https server behind apache
Hi,

I set up a virtual host for ssl in apache, www.sample.com, it uses mod_proxy to redirect to a tomcat server:

ProxyPass / https://localhost:8443/
ProxyPassReverse / https://localhost:8443/
ProxyPreserveHost on
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/httpd/sample.crt
SSLCertificateKeyFile /etc/httpd/sample.key

do I need a jks in the tomcat side?

Thanks,
Angelo

--
View this message in context: http://old.nabble.com/https-server-behind-apache-tp32081628p32081628.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: https server behind apache
AngeloChen wrote:
> Hi, I set up a virtual host for ssl in apache,

We will assume that you know what you are doing, but just as a reminder : HTTPS and VirtualHosts are not really compatible. You can make it work, but only with one name-based VirtualHost. If you are not sure or do not understand this, read the relevant Apache documentation carefully.

> www.sample.com, it uses mod_proxy to redirect to a tomcat server:
>
> ProxyPass / https://localhost:8443/
> ProxyPassReverse / https://localhost:8443/
> ProxyPreserveHost on
> SSLEngine on
> SSLProxyEngine on
> SSLCertificateFile /etc/httpd/sample.crt
> SSLCertificateKeyFile /etc/httpd/sample.key
>
> do I need a jks in the tomcat side?
>
> Thanks,

The usual way to do this, is to terminate HTTPS at the Apache level, and proxy to Tomcat over normal HTTP, particularly if Tomcat is on the same host. The reason is that HTTPS has a cost : every packet going to Tomcat has to be encrypted, and decrypted at the Tomcat side; and every packet sent by Tomcat to Apache, similarly.

If the browsers use HTTPS to communicate with Apache, then that part of the link is secure, and that is usually what you want. If the link between Apache and Tomcat is private (and if it is on the same host, you can probably consider it so), there is no real need to encrypt the traffic between them, and have all the complication of SSL there again.

Now also : considering your Proxy directives above, it looks like you are proxying *everything* to Tomcat, and that Apache does nothing except forwarding requests/responses back and forth. So the question is : do you really need Apache httpd for any reason ? Tomcat alone can act as a webserver, HTTP or HTTPS. You could set up Tomcat to respond to port 80 (and 443) directly, and save yourself the complication and overhead of Apache httpd.

ssl and host name not match
Hi,

I got a virtual host:

<Host name="www.sample.com" appBase="sampleapps"
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
  <Alias>sample.com</Alias>
  ...

for some reason, the jks in the tomcat is for sample.com, when calling this server with httpclient, it always get:

javax.net.ssl.SSLException: hostname in certificate didn't match: www.sample.com != sample.com

even there is an alias sample.com. any fix on this?

Thanks,
Angelo

--
View this message in context: http://old.nabble.com/ssl-and-host-name-not-match-tp32081887p32081887.html

Init HTTP session during realm authentication stage
Hi all:

I'm using realm tool for user authentication on Tomcat 7.

I've made a custom realm overriding authenticate() method of DataSourceRealm class. And all works fine.

But I would like to initialize HTTP session in this stage with user data. My custom authenticate() method queries user data to check if it exists or not, and I wouldn't like to have to call another service to perform the same query.

Is this possible ? Any ideas ??

Thanks and regards

Re: Init HTTP session during realm authentication stage
> But I would like to initialize HTTP session in this stage with user data. My custom authenticate() method queries user data to check if it exists or not, and I wouldn't like to have to call another service to perform the same query.

Couldn't you just implement HttpSessionListener?

Chris

Re: Init HTTP session during realm authentication stage
2011/7/18 chris derham ch...@derham.me.uk:
> Couldn't you just implement HttpSessionListener?
>
> Chris

Yes, could be useful :-)

Thanks

Re: ssl and host name not match
AngeloChen wrote:
> Hi,
>
> I got a virtual host:
>
> <Host name="www.sample.com" appBase="sampleapps"
>       unpackWARs="true" autoDeploy="true"
>       xmlValidation="false" xmlNamespaceAware="false">
>   <Alias>sample.com</Alias>
>   ...
>
> for some reason, the jks in the tomcat is for sample.com, when calling this server with httpclient, it always get:
>
> javax.net.ssl.SSLException: hostname in certificate didn't match: www.sample.com != sample.com
>
> even there is an alias sample.com. any fix on this?
>
> Thanks,

There is no fix for this, because it is not a problem. The client and the server are working the way they should :
- the client connects to a server, thinking it is www.sample.com
- the server returns a certificate for the host sample.com
- the client sees that the certificate is not for the host that it requested, so it gives an error.

The Alias in your configuration is just a way for Tomcat to handle the request with the corresponding virtual host. But it does not change the content of the certificate.

There are different ways to avoid the error :
a) have the client connect to sample.com instead. Because of the Alias, the Tomcat virtual host will be the same, and it will return a certificate for sample.com, so the client will be happy too.
b) use a wildcard certificate for *.sample.com
c) change the certificate to be for www.sample.com
...

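The check the client performed, reduced to its name-matching rule, as an added example (not code from this thread or from HttpClient): it shows which host names each of options a) to c) satisfies, including that a wildcard for *.sample.com does not cover the bare sample.com. The class and method names are made up for the illustration, and the certificate name sets are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Added example: simplified RFC 6125 style matching of a host against certificate names. */
public class HostnameMatch {

    /** True if one certificate name (exact, or wildcard in the left-most label) covers the host. */
    static boolean matchesName(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String c = certName.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) {
            return h.equals(c);                  // plain name: must be identical
        }
        String suffix = c.substring(1);          // "*.sample.com" -> ".sample.com"
        // Conservative choice: refuse a second wildcard and wildcards directly
        // under a top-level label such as "*.com".
        if (suffix.indexOf('*') >= 0 || suffix.indexOf('.', 1) < 0) {
            return false;
        }
        if (!h.endsWith(suffix)) {
            return false;                        // also rejects the bare domain
        }
        // The "*" stands for exactly one non-empty label, never for "a.b".
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    /** True if any name in the certificate covers the host the client asked for. */
    static boolean matchesAny(String host, List<String> certNames) {
        for (String name : certNames) {
            if (matchesName(host, name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed certificate name sets, one per situation discussed in the reply.
        String[][] certs = {
            {"sample.com"},                      // certificate from the question (option a changes the host)
            {"*.sample.com"},                    // option b
            {"www.sample.com"},                  // option c
            {"sample.com", "www.sample.com"},    // both names in one certificate
        };
        String[] hosts = {"www.sample.com", "sample.com"};
        for (String[] names : certs) {
            for (String host : hosts) {
                boolean ok = matchesAny(host, Arrays.asList(names));
                System.out.printf("cert %-32s host %-15s -> %s%n",
                        Arrays.toString(names), host,
                        ok ? "accepted" : "hostname mismatch");
            }
        }
    }
}
```
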
Re: ssl and host name not match
I opted for #3 and it works, thanks.

awarnier wrote:
> AngeloChen wrote:
>> Hi,
>>
>> I got a virtual host:
>>
>> <Host name="www.sample.com" appBase="sampleapps"
>>       unpackWARs="true" autoDeploy="true"
>>       xmlValidation="false" xmlNamespaceAware="false">
>>   <Alias>sample.com</Alias>
>>   ...
>>
>> for some reason, the jks in the tomcat is for sample.com, when calling this server with httpclient, it always get:
>>
>> javax.net.ssl.SSLException: hostname in certificate didn't match: www.sample.com != sample.com
>>
>> even there is an alias sample.com. any fix on this?
>>
>> Thanks,
>
> There is no fix for this, because it is not a problem. The client and the server are working the way they should :
> - the client connects to a server, thinking it is www.sample.com
> - the server returns a certificate for the host sample.com
> - the client sees that the certificate is not for the host that it requested, so it gives an error.
>
> The Alias in your configuration is just a way for Tomcat to handle the request with the corresponding virtual host. But it does not change the content of the certificate.
>
> There are different ways to avoid the error :
> a) have the client connect to sample.com instead. Because of the Alias, the Tomcat virtual host will be the same, and it will return a certificate for sample.com, so the client will be happy too.
> b) use a wildcard certificate for *.sample.com
> c) change the certificate to be for www.sample.com
> ...

--
View this message in context: http://old.nabble.com/ssl-and-host-name-not-match-tp32081887p32083029.html

Re: Init HTTP session during realm authentication stage
2011/7/18 Chema demablo...@gmail.com
> Yes, could be useful :-)
>
> Thanks

I guess it's not as useful as I thought :-/

The reason is that HttpSessionListener.sessionCreated method is always invoked when Tomcat server receives the first petition. Session is not created by realm code when user is validated.

Now I'm trying to use filters. When realm code validates a user, it redirects to the protected resource. If I can filter this redirection and load user data into session, I think that could work.

Thanks

Re: RedHat and mod_jk
Mark,

On 7/16/2011 12:50 AM, Mark Eggers wrote:
> I've been successful in the past in getting permission to build critical components locally. I've also been in environments where this was strictly forbidden, even at the expense of not meeting business requirements and/or exposing the infrastructure to known security risks. Meeting requirements is preferred (in my book).
>
> It also appears that more and more admins are uncomfortable with building, installing, and then managing systems with locally installed software. This goes back to the challenge that the original poster had.
>
> Why an admin would balk at learning how to do this is another question . . .

Fortunately for me, I'm the admin *and* I get to make these kinds of decisions. I just don't feel like keeping MySQL up-to-date myself. :)

-chris

Re: [JSP] List directory content within a war-file
DBD,

On 7/16/2011 10:46 AM, Dark Before Dawn wrote:
> Since I have no exposed filesystem getRealPath will return null. So I tried to use getResourceAsStream which works fine for files but not for directories.

Are you sure you want to do this?

> My other idea was to use getResource and URL/URI to get a java.io.File via JNDI. But this file is not a file nor a directory.

How is this file not a file?

> // null if unpackWar = false
> String absolute = this.getServletConfig().getServletContext().getRealPath("files");
> out.write("Files: " + absolute);
> // jndi
> URL url = this.getServletConfig().getServletContext().getResource("files");

Read the javadoc for ServletContext.getResource:

Returns a URL to the resource that is mapped to a specified path. The path must begin with a "/" and is interpreted as relative to the current context root.

> InputStream is = this.getServletConfig().getServletContext().getResourceAsStream("files/1.txt");

This should work, as long as you're using the API properly.

> // NPE if directory

That makes sense. You need to check for null, just like the javadocs say.

-chris

Re: https server behind apache
Angelo,

On 7/18/2011 4:55 AM, AngeloChen wrote:
> I set up a virtual host for ssl in apache, www.sample.com, it uses mod_proxy to redirect to a tomcat server:
>
> ProxyPass / https://localhost:8443/
> ProxyPassReverse / https://localhost:8443/
> ProxyPreserveHost on
> SSLEngine on
> SSLProxyEngine on
> SSLCertificateFile /etc/httpd/sample.crt
> SSLCertificateKeyFile /etc/httpd/sample.key
>
> do I need a jks in the tomcat side?
>
> Thanks,

No, because you are not using AJP, you're using HTTP(S).

If you trust your web server and you have a secured network, you don't need to have the link between httpd and Tomcat use HTTPS. You'll get a performance improvement if you drop that SSL connection.

Also, you might want to make sure you are using the APR connector on the Tomcat side, which will significantly improve your SSL performance in Tomcat.

-chris

Re: Init HTTP session during realm authentication stage
Chema,

On 7/18/2011 9:16 AM, Chema wrote:
> Now I'm trying to use filters. When realm code validates a user, it redirects to the protected resource. If I can filter this redirection and load user data into session, I think that could work.

This is how we do things using a custom Realm. We allow Tomcat to go about its business setting the Principal in the request, and then we use a Filter to detect that the Principal is set but no user object is in the session. At that point, we perform the real login and do whatever is necessary on top of the actual authentication.

-chris

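One way to write the Filter described in this reply, as an added example (not code from the thread): the realm authenticates, and the filter fills the session the first time it sees a Principal without a matching user object. The class name, the `app.user` attribute, `UserProfile` and the in-memory user table are assumptions standing in for the application's own types and query; it needs the Servlet API (javax.servlet) on the classpath.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: loads user data into the session after container authentication. */
public class SessionUserFilter implements Filter {

    /** Hypothetical session attribute under which the user object is stored. */
    static final String USER_ATTR = "app.user";

    /** Hypothetical per-user data the application wants in the session. */
    public static final class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        final String login;
        final String displayName;

        UserProfile(String login, String displayName) {
            this.login = login;
            this.displayName = displayName;
        }
    }

    // Constructed sample data standing in for the application's user query.
    private final Map<String, UserProfile> users = new HashMap<String, UserProfile>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        users.put("alice", new UserProfile("alice", "Alice Example"));
    }

    @Override
    public void destroy() {
        users.clear();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set by Tomcat once the realm has accepted the credentials.
        Principal principal = request.getUserPrincipal();

        if (principal != null) {
            HttpSession session = request.getSession(true);
            UserProfile cached = (UserProfile) session.getAttribute(USER_ATTR);

            // Load when nothing is cached, and reload when the cached object
            // belongs to a different login than the authenticated Principal.
            if (cached == null || !cached.login.equals(principal.getName())) {
                UserProfile fresh = users.get(principal.getName());
                if (fresh == null) {
                    // Authenticated by the realm but unknown to the application:
                    // fail closed instead of continuing without user data.
                    session.removeAttribute(USER_ATTR);
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
                session.setAttribute(USER_ATTR, fresh);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml to the same URL patterns as the security constraint so that it runs on the request that follows a successful login.
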
Re: RedHat and mod_jk
Christopher Schultz wrote:
> Mark,
>
> On 7/16/2011 12:50 AM, Mark Eggers wrote:
>> I've been successful in the past in getting permission to build critical components locally. I've also been in environments where this was strictly forbidden, even at the expense of not meeting business requirements and/or exposing the infrastructure to known security risks. Meeting requirements is preferred (in my book).
>>
>> It also appears that more and more admins are uncomfortable with building, installing, and then managing systems with locally installed software. This goes back to the challenge that the original poster had.
>>
>> Why an admin would balk at learning how to do this is another question . . .
>
> Fortunately for me, I'm the admin *and* I get to make these kinds of decisions. I just don't feel like keeping MySQL up-to-date myself. :)

A reason why admins balk may be because they are asked to take care of more and more systems (due to virtualisation e.g.), and can no longer afford to spend the time to do that.

Anyway, whatever their reasons, a number of admins will not do it, and the practical consequence in this case will be a decrease of the usage of mod_jk.

The basic point is : mod_jk is not included in the RedHat standard Apache/Tomcat packages. But maybe this is just an oversight of RedHat, and maybe with a little nudge, they may be persuaded to include it again. Does anyone know how one would go about trying to nudge them in this direction ?

Alternatively, what would it take for mod_jk to be (maybe again) part of the standard Apache httpd distribution ? (so that these packagers would include it in the next Apache httpd packaged version without even having to think about it).

RE: RedHat and mod_jk
FYI... I got the S.A. to compile Apache, and then to compile mod_jk. It works, just like you guys said that it would.

Thanks for ALL of your help! :-)

JL

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, July 18, 2011 11:33 AM
To: Tomcat Users List
Subject: Re: RedHat and mod_jk

Christopher Schultz wrote:
> Mark,
>
> On 7/16/2011 12:50 AM, Mark Eggers wrote:
>> I've been successful in the past in getting permission to build critical components locally. I've also been in environments where this was strictly forbidden, even at the expense of not meeting business requirements and/or exposing the infrastructure to known security risks. Meeting requirements is preferred (in my book).
>>
>> It also appears that more and more admins are uncomfortable with building, installing, and then managing systems with locally installed software. This goes back to the challenge that the original poster had.
>>
>> Why an admin would balk at learning how to do this is another question . . .
>
> Fortunately for me, I'm the admin *and* I get to make these kinds of decisions. I just don't feel like keeping MySQL up-to-date myself. :)

A reason why admins balk may be because they are asked to take care of more and more systems (due to virtualisation e.g.), and can no longer afford to spend the time to do that.

Anyway, whatever their reasons, a number of admins will not do it, and the practical consequence in this case will be a decrease of the usage of mod_jk.

The basic point is : mod_jk is not included in the RedHat standard Apache/Tomcat packages. But maybe this is just an oversight of RedHat, and maybe with a little nudge, they may be persuaded to include it again. Does anyone know how one would go about trying to nudge them in this direction ?

Alternatively, what would it take for mod_jk to be (maybe again) part of the standard Apache httpd distribution ? (so that these packagers would include it in the next Apache httpd packaged version without even having to think about it).

apache and tomcat gets hang
The problem below is seen in the mod_jk.log file, and after that my apache stops taking calls. The client gives the error java.net.SocketTimeoutException: Read timed out.

Added connection_timeout in server.xml for AJP13, and no extra other entry in workers.properties.

workers.properties

worker.list=loadbalancer
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8036
worker.worker1.lbfactor=100
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=worker1

[DATE] [8353:1] [info] jk_connect.c (566): connect to IP:8036 failed (errno=145)
[Wed Jul 06 09:07:10 2011] [8353:1] [info] jk_ajp_common.c (869): Failed opening socket to (IP:8036) (errno=145)
[DATE] [8353:1] [error] jk_ajp_common.c (1359): (worker) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=145)
[DATE] [8353:1] [info] jk_ajp_common.c (2186): (worker) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)

apache used = apache_2.2.8
tomcat used = apache-tomcat-6.0.18
mod_jk used = 1.2.26

not able to reproduce on other machine.

--
View this message in context: http://old.nabble.com/apache-and-tomcat-gets-hang-tp32084440p32084440.html

Re: RedHat and mod_jk
----- Original Message -----
From: André Warnier a...@ice-sa.com
To: Tomcat Users List users@tomcat.apache.org
Cc:
Sent: Monday, July 18, 2011 8:33 AM
Subject: Re: RedHat and mod_jk

> Christopher Schultz wrote:
>> Mark,
>>
>> On 7/16/2011 12:50 AM, Mark Eggers wrote:
>>> I've been successful in the past in getting permission to build critical components locally. I've also been in environments where this was strictly forbidden, even at the expense of not meeting business requirements and/or exposing the infrastructure to known security risks. Meeting requirements is preferred (in my book).
>>>
>>> It also appears that more and more admins are uncomfortable with building, installing, and then managing systems with locally installed software. This goes back to the challenge that the original poster had.
>>>
>>> Why an admin would balk at learning how to do this is another question . . .
>>
>> Fortunately for me, I'm the admin *and* I get to make these kinds of decisions. I just don't feel like keeping MySQL up-to-date myself. :)
>
> A reason why admins balk may be because they are asked to take care of more and more systems (due to virtualisation e.g.), and can no longer afford to spend the time to do that.
>
> Anyway, whatever their reasons, a number of admins will not do it, and the practical consequence in this case will be a decrease of the usage of mod_jk.
>
> The basic point is : mod_jk is not included in the RedHat standard Apache/Tomcat packages. But maybe this is just an oversight of RedHat, and maybe with a little nudge, they may be persuaded to include it again. Does anyone know how one would go about trying to nudge them in this direction ?
>
> Alternatively, what would it take for mod_jk to be (maybe again) part of the standard Apache httpd distribution ? (so that these packagers would include it in the next Apache httpd packaged version without even having to think about it).

I noticed that it's not a part of the Fedora (basically RedHat's test platform) distribution either. If it's a part of the Apache HTTPD distribution, more Linux distributions might pick it up. Just glancing at my installation, it seems that modules not shipped with Fedora's packaging are modules that are separate from Apache HTTPD (with the notable exception of mod_ssl).

For RedHat, the process is roughly:

1) Get the new code accepted upstream.
2) Get it included in Fedora.
3) Get it included in Red Hat Enterprise Linux.

This is taken from a RedHat magazine article, and discusses bug fixes, new features, and new packages. I'm guessing that item 1) applies to bug fixes and new features.

So, possibly getting the Fedora team to accept an RPM for mod_jk would be the place to start. They'll probably want a 32-bit, 64-bit, and source packages. They'll also probably want a maintainer for those packages. The IRC channel #fedora-devel on FreeNode might be a good place to start.

I don't know how other distributions are handled.

Chris, I'm just a lowly systems architect (have been an admin in a former life). Building MySQL was always low on my list of things to do. However, it never seemed as difficult as building PHP :-p.

Andre, managing lots of configurations is a pain. I've used custom processes/tools as well as commercial tools. Nothing seems to work effortlessly ;-). So mod_jk builds may be the (very lightweight) straw that breaks an admin's back.

. . . . just my two cents.

/mde/

APR connector pollTime defaults are strange in tomcat6/7
From documentation:

TC6: Duration of a poll call. Lowering this value will slightly decrease latency of connections being kept alive in some cases, but will use more CPU as more poll calls are being made. The default value is 2000 (5ms).

TC7: Duration of a poll call in microseconds. Lowering this value will slightly decrease latency of connections being kept alive in some cases, but will use more CPU as more poll calls are being made. The default value is 2000 (2ms).

TC6 APR connector defaults are also microseconds. But it gives not 5ms, but some arbitrary value that depends on kernel configuration. On distribution default kernels (debian, redhat...) with 100HZ configs (very common on servers) it gives epoll time of 10ms (sounds reasonable, but...).

Now where trouble starts is on kernels with NO_HZ and HPET timers - it actually gives epoll time of 2ms. The problem is that on reasonably loaded servers tomcat java processes start to dominate wake up reasons and timer interrupt reasons - waking up each thread with APR connector ~480 times per second.

pidstat -t -w -C java 1

will show those threads and ~480 context switches they are causing, and you can confirm the reason for those wakeups with:

gdb -batch -ex bt -p 4056
warning: process 4056 is a cloned process
[Thread debugging using libthread_db enabled]
0x7f652a096623 in epoll_wait () from /lib/libc.so.6
#0 0x7f652a096623 in epoll_wait () from /lib/libc.so.6
#1 0x7f6521147ca3 in ?? () from /usr/lib/libapr-1.so.0
#2 0x7f6521146908 in apr_pollset_poll () from /usr/lib/libapr-1.so.0
#3 0x7f652196b2b3 in Java_org_apache_tomcat_jni_Poll_poll (e=0x40fbf9c8, o=<value optimized out>, pollset=1092883016, timeout=2000, set=0x7f651b622750, remove=1 '\001') at src/poll.c:311

Also if you do strace -r -p APRconnectorpid, you will see that there is a mass of epoll_wait calls going on, most of them each doing absolutely nothing.

Does Tomcat APR really need pollTime set so low by default? I thought timeout is meant for some sort of bookkeeping, where if all connections in FD set are idle, no events come for timeout period - you force timeout and do bookkeeping - on a busy system you will get events anyway cause of socket traffic. Also connection timeout is 60s by default, so ending connection @ 2ms precision is not enhancing latency in any way.

I think defaults should be increased to something reasonable like 100ms (pollTime =10) to avoid unneeded wakeups (and wakeups are bad, cause they cause context switch, and context switches pollute caches, TLB buffers and on modern servers burn electricity by forcing CPUs from low C states).

P.S. There exists perfect workaround in latest Tomcat7, using protocol=org.apache.coyote.http11.Http11NioProtocol and protocol=org.apache.coyote.ajp.AjpNioProtocol for AJP will do away with all unneeded context switches.

--
View this message in context: http://old.nabble.com/APR-connector-pollTime-defaults-are-strange-in-tomcat6-7-tp32085364p32085364.html

Error dialog with the word environment misspelled as envionment
Hi,

We are attempting to upgrade our product from using tomcat 6.0.29 to 6.0.32 (and also upgrade to the latest patch of Java 6). This process has been rocky, and when I installed the latest version of our product on windows, the tomcat service would not start, and I saw an error dialog (below) with text:

The {0} envionment variable does not point to a working 32-bit JDK or JRE

If windows does not auto-correct it, you will see that the word environment is misspelled as envionment - missing the letter r.

I'm sure the cause of the error is in our own product. I only mention it because when I saw an anonymous error dialog with a misspelled word, my first thought was that I had a computer virus or some other malware. If there is a spelling error in a tomcat dialog, I'm sure somebody is fastidious enough to want to fix it. Can anybody verify whether this dialog was really generated by tomcat?

This probably isn't relevant, but I am running Windows 7 Professional on a 64-bit machine. We are, in fact, bundling a 32-bit JRE in our product. Tomcat was installed via a zipfile, but probably configured incorrectly.

Once again, I am not asking for help determining the cause of the error dialog: I am merely reporting the typographical error.

Thanks,
Eric

Running Tomcat on a webserver that is on a workgroup
I've been informed that our web server is going to be disjoined from the domain and placed on a workgroup. Is this a trend?

I don't understand how Tomcat will be able to access resources from our domain, and vice versa, unless I'm running Tomcat as a local account, and that same local account is created on the other servers on the domain.

It seems like I'm exploiting one security issue for another.

Leo Donahue

Re: Running Tomcat on a webserver that is on a workgroup
Leo Donahue - PLANDEVX wrote:
> I've been informed that our web server is going to be disjoined from the domain and placed on a workgroup. Is this a trend?

There is probably more to it than that. Perhaps your webserver is being moved to some demilitarised zone (DMZ) behind some kind of firewall, and since that firewall will probably block SMB/CIFS/NetBios kinds of communications, effectively indeed it will no longer be able to participate in a Domain.

> I don't understand how Tomcat will be able to access resources from our domain, and vice versa, unless I'm running Tomcat as a local account, and that same local account is created on the other servers on the domain.

It all depends what you mean by resources. It will still be able to access other hosts via TCP (through the firewall, if the firewall allows it). But it will no longer be able to access shares or windows network printers e.g. What kind of network resources does your webserver need ?

> It seems like I'm exploiting one security issue for another.

(trading). What is the security issue that this change is supposed to cure ?

Re: Error dialog with the word environment misspelled as envionment
Eric Hawkes wrote:
> Hi,
>
> We are attempting to upgrade our product from using tomcat 6.0.29 to 6.0.32 (and also upgrade to the latest patch of Java 6). This process has been rocky, and when I installed the latest version of our product on windows, the tomcat service would not start, and I saw an error dialog (below) with text:
>
> The {0} envionment variable does not point to a working 32-bit JDK or JRE
>
> If windows does not auto-correct it, you will see that the word environment is misspelled as envionment - missing the letter r.
>
> I'm sure the cause of the error is in our own product. I only mention it because when I saw an anonymous error dialog with a misspelled word, my first thought was that I had a computer virus or some other malware. If there is a spelling error in a tomcat dialog, I'm sure somebody is fastidious enough to want to fix it. Can anybody verify whether this dialog was really generated by tomcat?
>
> This probably isn't relevant, but I am running Windows 7 Professional on a 64-bit machine. We are, in fact, bundling a 32-bit JRE in our product. Tomcat was installed via a zipfile, but probably configured incorrectly.
>
> Once again, I am not asking for help determining the cause of the error dialog: I am merely reporting the typographical error.

The information above is a bit confusing. Are you running Tomcat as a Windows Service ? How is Tomcat being started ?

RE: Running Tomcat on a webserver that is on a workgroup
André,

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Running Tomcat on a webserver that is on a workgroup

> There is probably more to it than that.

All they are going to do is join it to a workgroup.

>> I don't understand how Tomcat will be able to access resources from our domain, and vice versa, unless I'm running Tomcat as a local account, and that same local account is created on the other servers on the domain.
>
> It all depends what you mean by resources. It will still be able to access other hosts via TCP (through the firewall, if the firewall allows it). But it will no longer be able to access shares or windows network printers e.g. What kind of network resources does your webserver need ?

Windows shares. Otherwise the size of the vm that is my current web server needs to grow in order to support access to certain files, mostly images (over 500 GB), or I add the local account from the workgroup to the domain server containing the file share.

>> It seems like I'm exploiting one security issue for another.
>
> (trading).

Yes, trading is a better word.

> What is the security issue that this change is supposed to cure ?

Other than making administration more difficult, I was hoping someone could tell me. Tomcat runs with a least privilege account anyway. Is this a feel good thing?

RE: Error dialog with the word environment misspelled as envionment
Hi,

I am running tomcat as a windows service. The service starts automatically after the machine is rebooted. The Path to executable in the tomcat service properties dialog is

C:\Program Files (x86)\SonicWallES\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe //RS//Tomcat6

It is highly likely that our current build is failing to upgrade tomcat due to some foolish errors in our own code.

If I were looking in my own product's source tree, I might do something like grep the appropriate part of the source base for the misspelled word envionment but I'm not familiar with the tomcat source tree.

Thanks,
Eric

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, July 18, 2011 3:39 PM
To: Tomcat Users List
Subject: Re: Error dialog with the word environment misspelled as envionment

Eric Hawkes wrote:
> Hi,
>
> We are attempting to upgrade our product from using tomcat 6.0.29 to 6.0.32 (and also upgrade to the latest patch of Java 6). This process has been rocky, and when I installed the latest version of our product on windows, the tomcat service would not start, and I saw an error dialog (below) with text:
>
> The {0} envionment variable does not point to a working 32-bit JDK or JRE
>
> If windows does not auto-correct it, you will see that the word environment is misspelled as envionment - missing the letter r.
>
> I'm sure the cause of the error is in our own product. I only mention it because when I saw an anonymous error dialog with a misspelled word, my first thought was that I had a computer virus or some other malware. If there is a spelling error in a tomcat dialog, I'm sure somebody is fastidious enough to want to fix it. Can anybody verify whether this dialog was really generated by tomcat?
>
> This probably isn't relevant, but I am running Windows 7 Professional on a 64-bit machine. We are, in fact, bundling a 32-bit JRE in our product. Tomcat was installed via a zipfile, but probably configured incorrectly.
>
> Once again, I am not asking for help determining the cause of the error dialog: I am merely reporting the typographical error.

The information above is a bit confusing. Are you running Tomcat as a Windows Service ? How is Tomcat being started ?