Re: Jailrootting
On Tue, 2010-06-22 at 16:25 -0400, Christopher Schultz wrote: On 6/22/2010 12:07 PM, Gregor Schneider wrote: 2010/6/18 Mikolaj Rydzewski m...@ceti.pl: Luca Gervasi wrote: I can read my /etc/passwd from a malicious jsp. Where can I find info on limiting filesystem access / visibility? 1st thing to do: run tomcat as user tomcat (or whatever username u like) with limited rights - that should at least fix the possibility to cat /etc/passwd I've never seen a system where /etc/passwd wasn't world-readable. Otherwise, 'ls' doesn't even work well ;) Hi guys, thanks for answering me. Tomcat uses a low privilege user and the system-wide permissions are thus enforced by OS but... I can still read all the instance-wide files (tomcat-users.xml, server.xml and any other 644 file). I'm starting to read about SecurityManager, but I think that this should be the answer I was looking for :) Thanks Luca - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Setting Up AJP Workers as a Failover
On 23 Jun 2010, at 00:12, David Fisher dfis...@jmlafferty.com wrote: Hi All, I've got myself in a situation where I need a stopgap quick fix - until we can respond correctly. I have the following workers file:

# define the worker list
worker.list=LoadBalancer
# Define the LB worker
worker.LoadBalancer.type=lb
worker.LoadBalancer.balance_workers=webprod1,webprod2
worker.LoadBalancer.sticky_session=1
# configure each worker
worker.webprod1.type=ajp13
worker.webprod1.host=webprod1
worker.webprod1.port=8009
worker.webprod1.lbfactor=100
worker.webprod2.type=ajp13
worker.webprod2.host=webprod2
worker.webprod2.port=8009
worker.webprod2.lbfactor=100

If I change the last line to worker.webprod2.lbfactor=0 will webprod2 only be used if webprod1 is disconnected or otherwise in an error state? My other choice is to turn off one of the server's Tomcat instance. The real solution might take a day or two and that is to put back JSESSIONID - meanwhile I'm looking at how to fix occasional strangeness for users. If someone has a way to force JSESSIONID with a valve or filter that would be great. I can't make sense of the above. Put it back where and why? p Yes my jvmroutes are set. Regards, Dave
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23 Jun 2010, at 02:40, Rainer Jung rainer.j...@kippdata.de wrote: On 22.06.2010 21:59, Marc Boorshtein wrote: Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat. This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture? The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here. Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI? p Regards, Rainer
Re: Need help tracking down a strange Threading issue in Tomcat 6, but not 5.5
On 22 Jun 2010, at 22:38, Mick Knutson mknut...@baselogic.com wrote: have an application I am trying to move to Tomcat 6.0 from Tomcat 5.5. Which versions exactly, (- it does matter)? Also OS, JVM and any other relevant app versions. This is a VXML Voice Browser application. In this app, the general flow is: 1. Voice Browser makes http request to jsp 2. jsp might call Service Object 3. Service Object creates new Thread to call external Webservice 4. If the service fails, then the Jsp calls another webapp to send the same request pseudo asynchronously. 5. 2nd webapp call external webservice. 6. JSP returns. Performing the logic in a Servlet would be more elegant. ($0.02) This works fine (not great, but does function) in PROD now on TC 5.5 But when I move this to TC 6, I have a strange issue where there are User created threads making external webservice calls to another server, and they stop spawning new threads, and the existing threads seem to complete, but do not allow anymore to be created. Take a thread dump, see what they're all doing during the slow down. Tomcat is set to handle 350 threads. How have you done this and are you expecting it to limit the number of the application (as opposed to Connector) threads? When this happens - There are about 100-200 total threads. - Memory @ 40% used - CPU @ ~6% Which memory? Server or heap? What are your heap settings? p It almost appears as though TC just is not accepting anymore new requests, for ~5 minutes. Then it comes back to life. But we can not leave this running as the caller experience is not good. On lower volumes, say 100 requests, we do not see any issue at all. But TC 5.5 is taking ~100-140 requests currently and does not have these failures. I can attach images, JVMVis snapshots, and a word doc showing several WILY report graphs to see if I can get some help on this please. I have been working on this for a solid 3 weeks and no luck. --- Thank You… Mick Knutson, President BASE Logic, Inc.
Enterprise Architecture, Design, Mentoring Agile Consulting p. (866) BLiNC-411: (254-6241-1) f. (415) 685-4233 Website: http://www.baselogic.com Blog: http://www.baselogic.com/blog/ Linked IN: http://linkedin.com/in/mickknutson Twitter: http://twitter.com/mickknutson Vacation Rental: http://tahoe.baselogic.com ---
Re: Writing errors to localhost log
On 22 Jun 2010, at 14:55, laredotornado laredotorn...@gmail.com wrote: Hi, I'm using Tomcat 6.0.26. I notice that when I define an error page for my JSPs <%@ page errorPage="/error-pages/500.jsp" %> The error page gets called properly, but the stack trace of the error is no longer written to my localhost log file, where it used to be output before I inserted the directive. Do you know how I can continue to have the stack trace show up in this file and continue to define an error page for my JSP? You can define an error-page element in web.xml, have a read of the Servlet Spec for more info. p Thanks, - Dave
Re: question for sso session replication in tomcat 6.0.26
I'll have to look at the code, but maybe you're being affected by a recent bug whereby the session id changes after login but isn't then replicated. You might search bugzilla to see if this applies to 6.0.26. p On 22 Jun 2010, at 22:41, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. yasushi JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25 JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2 -Original Message- From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] Sent: Tuesday, June 22, 2010 2:17 PM To: Tomcat Users List Cc: Okubo, Yasushi (TSD) Subject: Re: question for sso session replication in tomcat 6.0.26 Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the <Engine/> element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: Hi I downloaded apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-login on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work?
Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD. p OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20

=== I created virtual host on port 9050 ==
Httpd.conf
<VirtualHost 10.250.200.57:9050>
ServerAdmin xyz
ServerName webclust1.xyz.com
ServerAlias webclust1
ErrorLog logs/webclust_cluster_error.log
CustomLog logs/webclust-cluster-access_log common
<Location /balancer-manager>
SetHandler balancer-manager
Order Deny,Allow
Deny from all
Allow from all
</Location>
ProxyRequests off
<Proxy balancer://webclust>
BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
Order Deny,Allow
Allow from all
</Proxy>
#Do not proxy balancer-manager
ProxyPass /balancer-manager !
<Location /examples>
ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
ProxyPassReverse balancer://webclust/examples
Order Deny,Allow
Allow from all
</Location>
<Location />
ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
ProxyPassReverse balancer://webclust/
Order Deny,Allow
Allow from all
</Location>

=== server.xml ===
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="4">
<Manager className="org.apache.catalina.ha.session.DeltaManager" name="node2" expireSessionsOnShutdown="false" notifyListenersOnReplication="true"/>
<Channel className="org.apache.catalina.tribes.group.GroupChannel">
<Membership className="org.apache.catalina.tribes.membership.McastService"
deploy problem
Hi: I use ant to deploy a servlet project like this : ant all, ant install. And it worked. But the next time after I restarted tomcat, I got 404 not found error. Anyone know why this happened? Thanks very much. -- Roy
RE: Re: Question on IE zones with Mod_jk
Hello Andre, Thanks for the excellent response; it took some time, but we finally got it to work! It turned out that after logging in using IE the redirect (HTTP 302) thrown by the webserver confused IE. After changing some keepalive settings it worked. I'd never figured this out without Fiddler, thanks a lot for the tip! Best, Robin -Original message- From: André Warnier a...@ice-sa.com Sent: Wed 09-06-2010 11:19 To: Tomcat Users List users@tomcat.apache.org; Subject: Re: Question on IE zones with Mod_jk Robin Diederen wrote: Hi Andre, Thanks for the tip. What should I be looking for when analyzing this communication? You should be examining the detail of the requests/responses between browser and server, to see if your assumptions are correct about the redirection etc.. A 401 response is not an error. It is the server telling the browser that this resource is protected and requires authentication. With NTLM, there is a 3-phase exchange that must take place, before the connection is authenticated. Maybe that sequence is not being respected, and therefore IE thinks you are somewhere else. Also, the NTLM authentication system (starting with v2) is specially designed to avoid man in the middle attacks, so this can give problems with firewalls and proxies, and in this case you do have a man in the middle (Apache+mod_jk). It is difficult for anyone else than yourself to debug this, because by definition, one must be inside your Windows domain to see really what happens. To even begin to help, you need to be really precise when supplying the information about the components you are using (versions). The latest versions is not precise, because there are dozens of sites where you can download each of these modules, and their latest versions may not match.
You should also find out from your windows network security people, which kind of authentication (and NTLM version) your servers and workstations should be using (for example, if NTLMv2 is mandatory, or if NTLMv1 is allowed also). You can also change the log level of mod_jk (e.g. to debug) and see if the request from mod_jk to Tomcat contains a user-id or not. Browser/server authentication with NTLM is a sequence like this :
1) browser sends request to server, without authentication
2) server responds with 401 (auth required, type=NTLM)
3) browser re-sends request with an Authorization header, type=NTLM, plus an encoded token
4) server responds with a new (different) 401 response, type=NTLM, plus also an encoded token
5) browser repeats the request again, with an Authorization header, type=NTLM, with a final encoded token
6) server now checks, and grants or denies the authentication. If granted, it sends the requested document. If denied, it sends a 403 response (forbidden).
All the above must happen on the same browser-to-server TCP connection, because in the end it is this connection which will be authenticated. If the connection is somehow broken in the middle and a new connection created, it will not work. But first, check with Fiddler2 the exact sequence of requests/responses, and see if that matches your assumptions.
RE: Re: Question on IE zones with Mod_jk
Hello Rainer, It turned out that the KeepAlive setting of Apache could solve our issue. Thanks for the tip! Best, Robin -Original message- From: Rainer Jung rainer.j...@kippdata.de Sent: Wed 09-06-2010 13:00 To: Tomcat Users List users@tomcat.apache.org; Subject: Re: Question on IE zones with Mod_jk On 09.06.2010 11:18, André Warnier wrote: Robin Diederen wrote: Hi Andre, Thanks for the tip. What should I be looking for when analyzing this communication? You should be examining the detail of the requests/responses between browser and server, to see if your assumptions are correct about the redirection etc.. A 401 response is not an error. It is the server telling the browser that this resource is protected and requires authentication. With NTLM, there is a 3-phase exchange that must take place, before the connection is authenticated. Maybe that sequence is not being respected, and therefore IE thinks you are somewhere else. Also, the NTLM authentication system (starting with v2) is specially designed to avoid man in the middle attacks, so this can give problems with firewalls and proxies, and in this case you do have a man in the middle (Apache+mod_jk). It is difficult for anyone else than yourself to debug this, because by definition, one must be inside your Windows domain to see really what happens. To even begin to help, you need to be really precise when supplying the information about the components you are using (versions). The latest versions is not precise, because there are dozens of sites where you can download each of these modules, and their latest versions may not match. You should also find out from your windows network security people, which kind of authentication (and NTLM version) your servers and workstations should be using (for example, if NTLMv2 is mandatory, or if NTLMv1 is allowed also). You can also change the log level of mod_jk (e.g. to debug) and see if the request from mod_jk to Tomcat contains a user-id or not.
Browser/server authentication with NTLM is a sequence like this :
1) browser sends request to server, without authentication
2) server responds with 401 (auth required, type=NTLM)
3) browser re-sends request with an Authorization header, type=NTLM, plus an encoded token
4) server responds with a new (different) 401 response, type=NTLM, plus also an encoded token
5) browser repeats the request again, with an Authorization header, type=NTLM, with a final encoded token
6) server now checks, and grants or denies the authentication. If granted, it sends the requested document. If denied, it sends a 403 response (forbidden).
All the above must happen on the same browser-to-server TCP connection, because in the end it is this connection which will be authenticated. If the connection is somehow broken in the middle and a new connection created, it will not work. But first, check with Fiddler2 the exact sequence of requests/responses, and see if that matches your assumptions. Have a look at: http://marc.info/?l=tomcat-userm=119886120025980 Maybe that helps. Caution: NTLM is a broken protocol. It assumes that the connection between the client and the authenticating server does not change during the NTLM flow of a couple of requests. If there is nothing between the client and the authentication server, this is easy by just enabling HTTP Keep Alive. If there is a reverse proxy between the client and the backend, i.e. the proxy does not do the authentication, but the backend, this will likely break, because proxies do not make any guarantees about reusing the same backend connection even when the same client connection is used for multiple requests. This is especially true for mod_jk and mod_proxy. It might work with low load, because then there might be only one backend connection but when load increases more backend connections will be opened and finally requests will be dispatched to different connections. When using Apache you can fix that by using the prefork MPM.
It is single threaded and each client connection is associated with a single Apache process. mod_jk in combination with prefork only opens one backend connection per process, so for prefork no connection switching will happen. Not sure whether that all really is your problem. Regards, Rainer
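The point made in this thread (the three NTLM messages must all travel on one TCP connection, which a reverse proxy does not guarantee on its backend side), as an added example that is not part of the thread: a checker that walks a request/response trace and reports where the handshake breaks. The trace tuples, connection ids and tokens are constructed; only the `NTLMSSP` signature and the message-type field are real protocol details.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"   # every NTLM message starts with this signature


def make_token(msg_type):
    """Constructed sample token: real signature and type field, zero padding."""
    return base64.b64encode(NTLMSSP + struct.pack("<I", msg_type) + b"\x00" * 8).decode()


def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) in an Authorization or
    WWW-Authenticate value, or None when the value carries no NTLM token."""
    parts = (header_value or "").split()
    if len(parts) != 2 or parts[0].upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def check_handshake(trace):
    """trace: time-ordered (connection id, 'req' or 'resp', status, auth header)
    tuples for one client. Returns a short verdict string."""
    expected = 1      # next NTLM message type that should appear
    bound = None      # connection the handshake started on
    for conn, direction, status, header in trace:
        mtype = ntlm_type(header)
        if mtype is None:
            # After type 3, the next token-less response on the bound
            # connection is the server's decision (step 6 in the thread).
            if expected == 4 and direction == "resp" and conn == bound:
                return "granted" if status == 200 else "denied (%d)" % status
            continue
        if mtype != expected:
            return "out of order: got type %d, expected type %d" % (mtype, expected)
        if (direction == "resp") != (mtype == 2):
            return "type %d sent in the wrong direction" % mtype
        if bound is None:
            bound = conn
        elif conn != bound:
            return "connection changed at type %d: %s -> %s" % (mtype, bound, conn)
        expected += 1
    return "incomplete: handshake stopped before step %d" % expected


# Constructed trace 1: browser talks to the server directly with keep-alive.
KEEPALIVE_TRACE = [
    ("c1", "req", None, None),
    ("c1", "resp", 401, "NTLM"),
    ("c1", "req", None, "NTLM " + make_token(1)),
    ("c1", "resp", 401, "NTLM " + make_token(2)),
    ("c1", "req", None, "NTLM " + make_token(3)),
    ("c1", "resp", 200, None),
]

# Constructed trace 2: as seen on the proxy-to-backend side, where the
# proxy dispatches the last request over a different backend connection.
PROXY_TRACE = [
    ("be-1", "req", None, None),
    ("be-1", "resp", 401, "NTLM"),
    ("be-1", "req", None, "NTLM " + make_token(1)),
    ("be-1", "resp", 401, "NTLM " + make_token(2)),
    ("be-2", "req", None, "NTLM " + make_token(3)),
    ("be-2", "resp", 401, "NTLM"),
]

if __name__ == "__main__":
    print("keep-alive:", check_handshake(KEEPALIVE_TRACE))
    print("via proxy: ", check_handshake(PROXY_TRACE))
```

To use it on a real capture, export the Authorization and WWW-Authenticate values per connection from the proxy or a packet trace and feed them in time order.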
RE: Question on IE zones with Mod_jk
Hi dB, That looks promising and might come in handy for another project I'm doing.. :-) Best, Robin -Original message- From: dB. dbl...@dblock.org Sent: Tue 08-06-2010 13:58 To: Tomcat Users List users@tomcat.apache.org; Subject: RE: Question on IE zones with Mod_jk I think your conclusion may be a little too quick. You should post the complete HTTP trace from this session. PS: If you're on Windows and are using Apache for NTLM only, you may want to take a look at http://waffle.codeplex.com. dB. @ dblock.org Moscow|Geneva|Seattle|New York -Original Message- From: Robin Diederen [mailto:diede...@nlcom.nl] Sent: Tuesday, June 08, 2010 3:16 AM To: users@tomcat.apache.org Subject: Question on IE zones with Mod_jk Hello all, We're trying to get a combination of Apache (webserver), Tomcat and mod_jk to work flawlessly with NTLM authentication. We're using mod_jk to loadbalance two Tomcat / LifeRay installations. We're using the latest versions of Apache 2.2, Tomcat 6 and mod_jk. Our setup works fine on FireFox, but on IE this gives some troubles. When I bypass mod_jk by connecting directly to a Tomcat node, it all works fine in IE too. The problem appears on IE 6, 7 and 8. The problem: - I surf to http://portal - IE recognizes the site as trusted / in the intranet zone - I click the sign in link and get redirected to http://portal/c/portal/login; IE now thinks I'm in the _internet_zone_ (thus NTLM auth doesn't work) - From the Apache logs, I find that a 401 error occurred My guess would be that IE detects the redirect and concludes the wrong zone. Is there any way to configure this from the server side? Best, Robin
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23.06.2010 09:51, Pid wrote: On 23 Jun 2010, at 02:40, Rainer Jung rainer.j...@kippdata.de wrote: On 22.06.2010 21:59, Marc Boorshtein wrote: Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat. This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture? The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here. Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI? No, it gets sent as an AJP specific request attribute that the AJP connectors know about. It's not an HTTP header. Regards, Rainer
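To see where the user name sits in the packet discussed above, here is an added example (not from the thread, and not mod_jk or Tomcat code): a parser for an AJP13 forward-request packet that separates HTTP headers from AJP request attributes. It runs on a constructed packet; the host name, the address 192.0.2.10 and the user `EXAMPLE\alice` are made up, and the header and attribute codes are the ones from the AJP13 protocol description.

```python
import struct

HEADER_NAMES = ["accept", "accept-charset", "accept-encoding", "accept-language",
                "authorization", "connection", "content-type", "content-length",
                "cookie", "cookie2", "host", "pragma", "referer", "user-agent"]
ATTR_NAMES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              0x0C: "secret", 0x0D: "stored_method"}
REQ_ATTRIBUTE, SSL_KEY_SIZE, ARE_DONE = 0x0A, 0x0B, 0xFF


class Reader:
    """Cursor over an AJP13 message body (big-endian integers, NUL-terminated strings)."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, count):
        if self.pos + count > len(self.data):
            raise ValueError("truncated AJP13 packet")
        chunk = self.data[self.pos:self.pos + count]
        self.pos += count
        return chunk

    def byte(self):
        return self.take(1)[0]

    def integer(self):
        return struct.unpack(">H", self.take(2))[0]

    def string(self):
        length = self.integer()
        if length == 0xFFFF:              # AJP13 encoding of a null string
            return None
        return self.take(length + 1)[:-1].decode("latin-1")   # drop trailing NUL


def parse_forward_request(packet):
    """Parse one web-server-to-container FORWARD_REQUEST packet into a dict."""
    if len(packet) < 4 or packet[:2] != b"\x12\x34":
        raise ValueError("not a web-server-to-container AJP13 packet")
    r = Reader(packet[4:4 + struct.unpack_from(">H", packet, 2)[0]])
    if r.byte() != 0x02:
        raise ValueError("not a FORWARD_REQUEST message")
    req = {"method_code": r.byte(), "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.integer(),
           "is_ssl": bool(r.byte()), "headers": {}, "attributes": {}}
    for _ in range(r.integer()):
        if r.data[r.pos:r.pos + 1] == b"\xA0":      # coded name of a common header
            code = r.integer() & 0xFF
            known = 1 <= code <= len(HEADER_NAMES)
            name = HEADER_NAMES[code - 1] if known else "0xA0%02X" % code
        else:
            name = r.string()
        req["headers"][name] = r.string()
    while True:
        code = r.byte()
        if code == ARE_DONE:
            return req
        if code == REQ_ATTRIBUTE:          # free-form name/value pair
            key = r.string()
            req["attributes"][key] = r.string()
        elif code == SSL_KEY_SIZE:         # the one attribute with an integer value
            req["attributes"]["ssl_key_size"] = r.integer()
        else:
            req["attributes"][ATTR_NAMES.get(code, "0x%02X" % code)] = r.string()


def ajp_string(text):
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_sample_packet():
    """Constructed packet: GET for the snoop JSP with remote_user and auth_type set."""
    body = (b"\x02\x02" + ajp_string("HTTP/1.1")
            + ajp_string("/examples/jsp/snp/snoop.jsp")
            + ajp_string("192.0.2.10") + b"\xFF\xFF"          # remote_host is null
            + ajp_string("iis.example") + struct.pack(">H", 80) + b"\x00"
            + struct.pack(">H", 1) + b"\xA0\x0B" + ajp_string("iis.example")  # Host header
            + b"\x03" + ajp_string("EXAMPLE\\alice")          # remote_user attribute
            + b"\x04" + ajp_string("Negotiate")               # auth_type attribute
            + b"\xFF")
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    parsed = parse_forward_request(build_sample_packet())
    print("headers:   ", parsed["headers"])
    print("attributes:", parsed["attributes"])
```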
RE: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
Thanks Leo. I've got the same setup in IIS regarding integrated windows security. However, IIS is on port 80 and Tomcat is on 9080 so as not to conflict. IIS is giving the ISAPI filter the user info that I'm looking for as indicated in the ISAPI log. Thanks for trying. It's appreciated. -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Tuesday, June 22, 2010 6:13 PM To: 'Tomcat Users List' Subject: RE: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication Doesn't the url mapping in the uriworkermap.properties file interrupt IIS from passing authentication to Tomcat? If you restrict access to a virtual directory in IIS, mapped to a servlet or webapp in Tomcat, and there is a URL for that servlet/webapp in uriworkermap.properties, wouldn't Tomcat allow access even though IIS attempts to say no? I still have a server with IIS and the isapi_redirect.dll Jakarta filter running internally. I created a new website in IIS, called test, using IIS port 8088, mapped to the examples directory in Tomcat 6.0.26 (Tomcat's HTTP port is still 8080) I added the Jakarta virtual directory to test. I removed anonymous access and checked integrated windows security for test. http://localhost:8088 supply credentials of user not allowed to this directory - yields no access. http://localhost:8088/examples I get right through, no challenge from IIS. http://localhost:8088 supply credentials of user allowed, snoop JSP works, but Remote User is null. Everything else in snoop output had a value. I stand corrected, as usual. Snoop JSP does display my login info. However, my browser is now set to supply credentials for internal sites. Automatic login only in Intranet zone. IE 7 Internet Options Security Custom Level Scroll all the way down to User Authentication. 
isapi_redirect.dll version 1.2.27 IIS 6.0 Windows Server 2003 http://localhost:8088/examples/jsp/snp/snoop.jsp
Request Information
JSP Request Method: GET
Request URI: /examples/jsp/snp/snoop.jsp
Request Protocol: HTTP/1.1
Servlet path: /jsp/snp/snoop.jsp
Path info: null
Query string: null
Content length: 0
Content type: null
Server name: server name
Server port: 8088
Remote user: PLANDEV\donahuel
Remote address: my ip
Remote host: my ip
Authorization scheme: Negotiate
Locale: en_US
Re: Does GC Really Matter (Is This Situation)?
On Tuesday, 22 June 2010 18:33, Robinson, Eric eric.robin...@psmnv.com wrote: This is a similar question to one already being discussed in the list with the subject Setting the Right Amount of Memory. We have 160 instances of tomcat on the same server, with most instances configured to use 64-96MB of RAM. We carefully watch the logs for OOMEs. If we see any, we increase the RAM allocation for that instance by 32MB, which is enough to make the OOMEs go away. Some people say this approach will lead to increased CPU utilization from frequent GC; however, our server runs 90% idle all day long so CPU is evidently not being driven up by much, if any. Given the circumstances, is there anything to be gained from increasing the heap size? Our software vendor wants us to increase each tomcat instance to 512MB, just as a matter of policy, but I don't see a good technical reason to do that. Am I missing something? -- Eric Robinson You can monitor the gc with jstat. jstat -gc pid 10s This will show you the memory usage of a java instance with the time spent in GC. If it does 0.9 sec. of GC every sec. you are running inefficient. :-) Ronald.
fantastic! but what's going on?
I am pleased to say that my earlier issue appears to have solved itself? But what is happening? I had to remake, recompile, redeploy and restart just to get tomcat and hibernate to play nicely with the database! Now I am unable to use the realm to authenticate users but I don't know why. Perhaps my wars are getting corrupted but what can I do to avoid this? I made NO code changes and the exception (jdbc is null) was no longer thrown! It appears the same issue is now preventing my realm from running smoothly. -- From: superman sbw...@163.com Sent: Wednesday, June 23, 2010 12:13 PM To: users@tomcat.apache.org Subject: How to get session scop ? how to setup session scop at MemoryRealm class in tomcat ?
What's going on (are my wars getting corrupted?
I am pleased to say that my earlier issue appears to have solved itself? But what is happening? I had to remake, recompile, redeploy and restart just to get tomcat and hibernate to play nicely with the database! Now I am unable to use the realm to authenticate users but I don't know why. Perhaps my wars are getting corrupted but what can I do to avoid this? I made NO code changes and the exception (jdbc is null) was no longer thrown! It appears the same issue is now preventing my realm from running smoothly.
Re: fantastic! but what's going on?
On 23/06/2010 12:12, yucca...@live.co.za wrote: I am pleased to say that my earlier issue appears to have solved itself? But what is happening? I had to remake, recompile, redeploy and restart just to get tomcat and hibernate to play nicely with the database! Now I am unable to use the realm to authenticate users but I don't know why. Perhaps my wars are getting corrupted but what can I do to avoid this? I made NO code changes and the exception (jdbc is null) was no longer thrown! It appears the same issue is now preventing my realm from running smoothly. Please don't hijack other people's threads, especially when you have several of your own to pick from. p -- From: superman sbw...@163.com Sent: Wednesday, June 23, 2010 12:13 PM To: users@tomcat.apache.org Subject: How to get session scop ? how to setup session scop at MemoryRealm class in tomcat ?
Re: What's going on (are my wars getting corrupted?
On 23/06/2010 12:15, yucca...@live.co.za wrote: I am pleased to say that my earlier issue appears to have solved itself? But what is happening? I had to remake, recompile, redeploy and restart just to get tomcat and hibernate to play nicely with the database! Now I am unable to use the realm to authenticate users but I don't know why. Perhaps my wars are getting corrupted but what can I do to avoid this? I made NO code changes and the exception (jdbc is null) was no longer thrown! What evidence do you have that your .war files are getting corrupted? It appears the same issue is now preventing my realm from running smoothly. Which issue? You just said it was working, is it, or isn't it? p
Re: How to get session scop ?
On 23/06/2010 11:13, superman wrote: how to setup session scop at MemoryRealm class in tomcat ? http://catb.org/esr/faqs/smart-questions.html p
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23/06/2010 10:45, Rainer Jung wrote: On 23.06.2010 09:51, Pid wrote: On 23 Jun 2010, at 02:40, Rainer Jung rainer.j...@kippdata.de wrote: On 22.06.2010 21:59, Marc Boorshtein wrote: Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat. This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture? The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here. Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI? No, it gets sent as an AJP specific request attribute that the AJP connectors know about. It's not an HTTP header. OK, and I'm guessing that if there was a way to get the AJP connector to dump those attributes you'd have said so by now. p Regards, Rainer
RE: How to get session scop ?
className, debug, digest, pathname are valid attributes for MemoryRealm http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html#MemoryRealm We can provide greater assistance to you if you can explain what you're trying to accomplish. Martin Gainty Date: Wed, 23 Jun 2010 18:13:38 +0800 From: sbw...@163.com To: users@tomcat.apache.org Subject: How to get session scop ? how to setup session scop at MemoryRealm class in tomcat ?
Re: deploy problem
On 23/06/2010 09:19, Roy Chang wrote: Hi: I use ant to deploy a servlet project like this : ant all, ant install. And it worked. But the next time after I restarted tomcat, I got 404 not found error. Anyone know why this happened? Thanks very much. http://catb.org/esr/faqs/smart-questions.html p
Re: Jailrootting
Christopher Schultz wrote: I've never seen a system where /etc/passwd wasn't world-readable. Otherwise, 'ls' doesn't even work well ;) I saw a free shell server once. There was some kind of linux kernel hack implemented, that used to filter /etc/passwd to display only system accounts and yours. -- Mikolaj Rydzewski m...@ceti.pl
Re: Jailrootting
Luca Gervasi wrote: Tomcat uses a low privilege user and the system-wide permissions are thus enforced by OS but...i can still read all the instance-wide files (tomcat-users.xml, server.xml and any other 644 file). What is your scenario for running webapps? Are you going to run third-party untrusted code (free hosting?), or anything else? In most cases jail/chroot and account with limited privileges are sufficient enough. -- Mikolaj Rydzewski m...@ceti.pl
Re: fantastic! but what's going on?
apologies -- From: Pid p...@pidster.com Sent: Wednesday, June 23, 2010 1:44 PM To: Tomcat Users List users@tomcat.apache.org Subject: Re: fantastic! but what's going on?
RE: Does GC Really Matter (In This Situation)?
You can monitor the gc with jstat. jstat -gc pid 10s This will show you the memory usage of a java instance with the time spent in GC. If it does 0.9 sec. of GC every sec. you are running inefficient. :-) Thanks. I guess I could restate the question as, Does GC inefficiency really matter if overall CPU utilization remains low? -- Eric Robinson
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Let me ask, what may be a stupid question now, but when I print out the enumeration value of the request header names, see below, using request.getHeaderNames() should the user be listed as one of the headers which is passed on from the ISAPI filter:
=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0
Thank you.
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, June 23, 2010 6:52 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 23/06/2010 10:45, Rainer Jung wrote: On 23.06.2010 09:51, Pid wrote: On 23 Jun 2010, at 02:40, Rainer Jung rainer.j...@kippdata.de wrote: On 22.06.2010 21:59, Marc Boorshtein wrote: Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat. This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture? The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here. Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI? No, it gets sent as an AJP specific request attribute that the AJP connectors know about. It's not an HTTP header.
OK, and I'm guessing that if there was a way to get the AJP connector to dump those attributes you'd have said so by now. p Regards, Rainer
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On Wed, Jun 23, 2010 at 8:49 AM, Savoy, Melinda melindasa...@texashealth.org wrote: Let me ask, what may be a stupid question now, but when I print out the enumeration value of the request header names, see below, using request.getHeaderNames() should the user be listed as one of the headers which is passed on from the ISAPI filter: What about the attributes? request.getAttribute() This is different than a header Marc
SEVERE: Error listenerStart
Jun 23, 2010 3:14:33 PM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener org.springframework.web.context.ContextLoaderListener is already configured for this context. The duplicate definition has been ignored.
Jun 23, 2010 3:14:34 PM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Jun 23, 2010 3:14:34 PM org.apache.catalina.core.StandardContext start
SEVERE: Context [/ALS] startup failed due to previous errors
ALS is my application and not able to start, Please help me to solve this problem, thanks in advance, Rajeev
RE: Still having problem retrieving user value from ISAPI Filter for authentication
I just tried the request.getAttributeNames() and I got nulls for all the elements in this enumeration. Thanks.
RE: Still having problem retrieving user value from ISAPI Filter for authentication
I also tried request.getAttribute(user) but I got a null value as well.
RE: Does GC Really Matter (In This Situation)?
From: Robinson, Eric [mailto:eric.robin...@psmnv.com] Subject: RE: Does GC Really Matter (In This Situation)? Does GC inefficiency really matter if overall CPU utilization remains low? If CPU utilization is low, you are not experiencing meaningful GC inefficiency. The heap configuration might not be 100% perfect, but that's really only a concern for people publishing benchmark numbers. If you're satisfied with your throughput and responsiveness, and your trend lines indicate you'll stay satisfied, leave whatever you've got alone. - Chuck
Re: SEVERE: Error listenerStart
1. Please tell us your exact Tomcat version (three numbers, x.y.z). 2. There are several log files in Tomcat. Have you tried to look into all of them? Best regards, Konstantin Kolinko
RE: Does GC Really Matter (In This Situation)?
On Wednesday, 23 June 2010 14:31, Robinson, Eric eric.robin...@psmnv.com wrote: You can monitor the gc with jstat. jstat -gc pid 10s This will show you the memory usage of a java instance with the time spent in GC. If it does 0.9 sec. of GC every sec. you are running inefficient. :-) Thanks. I guess I could restate the question as, Does GC inefficiency really matter if overall CPU utilization remains low? -- Eric Robinson I don't know. Does it matter to you? If you have a lot of GC your CPU% will not be very low. GC is CPU bound (if you are not swapping). If your server still has enough CPU power and the users are not complaining about the speed, then you don't have a problem. Ronald.
Re: Setting Up AJP Workers as a Failover
David, you might want to take a look at http://tomcat.apache.org/connectors-doc/generic_howto/loadbalancers.html under Advanced lb Worker properties. There's an example for what you want with what Rainer was talking about (activation/redirect). Shay
On Wed, Jun 23, 2010 at 3:48 AM, Pid p...@pidster.com wrote: On 23 Jun 2010, at 00:12, David Fisher dfis...@jmlafferty.com wrote: Hi All, I've got myself in a situation where I need a stopgap quick fix - until we can respond correctly. I have the following workers file:
# define the worker list
worker.list=LoadBalancer
# Define the LB worker
worker.LoadBalancer.type=lb
worker.LoadBalancer.balance_workers=webprod1,webprod2
worker.LoadBalancer.sticky_session=1
# configure each worker
worker.webprod1.type=ajp13
worker.webprod1.host=webprod1
worker.webprod1.port=8009
worker.webprod1.lbfactor=100
worker.webprod2.type=ajp13
worker.webprod2.host=webprod2
worker.webprod2.port=8009
worker.webprod2.lbfactor=100
If I change the last line to worker.webprod2.lbfactor=0 will webprod2 only be used if webprod1 is disconnected or otherwise in an error state? My other choice is to turn off one of the server's Tomcat instance. The real solution might take a day or two and that is to put back JSESSIONID - meanwhile I'm looking at how to fix occasional strangeness for users. If someone has a way to force JSESSIONID with a valve or filter that would be great. I can't make sense of the above. Put it back where and why? p Yes my jvmroutes are set. Regards, Dave
RE: Apache Tomcat 6.0.18 on Windows Server 2008 R2 Changes RDP Port
1) Terminal Services starts listening on port 80 instead of 3380 2) We determined this by disabling Tomcat. The problem stopped. This is happening on their website, so we would know it happens because customers would call in saying the website is down. 3) Right now (before the switch) it is showing tomcat running on 80 and svchost running on 3389. I haven't run this command after the switch yet. 4) Tomcat is what runs on port 80, yes. Aaron K. Clark Senior Technician A+, Network+ CCNA Intellicom, Inc (308) 237 - 0684 x 228 (308) 234 - 6645 (Fax) 1700 2nd Ave Kearney, Ne 68847 -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Tuesday, June 22, 2010 6:03 PM To: Tomcat Users List Subject: RE: Apache Tomcat 6.0.18 on Windows Server 2008 R2 Changes RDP Port From: Aaron Clark [mailto:acl...@intellicominc.com] Subject: Apache Tomcat 6.0.18 on Windows Server 2008 R2 Changes RDP Port We have a customer that is running Tomcat Server 6.0.18 under Windows 2008 R2. On this server the Remote Desktop Port (3389) is being changed to port 80 after X (usually ~3) number of days. Sounds like Windows is broken - again. Regardless, a few questions: 1) Can you clarify what you mean by is being changed to port 80? Do you mean that svchost.exe suddenly appears to be listening on port 80 instead of 3389? 2) How did you determine this? 3) What does netstat -ano show both before and after the apparent switch? 4) Is Tomcat normally the process listening on port 80? - Chuck
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Let me ask another question if I might in addition to the one below: In my ISAPI log it shows:
[Wed Jun 23 09:50:59.568 2010] [5024:6028] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/index.jsp
The value of 80 is shown, my question is does this line in my ISAPI log show the request as to where it is coming from, meaning IIS since IIS is on port 80? My tomcat app is running on port 9080. Just curious. I think, I am going on to try Waffle, instead of trying to pursue this any further. dB has been kind enough to offer his help in getting me setup. I just thought I'd ask this one last question. Thanks for all the time and help. Regards.
-Original Message- From: Savoy, Melinda Sent: Wednesday, June 23, 2010 7:50 AM To: 'Tomcat Users List'; 'p...@pidster.com' Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication Let me ask, what may be a stupid question now, but when I print out the enumeration value of the request header names, see below, using request.getHeaderNames() should the user be listed as one of the headers which is passed on from the ISAPI filter:
=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0
Thank you.
Log all http request
Hello, we've a web service that receives SOAP RPC-encoded xml requests on HTTP through axis and tomcat 5.5. We'd like to log every xml rq we receive using a Filter, because we've to write the xml to a file whose name depends on the xml request. The problem is that one can call ServletRequest.getReader once. So we extended HttpServletRequestWrapper with the class in attachment, to read the request body once in a string and then to wrap the getReader method. Then we create a clone of the request we receive in the filter. Is this a good way or there's another standard way to read HTTP request body in a Filter? Should we implement an axis handler? Many many thanks in advance Best regards Bartolomeo

    package com.siap.Utility;

    import java.io.BufferedReader;
    import java.io.ByteArrayInputStream;
    import java.io.StringReader;
    import javax.servlet.ServletInputStream;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

    /**
     * Filters requests to the WebServices to save the request XML and store it
     * in a given path with a specific name
     * @author Marco Rosa - 23/Jun/10
     */
    public class SiapHttpServletRequestWrapper extends HttpServletRequestWrapper {
        String rq_xml = "";

        SiapHttpServletRequestWrapper( HttpServletRequest rq ){
            super(rq);
            // save xml
            StringBuffer strbuf = new StringBuffer();
            try{
                BufferedReader reader = rq.getReader();
                //... Loop as long as there are input lines.
                String line = null;
                while ((line=reader.readLine()) != null) {
                    strbuf.append(line);
                    strbuf.append("\n"); // Re-add the line terminator that readLine() strips.
                }
                //... Close reader.
                reader.close(); // Close to unlock.
                rq_xml = strbuf.toString();
            }catch( Exception e){
                // The body could not be read; rq_xml keeps its empty default.
            }
        }

        // Replays the cached body to callers that use the stream API.
        private class SiapServletInputStream extends ServletInputStream{
            ByteArrayInputStream m_r = null;

            SiapServletInputStream( ByteArrayInputStream r ){
                m_r = r;
            }

            public int read(){
                return m_r.read();
            }

            public int read(byte[] b, int off, int len) {
                return m_r.read(b, off, len );
            }

            //public int readLine(byte[] b, int off, int len) {
            //    return m_r.readLine( b, off, len);
            //}
        }

        public ServletInputStream getInputStream(){
            SiapServletInputStream retVal = null;
            try{
                retVal = new SiapServletInputStream(new ByteArrayInputStream(rq_xml.getBytes("UTF-8")));
            }catch(Exception e ){
                // An unsupported encoding leaves retVal null.
            }
            return retVal;
        }

        // Replays the cached body to callers that use the reader API.
        public BufferedReader getReader(){
            return new BufferedReader( new StringReader(rq_xml) );
        }

        /**
         *
         * @author Marco Rosa - 23/Jun/10
         */
        public String getRq_xml() {
            return rq_xml;
        }

        /**
         *
         * @author Marco Rosa - 23/Jun/10
         */
        public void setRq_xml(String rq_xml) {
            this.rq_xml = rq_xml;
        }
    }
RE: question for sso session replication in tomcat 6.0.26
Thanks Pid It might be related to the fix for 45255. This is the only one I can see remotely related. According to this fix, (I might be wrong), but it looks like once the user is logged-out from the application or node upon regular logout or node shutdown or some other reasons, a user is asked to relogin by default to renew sso session id. Is there any way to stop this behavior to add a flag or some kind in server.xml? I tested with mod_jk [v1.2.30] and httpd [2.2.15], and the result is consistent with mod_proxy_ajp and mod_balancer. SingleSignOn session does not failover. I will try to test older Tomcat 6.0.1x today. Yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, June 23, 2010 1:06 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 I'll have to look at the code, but maybe you're being affected by a recent bug whereby the session id changes after login but isn't then replicated. You might search bugzilla to see if this applies to 6.0.26. p On 22 Jun 2010, at 22:41, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. yasushi JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25 JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2 -Original Message- From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] Sent: Tuesday, June 22, 2010 2:17 PM To: Tomcat Users List Cc: Okubo, Yasushi (TSD) Subject: Re: question for sso session replication in tomcat 6.0.26 Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the Engine/ element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. 
From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: Hi I downloaded apache apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-login on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD.
p OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf
<VirtualHost 10.250.200.57:9050>
    ServerAdmin xyz
    ServerName webclust1.xyz.com
    ServerAlias webclust1
    ErrorLog logs/webclust_cluster_error.log
    CustomLog logs/webclust-cluster-access_log common
    <Location /balancer-manager>
        SetHandler balancer-manager
        Order Deny,Allow
        Deny from all
        Allow from all
    </Location>
    ProxyRequests off
    <Proxy balancer://webclust>
        BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
        BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
        BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
        Order Deny,Allow
        Allow from all
    </Proxy>
    #Do not proxy balancer-manager
    ProxyPass /balancer-manager !
    <Location /examples>
        ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
        ProxyPassReverse balancer://webclust/examples
        Order Deny,Allow
        Allow from all
    </Location>
    <Location />
        ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
        ProxyPassReverse balancer://webclust/
        Order Deny,Allow
        Allow from all
Re: Showing Tomcat Memory Utilization with 'top'
Chuck, On 6/22/2010 5:00 PM, Caldarale, Charles R wrote: From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Showing Tomcat Memory Utilization with 'top' Also, I believe VIRT includes memory shared with other processes Doesn't RES also include shared pages - anything that's in the memory map of the process? (I can't remember exactly how that works, but the shared pages have to be accounted for somewhere.) This is reaching the limits of my knowledge as well. I could imagine shared memory not being counted against every process but it also quite makes sense that it would. so if you have 50MiB of Java system classes loaded and a modern JVM which shares them among running JVMs Note that only the client HotSpot JVM shares classes; the server version does not. (The sharing is really class templates, not the class objects themselves.) I didn't realize that the server JVM didn't share class templates. Do you have any ideas why not? It seems to be a relatively cheap optimization when multiple JVMs are in use, and shouldn't include too much overhead for either the process or the OS if there's no actual sharing going on in a single-JVM scenario. -chris
RE: Showing Tomcat Memory Utilization with 'top'
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Showing Tomcat Memory Utilization with 'top' I didn't realize that the server JVM didn't share class templates. Do you have any ideas why not? AFAIK, Sun just hadn't gotten around to it yet; don't know if it's in JRE 7 or not. Class sharing is primarily of interest in environments where startup time is critical, and Sun didn't think that the server JVM would be subject to that issue. However, with more and more 64-bit environments being available (eg, everybody's laptops) that have only a server JVM on them, that decision looks like it's no longer valid. Note that the client and server JVMs are really two entirely different beasts, so the data structures from one are not easily translated to the other. - Chuck
RE: soory I am starting new thread for new problem
-Original Message- From: yucca...@live.co.za [mailto:yucca...@live.co.za] Subject: soory I am starting new thread for new problem No, you're hijacking yet another thread. Stop doing that. -- From: Christopher Schultz ch...@christopherschultz.net Sent: Wednesday, June 23, 2010 7:00 PM To: Tomcat Users List users@tomcat.apache.org Subject: Re: Showing Tomcat Memory Utilization with 'top' -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 6/22/2010 5:00 PM, Caldarale, Charles R wrote: From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Showing Tomcat Memory Utilization with 'top' Also, I believe VIRT includes memory shared with other processes Doesn't RES also include shared pages - anything that's in the memory map of the process? (I can't remember exactly how that works, but the shared pages have to be accounted for somewhere.) This is reaching the limits of my knowledge as well. I could imagine shared memory not being counted against every process but it also quite makes sense that it would. so if you have 50MiB of Java system classes loaded and a modern JVM which shares them among running JVMs Note that only the client HotSpot JVM shares classes; the server version does not. (The sharing is really class templates, not the class objects themselves.) I didn't realize that the server JVM didn't share class templates. Do you have any ideas why not? It seems to be a relatively cheap optimization when multiple JVMs are in use, and shouldn't include too much overhead for either the process or the OS if there's no actual sharing going on in a single-JVM scenario. 
-chris - Chuck
Re: Setting Up AJP Workers as a Failover
Hi Rainer, Thank you for your reply - it really has helped out today in several ways. I've got myself in a situation where I need a stopgap quick fix - until we can respond correctly. It turns out I was overreacting and we have other better tools to fix the troubles - no need to discuss as they are application specific. I have the following workers file: # define the worker list worker.list=LoadBalancer # Define the LB worker worker.LoadBalancer.type=lb worker.LoadBalancer.balance_workers=webprod1,webprod2 worker.LoadBalancer.sticky_session=1 # configure each worker worker.webprod1.type=ajp13 worker.webprod1.host=webprod1 worker.webprod1.port=8009 worker.webprod1.lbfactor=100 worker.webprod2.type=ajp13 worker.webprod2.host=webprod2 worker.webprod2.port=8009 worker.webprod2.lbfactor=100 If I change the last line to worker.webprod2.lbfactor=0 will webprod2 only be used if webprod1 is disconnected or otherwise in an error state? No, value 0 is not supported and will automatically be changed to 1. What about using activation=disabled? This worked really well today when one of our new Sun 2270s ran into an OS bug and slowly locked up. I just made the bad machine deactivated while we got support and applied the workaround. What are you trying to achieve? I was thinking of de-load-balancing - glad to re-think and abandon a silly notion. You should also look at the example configuration bundled with the 1.2.30 sources. It contains nice suggestions about timeouts that your configuration is lacking. This was extremely helpful - our plan now is to build 1.2.30 from source and begin using it very soon - we will likely use this well-annotated example for the basis of our configuration. I knew I could count on the Tomcat Community. BR, Dave My other choice is to turn off one of the server's Tomcat instance. The real solution might take a day or two and that is to put back JSESSIONID - meanwhile I'm looking at how to fix occasional strangeness for users.
If someone has a way to force JSESSIONID with a valve or filter that would be great. Yes my jvmroutes are set. Regards, Rainer
RE: question for sso session replication in tomcat 6.0.26
Hi Pid I tested tomcat with three different versions [6.0.18, 6.0.20, 6.0.24] and the all results were consistent. SingleSignOn session did not failover. I hope someone can help me about this. yasushi -Original Message- From: Okubo, Yasushi (TSD) Sent: Wednesday, June 23, 2010 9:20 AM To: 'Tomcat Users List' Subject: RE: question for sso session replication in tomcat 6.0.26 Thanks Pid It might be related to the fix for 45255. This is the only one I can see remotely related. According to this fix, (I might be wrong), but it looks like once the user is logged-out from the application or node upon regular logout or node shutdown or some other reasons, a user is asked to relogin by default to renew sso session id. Is there any way to stop this behavior to add a flag or some kind in server.xml? I tested with mod_jk [v1.2.30] and httpd [2.2.15], and the result is consistent with mod_proxy_ajp and mod_balancer. SingleSignOn session does not failover. I will try to test older Tomcat 6.0.1x today. Yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, June 23, 2010 1:06 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 I'll have to look at the code, but maybe you're being affected by a recent bug whereby the session id changes after login but isn't then replicated. You might search bugzilla to see if this applies to 6.0.26. p On 22 Jun 2010, at 22:41, Okubo, Yasushi (TSD) yasushi.ok...@takedasd.com wrote: Hi There were two cookies created by Tomcat 6.0.26. One is for SSO, and the other is for regular session between client and tomcat. JSESSIONID is working fine : it means session replication and failover, but not JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. 
yasushi JSESSIONIDSSO 65110434847FE0AA1F1EBF0EF0871D25 JSESSIONID 5CFE92814875C4DEFC554526147698A3.jvm2 -Original Message- From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] Sent: Tuesday, June 22, 2010 2:17 PM To: Tomcat Users List Cc: Okubo, Yasushi (TSD) Subject: Re: question for sso session replication in tomcat 6.0.26 Are you using a jvmRoute setting on your BalancerMember definition in mod_proxy config and on the Engine/ element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so. From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: Hi I downloaded apache v2.2.15 and compiled and installed, but the result was the same. Session sso replication looked like failed. Upon shutting down the node, it kicked me out of password protected area and needed to re-login on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on apache side or how the virtual host should be set up in httpd.conf to make sso failover work? Thanks, yasushi -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:04 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out.
Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect there are many bugfixes and improvements since then, you should upgrade HTTPD. p

OS : Redhat Linux 64bit RHEL v5.5
JDK : 1.6.0.20

=== I created virtual host on port 9050 ==

Httpd.conf

<VirtualHost 10.250.200.57:9050>
    ServerAdmin xyz
    ServerName webclust1.xyz.com
    ServerAlias webclust1
    ErrorLog logs/webclust_cluster_error.log
    CustomLog logs/webclust-cluster-access_log common

    <Location /balancer-manager>
        SetHandler balancer-manager
        Order Deny,Allow
        Deny from all
        Allow from all
    </Location>

    ProxyRequests off
    <Proxy balancer://webclust>
        BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
        BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
        BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
        Order Deny,Allow
        Allow from all
    </Proxy>

    #Do not proxy
Re: Jailrootting
Luca, On 6/23/2010 3:18 AM, Luca Gervasi wrote: Hi guys, thanks for answering me. Tomcat uses a low privilege user and the system-wide permissions are thus enforced by OS but...i can still read all the instance-wide files (tomcat-users.xml, server.xml and any other 644 file). I'm starting to read about SecurityManager, but i think that this should be the answer i was looking for :) If you don't trust your webapps, your options are as previously-stated: SecurityManager and/or chroot jail for Tomcat/JVM. Using a chroot jail won't prevent hostile/untrustworthy webapps from reading server.xml, etc. so the SecurityManager is really the way to go. -chris
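A check that follows from the SecurityManager advice above, added here as an example and not part of the original thread: it lists Tomcat JVMs that were started without the SecurityManager. The function name and the sample `ps` lines are constructed; it relies on `catalina.sh start -security` putting `-Djava.security.manager` on the JVM command line.

```shell
#!/bin/sh
# Audit: find Tomcat JVMs running WITHOUT the Java SecurityManager.
# "catalina.sh start -security" adds -Djava.security.manager and
# -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy to the JVM
# command line; a plain "catalina.sh start" adds neither.

# Reads "PID COMMAND..." lines on stdin (the layout of `ps -eo pid,args`)
# and prints the PID of every Tomcat JVM that lacks -Djava.security.manager.
unsandboxed_tomcats() {
    while read -r pid args; do
        case "$args" in
            *org.apache.catalina.startup.Bootstrap*) ;;   # a Tomcat JVM
            *) continue ;;                                 # anything else
        esac
        case " $args " in
            *" -Djava.security.manager "*|*" -Djava.security.manager="*) ;;
            *) printf '%s\n' "$pid" ;;                     # no SecurityManager
        esac
    done
}

# Constructed sample input (not captured from a real host).
SAMPLE_PS='  PID COMMAND
 2101 /usr/bin/java -Djava.security.manager -Djava.security.policy==/opt/tc1/conf/catalina.policy -Dcatalina.base=/opt/tc1 org.apache.catalina.startup.Bootstrap start
 2245 /usr/bin/java -Dcatalina.base=/opt/tc2 org.apache.catalina.startup.Bootstrap start
 2300 /usr/sbin/sshd -D'

# Demo on the sample; on a live host use: ps -eo pid,args | unsandboxed_tomcats
printf '%s\n' "$SAMPLE_PS" | unsandboxed_tomcats
```

A PID printed here is an instance whose webapps can read anything the Tomcat user can, including `server.xml` and `tomcat-users.xml`.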
Convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x
Dear colleagues, I'm running IIS version 6 and Apache Tomcat 6.x on a Windows 2003 enterprise server. I had to renew SSL certificates for both the IIS and Tomcat web server. I was told to raise a CSR from the IIS server and create a certificate. The certificate (.PFX) could then be converted into a (.keystore) file for Tomcat. Unfortunately, I'm struggling with this. Generating a new CSR is unfortunately not an option as it needs to be completed tomorrow. Could you please please assist me to convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x? Thank you. Best regards, Ian
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23.06.2010 16:58, Savoy, Melinda wrote: In my ISAPI log it shows: [Wed Jun 23 09:50:59.568 2010] [5024:6028] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/index.jsp The value of 80 is shown, my question is does this line in my ISAPI log show the request as to where it is coming from, meaning IIS since IIS is on port 80? Yes. Rainer
Re: Convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x
Google is your friend? http://www.cb1inc.com/2007/04/30/converting-pfx-certificates-to-java-keystores/ Please note that I have not tried this. Your mileage may vary. /mde/ --- On Wed, 6/23/10, ian loyola ian_loy...@yahoo.com wrote: From: ian loyola ian_loy...@yahoo.com Subject: Convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x To: users@tomcat.apache.org Date: Wednesday, June 23, 2010, 3:04 PM Dear colleagues, I'm running IIS version 6 and Apache Tomcat 6.x on a Windows 2003 enterprise server. I had to renew SSL certificates for both the IIS and Tomcat web server. I was told to raise a CSR from the IIS server and create a certificate. The certificate (.PFX) could then be converted into a (.keystore) file for Tomcat. Unfortunately, I'm struggling with this. Generating a new CSR is unfortunately not an option as it needs to be completed tomorrow. Could you please please assist me to convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x? Thank you. Best regards, Ian
Re: Convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x
Hi Mark, Thanks for that. I did try searching a lot for it and I did come across that article. But that method doesn't explain how to chain the CA's intermediate certificates. Any idea how to do that? Cheers, Ian From: Mark Eggers its_toas...@yahoo.com To: Tomcat Users List users@tomcat.apache.org Sent: Thu, 24 June, 2010 3:43:12 AM Subject: Re: Convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x Google is your friend? http://www.cb1inc.com/2007/04/30/converting-pfx-certificates-to-java-keystores/ Please note that I have not tried this. Your mileage may vary. /mde/ --- On Wed, 6/23/10, ian loyola ian_loy...@yahoo.com wrote: From: ian loyola ian_loy...@yahoo.com Subject: Convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x To: users@tomcat.apache.org Date: Wednesday, June 23, 2010, 3:04 PM Dear colleagues, I'm running IIS version 6 and Apache Tomcat 6.x on a Windows 2003 enterprise server. I had to renew SSL certificates for both the IIS and Tomcat web server. I was told to raise a CSR from the IIS server and create a certificate. The certificate (.PFX) could then be converted into a (.keystore) file for Tomcat. Unfortunately, I'm struggling with this. Generating a new CSR is unfortunately not an option as it needs to be completed tomorrow. Could you please please assist me to convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x? Thank you. Best regards, Ian
Re: Convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x
Hi Ian, Take a look at this http://tp.its.yale.edu/pipermail/cas/2005-July/001337.html. Hope it helps. On 24 June 2010 06:41, Konstantin Kolinko knst.koli...@gmail.com wrote: 2010/6/24 Mark Eggers its_toas...@yahoo.com: Google is your friend? http://www.cb1inc.com/2007/04/30/converting-pfx-certificates-to-java-keystores/ Please note that I have not tried this. Your mileage may vary. Noticing the PKCS #12 hint from the above page, I can find this Sun article: http://java.sun.com/developer/technicalArticles/J2SE/security/#4 Import and Export PKCS#12 Keystores how to chain the CA's intermediate certificates It looks that the method described in the Sun article imports the whole keystore, and from description of the format it looks that the one from Jetty also does so. Disclaimer: I have not tried them. Best regards, Konstantin Kolinko
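The PKCS#12 import discussed in this thread, as an added example that is not from any of the posters, with a check that the CA's intermediate certificates arrived with the key. It assumes a JDK 6 or later `keytool` (the first with `-importkeystore`); the function names and the sample listing are constructed, and the `keytool` arguments are the same at a Windows command prompt.

```shell
#!/bin/sh
# Convert an IIS .pfx (PKCS#12) export into a JKS keystore for Tomcat, then
# confirm the certificate chain was carried over with the private key.

# pfx_to_jks SRC.pfx DEST.keystore
# keytool prompts for the source and destination passwords, which keeps
# them out of the process list and the shell history.
pfx_to_jks() {
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype PKCS12 \
        -destkeystore "$2" -deststoretype JKS
}

# Reads `keytool -list -v` output on stdin and prints the smallest
# "Certificate chain length" found among the key entries (0 if none).
min_chain_length() {
    awk -F': *' '
        /^Certificate chain length:/ {
            n = $2 + 0
            if (min == "" || n < min) min = n
        }
        END { print (min == "" ? 0 : min) }'
}

# chain_ok KEYSTORE MIN
# Succeeds only when every key entry carries at least MIN certificates,
# e.g. MIN=2 for a server certificate plus one intermediate.
# A keytool failure yields 0 and therefore fails the check.
chain_ok() {
    len=$(keytool -list -v -keystore "$1" | min_chain_length)
    [ "$len" -ge "$2" ]
}

# Constructed, abbreviated sample of `keytool -list -v` output.
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: constructed-alias
Creation date: Jun 24, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com'

# Demo on the sample listing.
printf '%s\n' "$SAMPLE_LIST" | min_chain_length
```

A chain length of 1 for a CA-issued certificate means the key entry holds only the server certificate, so the intermediates were not in the .pfx that was imported.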
Configure Client Certificate
Hi I have successfully configured server certificate using keytool and now I can access my web application using HTTPS. Now I want to configure client certificate but I don't have any idea of how to do this. Can anyone please let me know step by step procedure on how to implement this. Note that I am using Tomcat 5.5 with JRE 1.5.0_16. Please help. Thanks Deepak
Re: Configure Client Certificate
Dear, If you are accessing your application from same system i.e server then you have to import that certificate into browser. To access your application through client machine you have to purchase certificate. I will suggest you to purchase some basic certificate from GoDaddy. It's a cheap one.. it will cost you around 650 INR. Then the process will become very easy for you. Regards, Nilesh. On Thu, Jun 24, 2010 at 9:17 AM, deepak.baran deepak.ba...@gmail.com wrote: Hi I have successfully configured server certificate using keytool and now I can access my web application using HTTPS. Now I want to configure client certificate but I don't have any idea of how to do this. Can anyone please let me know step by step procedure on how to implement this. Note that I am using Tomcat 5.5 with JRE 1.5.0_16. Please help. Thanks Deepak