorded in the registry.

On Fri, Jun 18, 2010 at 12:44 AM, Katt katt@gmail.com wrote:
> Hi all,
>
> I have some strange issues:
>
> Environment: Windows 2003 R2 64 bits with Tomcat6 6.0.24 and Java6 1.6.0_20 64bits.
>
> If I have some libraries that need to be loaded at startup so I've added in catalina.bat:
>
>     JAVA_OPTS=%JAVA_OPTS% -Djava.library.path=C:\libs
>
> start tomcat with startup.bat, everything ok.
>
> After that I've changed service.bat adding at the very end of file:
>
>     %EXECUTABLE% //US//%SERVICE_NAME% ++JvmOptions -Djava.library.path=C:\libs;...
>
> install Windows service: service.bat install and start tomcat. Tomcat didn't load libraries from java.library.path.
>
> So, it's working only if I start tomcat from startup.bat but not if I install it as Windows service.
>
> Any suggestions?
>
> Best regards,
> Katt
Re: question for sso session replication in tomcat 6.0.26
On 22/06/2010 06:09, Andrew Bruno wrote:
> Oh sorry, I re-read your answer.
>
> Not sure why SSO is not working, be interested to find out though..

You were right to ask about configuration.

We can't really begin to analyze the problem until we've seen the cluster config and know the usual OS, JVM, HTTPD/mod_jk/mod_proxy/loadbalancer other relevant version/config information.

p

> AB

On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno andrew.br...@gmail.com wrote:

Hi Yasushi

In your server.xml have you added the jvmroute to the Engine? i.e.

    <Engine name="Catalina" defaultHost="localhost" jvmRoute="1">

Andrew

On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote:

Hi Andrew

Thanks for your post.

When I checked the session id from firefox, sso session id [jsessionidsso] does not have jvmroute info, but only jsessionid has jvmroute. So, session replication upon failover is working fine, but single sign-on upon failover is not working on tomcat 6.0.x (including 6.0.26).

yasushi

-----Original Message-----
From: Andrew Bruno [mailto:andrew.br...@gmail.com]
Sent: Monday, June 21, 2010 9:18 PM
To: Tomcat Users List
Subject: Re: question for sso session replication in tomcat 6.0.26

Looking at the code I think this is wrong

    if (!_ssoSessionId.contains("." + jvmRoute)) {
        _ssoSessionId += "." + jvmRoute;
        response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
    }

The original sessionId will already have the "." + _any_other_jvmRoute included, so you need to substring it, and append the new jvmRoute.

    _ssoSessionId = _ssoSessionId.substring(0, _ssoSessionId.indexOf("."))

and then add

    _ssoSessionId += "." + jvmRoute;

AB

On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote:

Hi experts

I found this old email from archive in TC 5.5.23. Does this problem still exist in tomcat 6.0.x or 6.0.26? When failover occurs, sso session id is updated with new number after forcing a user to relogin to the application since sso session id is not replicated and rewritten correctly.

Could someone explain what is expected in current tomcat 6.0.x cluster upon failover? Should sso session id be replicated correctly in tomcat 6.0.x?

Thanks,
yasushi

ROOKIE wrote:

Hi,

I have a problem with tomcat cluster + mod_proxy load balancer:

We have a main app which authenticate itself to a webapp and from this app one can launch embedded apps which use the SSO cookie to access other webapps on the server (Single-Sign-On for the user). Things are working perfectly for the normal cookie but not for the sso cookie.

The problem I have is that tomcat does not replicate SSO sessions so when these embedded apps route through the load balancer we get 401s on all the other cluster members except the one which actually generated the SSO cookie.

I wanted to know if we can edit the SSO cookie generated by tomcat to also contain the jvmRoute parameter so that the load balancer directly goes to the correct cluster member.

I tried doing this in my code by fetching the SSO cookie and appending to it the jvmRoute as follows:

    HttpServletRequest request = (HttpServletRequest)Security.getContext(HttpServletRequest.class);
    HttpServletResponse response = (HttpServletResponse)Security.getContext(HttpServletResponse.class);
    if(request != null) {
        String jvmRoute = "Vinod_Cluster_1"; // as mentioned in server.xml
        Cookie[] cookies = request.getCookies();
        for(int nc=0; cookies != null && nc < cookies.length; nc++) {
            if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
                _sessionId = cookies[nc].getValue();
            } else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
                _ssoSessionId = cookies[nc].getValue();
                // Append this node's route to the SSO id and send it back as a cookie
                if (!_ssoSessionId.contains("." + jvmRoute)) {
                    _ssoSessionId += "." + jvmRoute;
                    response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
                }
            }
        }
    }

But after this I started getting 401s from even the correct cluster member. My guess is addCookie doesn't update the cookie in tomcat's cache which is reasonable.

Other thought was to edit tomcat's sso cookie generation code to append the jvmRoute to the sso cookie.

Is there a better way to achieve this in my code base?

Thanks In Advance,
Vinod
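Added example, not part of any post in this thread and not Tomcat code: the substring-and-append step discussed above, written so that an id without a dot, a route that is a prefix of another route (node1 vs node10) and a malformed client-supplied cookie value are all handled. The class name, the patterns for the id and the route, and the sample values are assumptions; it only covers the string handling and does not change how Tomcat looks up the SSO id, which is the 401 problem the original poster describes.

```java
import java.util.regex.Pattern;

public final class SsoRouteSuffix {

    // Assumption: the id part is hexadecimal, as container-generated ids normally are.
    private static final Pattern BASE_ID = Pattern.compile("[0-9A-Fa-f]{16,128}");
    // Assumption: a jvmRoute is a short token of letters, digits, '_' or '-'.
    private static final Pattern ROUTE = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private SsoRouteSuffix() { }

    /** Id without its ".route" suffix; an id that has no dot is returned unchanged. */
    static String baseId(String cookieValue) {
        int dot = cookieValue.indexOf('.');
        return dot < 0 ? cookieValue : cookieValue.substring(0, dot);
    }

    /** Route carried by the cookie value, or null when it carries none. */
    static String routeOf(String cookieValue) {
        int dot = cookieValue.indexOf('.');
        return dot < 0 ? null : cookieValue.substring(dot + 1);
    }

    /**
     * Returns base id + "." + jvmRoute, replacing any other node's route.
     * Returns null when the value is not a well-formed id, so the caller
     * never echoes client-supplied text back in a Set-Cookie header.
     */
    static String withRoute(String cookieValue, String jvmRoute) {
        if (cookieValue == null || jvmRoute == null || !ROUTE.matcher(jvmRoute).matches()) {
            return null;
        }
        String base = baseId(cookieValue);
        String oldRoute = routeOf(cookieValue);
        if (!BASE_ID.matcher(base).matches()) {
            return null;
        }
        if (oldRoute != null && !ROUTE.matcher(oldRoute).matches()) {
            return null;
        }
        return base + "." + jvmRoute;
    }

    /** Makes control characters visible so the demo output stays on one line. */
    static String printable(String s) {
        return s.replaceAll("\\p{Cntrl}", "?");
    }

    public static void main(String[] args) {
        String id = "0123456789ABCDEF0123456789ABCDEF"; // constructed sample id
        String[] samples = {
            id,                           // no route yet
            id + ".node1",                // already on this node
            id + ".node10",               // other node whose name starts with "node1"
            id + ".node1.node2",          // more than one suffix: rejected
            id + "\r\nSet-Cookie: x=1",   // header-splitting attempt: rejected
            ""                            // empty value: rejected
        };
        for (String s : samples) {
            System.out.println("[" + printable(s) + "] -> " + withRoute(s, "node1"));
        }
    }
}
```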
Re: org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC driver of class '' for connect URL 'null' AGAIN!
On 22/06/2010 07:55, yucca...@live.co.za wrote:
> tomcats!,
>
> clearly it is time to move on because there is a workaround to this issue by having hibernate manage its own connection pool. I am not going to recheck my urls again and jndi names because they are correct and my hosting provider has assisted me in checking and found no wrong.
>
> for future visitors to this thread, try allowing hibernate to manage own pool, it worked for me before i refactored my app in an attempt to get hibernate to use the tomcat pool.
>
> The guide over here: http://wiki.apache.org/tomcat/TomcatHibernate will still show you how to do that and is very well written and overall the guide did allow me get hibernate to use my tomcat pool on my test rig but it failed with two production environments.
>
> I will try again to get it working on tomcat 7 in the future and report back here.

Changing Tomcat version isn't going to make any difference.

You've tested the DB connection by manually creating a Connection using the DriverManager method, but have you tested the DataSource works by performing a JNDI lookup?

    // imports needed: javax.naming.Context, javax.naming.InitialContext,
    //                 javax.sql.DataSource, java.sql.Connection
    Context initContext = new InitialContext();
    Context envContext = (Context)initContext.lookup("java:/comp/env");
    DataSource ds = (DataSource)envContext.lookup("jdbc/my_db_name_here");
    Connection conn = ds.getConnection();

From: http://tomcat.apache.org/tomcat-6.0-doc/jndi-datasource-examples-howto.html

p
RE: Cleartrust RSA integration
This all sounds very unnecessarily complicated. Maybe you want to look at authentication at the Tomcat level alone? Writing an authenticator is rather simple (and there're plenty of examples) provided that ClearTrust has an API, which I am sure it does.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York
RE: Still having problem retrieving user value from ISAPI Filter for authentication
My apologies. Let me try to ask my question in a more specific manner to see if I can get a response from someone on this list.

Per the ISAPI log, I am getting to my index.jsp page successfully and I also am able to see the request info that is sent to the ISAPI filter from IIS. But when I try to use the getRemoteUser() in my index.jsp page to retrieve the info from the ISAPI filter, I am getting a NULL value. It would appear that the getRemoteUser() is not the method to retrieve the user value that is displayed below. I've also tried getUserPrincipal().getName() as well but that does not work either.

There is a line below in the ISAPI log towards the bottom, right before the index.jsp page and the response is started that is displayed that states, NOT USING KEEP-ALIVE, is this preventing the user value in the request from being transferred to the page? :

[Tue Jun 22 06:25:55.697 2010] [1572:4000] [debug] jk_isapi_plugin.c (947): Starting response for URI '/index.jsp' (protocol HTTP/1.1)
[Tue Jun 22 06:25:55.697 2010] [1572:4000] [debug] jk_isapi_plugin.c (1047): Not using Keep-Alive
[Tue Jun 22 06:25:55.697 2010] [1572:4000] [debug] jk_ajp_common.c (1336): received from ajp13 pos=0 len=75 max=8192

Maybe there is something in my configuration files somewhere that is preventing this page from getting at the user value that I need from below. I am just not sure and ANY help would be appreciated.
ISAPI LOG:

[Tue Jun 22 06:25:55.541 2010] [1572:4000] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/index.jsp
[Tue Jun 22 06:25:55.541 2010] [1572:4000] [debug] jk_isapi_plugin.c (3120): Service request headers=8 attributes=0 chunked=no content-length=0 available=0
[Tue Jun 22 06:25:55.541 2010] [1572:4000] [debug] jk_worker.c (116): found a worker scmisWorker
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_isapi_plugin.c (2162): got a worker for name scmisWorker
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (3093): acquired connection pool slot=0 after 0 retries
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (605): ajp marshaling done
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (2376): processing scmisWorker with 2 retries
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): sending to ajp13 pos=4 len=518 max=8192
Re: Still having problem retrieving user value from ISAPI Filter for authentication
I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication="false" to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Marc
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 13:05, Marc Boorshtein wrote:
> I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication="false" to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat.

p

> Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Thanks Marc. I actually have that setting in my server.xml file as well. Actually I did follow your post last week thinking that would help me but the ISAPI filter is working properly as indicated in my log and IIS has authenticated the info otherwise, at least it is my understanding and my experience for the last month in trying to get the ISAPI config and IIS setup properly, that the request info in the isapi log would NOT be populated at all. But now that it is, it appears that I cannot get to the request info by using the getRemoteUser() method which I understood from Ranier and Andre that I could use to get the user value that I need to complete authentication in my code. It just seems that the ISAPI filter is NOT working properly. Andre or Ranier, if you guys are out there, your response would be appreciated. Thanks again. -Original Message- From: Marc Boorshtein [mailto:mboorsht...@gmail.com] Sent: Tuesday, June 22, 2010 7:06 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic. Marc - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system. 
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On Tue, Jun 22, 2010 at 8:16 AM, Savoy, Melinda melindasa...@texashealth.org wrote:
> Thanks Marc. I actually have that setting in my server.xml file as well.

Hmm, I've only gotten the ISAPI filter working once and not in this context. Unless there are other ways to do this Pid's idea is probably the best.

Marc
Re: HTTP Status 408!
Can you provide a hint on how to perform automatic login using BASIC authentication? Or can I somehow modify the class FormAuthenticator and tell Tomcat to use my custom class?

Thanks!

From: Pid p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Mon, June 21, 2010 7:52:40 PM
Subject: Re: HTTP Status 408!

On 21/06/2010 17:36, neo21 zerro wrote:
> Ok. Something like this?
>
>     // needs java.io.BufferedReader, java.io.InputStreamReader, java.net.URL, java.net.URLConnection
>     URL protectedResource = new URL("http://localhost:8080/resource");
>     URLConnection yc = protectedResource.openConnection();
>     BufferedReader in = new BufferedReader(new InputStreamReader(yc.getInputStream()));
>     boolean isLoginPage = false;
>     String inputLine;
>     while ((inputLine = in.readLine()) != null) {
>         // check if the response is the login page (its form posts to j_security_check)
>         if (inputLine.contains("j_security_check")) {
>             isLoginPage = true;
>         }
>     }
>     in.close();
>     if (isLoginPage) {
>         // make another request with the specific params for the authentication
>     }

It's actually much easier to use BASIC auth if a machine is logging in. Look at: http://hc.apache.org/

> My question is that in the second request I need to open a browser, so is the session id of the first request the same as the session id of the second request? Because the FormAuthenticator needs the session id of the first request to retrieve the protected resource?

Yes, the session id will be required. If the URLs are encoded properly as per previous discussion, then the form action attribute will be re-encoded to incorporate the session id - you'll see how to submit to a modified URL if you examine the returned HTML for the login form.

p

From: Pid p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Mon, June 21, 2010 6:19:44 PM
Subject: Re: HTTP Status 408!

On 21/06/2010 15:48, neo21 zerro wrote:
> Ok. I already have sent params from my other application to my Tomcat application and everything goes well, I make this with the j_security_check on a post method, and I track down the path with the debug log.
> The problem is that in the org.apache.catalina.authenticator.FormAuthenticator in the authenticate method the user is getting authenticated but when the user should be redirected to the initial saved request, null is returned.
> So my problem is that I make programmatically just a request to my Tomcat web app authenticating the user per user params but I need somehow to tell the FormAuthenticator what the saved request should be.
> Any ideas?

The process is:

1. make a request for a protected resource
2. check the response is what you want,
3. if it's not, but contains a login form
4. submit username password against form url

FormAuthenticator creates the saved request at step 1.

p

> Thanks!!!

From: Pid p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Mon, June 21, 2010 5:30:00 PM
Subject: Re: HTTP Status 408!

On 21/06/2010 15:20, neo21 zerro wrote:
> Hello,
> Problem finally solved :) Pid was right, my encoding was not ok and a Cookie was not passed over with the post of the login page :) I needed to explicitly create a servlet and in that servlet add to the response object the JSESSIONID as a Cookie :)
> I have another question: can I login from another application programmatically to my app that runs on Tomcat with custom JAAS login module?

If the other app knows how to perform whatever custom JAAS login you've built, then I don't see why not.

p

From: Martin Gainty mgai...@hotmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Fri, June 11, 2010 11:16:09 PM
Subject: RE: HTTP Status 408!

can you post all of the code (including the html that houses the flex components), display the full stacktrace and display environmental variables from SET

Martin
__
standard caveats apply

Date: Fri, 11 Jun 2010 12:32:44 -0700
From: neo21_ze...@yahoo.com
Subject: Re: HTTP Status 408!
To: users@tomcat.apache.org
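The four steps Pid lists in the exchange quoted above (request the protected resource, recognise the login form, post the credentials to the form URL in the same session), as an added Java example that is not part of the thread. The embedded server is a constructed stand-in rather than Tomcat: its paths, credentials and the 408 it returns when the login POST arrives without the session cookie are assumptions made for the demonstration, and Java 9 or later is assumed.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class FormLoginClient {
    // Constructed stand-in for a FORM-protected web app (hypothetical, not Tomcat code).
    static final Map<String, String> savedRequests = new ConcurrentHashMap<>(); // session id -> saved URL
    static final Set<String> authenticated = ConcurrentHashMap.newKeySet();

    static void serve(HttpExchange ex) throws IOException {
        String cookie = ex.getRequestHeaders().getFirst("Cookie");
        String sid = cookie != null && cookie.startsWith("JSESSIONID=") ? cookie.substring(11) : null;
        String path = ex.getRequestURI().getPath();
        if (path.endsWith("/j_security_check")) {
            String form = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            if (sid == null || !savedRequests.containsKey(sid)) {
                reply(ex, 408, "");            // assumption: no session means no saved request
            } else if (!form.equals("j_username=alice&j_password=example-only")) {
                reply(ex, 403, "login failed");
            } else {
                authenticated.add(sid);
                ex.getResponseHeaders().add("Location", savedRequests.get(sid));
                reply(ex, 302, "");            // send the client back to the saved request
            }
        } else if (sid != null && authenticated.contains(sid)) {
            reply(ex, 200, "protected content of " + path);
        } else {
            sid = UUID.randomUUID().toString();
            savedRequests.put(sid, path);      // the request is saved at step 1
            ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=" + sid + "; Path=/app");
            reply(ex, 200, "<form method=\"POST\" action=\"j_security_check\">...</form>");
        }
    }

    static void reply(HttpExchange ex, int status, String body) throws IOException {
        byte[] b = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, b.length == 0 ? -1 : b.length);
        if (b.length > 0) ex.getResponseBody().write(b);
        ex.close();
    }

    /** The client side: returns the body of the protected resource, logging in if required. */
    static String fetch(String base, String resource, String user, String password,
                        boolean keepSession) throws IOException {
        HttpURLConnection first = open(base + resource, null);            // step 1
        String body = text(first);
        if (!body.contains("j_security_check")) return body;              // steps 2 and 3
        String setCookie = first.getHeaderField("Set-Cookie");
        String session = setCookie == null ? null : setCookie.split(";", 2)[0];
        // Step 4: post to the form's action URL, carrying the session cookie from step 1.
        HttpURLConnection login = open(base + "/app/j_security_check", keepSession ? session : null);
        login.setRequestMethod("POST");
        login.setDoOutput(true);
        login.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String form = "j_username=" + URLEncoder.encode(user, "UTF-8")
                + "&j_password=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream out = login.getOutputStream()) { out.write(form.getBytes(StandardCharsets.UTF_8)); }
        if (login.getResponseCode() != 302) throw new IOException("login POST returned HTTP " + login.getResponseCode());
        return text(open(base + login.getHeaderField("Location"), session));
    }

    static HttpURLConnection open(String url, String cookie) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setInstanceFollowRedirects(false);   // handle the redirect ourselves so the cookie is sent
        if (cookie != null) c.setRequestProperty("Cookie", cookie);
        return c;
    }

    static String text(HttpURLConnection c) throws IOException {
        return new String(c.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/app", FormLoginClient::serve);
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        try {
            System.out.println(fetch(base, "/app/resource", "alice", "example-only", true));
            fetch(base, "/app/resource", "alice", "example-only", false); // same flow, cookie dropped
        } catch (IOException e) {
            System.out.println("without the session cookie: " + e.getMessage());
        } finally {
            server.stop(0);
        }
    }
}
```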
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:

=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0

I don't know what I'm doing wrong here. Again, any help is appreciated.

Thanks.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 7:11 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 22/06/2010 13:05, Marc Boorshtein wrote:
> I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication="false" to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat.

p

> Marc
Re: HTTP Status 408!
On 22/06/2010 13:25, neo21 zerro wrote:
> Can you provide a hint on how to perform automatic login using BASIC authentication?

Did you look at the link I sent?

> Or can I somehow modify the class FormAuthenticator? and tell Tomcat to use my custom class

FormAuthenticator is a Valve, it is automatically added to the Valve pipeline for each Context it's used with. Look at the source for FormAuthenticator.

You can manually define your own Authenticator implementation, in META-INF/context.xml.

    <?xml version="1.0" encoding="UTF-8"?>
    <Context ... reloadable="true">
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <Valve className="my.package.MyAuthenticator" />
    </Context>

N.B. Use your own Authenticator and you'll have to make sure every Tomcat upgrade is thoroughly checked for changes to the related classes.

Tomcat 7.0 will have programmatic login as it implements Servlet 3.0, so you might only need to do this as a temporary measure.

p
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 13:36, Savoy, Melinda wrote:
> Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:
>
> === MimeHeaders ===
> accept = */*
> accept-language = en-us
> connection = Keep-Alive
> host = localhost
> user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
> cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
> authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP

The authorization should be base64, (if memory serves), you could decode it and see what it's passing. Tomcat has some base64 code which you can probably find and use to decode it.

(At least until someone who knows more about ISAPI turns up.)

p

> accept-encoding = gzip, deflate
> content-length = 0
>
> I don't know what I'm doing wrong here. Again, any help is appreciated. Thanks.
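What decoding the header as Pid suggests shows, as an added Java example that is not part of the thread: the value after "NTLM " is a base64-encoded NTLMSSP message, and only a Type 3 message carries the domain, user and workstation names. The Type 3 sample is constructed with made-up names because the value posted in the thread decodes to only 30 bytes, too short for a complete message; java.util.Base64 (Java 8 or later), a 64-byte fixed Type 3 header and ISO-8859-1 for non-Unicode strings are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class NtlmHeaderDump {

    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    private static final int NEGOTIATE_UNICODE = 0x00000001;
    // Assumption: the Type 3 message includes the session-key and flags fields (64 fixed bytes).
    private static final int TYPE3_FIXED_LENGTH = 64;

    /** Describes the NTLMSSP message in an Authorization value; throws IllegalArgumentException if malformed. */
    public static String describe(String headerValue) {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "NTLM ", 0, 5)) {
            throw new IllegalArgumentException("not an NTLM Authorization value");
        }
        byte[] msg = Base64.getDecoder().decode(headerValue.substring(5).trim());
        if (msg.length < 12 || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE)) {
            throw new IllegalArgumentException("no NTLMSSP signature");
        }
        ByteBuffer buf = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        int type = buf.getInt(8);
        switch (type) {
            case 1: return "type 1 (negotiate): carries no user name";
            case 2: return "type 2 (challenge): carries no user name";
            case 3: break;
            default: throw new IllegalArgumentException(
                    "unexpected message type " + type + " in a " + msg.length + "-byte message");
        }
        if (msg.length < TYPE3_FIXED_LENGTH) {
            throw new IllegalArgumentException("truncated type 3 message");
        }
        int flags = buf.getInt(60);
        Charset cs = (flags & NEGOTIATE_UNICODE) != 0 ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1;
        return "type 3 (authenticate): domain=" + field(buf, 28, cs)
                + " user=" + field(buf, 36, cs) + " workstation=" + field(buf, 44, cs);
    }

    /** Reads one length/maxLength/offset descriptor and returns the string it points to. */
    private static String field(ByteBuffer buf, int at, Charset cs) {
        int len = buf.getShort(at) & 0xFFFF;
        int off = buf.getInt(at + 4);
        if (off < 0 || (long) off + len > buf.capacity()) {
            throw new IllegalArgumentException("field at offset " + at + " points outside the message");
        }
        return new String(buf.array(), off, len, cs);
    }

    /** Builds a constructed type 3 message (empty responses, made-up names) for the demonstration. */
    static String sampleType3(String domain, String user, String workstation) {
        byte[][] parts = {
            new byte[0], new byte[0],                       // LM and NT responses left empty
            domain.getBytes(StandardCharsets.UTF_16LE),
            user.getBytes(StandardCharsets.UTF_16LE),
            workstation.getBytes(StandardCharsets.UTF_16LE),
            new byte[0]                                     // session key left empty
        };
        int total = TYPE3_FIXED_LENGTH;
        for (byte[] p : parts) total += p.length;
        ByteBuffer b = ByteBuffer.allocate(total).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIGNATURE).putInt(3);
        int off = TYPE3_FIXED_LENGTH;
        for (byte[] p : parts) {
            b.putShort((short) p.length).putShort((short) p.length).putInt(off);
            off += p.length;
        }
        b.putInt(NEGOTIATE_UNICODE);
        for (byte[] p : parts) b.put(p);
        return "NTLM " + Base64.getEncoder().encodeToString(b.array());
    }

    public static void main(String[] args) {
        System.out.println(describe(sampleType3("EXAMPLE", "jdoe", "WKSTN01")));
        try {
            // The value as it was posted in the thread.
            System.out.println(describe("NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP"));
        } catch (IllegalArgumentException e) {
            System.out.println("value from the thread rejected: " + e.getMessage());
        }
    }
}
```

The names in a Type 3 message are supplied by the client and prove nothing on their own; only the server that issued the challenge (IIS in this thread) can verify the response. Use the decoded output for troubleshooting and keep taking the identity from getRemoteUser().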
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 13:36, Savoy, Melinda wrote:
> Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:
>
> === MimeHeaders ===
> accept = */*
> accept-language = en-us
> connection = Keep-Alive
> host = localhost
> user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
> cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
> authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
> accept-encoding = gzip, deflate
> content-length = 0
>
> I don't know what I'm doing wrong here. Again, any help is appreciated.

What do you have defined in web.xml for security-config etc?

p

> Thanks.
RE: Still having problem retrieving user value from ISAPI Filter for authentication
We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method.

I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Rainer was able to get to it as he stated awhile back.

Thanks again.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 7:53 AM
To: 'Tomcat Users List'
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 22/06/2010 13:36, Savoy, Melinda wrote:
> Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:
>
> === MimeHeaders ===
> accept = */*
> accept-language = en-us
> connection = Keep-Alive
> host = localhost
> user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
> cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
> authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
> accept-encoding = gzip, deflate
> content-length = 0
>
> I don't know what I'm doing wrong here. Again, any help is appreciated.

What do you have defined in web.xml for security-config etc?

p

> Thanks.
Re: HTTP Status 408!
Thanks Pid for your time and answers. Clearly that is not an option for me... I'll wait for Tomcat 7 then :)

Thanks!

From: Pid p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Tue, June 22, 2010 3:41:02 PM
Subject: Re: HTTP Status 408!

On 22/06/2010 13:25, neo21 zerro wrote:
> Can you provide a hint on how to perform automatic login using BASIC authentication?

Did you look at the link I sent?

> Or can I somehow modify the class FormAuthenticator? and tell Tomcat to use my custom class

FormAuthenticator is a Valve, it is automatically added to the Valve pipeline for each Context it's used with. Look at the source for FormAuthenticator.

You can manually define your own Authenticator implementation, in META-INF/context.xml.

    <?xml version="1.0" encoding="UTF-8"?>
    <Context ... reloadable="true">
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <Valve className="my.package.MyAuthenticator" />
    </Context>

N.B. Use your own Authenticator and you'll have to make sure every Tomcat upgrade is thoroughly checked for changes to the related classes.

Tomcat 7.0 will have programmatic login as it implements Servlet 3.0, so you might only need to do this as a temporary measure.

p
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Question. I never set up a custom Tomcat REALM and wondered if that is required by this ISAPI filter, as another user at JavaRanch explained the following to me:

"You'd have to provide the user principals and roles via a Tomcat Realm in order for getRemoteUser to work. Filters, IIS authenticators - none of them set up the J2EE security context of which getUserPrincipal and getRemoteUser are parts."

How do I do that for this ISAPI filter setup if that is indeed true?

Thanks.

-----Original Message-----
From: Savoy, Melinda
Sent: Tuesday, June 22, 2010 7:59 AM
To: 'Tomcat Users List'; 'p...@pidster.com'
Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication

We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method.

I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Rainer was able to get to it as he stated awhile back.

Thanks again.
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 14:16, Savoy, Melinda wrote:
> Thanks Marc. I actually have that setting in my server.xml file as well.
>
> Actually I did follow your post last week thinking that would help me, but the ISAPI filter is working properly as indicated in my log and IIS has authenticated the info; otherwise, at least it is my understanding and my experience for the last month in trying to get the ISAPI config and IIS set up properly, the request info in the isapi log would NOT be populated at all.
>
> But now that it is, it appears that I cannot get to the request info by using the getRemoteUser() method, which I understood from Rainer and Andre that I could use to get the user value that I need to complete authentication in my code.
>
> It just seems that the ISAPI filter is NOT working properly.
>
> Andre or Rainer, if you guys are out there, your response would be appreciated.

I thought you already managed to have a situation, where getRemoteUser() returned something meaningful. So what's the difference to the situation now?

Regards,

Rainer
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 13:59, Savoy, Melinda wrote: We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method. I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Ranier was able to get to it as he stated awhile back. If there's no auth defined in web.xml then Tomcat isn't going to do anything - AFAIK the auth valves don't trigger unless the config puts them in the pipeline. If your auth is performed by a custom filter, that is currently commented out, then you're not going to get very far there either. Do you know exactly what the filter does? Does it decode the header itself and wrap the request/response objects? p Thanks again. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:53 AM To: 'Tomcat Users List' Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:36, Savoy, Melinda wrote: Thanks Pid, I did do that as well, but I did not see the user value there either. 
Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:

=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
authorization = NTLM TlRMTVNTUAADAEgASABIAEgASA BIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0

I don't know what I'm doing wrong here. Again, any help is appreciated. What do you have defined in web.xml for security-config etc? p Thanks. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:11 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:05, Marc Boorshtein wrote: I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic. Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat. p Marc The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law.
If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system.
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Actually, what I finally got working was getting IIS to talk to Tomcat and therefore seeing the request get to the ISAPI filter which after working with a MS IIS engineer 2 weeks ago I was able to get up and running. I have not to date been able to get the getRemoteUser() to extract the user value info that ISAPI shows in its log. That is the issue. In the previous posts this morning I showed what the getHeaderNames() provided but it has an encrypted NTLM value. I thought I could get at the user value that ISAPI show by executing the getRemoteUser() but I'm still getting a NULL value. Pid suggested using a Base64Decoder but I thought the ISAPI filter would provide that for me. Thanks. -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Tuesday, June 22, 2010 8:16 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22.06.2010 14:16, Savoy, Melinda wrote: Thanks Marc. I actually have that setting in my server.xml file as well. Actually I did follow your post last week thinking that would help me but the ISAPI filter is working properly as indicated in my log and IIS has authenticated the info otherwise, at least it is my understanding and my experience for the last month in trying to get the ISAPI config and IIS setup properly, that the request info in the isapi log would NOT be populated at all. But now that it is, it appears that I cannot get to the request info by using the getRemoteUser() method which I understood from Ranier and Andre that I could use to get the user value that I need to complete authentication in my code. It just seems that the ISAPI filter is NOT working properly. Andre or Ranier, if you guys are out there, your response would be appreciated. I thought you already managed to have a situation, where getRemoteUser() returned something meaningful. So what's the difference to the situation now? 
RE: Tomcat 6 64 bits, Java 6 64 bits and -Djava.library.path
From: Andrew Bruno [mailto:andrew.br...@gmail.com] Subject: Re: Tomcat 6 64 bits, Java 6 64 bits and -Djava.library.path Everything can be set up via service.bat You should modify this file only. I'd strongly recommend using the tomcat6w.exe program to set any necessary options and system properties, rather than modifying the script. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 14:10, Savoy, Melinda wrote: Question. I never set up a custom Tomcat REALM and wondered if that is required by this ISAPI filter as another user at JavaRanch explained the following to me: You'd have to provide the user principals and roles via a Tomcat Realm in order for getRemoteUser to work. Filters, IIS authenticators - none of them set up the J2EE security context of which getUserPrincipal and getRemoteUser are parts. Your filter might. I don't know how it works or what it does though. Do you? p How do I do that for this ISAPI filter setup if that is indeed true? Thanks. -Original Message- From: Savoy, Melinda Sent: Tuesday, June 22, 2010 7:59 AM To: 'Tomcat Users List'; 'p...@pidster.com' Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method. I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Ranier was able to get to it as he stated awhile back. Thanks again. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:53 AM To: 'Tomcat Users List' Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:36, Savoy, Melinda wrote: Thanks Pid, I did do that as well, but I did not see the user value there either.
RE: Still having problem retrieving user value from ISAPI Filter for authentication
We had been working with JCIFS and chose the Tomcat Connector for IIS because we're primarily a MS shop and already had IIS in place here. The team lead who had written this custom code is no longer with the company and I've had to try and figure out what all he did and then try to implement this Tomcat connector. I've been able to talk to this former team lead and he basically told me the following on the filter: The filter basically takes the request/response and does create an auth value using the Base64Decoder and Base64Encoder from Sun and we populate a User object that is then used throughout the session for authentication purposes within the application as well as initially getting to the index.jsp page. I was testing, by commenting out the filter in my web.xml, to see if I could just get to a vanilla index.jsp page that only contained: <%=getRemoteUser()%> so that I could make certain that I could get that value which I understood I should be able to without setting up REALMs or auth in the config. But after getting IIS to talk to Tomcat last week I've been trying to get this to work and to no avail as of today and therefore the reason for my post this morning. I understood that the ISAPI filter provided the decrypted info that JCIFS had un decrypting and that is why we chose this route. But it seems like it is a lot more involved than what I read about and what I've understood from others on this list - which is fine but it was not as simple as I understood or misunderstood as the case may be. Sorry I cannot be more specific. Hope this helps.
Unable to send message through cluster sender
I'm currently running three 6.0.26 tomcat instances on multiple servers to establish a redundant, HA Tomcat cluster. Every second in each of the Tomcat instances the following error message is logged:

org.apache.catalina.ha.tcp.SimpleTcpCluster send
SEVERE: Unable to send message through cluster sender.
org.apache.catalina.tribes.ChannelException: Sender not connected.; No faulty members identified.
    at org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:45)
    at org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:81)
    at org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:78)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor.sendMessage(ThroughputInterceptor.java:61)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:73)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:87)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:216)
    at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:175)
    at org.apache.catalina.ha.tcp.SimpleTcpCluster.send(SimpleTcpCluster.java:818)
    at org.apache.catalina.ha.tcp.SimpleTcpCluster.sendClusterDomain(SimpleTcpCluster.java:796)
    at org.apache.catalina.ha.session.DeltaManager.send(DeltaManager.java:586)
    at org.apache.catalina.ha.session.DeltaManager.sessionExpired(DeltaManager.java:1248)
    at org.apache.catalina.ha.session.DeltaSession.expire(DeltaSession.java:425)
    at org.apache.catalina.ha.session.DeltaSession.expire(DeltaSession.java:394)
    at org.apache.catalina.ha.session.DeltaSession.isValid(DeltaSession.java:358)
    at org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:698)
    at org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:683)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1316)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1601)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1610)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1610)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1590)
    at java.lang.Thread.run(Unknown Source)

Below is my Cluster configuration. It is the same on each server, however the ports have been changed per instance on the same server.

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="6">
  <Manager className="org.apache.catalina.ha.session.DeltaManager" expireSessionsOnShutdown="false" notifyListenersOnReplication="true"/>
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Membership className="org.apache.catalina.tribes.membership.McastService" address="228.0.0.5" port="45564" frequency="500" dropTime="3"/>
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver" address="localhost" port="5001" selectorTimeout="5000" maxThreads="6"/>
    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender" timeout="6"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
  </Channel>
  <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve" />
  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>

I have searched Google and read the Tomcat documentation and have made slight changes to the configuration however the results have either been worse or not effective. For
Writing errors to localhost log
Hi, I'm using Tomcat 6.0.26. I notice that when I define an error page for my JSPs <%@ page errorPage="/error-pages/500.jsp" %> The error page gets called properly, but the stack trace of the error is no longer written to my localhost log file, where it used to be output before I inserted the directive. Do you know how I can continue to have the stack trace show up in this file and continue to define an error page for my JSP? Thanks, - Dave -- View this message in context: http://old.nabble.com/Writing-errors-to-localhost-log-tp28960361p28960361.html Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 14:45, Savoy, Melinda wrote: We had been working with JCIFS and chose the Tomcat Connector for IIS because we're primarily a MS shop and already had IIS in place here. The team lead who had written this custom code is no longer with the company and I've had to try and figure out what all he did and then try to implement this Tomcat connector. I've been able to talk to this former team lead and he basically told me the following on the filter: The filter basically takes the request/response and does create an auth value using the Base64Decoder and Base64Encoder from Sun and we populate a User object that is then used throughout the session for authentication purposes within the application as well as initially getting to the index.jsp page. I was testing, by commenting out the filter in my web.xml, to see if I could just get to a vanilla index.jsp page that only contained: %=getRemoteUser()% so that I could make certain that I could get that value which I understood I should be able to without setting up REALM's or auth in the config. But after getting IIS to talk to Tomcat last week I've been trying to get this to work and to no avail as of today and therefore the reason for my post this morning. I understood that the ISAPI filter provided the decrypted info that JCIFS had un decrypting and that is why we chose this route. But it seems like it is a lot more involved that what I read about and what I've understood from others on this list - which is fine but it was not as simple as I understood or misunderstood as the case may be. Sorry I cannot be more specific. Hope this helps. So I'm reading this to mean that the Filter you have commented out is doing the work required to parse the auth header set the relevant object values. 
One of the things a Servlet Filter can do is wrap the current request/response objects (see Servlet HttpServletRequestWrapper, HttpServletResponseWrapper interfaces), the wrappers provide methods which override certain request/response methods providing alternative return values. So your custom filter could be decoding the header and overriding the getRemoteUser and getUserPrincipal methods; your app accesses the methods and gets values that are not supplied by Tomcat auth/realm support. (Meaning the JavaRanch advice isn't applicable). So you need to look inside the execute(req, res) method you mentioned earlier to find out what it does, and re-enable the filter. p -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:13 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:59, Savoy, Melinda wrote: We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method. I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Ranier was able to get to it as he stated awhile back. If there's no auth defined in web.xml then Tomcat isn't going to do anything - AFAIK the auth valves don't trigger unless the config puts them in the pipeline. If your auth is performed by a custom filter, that is currently commented out, then you're not going to get very far there either. Do you know exactly what the filter does? Does it decode the header itself and wrap the request/response objects? p Thanks again. 
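Added example (not code from this thread or from the poster's application): a servlet filter of the kind described in the reply above, which Base64-decodes an NTLM Type 3 Authorization value and wraps the request so that getRemoteUser() and getUserPrincipal() return the name it carries. The class name NtlmRemoteUserFilter is hypothetical, java.util.Base64 (Java 8+) stands in for the Sun Base64Decoder mentioned in the thread, and the servlet API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical filter (added example). The NTLM header value is Base64-encoded,
 * not encrypted: the user name can be read from it, but it is only what the
 * client claims. This filter does not verify the NTLM response, so it is only
 * suitable where the front end (IIS in this thread) has already completed the
 * handshake and Tomcat accepts connections from that front end alone.
 */
public class NtlmRemoteUserFilter implements Filter {

    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    private static final int HEADER_LEN = 64;      // assumes the header form that includes a flags field
    private static final int FLAG_UNICODE = 0x1;   // NTLMSSP_NEGOTIATE_UNICODE

    /** Returns DOMAIN\\user from a Base64 NTLM Type 3 message, or null if it is anything else. */
    static String userFromType3(String base64) {
        byte[] m;
        try {
            m = Base64.getDecoder().decode(base64.trim());
        } catch (IllegalArgumentException e) {
            return null;                            // not valid Base64 (e.g. a truncated value)
        }
        if (m.length < HEADER_LEN) return null;
        for (int i = 0; i < SIGNATURE.length; i++) {
            if (m[i] != SIGNATURE[i]) return null;
        }
        if (le32(m, 8) != 3) return null;           // only the Type 3 message names the user
        boolean unicode = (le32(m, 60) & FLAG_UNICODE) != 0;
        String domain = field(m, 28, unicode);      // security buffer: domain name
        String user = field(m, 36, unicode);        // security buffer: user name
        if (user == null || user.isEmpty()) return null;
        return (domain == null || domain.isEmpty()) ? user : domain + "\\" + user;
    }

    private static int le16(byte[] b, int o) { return (b[o] & 0xff) | (b[o + 1] & 0xff) << 8; }

    private static int le32(byte[] b, int o) { return le16(b, o) | le16(b, o + 2) << 16; }

    /** Reads one security buffer (2-byte length, 2-byte allocated size, 4-byte offset) with bounds checks. */
    private static String field(byte[] m, int descriptor, boolean unicode) {
        int len = le16(m, descriptor);
        int off = le32(m, descriptor + 4);
        if (off < 0 || len > m.length - off) return null;   // points outside the message
        // OEM-encoded names are approximated as ASCII here.
        return new String(m, off, len, unicode ? StandardCharsets.UTF_16LE : StandardCharsets.US_ASCII);
    }

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String auth = http.getHeader("Authorization");
        String user = null;
        if (auth != null && auth.regionMatches(true, 0, "NTLM ", 0, 5)) {
            user = userFromType3(auth.substring(5));
        }
        if (user == null) {                         // nothing usable: getRemoteUser() stays null
            chain.doFilter(req, res);
            return;
        }
        final String name = user;
        final Principal principal = new Principal() {
            public String getName() { return name; }
        };
        // The wrapper overrides only the two identity methods; everything else is delegated.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return name; }
            @Override public Principal getUserPrincipal() { return principal; }
        }, res);
    }
}
```

With this filter mapped in web.xml, a test JSP that prints request.getRemoteUser() shows the wrapped value even though no Tomcat realm or auth-constraint is configured.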
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Thanks Pid. That is what I'm working on right now. I am in the middle of the Decoder part of the code again. My apologies to this list as I understood I could get that directly from the ISAPI filter as it would decrypt it for me, which it does per the ISAPI log, and then pass it on to me via the HttpServletRequest getRemoteUser() which it does not do. Thanks again, Pid. Your help is much appreciated. Regards. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 9:06 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 14:45, Savoy, Melinda wrote: We had been working with JCIFS and chose the Tomcat Connector for IIS because we're primarily a MS shop and already had IIS in place here. The team lead who had written this custom code is no longer with the company and I've had to try and figure out what all he did and then try to implement this Tomcat connector. I've been able to talk to this former team lead and he basically told me the following on the filter: The filter basically takes the request/response and does create an auth value using the Base64Decoder and Base64Encoder from Sun and we populate a User object that is then used throughout the session for authentication purposes within the application as well as initially getting to the index.jsp page. I was testing, by commenting out the filter in my web.xml, to see if I could just get to a vanilla index.jsp page that only contained: %=getRemoteUser()% so that I could make certain that I could get that value which I understood I should be able to without setting up REALM's or auth in the config. But after getting IIS to talk to Tomcat last week I've been trying to get this to work and to no avail as of today and therefore the reason for my post this morning. I understood that the ISAPI filter provided the decrypted info that JCIFS had un decrypting and that is why we chose this route. 
RE: Still having problem retrieving user value from ISAPI Filter for authentication
From: melindasa...@texashealth.org
To: users@tomcat.apache.org; p...@pidster.com
Date: Tue, 22 Jun 2010 08:45:18 -0500
Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication

We had been working with JCIFS and chose the Tomcat Connector for IIS because we're primarily a MS shop and already had IIS in place here. The team lead who had written this custom code is no longer with the company

MG read this
MG http://washingtontechnology.com/Articles/2009/06/08/Insights-Soloway.aspx?Page=1

snip /snip

Sorry I cannot be more specific. Hope this helps.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 8:13 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 22/06/2010 13:59, Savoy, Melinda wrote:

We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method. I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Rainer was able to get to it as he stated awhile back.

If there's no auth defined in web.xml then Tomcat isn't going to do anything - AFAIK the auth valves don't trigger unless the config puts them in the pipeline. If your auth is performed by a custom filter, that is currently commented out, then you're not going to get very far there either. Do you know exactly what the filter does? Does it decode the header itself and wrap the request/response objects?

p

Thanks again.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 7:53 AM
To: 'Tomcat Users List'
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 22/06/2010 13:36, Savoy, Melinda wrote:

Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:

=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
authorization = NTLM TlRMTVNTUAADAEgASABIAEgAS A BIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0

I don't know what I'm doing wrong here. Again, any help is appreciated.

What do you have defined in web.xml for security-config etc?

p

Thanks.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 7:11 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 22/06/2010 13:05, Marc Boorshtein wrote:

I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat.
p Marc
RE: question for sso session replication in tomcat 6.0.26
Hi Andrew

In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml

The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out.

Thanks for your help, yasushi

I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]
OS : Redhat Linux 64bit RHEL v5.5
JDK : 1.6.0.20

=== I created virtual host on port 9050 ==

Httpd.conf

<VirtualHost 10.250.200.57:9050>
    ServerAdmin xyz
    ServerName webclust1.xyz.com
    ServerAlias webclust1
    ErrorLog logs/webclust_cluster_error.log
    CustomLog logs/webclust-cluster-access_log common

    <Location /balancer-manager>
        SetHandler balancer-manager
        Order Deny,Allow
        Deny from all
        Allow from all
    </Location>

    ProxyRequests off

    <Proxy balancer://webclust>
        BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
        BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
        BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
        Order Deny,Allow
        Allow from all
    </Proxy>

    #Do not proxy balancer-manager
    ProxyPass /balancer-manager !

    <Location /examples>
        ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
        ProxyPassReverse balancer://webclust/examples
        Order Deny,Allow
        Allow from all
    </Location>

    <Location />
        ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
        ProxyPassReverse balancer://webclust/
        Order Deny,Allow
        Allow from all
    </Location>
</VirtualHost>

=== server.xml ===

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />

<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">

    <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="4">
      <Manager className="org.apache.catalina.ha.session.DeltaManager" name="node2"
               expireSessionsOnShutdown="false" notifyListenersOnReplication="true"/>
      <Channel className="org.apache.catalina.tribes.group.GroupChannel">
        <Membership className="org.apache.catalina.tribes.membership.McastService"
                    address="228.0.0.5" port="45564" frequency="500" dropTime="3000"/>
        <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                  address="auto" port="4020" autoBind="100" selectorTimeout="5000" maxThreads="12"/>
        <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
          <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
        </Sender>
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
      </Channel>
      <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
             filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
      <!-- only with jk_mod failover-->
      <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"
             enabled="true" sessionIdAttribute="takeoverSessionid" />
      <!--
      <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
                tempDir="/tmp/war-temp/"
                deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps"
                watchDir="/tmp/war-listen/" watchEnabled="true"/>
      -->
      <!-- only with jk_mod and jvmroutebindervalve-->
      <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
      <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
    </Cluster>

    <Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" />
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="webappqa_node2_access_log." suffix=".log" pattern="common" resolveHosts="false"/>
  </Host>
</Engine>

-----Original Message-----
From: Andrew Bruno [mailto:andrew.br...@gmail.com]
Sent: Monday, June 21, 2010 10:09 PM
To: Tomcat Users List
Subject: Re: question for sso session replication in
Re: question for sso session replication in tomcat 6.0.26
On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote:
> Hi Andrew
>
> In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml
>
> The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out.
>
> Thanks for your help, yasushi
>
> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]

mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD.

p

> OS : Redhat Linux 64bit RHEL v5.5
> JDK : 1.6.0.20
RE: question for sso session replication in tomcat 6.0.26
Sorry I should clarify few things: In case of no failover, SSO works for all web applications on the same node, not host. Then, session replication upon failover works for non-password protected area only.

-----Original Message-----
From: Okubo, Yasushi (TSD) [mailto:yasushi.ok...@takedasd.com]
Sent: Tuesday, June 22, 2010 7:57 AM
To: Tomcat Users List
Subject: RE: question for sso session replication in tomcat 6.0.26

Hi Andrew

In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml

The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out.

Thanks for your help, yasushi

I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]
OS : Redhat Linux 64bit RHEL v5.5
JDK : 1.6.0.20
placing content and application on a microsoft DFS solution
Has anyone ever placed an application and its content on a redundant DFS solution? So as when one DFS server fails, another takes over. Does anyone see possible problems with this setup? ie. when dfs server fails does tomcat lose connection to the app or is the failover fast enough.

regards
Milko Emmerig
RE: question for sso session replication in tomcat 6.0.26
Ok I will try to install the latest apache httpd and test again.

Thanks, yasushi

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 8:04 AM
To: Tomcat Users List
Subject: Re: question for sso session replication in tomcat 6.0.26

On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote:

Hi Andrew

In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml

The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out.

Thanks for your help, yasushi

I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]

mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD.

p

OS : Redhat Linux 64bit RHEL v5.5
JDK : 1.6.0.20
Re: Jailrootting
2010/6/18 Mikolaj Rydzewski m...@ceti.pl:
Luca Gervasi wrote:
i can read my /etc/passwd from a malicious jsp. Where can i find infos on limiting filesystem access / visibility ?

1st thing to do: run tomcat as user tomcat (or whatever username u like) with limited rights - that should at least fix the possibility to cat /etc/passwd

cheers gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/
skype:rc46fi
testing
http://moshah-linux.corp.walmart.com/ip/2668255 test
Does GC Really Matter (Is This Situation)?
This is a similar question to one already being discussed in the list with the subject Setting the Right Amount of Memory. We have 160 instances of tomcat on the same server, with most instances configured to use 64-96MB of RAM. We carefully watch the logs for OOMEs. If we see any, we increase the RAM allocation for that instance by 32MB, which is enough to make the OOMEs go away. Some people say this approach will lead to increased CPU utilization from frequent GC; however, our server runs 90% idle all day long so CPU is evidently not being driven up by much, if any. Given the circumstances, is there anything to be gained from increasing the heap size? Our software vendor wants us to increase each tomcat instance to 512MB, just as a matter of policy, but I don't see a good technical reason to do that. Am I missing something?

-- Eric Robinson
RE: Does GC Really Matter (Is This Situation)?
From: Robinson, Eric [mailto:eric.robin...@psmnv.com]
Subject: Does GC Really Matter (Is This Situation)?

> Some people say this approach will lead to increased CPU utilization from frequent GC

If you're referring to what I said, note the numerous caveats I included. Only if you happened to be right on the borderline of the minimum heap size would CPU usage be excessive, and all evidence indicates that none of your 160 instances are.

> Given the circumstances, is there anything to be gained from increasing the heap size?

No. Just continue to monitor the CPU and heap usage (as it looks like you have been doing), especially if you have an increase in overall workload.

- Chuck
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 16:18, Savoy, Melinda wrote:
> Thanks Pid. That is what I'm working on right now. I am in the middle of the Decoder part of the code again. My apologies to this list as I understood I could get that directly from the ISAPI filter as it would decrypt it for me, which it does per the ISAPI log, and then pass it on to me via the HttpServletRequest getRemoteUser() which it does not do.

It does, but I expect something in your application stack to overwrite or delete it again. If you want to find out what happens, you need to get into a more simple test situation, like deploying a trivial app (e.g. the default Tomcat ROOT context), and simply add a JSP or servlet there that shows you the request.getRemoteUser(). I expect that to work. Then the question why it doesn't work in your app is up to your application and framework code.

Regards, Rainer
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Hi, Melinda-

As Pid suggested, the first part of that string after NTLM in the authorization header decodes in base64 to 'NTLMSSP'.

-Terence Bandoian

Savoy, Melinda wrote:

Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:

=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0

I don't know what I'm doing wrong here. Again, any help is appreciated.

Thanks.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 7:11 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 22/06/2010 13:05, Marc Boorshtein wrote:

I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat.

p

Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Question. As my code is currently blowing up when I setup the Base64Decoder in my constructor I'm getting an error immediately, at any rate I'm working thru that, but will this DECODE method show me the USERID that I'm looking for? That is what I'm needing.

Thank you.

-----Original Message-----
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Tuesday, June 22, 2010 12:40 PM
To: Tomcat Users List
Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication

Hi, Melinda-

As Pid suggested, the first part of that string after NTLM in the authorization header decodes in base64 to 'NTLMSSP'.

-Terence Bandoian

Savoy, Melinda wrote:

Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:

=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0

I don't know what I'm doing wrong here. Again, any help is appreciated.

Thanks.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 7:11 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 22/06/2010 13:05, Marc Boorshtein wrote:

I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat.

p

Marc
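What decoding the `authorization` header discussed in this thread can yield, as an added example that is not code from the thread or from Tomcat: a parser for the NTLM Type 3 (AUTHENTICATE) message, the message type whose payload carries the domain, user and workstation names. The class name and the sample message (EXAMPLE\jdoe on WS01, with empty responses) are constructed for illustration; the decoded names are only what the client claims, so they are suitable for diagnosis and are not an authenticated identity unless the NT response is validated as well.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Added example: reads the identity fields a client claims in an NTLM Type 3 message. */
public class NtlmType3Inspector {

    private static final byte[] SIGNATURE = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    private static final int HEADER_LEN = 64;          // fixed fields up to and including NegotiateFlags
    private static final int NEGOTIATE_UNICODE = 0x1;  // strings are UTF-16LE when this flag is set

    /** Values asserted by the client; nothing here has been cryptographically checked. */
    public static final class Claimed {
        public final String domain, user, workstation;

        Claimed(String domain, String user, String workstation) {
            this.domain = domain;
            this.user = user;
            this.workstation = workstation;
        }
    }

    public static Claimed parse(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "NTLM ", 0, 5)) {
            throw new IllegalArgumentException("not an NTLM Authorization header");
        }
        // Base64.Decoder.decode throws IllegalArgumentException on malformed input.
        byte[] msg = Base64.getDecoder().decode(authorization.substring(5).trim());
        if (msg.length < HEADER_LEN || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE)) {
            throw new IllegalArgumentException("missing NTLMSSP signature or truncated message");
        }
        ByteBuffer buf = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        int type = buf.getInt(8);
        if (type != 3) {
            // Type 1 (NEGOTIATE) and Type 2 (CHALLENGE) carry no user name.
            throw new IllegalArgumentException("message type " + type + ", expected 3");
        }
        Charset cs = (buf.getInt(60) & NEGOTIATE_UNICODE) != 0
                ? StandardCharsets.UTF_16LE
                : StandardCharsets.ISO_8859_1; // assumption: stand-in for the client's OEM code page
        return new Claimed(field(buf, 28, cs), field(buf, 36, cs), field(buf, 44, cs));
    }

    /** Reads one {length, maxLength, offset} descriptor and the payload bytes it points to. */
    private static String field(ByteBuffer buf, int at, Charset cs) {
        int len = buf.getShort(at) & 0xFFFF;
        if (len == 0) {
            return "";
        }
        long off = buf.getInt(at + 4) & 0xFFFFFFFFL;
        if (off < HEADER_LEN || off + len > buf.capacity()) {
            throw new IllegalArgumentException("field at " + at + " points outside the message");
        }
        return new String(buf.array(), (int) off, len, cs);
    }

    /** Builds a constructed Type 3 header value with empty LM/NT responses, for offline testing. */
    static String sample(String domain, String user, String workstation) {
        byte[] d = domain.getBytes(StandardCharsets.UTF_16LE);
        byte[] u = user.getBytes(StandardCharsets.UTF_16LE);
        byte[] w = workstation.getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer b = ByteBuffer.allocate(HEADER_LEN + d.length + u.length + w.length)
                .order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIGNATURE).putInt(3);
        int off = HEADER_LEN;
        descriptor(b, 0, off);                           // LM response (empty)
        descriptor(b, 0, off);                           // NT response (empty)
        descriptor(b, d.length, off); off += d.length;   // domain
        descriptor(b, u.length, off); off += u.length;   // user
        descriptor(b, w.length, off); off += w.length;   // workstation
        descriptor(b, 0, off);                           // session key (empty)
        b.putInt(NEGOTIATE_UNICODE);
        b.put(d).put(u).put(w);
        return "NTLM " + Base64.getEncoder().encodeToString(b.array());
    }

    private static void descriptor(ByteBuffer b, int len, int off) {
        b.putShort((short) len).putShort((short) len).putInt(off);
    }

    public static void main(String[] args) {
        Claimed c = parse(sample("EXAMPLE", "jdoe", "WS01"));
        System.out.println(c.domain + "\\" + c.user + " from " + c.workstation);
    }
}
```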
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Rainer,

Thanks for your reply. What I did was comment out the filter from the web.xml and I went straight from the IE browser (http://localhost/index.jsp) to the index.jsp page that was comprised of only the following:

<%@page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
Here is my USERID using getRemoteUser, <%=request.getRemoteUser()%> , in my index.jsp page.

My browser window then showed:

Here is my USERID using getRemoteUser, null, in my index.jsp page.

That was it. So I wasn't even going through my application at all but only from the browser to Tomcat and it returned my page without issue but with NO user value as is indicated below in the log. I did not see any errors in the log at all. It obviously would have made my life a lot easier if I could have gotten that info from the request.

My ISAPI log looked like:

[Tue Jun 22 06:15:19.816 2010] [1572:3812] [debug] jk_util.c (459): Pre-processed log time stamp format is '[%a %b %d %H:%M:%S.000 %Y] '
[Tue Jun 22 06:15:19.816 2010] [1572:3812] [info] jk_isapi_plugin.c (2403): Starting Jakarta/ISAPI/isapi_redirector/1.2.30
[Tue Jun 22 06:15:19.816 2010] [1572:3812] [debug] jk_isapi_plugin.c (2421): Detected IIS version 5.1
[Tue Jun 22 06:15:19.816 2010] [1572:3812] [debug] jk_isapi_plugin.c (2426): Using registry.
[Tue Jun 22 06:15:19.816 2010] [1572:3812] [debug] jk_isapi_plugin.c (2429): Using log file c:\server\Tomcat 6.0\logs\isapi.log.
[Tue Jun 22 06:15:19.816 2010] [1572:3812] [debug] jk_isapi_plugin.c (2430): Using log level 1.
[Tue Jun 22 06:15:19.816 2010] [1572:3812] [debug] jk_isapi_plugin.c (2431): Using extension uri /jakarta/isapi_redirect.dll.
[Tue Jun 22 06:15:19.816 2010] [1572:3812] [debug] jk_isapi_plugin.c (2432): Using worker file c:\server\Tomcat 6.0\conf\workers.properties.
[Tue Jun 22 06:15:19.816 2010] [1572:3812] [debug] jk_isapi_plugin.c (2433): Using worker mount file c:\server\Tomcat 6.0\conf\uriworkermap.properties.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2435): Using rewrite rule file .
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2437): Using uri select 3.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2438): Using no chunked encoding.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2440): Using notification event SF_NOTIFY_AUTH_COMPLETE (0x0400)
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2450): Using uri header TOMCATURI6A6B:.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2451): Using query header TOMCATQUERY6A6B:.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2452): Using worker header TOMCATWORKER6A6B:.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2453): Using worker index TOMCATWORKERIDX6A6B:.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2454): Using translate header TOMCATTRANSLATE6A6B:.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_isapi_plugin.c (2455): Using a default of 250 connections per pool.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_map.c (491): Adding property '/*.jsp' with value 'scmisWorker' to map.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_map.c (491): Adding property '/*.action' with value 'scmisWorker' to map.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_map.c (491): Adding property '/jkmanager' with value 'jkstatus' to map.
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_uri_worker_map.c (1102): Loading urimaps from c:\server\Tomcat 6.0\conf\uriworkermap.properties with reload check interval 60 seconds
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_uri_worker_map.c (720): wildchar rule '/*.jsp=scmisWorker' source 'uriworkermap' was added
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_uri_worker_map.c (720): wildchar rule '/*.action=scmisWorker' source 'uriworkermap' was added
[Tue Jun 22 06:15:19.831 2010] [1572:3812] [debug] jk_uri_worker_map.c (729): exact rule '/jkmanager=jkstatus' source 'uriworkermap' was added
[Tue Jun 22 06:15:19.847 2010] [1572:3812] [debug] jk_uri_worker_map.c (171): uri map dump after file load: index=0 file='c:\server\Tomcat 6.0\conf\uriworkermap.properties' reject_unsafe=0 reload=60 modified=1277205249 checked=1277205319
[Tue Jun 22 06:15:19.847 2010] [1572:3812] [debug] jk_uri_worker_map.c (176): generation 0: size=0 nosize=0 capacity=0
[Tue Jun 22 06:15:19.847 2010] [1572:3812] [debug] jk_uri_worker_map.c (176): generation 1: size=3 nosize=0 capacity=4
[Tue Jun 22 06:15:19.847 2010] [1572:3812] [debug] jk_uri_worker_map.c (186): NEXT (1) map #0: uri=/jkmanager worker=jkstatus context=/jkmanager source=uriworkermap type=Exact len=10
[Tue Jun 22 06:15:19.847 2010] [1572:3812] [debug] jk_uri_worker_map.c (186): NEXT (1) map #1: uri=/*.action worker=scmisWorker
Showing Tomcat Memory Utilization with 'top'
In top, my java processes all show an average VIRT size of about 250MB and an average RES size of about 150MB. Most of them were started with a 64MB heap size. I have two questions: 1. Top shows 0k of swap usage, so the system is not swapping. In that case, why is there a difference between the VIRT and RES numbers? My understanding is that RES=CODE+DATA and VIRT=RES+SWAP. If swap=0, then should not RES and VIRT be the same? 2. Where does the 64MB of java heap show up? -- Eric Robinson
RE: Showing Tomcat Memory Utilization with 'top'
> From: Robinson, Eric [mailto:eric.robin...@psmnv.com]
> Subject: Showing Tomcat Memory Utilization with 'top'
>
> 1. Top shows 0k of swap usage, so the system is not swapping. In that case, why is there a difference between the VIRT and RES numbers?

Linux always allocates more virtual space than is actually used (thread stack space, for example). The JVM will also reserve, but not commit, the -Xmx size of the heap (and other spaces); it only commits what is really needed.

> My understanding is that RES=CODE+DATA and VIRT=RES+SWAP.

Nope. RES is real memory usage, VIRT is just whatever space has been allocated, but not necessarily touched. Until a page is touched, it won't exist in RAM or on the swap file.

> 2. Where does the 64MB of java heap show up?

Buried inside the VIRT number.

- Chuck
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Hi, Melinda- I'm not sure it's going to be that easy. From what I've read, the NTLM authorization header includes structured data that is encoded using a server nonce and/or the password. However, AUTH_USER, REMOTE_USER and LOGON_USER variables should be available to ISAPI applications with NTLM. I'd be looking on the ISAPI side for a way, maybe a configuration setting, to pass the decoded NTLM credentials to tomcat. -Terence Bandoian
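What base64-decoding an NTLM Authorization value yields, as an added Python example that is not code from the thread: it checks the NTLMSSP signature and, for a complete Type 3 (authenticate) message, reads the domain, user and workstation fields. The Type 3 message parsed here is constructed (EXAMPLE, jdoe and WKSTN01 are made-up values); the value archived in the thread is only 30 bytes once decoded, so it is used only for the signature check.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # NTLMSSP_NEGOTIATE_UNICODE flag
TYPE3_HEADER_LEN = 64            # fixed fields up to and including NegotiateFlags

# Authorization value as archived in the thread (the archive damaged it).
ARCHIVED_VALUE = "NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP"


class NtlmParseError(ValueError):
    """Raised when the value is not a well-formed NTLM message."""


def decode_header(value):
    """Split 'NTLM <base64>' and return the raw message bytes."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        raise NtlmParseError("not an NTLM Authorization value")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise NtlmParseError("invalid base64") from exc
    if not raw.startswith(NTLM_SIGNATURE):
        raise NtlmParseError("missing NTLMSSP signature")
    return raw


def message_type(raw):
    """Return the 32-bit little-endian message type (1, 2 or 3 when valid)."""
    if len(raw) < 12:
        raise NtlmParseError("message shorter than signature + type")
    return struct.unpack_from("<I", raw, 8)[0]


def _field(raw, pos):
    """Follow a (length, max length, offset) descriptor into the payload."""
    length, _max_len, offset = struct.unpack_from("<HHI", raw, pos)
    if offset + length > len(raw):
        raise NtlmParseError("descriptor at byte %d points outside the message" % pos)
    return raw[offset:offset + length]


def parse_type3(raw):
    """Return the identity fields a Type 3 (authenticate) message carries."""
    if message_type(raw) != 3:
        raise NtlmParseError("not a Type 3 message")
    if len(raw) < TYPE3_HEADER_LEN:
        raise NtlmParseError("truncated Type 3 header")
    flags = struct.unpack_from("<I", raw, 60)[0]
    # OEM strings depend on the client's code page; cp437 is an assumption.
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    return {
        "domain": _field(raw, 28).decode(codec, "replace"),
        "user": _field(raw, 36).decode(codec, "replace"),
        "workstation": _field(raw, 44).decode(codec, "replace"),
        # The NT response is the proof of the password; only its size is reported.
        "nt_response_len": len(_field(raw, 20)),
    }


def build_sample_type3(domain, user, workstation):
    """Constructed Type 3 message for the demo; both responses are zero-filled."""
    parts = [b"\x00" * 24, b"\x00" * 24,            # LM and NT responses
             domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]  # empty session key
    header = NTLM_SIGNATURE + struct.pack("<I", 3)
    offset, payload = TYPE3_HEADER_LEN, b""
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")


if __name__ == "__main__":
    sample = build_sample_type3("EXAMPLE", "jdoe", "WKSTN01")
    print(parse_type3(decode_header(sample)))
    print(len(decode_header(ARCHIVED_VALUE)), "bytes in the archived value")
```

The name in a Type 3 message is only what the client claims until the server has verified the response, so behind IIS the application should still take the identity from the connector (getRemoteUser()) rather than from this header.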
RE: Still having problem retrieving user value from ISAPI Filter for authentication
That is definitely the preferred method and the reason for going to the Tomcat Connector for this authentication process. However, even with the most simple implementation of my index.jsp and web.xml file I cannot get the getRemoteUser() to work. I am hoping that Rainer is able to look at the log that I sent a few minutes ago and perhaps from there be able to determine where I've messed up in the configuration portion of the ISAPI filter or see something in the log that would show him where this is going wrong that perhaps I can fix(?). As far as trying to get these other variables, I'm not sure how to go about getting them from the request but I'll start researching. Thanks for the additional information. It's appreciated. Regards.
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 21:29, Savoy, Melinda wrote:
> That is definitely the preferred method and the reason for going to the Tomcat Connector for this authentication process. However, even with the most simple implementation of my index.jsp and web.xml file I cannot get the getRemoteUser() to work. I am hoping that Rainer is able to look at the log that I sent a few minutes ago and perhaps from there be able to determine where I've messed up in the configuration portion of the ISAPI filter or see something in the log that would show him where this is going wrong that perhaps I can fix(?).

The ISAPI redirector log shows that it's correctly forwarding the data. What do your web.xml and server.xml for this test look like?

Regards,
Rainer
RE: Showing Tomcat Memory Utilization with 'top'
> 2. Where does the 64MB of java heap show up?
> Buried inside the VIRT number.

For example, I have a tomcat configured to use 96MB of heap (export JAVA_OPTS="-ms96M -mx96M"). Top shows VIRT=336396, RES=227264. I'm guessing that the 96MB of heap is buried in BOTH the VIRT and RES numbers?

-- Eric Robinson
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Rainer,

Please see the requested info below and thanks for taking time to look at the log and for your reply.

Web.xml (1 & 2 were deleted because they had to do with my filters just in case you were wondering why 3 was there):

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" version="2.5">
  <display-name>SCMIS</display-name>

  <!-- 3. Setup error page/welcome files -->
  <error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/error.jsp</location>
  </error-page>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>

Server.xml:

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the License); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an AS IS BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note: A Server is not itself a Container, so you may not
     define subcomponents such as Valves at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A Service is a collection of one or more Connectors that share
       a single Container Note: A Service is not itself a Container,
       so you may not define subcomponents such as Valves at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->

    <!-- A Connector represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="9080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="8443" />
    <!-- A Connector using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
RE: Still having problem retrieving user value from ISAPI Filter for authentication
> From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
> Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication
>
> What I did was comment out the filter from the web.xml and I went straight from the IE browser (http://localhost/index.jsp) to the index.jsp page that was comprised of only the following:
>
> <%@page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
> Here is my USERID using getRemoteUser, <%=request.getRemoteUser()%> , in my index.jsp page.
>
> My browser window then showed:
>
> Here is my USERID using getRemoteUser, null, in my index.jsp page.
>
> That was it. So I wasn't even going through my application at all but only from the browser to Tomcat and it returned my page without issue but with NO user value as is indicated below in the log.

Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat. Look at the manager webapp web.xml example:

<!-- Define a Security Constraint on this Application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/expire</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
    <url-pattern>/findleaks</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Manager Application</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the Manager Application
  </description>
  <role-name>manager</role-name>
</security-role>
RE: Showing Tomcat Memory Utilization with 'top'
> From: Robinson, Eric [mailto:eric.robin...@psmnv.com]
> Subject: RE: Showing Tomcat Memory Utilization with 'top'
>
> For example, I have a tomcat configured to use 96MB of heap (export JAVA_OPTS="-ms96M -mx96M"). Top shows VIRT=336396, RES=227264. I'm guessing that the 96MB of heap is buried in BOTH the VIRT and RES numbers?

Since -Xms == -Xmx, that is normally true. However, the JVM may not have actually used all the allocated heap space, since the heap is internally divided into several regions (eg, eden, survivor, tenured), and some of these are further subdivided (TLAB). If a page in the heap hasn't been touched (not unusual for some TLAB areas), it will appear in VIRT but not in RES.

- Chuck
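The allocated-versus-touched behaviour described in the replies above, as an added Python example that is not from the thread: it maps 32 MiB of anonymous memory (a stand-in for reserved heap, not the JVM's own allocator) and reads VmSize and VmRSS from /proc/self/status, the figures top reports as VIRT and RES. It assumes Linux.

```python
import mmap

SIZE = 32 * 1024 * 1024  # 32 MiB anonymous mapping standing in for reserved heap


def vm_kb():
    """Return (VmSize, VmRSS) of this process in kB: top's VIRT and RES."""
    fields = {}
    with open("/proc/self/status") as status:
        for line in status:
            key, _, rest = line.partition(":")
            if key in ("VmSize", "VmRSS"):
                fields[key] = int(rest.split()[0])
    return fields["VmSize"], fields["VmRSS"]


def measure(size=SIZE):
    """Sample VIRT/RES before mapping, after mapping, and after touching every page."""
    before = vm_kb()
    region = mmap.mmap(-1, size,
                       flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                       prot=mmap.PROT_READ | mmap.PROT_WRITE)
    mapped = vm_kb()            # address space is allocated, no page is backed yet
    for offset in range(0, size, mmap.PAGESIZE):
        region[offset] = 1      # the first write makes the kernel back the page with RAM
    touched = vm_kb()
    region.close()
    return before, mapped, touched


if __name__ == "__main__":
    labels = ("before mmap", "after mmap", "after touching")
    for label, (virt, res) in zip(labels, measure()):
        print("%-15s VIRT=%8d kB  RES=%8d kB" % (label, virt, res))
```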
Re: Still having problem retrieving user value from ISAPI Filter for authentication
> Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat.

This shouldn't be the case since she put tomcatAuthentication=false; Tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture?

Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Sorry, Marc. I have no idea what a wireshark packet capture is. I've only worked with the Fiddler Http Proxy Debugger tool to view what is coming over on the browser. Thanks.
Re: Showing Tomcat Memory Utilization with 'top'
Chuck,

On 6/22/2010 3:22 PM, Caldarale, Charles R wrote:
> From: Robinson, Eric [mailto:eric.robin...@psmnv.com]
> Subject: Showing Tomcat Memory Utilization with 'top'
>
> 1. Top shows 0k of swap usage, so the system is not swapping. In that case, why is there a difference between the VIRT and RES numbers?
>
> Linux always allocates more virtual space than is actually used (thread stack space, for example). The JVM will also reserve, but not commit, the -Xmx size of the heap (and other spaces); it only commits what is really needed.
>
> My understanding is that RES=CODE+DATA and VIRT=RES+SWAP.
>
> Nope. RES is real memory usage, VIRT is just whatever space has been allocated, but not necessarily touched. Until a page is touched, it won't exist in RAM or on the swap file.

Also, I believe VIRT includes memory shared with other processes, so if you have 50MiB of Java system classes loaded and a modern JVM which shares them among running JVMs, then you'll see that 50MiB included in every process's VIRT that is sharing it, which is somewhat misleading.

-chris
Re: Jailrootting
Gregor,

On 6/22/2010 12:07 PM, Gregor Schneider wrote:
> 2010/6/18 Mikolaj Rydzewski m...@ceti.pl:
> Luca Gervasi wrote:
> i can read my /etc/passwd from a malicious jsp. Where can i find infos on limiting filesystem access / visibility ?
>
> 1st thing to do: run tomcat as user tomcat (or whatever username u like) with limited rights - that should at least fix the possibility to cat /etc/passwd

I've never seen a system where /etc/passwd wasn't world-readable. Otherwise, 'ls' doesn't even work well ;)

-chris
RE: Showing Tomcat Memory Utilization with 'top'
> Also, I believe VIRT includes memory shared with other processes, so if you have 50MiB of Java system classes loaded and a modern JVM which shares them among running JVMs, then you'll see that 50MiB included in every process's VIRT that is sharing it, which is somewhat misleading.

Excellent point. 'top' shows 30-40MB in the 'SHR' column for each java process. Is that what you're referring to?

-- Eric Robinson
Re: Does GC Really Matter (Is This Situation)?
On 22 June 2010 17:55, Robinson, Eric eric.robin...@psmnv.com wrote: Sorry, I wasn't referring specifically to your comments. Over the years I've heard the same thing a few times from different sources. It seems to be the conventional wisdom on the subject.
Fifteen years ago, it was right. Memory management and GC algorithms (and processor-memory interfaces) have come on a lot since then, and advice is sometimes slow to change and adapt to new realities.
- Peter
RE: question for sso session replication in tomcat 6.0.26
Hi I downloaded apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-login on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26
On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi
I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]
mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD.
p
OS : Redhat Linux 64bit RHEL v5.5
JDK : 1.6.0.20
=== I created virtual host on port 9050 ==
Httpd.conf
<VirtualHost 10.250.200.57:9050>
    ServerAdmin xyz
    ServerName webclust1.xyz.com
    ServerAlias webclust1
    ErrorLog logs/webclust_cluster_error.log
    CustomLog logs/webclust-cluster-access_log common
    <Location /balancer-manager>
        SetHandler balancer-manager
        Order Deny,Allow
        Deny from all
        Allow from all
    </Location>
    ProxyRequests off
    <Proxy balancer://webclust>
        BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
        BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
        BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
        Order Deny,Allow
        Allow from all
    </Proxy>
    #Do not proxy balancer-manager
    ProxyPass /balancer-manager !
    <Location /examples>
        ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
        ProxyPassReverse balancer://webclust/examples
        Order Deny,Allow
        Allow from all
    </Location>
    <Location />
        ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
        ProxyPassReverse balancer://webclust/
        Order Deny,Allow
        Allow from all
    </Location>
=== server.xml ===
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
    <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="4">
      <Manager className="org.apache.catalina.ha.session.DeltaManager" name="node2" expireSessionsOnShutdown="false" notifyListenersOnReplication="true"/>
      <Channel className="org.apache.catalina.tribes.group.GroupChannel">
        <Membership className="org.apache.catalina.tribes.membership.McastService" address="228.0.0.5" port="45564" frequency="500" dropTime="3000"/>
        <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver" address="auto" port="4020" autoBind="100" selectorTimeout="5000" maxThreads="12"/>
        <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
          <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender" />
        </Sender>
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
      </Channel>
      <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
      <!-- only with jk_mod failover-->
      <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve" enabled="true" sessionIdAttribute="takeoverSessionid" />
      <!-- Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
Re: placing content and application on a microsoft DFS solution
On 22 June 2010 16:10, M.H.G. Emmerig m.h.g.emme...@dnb.nl wrote: Has anyone ever placed an application and its content on a redundant DFS solution? So as when one DFS server fails, another takes over. Does anyone see possible problems with this setup? ie. when dfs server fails does tomcat lose connection to the app or is the failover fast enough.
At best, the failover takes several seconds, during which your app will fail to respond. Depending on your load and application design, the queued requests may be sufficient to run you out of heap memory, database handles and similar. I assume your goal is to improve reliability of end-user access to your application. If you have to use Windows, why would you take a DFS approach rather than using Windows' file replication to replicate files to multiple servers? The probability of network failure or poor performance is orders of magnitude higher than the probability of HDD subsystem failure or poor performance, so I would expect accessing apps from a remote network drive to worsen your reliability rather than improve it.
- Peter
RE: Showing Tomcat Memory Utilization with 'top'
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Showing Tomcat Memory Utilization with 'top'
Also, I believe VIRT includes memory shared with other processes
Doesn't RES also include shared pages - anything that's in the memory map of the process? (I can't remember exactly how that works, but the shared pages have to be accounted for somewhere.)
so if you have 50MiB of Java system classes loaded and a modern JVM which shares them among running JVMs
Note that only the client HotSpot JVM shares classes; the server version does not. (The sharing is really class templates, not the class objects themselves.)
- Chuck
RE: Showing Tomcat Memory Utilization with 'top'
From: Robinson, Eric [mailto:eric.robin...@psmnv.com] Subject: RE: Showing Tomcat Memory Utilization with 'top'
'top' shows 30-40MB in the 'SHR' column for each java process. Is that what you're referring to?
That could be any memory (eg, file pages) that's being used in more than one process.
- Chuck
RE: placing content and application on a microsoft DFS solution
Has anyone ever placed an application and its content on a redundant DFS solution? So as when one DFS server fails, another takes over. Does anyone see possible problems with this setup? ie. when dfs server fails does tomcat lose connection to the app or is the failover fast enough.
DFS is based on the Windows Change Journal. There can be several seconds to a minute of latency before file changes replicate from one DFS server to the other. Be sure that your application could tolerate that. If I was going to try a DFS-based approach, I'd just run DFS right on the tomcat server(s). However, my experience with DFS has been unsatisfactory. Replication often drives up average disk queue lengths on both servers and causes application-level freezes. Personally, I'd strongly recommend using Linux+DRBD+Pacemaker. Much faster and more stable.
-- Eric Robinson
Re: question for sso session replication in tomcat 6.0.26
Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the <Engine/> element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss
Jon Brisbin Portal Webmaster NPC International, Inc.
Need help tracking down a strange Threading issue in Tomcat 6, but not 5.5
I have an application I am trying to move to Tomcat 6.0 from Tomcat 5.5. This is a VXML Voice Browser application. In this app, the general flow is:
1. Voice Browser makes http request to jsp
2. jsp might call Service Object
3. Service Object creates new Thread to call external Webservice
4. If the service fails, then the Jsp calls another webapp to send the same request pseudo asynchronously.
5. 2nd webapp calls external webservice.
6. JSP returns.
This works fine (not great, but does function) in PROD now on TC 5.5. But when I move this to TC 6, I have a strange issue where there are User created threads making external webservice calls to another server, and they stop spawning new threads, and the existing threads seem to complete, but do not allow anymore to be created. Tomcat is set to handle 350 threads. When this happens:
- There are about 100-200 total threads.
- Memory @ 40% used
- CPU @ ~6%
It almost appears as though TC just is not accepting anymore new requests, for ~5 minutes. Then it comes back to life. But we can not leave this running as the caller experience is not good. On lower volumes, say 100 requests, we do not see any issue at all. But TC 5.5 is taking ~100-140 requests currently and does not have these failures. I can attach images, JVMVis snapshots, and a word doc showing several WILY report graphs to see if I can get some help on this please. I have been working on this for a solid 3 weeks and no luck.
Thank You… Mick Knutson, President BASE Logic, Inc.
RE: question for sso session replication in tomcat 6.0.26
Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. yasushi
JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25
JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2
Apache Tomcat 6.0.18 on Windows Server 2008 R2 Changes RDP Port
Hello, We have a customer that is running Tomcat Server 6.0.18 under Windows 2008 R2. On this server the Remote Desktop Port (3389) is being changed to port 80 after X (usually ~3) number of days. If we disable the Apache Tomcat Server and stop the service, this problem goes away. We opened a case with Microsoft and they are saying to contact Apache. Does anyone have any direction on where I might be able to go for help with this problem? Thank You, Aaron K. Clark
OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
From: Marc Boorshtein [mailto:mboorsht...@gmail.com] Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication
Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat.
This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Marc
Doesn't the url mapping in the uriworkermap.properties file interrupt IIS from passing authentication to Tomcat? If you restrict access to a virtual directory in IIS, mapped to a servlet or webapp in Tomcat, and there is a URL for that servlet/webapp in uriworkermap.properties, wouldn't Tomcat allow access even though IIS attempts to say no? I still have a server with IIS and the isapi_redirect.dll Jakarta filter running internally. I created a new website in IIS, called test, using IIS port 8088, mapped to the examples directory in Tomcat 6.0.26 (Tomcat's HTTP port is still 8080) I added the Jakarta virtual directory to test. I removed anonymous access and checked integrated windows security for test.
http://localhost:8088 supply credentials of user not allowed to this directory - yields no access.
http://localhost:8088/examples I get right through, no challenge from IIS.
http://localhost:8088 supply credentials of user allowed, snoop JSP works, but Remote User is null. Everything else in snoop output had a value.
RE: Apache Tomcat 6.0.18 on Windows Server 2008 R2 Changes RDP Port
From: Aaron Clark [mailto:acl...@intellicominc.com] Subject: Apache Tomcat 6.0.18 on Windows Server 2008 R2 Changes RDP Port
We have a customer that is running Tomcat Server 6.0.18 under Windows 2008 R2. On this server the Remote Desktop Port (3389) is being changed to port 80 after X (usually ~3) number of days.
Sounds like Windows is broken - again. Regardless, a few questions:
1) Can you clarify what you mean by "is being changed to port 80"? Do you mean that svchost.exe suddenly appears to be listening on port 80 instead of 3389?
2) How did you determine this?
3) What does netstat -ano show both before and after the apparent switch?
4) Is Tomcat normally the process listening on port 80?
- Chuck
Setting Up AJP Workers as a Failover
Hi All, I've got myself in a situation where I need a stopgap quick fix - until we can respond correctly. I have the following workers file:
# define the worker list
worker.list=LoadBalancer
# Define the LB worker
worker.LoadBalancer.type=lb
worker.LoadBalancer.balance_workers=webprod1,webprod2
worker.LoadBalancer.sticky_session=1
# configure each worker
worker.webprod1.type=ajp13
worker.webprod1.host=webprod1
worker.webprod1.port=8009
worker.webprod1.lbfactor=100
worker.webprod2.type=ajp13
worker.webprod2.host=webprod2
worker.webprod2.port=8009
worker.webprod2.lbfactor=100
If I change the last line to worker.webprod2.lbfactor=0 will webprod2 only be used if webprod1 is disconnected or otherwise in an error state? My other choice is to turn off one of the server's Tomcat instance. The real solution might take a day or two and that is to put back JSESSIONID - meanwhile I'm looking at how to fix occasional strangeness for users. If someone has a way to force JSESSIONID with a valve or filter that would be great. Yes my jvmroutes are set. Regards, Dave
RE: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
http://localhost:8088 supply credentials of user allowed, snoop JSP works, but Remote User is null. Everything else in snoop output had a value.
I stand corrected, as usual. Snoop JSP does display my login info. However, my browser is now set to supply credentials for internal sites. Automatic login only in Intranet zone. IE 7 Internet Options Security Custom Level Scroll all the way down to User Authentication.
isapi_redirect.dll version 1.2.27
IIS 6.0
Windows Server 2003
http://localhost:8088/examples/jsp/snp/snoop.jsp
Request Information
JSP Request Method: GET
Request URI: /examples/jsp/snp/snoop.jsp
Request Protocol: HTTP/1.1
Servlet path: /jsp/snp/snoop.jsp
Path info: null
Query string: null
Content length: 0
Content type: null
Server name: server name
Server port: 8088
Remote user: PLANDEV\donahuel
Remote address: my ip
Remote host: my ip
Authorization scheme: Negotiate
Locale: en_US
Re: Tomcat 6 64 bits, Java 6 64 bits and -Djava.library.path
Yes, that's true. You can also use the GUI. Personally, I like the script, because it can be committed to repository (SVN, etc), and it's easier to replicate and maintain. AB
On Tue, Jun 22, 2010 at 11:28 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Andrew Bruno [mailto:andrew.br...@gmail.com] Subject: Re: Tomcat 6 64 bits, Java 6 64 bits and -Djava.library.path
Everything can be set up via service.bat You should modify this file only.
I'd strongly recommend using the tomcat6w.exe program to set any necessary options and system properties, rather than modifying the script.
- Chuck
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 21:59, Marc Boorshtein wrote: Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat.
This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture?
The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here.
Regards, Rainer
Re: Setting Up AJP Workers as a Failover
On 23.06.2010 01:12, David Fisher wrote: Hi All, I've got myself in a situation where I need a stopgap quick fix - until we can respond correctly. I have the following workers file: # define the worker list worker.list=LoadBalancer # Define the LB worker worker.LoadBalancer.type=lb worker.LoadBalancer.balance_workers=webprod1,webprod2 worker.LoadBalancer.sticky_session=1 # configure each worker worker.webprod1.type=ajp13 worker.webprod1.host=webprod1 worker.webprod1.port=8009 worker.webprod1.lbfactor=100 worker.webprod2.type=ajp13 worker.webprod2.host=webprod2 worker.webprod2.port=8009 worker.webprod2.lbfactor=100 If I change the last line to worker.webprod2.lbfactor=0 will webprod2 only be used if webprod1 is disconnected or otherwise in an error state?
No, value 0 is not supported and will automatically be changed to 1. What about using activation=disabled? What are you trying to achieve? You should also look at the example configuration bundled with the 1.2.30 sources. It contains nice suggestions about timeouts that your configuration is lacking.
My other choice is to turn off one of the server's Tomcat instance. The real solution might take a day or two and that is to put back JSESSIONID - meanwhile I'm looking at how to fix occasional strangeness for users. If someone has a way to force JSESSIONID with a valve or filter that would be great. Yes my jvmroutes are set.
Regards, Rainer
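The two settings discussed in this reply, as an added example that is not from the thread or from the mod_jk project: a shell check that prints how each balanced worker ends up configured, run over two constructed workers files, the one from the question with lbfactor=0 and a variant using activation=disabled. The lbfactor clamp to 1 follows the reply above; the worker.webprod1.redirect line is a mod_jk directive the thread does not mention, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Both workers files below are constructed.

# Constructed sample 1: the file from the question with the proposed lbfactor=0.
proposed_cfg() {
    cat <<'EOF'
worker.list=LoadBalancer
worker.LoadBalancer.type=lb
worker.LoadBalancer.balance_workers=webprod1,webprod2
worker.LoadBalancer.sticky_session=1
worker.webprod1.type=ajp13
worker.webprod1.host=webprod1
worker.webprod1.port=8009
worker.webprod1.lbfactor=100
worker.webprod2.type=ajp13
worker.webprod2.host=webprod2
worker.webprod2.port=8009
worker.webprod2.lbfactor=0
EOF
}

# Constructed sample 2: webprod2 takes no new sessions (activation=disabled)
# and is named as the failover target of webprod1 (redirect).
standby_cfg() {
    cat <<'EOF'
worker.list=LoadBalancer
worker.LoadBalancer.type=lb
worker.LoadBalancer.balance_workers=webprod1,webprod2
worker.LoadBalancer.sticky_session=1
worker.webprod1.type=ajp13
worker.webprod1.host=webprod1
worker.webprod1.port=8009
worker.webprod1.lbfactor=100
worker.webprod1.redirect=webprod2
worker.webprod2.type=ajp13
worker.webprod2.host=webprod2
worker.webprod2.port=8009
worker.webprod2.lbfactor=100
worker.webprod2.activation=disabled
EOF
}

# lb_roles LB_NAME  (workers.properties on stdin)
# Prints one line per balanced member: name, activation state, effective
# lbfactor (values below 1 become 1, as stated in the reply), redirect target.
lb_roles() {
    awk -v lb="$1" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            cfg[key] = val                           # last assignment wins
        }
        END {
            n = split(cfg["worker." lb ".balance_workers"], member, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                w = member[i]
                f = cfg["worker." w ".lbfactor"]
                if (f == "" || f + 0 < 1) f = 1      # unset or 0 behaves as 1
                a = cfg["worker." w ".activation"]
                if (a ~ /^[dD]/)      state = "disabled"
                else if (a ~ /^[sS]/) state = "stopped"
                else                  state = "active"
                r = cfg["worker." w ".redirect"]
                if (r == "") r = "-"
                printf "%s %s lbfactor=%d redirect=%s\n", w, state, f, r
            }
        }'
}

echo "lbfactor=0 variant:";          proposed_cfg | lb_roles LoadBalancer
echo "activation=disabled variant:"; standby_cfg  | lb_roles LoadBalancer
```

In the first variant webprod2 is still an active member and keeps receiving a small share of new sessions; in the second it is listed as disabled and only webprod1 is offered new sessions.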