Re: tomcat http connector
On 22 Nov 2011, at 07:53, Jan Vávra va...@602.cz wrote: Hello, I use ajp, because on tomcat I make authentication based on client certificate. That you cannot do via http connector. Oh dear. Of course it can. CLIENT_CERT auth is part of the Servlet spec. p Jan. Hi, Is there any document which I can refer to which states if tomcat's built in http connector (Coyote) can be used for production ? And also a comparison between http connector and AJP one. Thanks, Asha - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: RemoveIpValve and valve execution order
Thanks for the quick reply. Works like a charm! Konstantin Kolinko wrote: 2011/11/22 rswart rjsw...@gmail.com: Hi, I'm trying to configure the RemoteIp in combination with AccessLogValve. request.getRemoteAddr() return the correct remote-ip from X-Forwarded-For header, but AccessLogValve still logs the unmodified (proxy) ip-address. Can this be related to the execution order of valves? Can I enforce the order somehow? No. It is not related to their order. If you need AccessLogValve to use information from RemoteIpValve you have to enable that explicitly. See requestAttributesEnabled in the documentation. http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html Version = 7.0.22, valves: Valve className=org.apache.catalina.valves.RemoteIpValve remoteIpHeader=X-Forwarded-For protocolHeader=X-Forwarded-Proto/ Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=${instanceId}_access. suffix=.log pattern=%h %{Host}i %t quot;%rquot; %s %b %{klm_tracking_id}c %S %D / Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/RemoveIpValve-and-valve-execution-order-tp32872128p32872144.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat http connector
For 6.x: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html For 7.x: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html For production environments, my best practice is to use tomcat 6.x coyote connector with native libraries enabled, two clustered servers configured properly, under a load balancer (namely, citrix netscaler). Regards, On Tue, Nov 22, 2011 at 8:43 AM, Asha K S a...@adobe.com wrote: Hi, Is there any document which I can refer to which states if tomcat's built in http connector (Coyote) can be used for production ? And also a comparison between http connector and AJP one. Thanks, Asha -- Kürşat TUNCEL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat http connector
I use the http connector (actually https) with tcnative and mod_proxy w/ http in Apache Httpd. For my purposes, I wanted https connections between the httpd server and tomcat. I only saw a big performance issue when I wasn't using tcnative libraries. On Nov 22, 2011 2:58 AM, Kursat Tuncel kursat.tun...@gmail.com wrote: For 6.x: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html For 7.x: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html For production environments, my best practice is to use tomcat 6.x coyote connector with native libraries enabled, two clustered servers configured properly, under a load balancer (namely, citrix netscaler). Regards, On Tue, Nov 22, 2011 at 8:43 AM, Asha K S a...@adobe.com wrote: Hi, Is there any document which I can refer to which states if tomcat's built in http connector (Coyote) can be used for production ? And also a comparison between http connector and AJP one. Thanks, Asha -- Kürşat TUNCEL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat recycling
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jan, At the end I'd like to make a little comparision. Recently I've used .NET + native calls of dlls, php + custom made php modules (native dlls), jsp+java. .NET and php have possibilities for some kind of recoveries. It's almost impossible to crash Apache like a whole (control + x worker processes). ?? If your PHP script is bad, you'll crash the request processor. If you are in prefork mode, a new child process is created when the old child dies unexpectedly. If you are in worker mode, well, you're not because mod_php doesn't work in worker more IIRC. But, if you were in worker mode, then you'd bring-down a bunch of PHP scripts all running in parallel and a whole lot of users would see errors. That's not terribly user-friendly. So .NET and php seems me they're more stable than tomcat because they have some possibilites. So, PHP and .NET are more stable because poorly-written applications can be mitigated by using server software that tolerates them? That doesn't make any sense at all. If you want to say that you'd rather work in .NET or PHP because app servers are more forgiving, then that's your decision. But don't try to assert that .NET or PHP is somehow better because of that decision. It may be better in your situation, but that certainly does not make them more stable. I would argue the reverse: if your webapps crash and cause problems, the webapps are not stable. The platform is almost irrelevant. I haven't studied recovery options in other java app. servers, but I'd really appreciate something in Tomcat. If you can figure out how to determine whether Tomcat is down, then you can easily script a restart. This kind of thing really can't be done by Tomcat itself because something outside the JVM needs to orchestrate the server restart. Since there are so many environments out there, the Tomcat team can't be expected to create auto-restart scripts for all those possibilities. I'd be interested to see how .NET does this, since .NET runs in a VM just like Java, and would have the same potential difficulties. IIRC, .NET doesn't have a rich server-side specification like the Java Servlet Spec that ties everything together for webapps. Basically, it's got IIS's ASP.NET-runner and those ASPs can call-out into real (that is, something NOT written in ASP but in a real language like C# or whatever) components. Given that thin veneer that Microsoft provides to its developers, it's not surprising that the server can so easily be bounced: there is no complicated infrastructure in place that needs to be torn-down and re-started. A servlet container is much more complicated and has many more moving parts than both IIS's .NET webapp stuff and mod_php. It's not surprising to me in the least that you would have a tougher time bouncing the service at regular intervals. If you really want to bounce Tomcat at regular intervals, set up a cluster and have cron (or task scheduler, etc) bounce Tomcat whenever you want. Bouncing Tomcat is a non-trivial operation, so it won't be instantaneous. I would never do rolling restarts of any service without having a cluster in place that could redirect traffic to an available server. I would even use mod_jk or something similar to take individual members out of the cluster and then wait until their traffic dies down before bouncing them. That way, nobody knows that your services are undergoing rolling restarts. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7Lt1gACgkQ9CaO5/Lv0PA9WQCfXA3h21pZlxuOQDxCppmi2ZxT P+gAnj0wksaWYvmgR3lCL0Z9fdvYkyWb =H67P -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 11/21/11 4:06 AM, André Warnier wrote: S Ahmed wrote: I know when I go in production I will have nginx map to this folder to serve the static files, which, as far as I understand your planned setup, would be a really bad idea. Only if you don't know what you're doing. Also, there is a big difference between this: DocumentRoot /path/to/tomcat/webapps/mywebapp and this: Alias /Assets /path/to/tomcat/webapps/mywebapp/Assets The latter is quite a bit safer IMO. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7LuKkACgkQ9CaO5/Lv0PBhYwCdGIGSURI4NDOjPMQ10neIOS0b whMAoJvsbx8tHhUrRbFPyQojKPSITjsO =vTIG -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
Chris, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 11/21/11 4:06 AM, André Warnier wrote: S Ahmed wrote: I know when I go in production I will have nginx map to this folder to serve the static files, which, as far as I understand your planned setup, would be a really bad idea. Only if you don't know what you're doing. Granted. But in that respect, many people don't realise what they're doing, as many previous questions on the list show. Also, there is a big difference between this: DocumentRoot /path/to/tomcat/webapps/mywebapp and this: Alias /Assets /path/to/tomcat/webapps/mywebapp/Assets The latter is quite a bit safer IMO. Yes, but what the OP would need to do, considering where he wanted to put the files, would be Alias /Assets /path/to/tomcat/webapps/mywebapp/WEB-INF/Assets which in my view is at least an opening for doing less safe things (*), which is why several people have already suggested /not/ to put the Assets sub-directory under WEB-INF. (*) because in order for that to work, the user-id under which Apache is running, already needs at least rx permissions to all the directories in that path (WEB-INF included). Which is unnecessary and unsafe. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat http connector
Hi Asha, Is mod_proxy also an option you are considering? mod_proxy is part of the Apache distribution and does not require compiling any modules separately. Here are my thoughts: Tomcat's built-in HTTP connector can be used for production if your production traffic is light. It is advisable to front-end Tomcat with Apache. Apache will serve static files, and ProxyPass all dynamic content to Tomcat. Apache's I/O is superior to Tomcat. Besides, front-ending Tomcat with Apache also gives you access to the powerful traffic filtering, security and other modules that are available for Apache. What do others think? -Shanti On Nov 22, 2011, at 1:43 AM, Asha K S wrote: Hi, Is there any document which I can refer to which states if tomcat's built in http connector (Coyote) can be used for production ? And also a comparison between http connector and AJP one. Thanks, Asha !DSPAM:4ecb449672082560778728! -- Shanti Suresh App Systems Analyst Lead Web Services, LSA Development University of Michigan Office: 734-763-4807 sha...@umich.edu http://lsa.umich.edu/cms
RE: tomcat http connector
From: Shanti Suresh [mailto:sha...@umich.edu] Subject: Re: tomcat http connector Tomcat's built-in HTTP connector can be used for production if your production traffic is light. It is advisable to front-end Tomcat with Apache. Sorry, that's just BS. Back in the Tomcat 3 or 4 days, it was true to some extent, but performance of Tomcat without httpd has been demonstrated to be equal or better. Apache's I/O is superior to Tomcat. Another incorrect statement; with Tomcat's APR connector, the I/O is identical - since it's all the same code. Regardless, as Pid pointed out, overall performance is rarely limited by the connector; the application architecture is the critical factor. front-ending Tomcat with Apache also gives you access to the powerful traffic filtering, security and other modules that are available for Apache. And introduces configuration complexity and a greater opportunity to create attack vectors due to seemingly innocuous configuration errors. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Maven Tomcat 7 plugin - changing war name
Hi, I'm struggling to get the tomcat7 plugin to work. I want to change the name of the war file. When I call mvn tomcat7:deploy-only It looks for war file XXX-YYY.war, where XXX is the artifactId and YYY is the version name. I'd rather use a different, simpler WAR file name myapp. It's used elsewhere in the site. But neither of these two things changes the war name that the plugin is looking for. properties project.build.finalNamesimulate/project.build.finalName /properties ... plugin groupIdorg.apache.tomcat.maven/groupId artifactIdtomcat7-maven-plugin/artifactId version2.0-SNAPSHOT/version configuration warNamemyapp.war/warName path/myapp/path /configuration /plugin Any suggestions? Or is this just not yet implemented. WILL
Single war file - multiple hosts - can't get log4j to log to different files
All, Java running on windows 2008 r2 against tomcat 7.0.19 java version 1.6.0_24 Java(TM) SE Runtime Environment (build 1.6.0_24-b07) Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode) I have a single war file, and would like to host multiple demo sites of our app. So ideally users access demo1.company.com and demo2.company.com. Completely isolated, but all running the same war. Please correct me where ever my logic is wrong, but I figured that I would 1) have a tomcat instance, containing config directory. This would have catalina/demo1.company.com/ROOT.xml containing pertinent jndi config. 2) in server.xml add this Host name=demo1.company.com appBase=webapps\demos unpackWARs=false autoDeploy=false Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=demo_access_log. suffix=.log pattern=%h %l %u %t quot;%rquot; %s %b resolveHosts=false/ /Host When I start the app, it works and the app works. However all context's apps log to the same log file. What I want to know how to make the different contexts under different hosts log to different file. Our log4j file contains appender name=FILE class=org.apache.log4j.rolling.RollingFileAppender param name=Threshold value=INFO / param name=File value=${catalina.base}/logs/demo.log / param name=Append value=true / rollingPolicy class=org.apache.log4j.rolling.TimeBasedRollingPolicy param name=FileNamePattern value=${catalina.base}/logs/demo.%d{-MM-dd}.log / /rollingPolicy layout class=org.apache.log4j.PatternLayout param name=ConversionPattern value=%d %t %X{user} %-5p [%c] %m%n / /layout /appender I have searched around, and found some references to JNDI context selectors for log4j, but I believe that this is to allow log4j separation - not directly related to what I am trying to do. I have tried to add a suitable web.xml environment entry, and then add it to the log file name, e.g. ${catalina.base}/logs/${tomcatInstancePrefix}demo.log. Then in ROOT.xml for each host I add Environment name=tomcatInstancePrefix value=demo2- type=java.lang.String override=false/ and in web.xml I add resource-env-ref resource-env-ref-nametomcatInstancePrefix/resource-env-ref-name resource-env-ref-typejava.lang.String/resource-env-ref-type /resource-env-ref but that didn't work Has anyone else done this? I can't believe that we are unique. Perhaps I am just ignorant of the correct term to search for. Any help greatly appreciated Thanks Chris
Java 7
Hi. Knowing that this list is not a Java list per se, but knowing also that there is considerable Java expertise available here, I would like to ask the following question : being a regular follower of this list (and not of any Java list per se), I believe I remember seeing some comments on the list about there being some problems related to the Tomcat/Java 7 relationship. Can someone tell me if I am mistaken, or else what kind of issues are still floating around that theme ? The reason I'm asking is that for testing some unrelated Java software, I am being asked to install Java 7 on a system on which currently happily runs Tomcat 6.x with Java 6 (Oracle), and I'd like to know if I would be setting myself up for some incompatibility issues there. Thanks - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Java 7
From: André Warnier [mailto:a...@ice-sa.com] Subject: Java 7 I believe I remember seeing some comments on the list about there being some problems related to the Tomcat/Java 7 relationship. Tomcat cannot be built with Java 7, but it can be run with it. Make sure you use the latest version of Java 7, since the first couple were pretty unstable. (The build problem is due to Sun/Oracle adding methods to some Interface classes in Java 7. If Tomcat were to implement those new methods, it would then be impossible to run it on Java 6.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: tomcat http connector
On 22/11/2011 16:21, Caldarale, Charles R wrote: From: Shanti Suresh [mailto:sha...@umich.edu] Subject: Re: tomcat http connector Tomcat's built-in HTTP connector can be used for production if your production traffic is light. It is advisable to front-end Tomcat with Apache. Sorry, that's just BS. Back in the Tomcat 3 or 4 days, it was true to some extent, but performance of Tomcat without httpd has been demonstrated to be equal or better. I agree with Chuck. Apache's I/O is superior to Tomcat. Another incorrect statement; with Tomcat's APR connector, the I/O is identical - since it's all the same code. Regardless, as Pid pointed out, overall performance is rarely limited by the connector; the application architecture is the critical factor. +1 front-ending Tomcat with Apache also gives you access to the powerful traffic filtering, security and other modules that are available for Apache. Tsk, tsk. p And introduces configuration complexity and a greater opportunity to create attack vectors due to seemingly innocuous configuration errors. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- [key:62590808] signature.asc Description: OpenPGP digital signature
Re: Single war file - multiple hosts - can't get log4j to log to different files
On 22/11/2011 19:28, chris derham wrote: Host name=demo1.company.com appBase=webapps\demos unpackWARs=false autoDeploy=false The appBase I find a little concerning... You don't have any apps directly place in webapps do you? p -- [key:62590808] signature.asc Description: OpenPGP digital signature
Re: tomcat http connector
Pid wrote: On 22/11/2011 16:21, Caldarale, Charles R wrote: From: Shanti Suresh [mailto:sha...@umich.edu] Subject: Re: tomcat http connector Tomcat's built-in HTTP connector can be used for production if your production traffic is light. It is advisable to front-end Tomcat with Apache. Sorry, that's just BS. Back in the Tomcat 3 or 4 days, it was true to some extent, but performance of Tomcat without httpd has been demonstrated to be equal or better. I agree with Chuck. Apache's I/O is superior to Tomcat. Another incorrect statement; with Tomcat's APR connector, the I/O is identical - since it's all the same code. Regardless, as Pid pointed out, overall performance is rarely limited by the connector; the application architecture is the critical factor. +1 front-ending Tomcat with Apache also gives you access to the powerful traffic filtering, security and other modules that are available for Apache. Tsk, tsk. -1. (to the tsk, tsk I mean). Because that part is true. There are a whole bunch of add-on modules for Apache httpd which have no equivalent (yet) in the Tomcat world. (Or they are much more difficult to find). p And introduces configuration complexity and a greater opportunity to create attack vectors due to seemingly innocuous configuration errors. - Chuck But that's also true. So the real answer is, as usual, it depends.. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat http connector
On 22/11/2011 20:08, André Warnier wrote: Pid wrote: On 22/11/2011 16:21, Caldarale, Charles R wrote: From: Shanti Suresh [mailto:sha...@umich.edu] Subject: Re: tomcat http connector Tomcat's built-in HTTP connector can be used for production if your production traffic is light. It is advisable to front-end Tomcat with Apache. Sorry, that's just BS. Back in the Tomcat 3 or 4 days, it was true to some extent, but performance of Tomcat without httpd has been demonstrated to be equal or better. I agree with Chuck. Apache's I/O is superior to Tomcat. Another incorrect statement; with Tomcat's APR connector, the I/O is identical - since it's all the same code. Regardless, as Pid pointed out, overall performance is rarely limited by the connector; the application architecture is the critical factor. +1 front-ending Tomcat with Apache also gives you access to the powerful traffic filtering, security and other modules that are available for Apache. Tsk, tsk. -1. (to the tsk, tsk I mean). Because that part is true. There are a whole bunch of add-on modules for Apache httpd which have no equivalent (yet) in the Tomcat world. (Or they are much more difficult to find). I'm increasingly less keen on employing a jack-of-all trades approach in the use of HTTPD e.g. traffic filtering. That is a network problem. p p And introduces configuration complexity and a greater opportunity to create attack vectors due to seemingly innocuous configuration errors. - Chuck But that's also true. So the real answer is, as usual, it depends.. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- [key:62590808] signature.asc Description: OpenPGP digital signature
Tomcat 7 not working with javax.net.ssl.keyStorePassword property
Hi All, I have observed a regression between tomcat 5 and tomcat 7. In my tomcat webapp, before I spawn another tomcat webapp process, I pass on the keystore password by setting the system property javax.net.ssl.keyStorePassword to keystore password, instead of writing the keystore password in plain-text as an attribute in server.xml. This used to work in tomcat 5. However in tomcat 7, the same webapp/keystore throws the following error: Nov 22, 2011 8:04:45 PM org.apache.coyote.AbstractProtocol init SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8096] java.io.IOException: Keystore was tampered with, or password was incorrect at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771) at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38) at java.security.KeyStore.load(KeyStore.java:1185) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158) at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:373) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:498) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369) at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119) at org.apache.catalina.connector.Connector.initInternal(Connector.java:909) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:573) at org.apache.catalina.startup.Catalina.load(Catalina.java:596) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449) at java.lang.Thread.run(Thread.java:619) Caused by: java.security.UnrecoverableKeyException: Password verification failed at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769) ... 28 more Nov 22, 2011 8:04:47 PM org.apache.catalina.core.StandardService initInternal SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8096]] org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8096]] at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:573) at org.apache.catalina.startup.Catalina.load(Catalina.java:596) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449) at java.lang.Thread.run(Thread.java:619) Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed at org.apache.catalina.connector.Connector.initInternal(Connector.java:911) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) ... 14 more Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771) at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38) at java.security.KeyStore.load(KeyStore.java:1185) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565) at
Thread executor question
We're going to be upgrading some vintage version 6 Tomcats to TC 7. I was wondering if there's any migration guide, in particular any discussion of the advantages to using thread pools/executors. Thanks, David
Re: Thread executor question
On Tue, 2011-11-22 at 12:57 -0800, David Dabbs wrote: We're going to be upgrading some vintage version 6 Tomcats to TC 7. I was wondering if there's any migration guide, Have you seen... https://tomcat.apache.org/migration.html#Migrating_from_6.0.x_to_7.0.x Dan
RE: Tomcat 7 not working with javax.net.ssl.keyStorePassword property
From: Satish Mittal [mailto:satish.mit...@gmail.com] Subject: Tomcat 7 not working with javax.net.ssl.keyStorePassword property In my tomcat webapp, before I spawn another tomcat webapp process I'll bite: what does that mean? What part of the servlet spec covers that action? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Single war file - multiple hosts - can't get log4j to log to different files
Host name=demo1.company.com appBase=webapps\demos unpackWARs=false autoDeploy=false The appBase I find a little concerning... You don't have any apps directly place in webapps do you? So I wasn't 100% sure exactly what to do here. I setup a folder under webapps called demos. We put our app there, named ROOT.war. Then in another subfolder of webapps called local, we put probe.war. We thought this would allow us to monitor all contexts with a single probe install, but it only seems to show a single localhost context. I assume that the hosts are separated, and that the context=priviliged setting can allow a web app to access other webapps in the same context, but not across hosts. Does that explanation make sense, and does that remove your concern? The only idea I have left if nobody can see an obvious flaw in our logic is to write some custom code to initialise log4j. We would just need to pick up the context, or a jndi variable and then prefix the log file name with this. Guess it can't be that hard - just figured that somebody would have hit this before. I recall that Mark Thomas mentioned something in a recent response about looking for some code in tomcat source where it allowed different contexts to register with JMX using different ports. I looked and can't find it - always hard to google for something if you don't know the term. Can anyone provide a pointer to if there is an existing variable containing a context id, or path, or name or something unique that we could use to prefix the log file - or is it just easier to setup our own context parameter? Thanks Chris
RE: Thread executor question
From: David Dabbs [mailto:dmda...@gmail.com] Subject: Thread executor question I was wondering if there's any migration guide You mean perhaps the link named Migration Guide on the Tomcat home page? http://tomcat.apache.org/migration.html in particular any discussion of the advantages to using thread pools/executors. Executors are available in Tomcat 6 already, so look in the 5.5.x to 6.0.x section: http://tomcat.apache.org/migration.html#Connector_thread_pools - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat http connector
Pid wrote: On 22/11/2011 20:08, André Warnier wrote: Pid wrote: On 22/11/2011 16:21, Caldarale, Charles R wrote: From: Shanti Suresh [mailto:sha...@umich.edu] Subject: Re: tomcat http connector Tomcat's built-in HTTP connector can be used for production if your production traffic is light. It is advisable to front-end Tomcat with Apache. Sorry, that's just BS. Back in the Tomcat 3 or 4 days, it was true to some extent, but performance of Tomcat without httpd has been demonstrated to be equal or better. I agree with Chuck. Apache's I/O is superior to Tomcat. Another incorrect statement; with Tomcat's APR connector, the I/O is identical - since it's all the same code. Regardless, as Pid pointed out, overall performance is rarely limited by the connector; the application architecture is the critical factor. +1 front-ending Tomcat with Apache also gives you access to the powerful traffic filtering, security and other modules that are available for Apache. Tsk, tsk. -1. (to the tsk, tsk I mean). Because that part is true. There are a whole bunch of add-on modules for Apache httpd which have no equivalent (yet) in the Tomcat world. (Or they are much more difficult to find). I'm increasingly less keen on employing a jack-of-all trades approach in the use of HTTPD e.g. traffic filtering. That is a network problem. In the absolute, you are probably right. But you are a Tomcat and Java specialist. Many of the people who use Tomcat (and come to this list for help) are not Tomcat nor Java specialists, such as sysadmins for instance. They are asked to resolve a particular issue, and use the tools they know best in order to do it. Apache httpd is more widely used and better-known to them than Tomcat, so it is their tool of preference. Also, in many cases, a website runs much more than Java applications and static pages. So they have to use another front-end anyway, and as long as it's there, they also use it (and its available and well-known modules) to solve issues that sometimes could also be handled in Tomcat, but with (to them) more difficulty. p p And introduces configuration complexity and a greater opportunity to create attack vectors due to seemingly innocuous configuration errors. - Chuck But that's also true. So the real answer is, as usual, it depends.. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Maven Tomcat 7 plugin - changing war name
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Will, On 11/22/11 2:02 PM, Will Glass-Husain wrote: I'm struggling to get the tomcat7 plugin to work. I'm pretty sure that's still under development, so YMMV right now. Stick around and I'm sure you'll get a better answer from Olivier. I just didn't want you to beat your head against a wall for a while if the answer was going to be yep, not done yet or something like that. Can you limp-along with the XXX-YYY.war for now? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7ME8UACgkQ9CaO5/Lv0PC/tgCfWtubedIoK3BX8gQ8GwVqaa0H jQcAn2FM+DPHkTd+e8nq14/KgdlknrWB =lE2v -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat http connector
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Asha, On 11/22/11 2:15 AM, Asha K S wrote: Is there any performance comparison document available already between http and AJP It should be easy to test in your own environment. If you are using AJP through another web server, the overhead of the server itself is obviously non-zero. If you're asking about connecting httpd and Tomcat via HTTP or AJP, then you'll have to do your own testing. I'm not sure there are any current performance comparisons out there. If you are using HTTPS in to Tomcat (that is, terminating SSL at httpd, then using HTTPS between httpd and Tomcat) then you definitely want to use the APR (aka native) connector as it's crypto implementation is much faster than the Java one. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7MFVsACgkQ9CaO5/Lv0PDajQCgmiaAqsG2jbBsTzRM2bdBy6w4 3XoAoLP3AaabD5F0FH8xwqJLvuqKd5zb =ErhA -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat http connector
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Asha, On 11/22/11 2:15 AM, Asha K S wrote: Is there any performance comparison document available already between http and AJP It should be easy to test in your own environment. If you are using AJP through another web server, the overhead of the server itself is obviously non-zero. If you're asking about connecting httpd and Tomcat via HTTP or AJP, then you'll have to do your own testing. I'm not sure there are any current performance comparisons out there. If you are using HTTPS in to Tomcat (that is, terminating SSL at httpd, then using HTTPS between httpd and Tomcat) then you definitely want to use the APR (aka native) connector as it's crypto implementation is much faster than the Java one. Addendum : but if you do the above, and you are looking for performance, then you should at least think of what it means : browser (1) -- HTTPS A -- (2) Apache (3) -- HTTPS B -- (4) Tomcat (1) encryption (by the browser) (2) decryption (by Apache) (3) encryption (by Apache) (4) decryption (by Tomcat) encryption/decryption is a CPU-intensive process, so you will want to do it only where it is necessary. If the link between Apache and Tomcat is safe (in other words, they are both on the same host, or the link is a safe internal network), then you probably do not want to use HTTPS there. Even if the link between Apache and Tomcat is unencrypted HTTP (or AJP), you can still pass information from Apache to Tomcat about the browser/Apache HTTPS connection, if you need to. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Maven Tomcat 7 plugin - changing war name
yep, not done yet :-) It's a bit weird issue as the plugin use the project artifact (i.e. ${project.artifact} as mojo parameter expression which should point to the war artifact of your project ). Can you load an issue ? (I probably won't have time before end of the week to have a look). 2011/11/22 Christopher Schultz ch...@christopherschultz.net: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Will, On 11/22/11 2:02 PM, Will Glass-Husain wrote: I'm struggling to get the tomcat7 plugin to work. I'm pretty sure that's still under development, so YMMV right now. Stick around and I'm sure you'll get a better answer from Olivier. I just didn't want you to beat your head against a wall for a while if the answer was going to be yep, not done yet or something like that. Can you limp-along with the XXX-YYY.war for now? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7ME8UACgkQ9CaO5/Lv0PC/tgCfWtubedIoK3BX8gQ8GwVqaa0H jQcAn2FM+DPHkTd+e8nq14/KgdlknrWB =lE2v -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Olivier Lamy Talend: http://coders.talend.com http://twitter.com/olamy | http://linkedin.com/in/olamy - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Thread executor question
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, November 22, 2011 3:44 PM To: Tomcat Users List Subject: Re: Thread executor question -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 DAvid, On 11/22/11 3:57 PM, David Dabbs wrote: We're going to be upgrading some vintage version 6 Tomcats to TC 7. I was wondering if there's any migration guide, in particular any discussion of the advantages to using thread pools/executors. So, you already have two responses about reading the documentation :( Yes, which I should have done. In terms of actually using Executors, I wound say that you definitely want to use one (or more). Here are a couple of reasons: 1. You can unify all request processor threads under one roof: the executor can be shared among connectors, so you have a single pool of threads for servicing requests instead of having to have several pools, all of which have a large number of threads just in case. 2. Executor thread pools can reduce the number of active threads when traffic is low. This will free-up memory on the server during slow times and make the server (slightly) more responsive as well. There really doesn't seem to be a reason not to use an Executor. Note: if you are making loopback-requests (that is, a thread makes an HTTP (or other) connection back to Tomcat itself for some reason like an HTTP include, etc.) then you might want to make sure that you use a separate pool for the loopback requests. Depending on the volume of these requests, you can deadlock your server if you're not careful: if you get N requests that trigger a loopback request, you'll get N loopback requests for a total requirement of 2*N request processors. It's conceivable that, if you have N request processors, N requests will arrive and trigger N loopback requests, none of which can be accepted because the original N request processors are stuck waiting on the loopback requests. Eventually, everything should time-out, but you can get yourself a few minutes of lock-up if you're not careful. To be sure, that's a contrived scenario and would never happen... until it happens to your server under load and someone says wow, we never thought that would happen. - -chris Thank you, Chris. -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7MF6QACgkQ9CaO5/Lv0PBhdQCdEjNC/lvDKqpmZqejniHCfw3h vmAAoKJ+IGOYag5M+/q3OjhI+cLgeunh =5cjn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1411 / Virus Database: 2092/4032 - Release Date: 11/22/11 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 not working with javax.net.ssl.keyStorePassword property
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 11/22/11 4:02 PM, Caldarale, Charles R wrote: From: Satish Mittal [mailto:satish.mit...@gmail.com] Subject: Tomcat 7 not working with javax.net.ssl.keyStorePassword property In my tomcat webapp, before I spawn another tomcat webapp process I'll bite: what does that mean? What part of the servlet spec covers that action? I'll get the popcorn. I'm anxiously waiting to hear what this is all about. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7MHq0ACgkQ9CaO5/Lv0PA+mgCgmiWr15JmLkw4kUEeVOpR4tdF WCsAn1TvIPCYsvnKthvmj/BacjL5bfwT =2VH/ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 not working with javax.net.ssl.keyStorePassword property
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Satish, On 11/22/11 3:42 PM, Satish Mittal wrote: I pass on the keystore password by setting the system property javax.net.ssl.keyStorePassword to keystore password, instead of writing the keystore password in plain-text as an attribute in server.xml. What makes you think this will work? This used to work in tomcat 5. Interesting. Where is this documented to work? However in tomcat 7, the same webapp/keystore throws the following error: Nov 22, 2011 8:04:45 PM org.apache.coyote.AbstractProtocol init SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8096] java.io.IOException: Keystore was tampered with, or password was incorrect You probably didn't set the password. :( - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7MIXkACgkQ9CaO5/Lv0PCOTACfbrLPw9otOzQVmBMiKM1JG2Z3 QGAAnjGzxKuTkwvgEsEwng7tsEXG1fuC =ifjs -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Single war file - multiple hosts - can't get log4j to log to different files
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chris, On 11/22/11 2:28 PM, chris derham wrote: Java running on windows 2008 r2 against tomcat 7.0.19 java version 1.6.0_24 Thanks! I have a single war file, and would like to host multiple demo sites of our app. So ideally users access demo1.company.com and demo2.company.com. Completely isolated, but all running the same war. Please correct me where ever my logic is wrong, but I figured that I would 1) have a tomcat instance, containing config directory. This would have catalina/demo1.company.com/ROOT.xml containing pertinent jndi config. Sounds good. 2) in server.xml add this Host name=demo1.company.com appBase=webapps\demos unpackWARs=false autoDeploy=false Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=demo_access_log. suffix=.log pattern=%h %l %u %t quot;%rquot; %s %b resolveHosts=false/ /Host Well, that will give you an access log for the whole host. If that's what you want, that's what you got. If you want the webapps to have separate access logs, you'll have to configure the Valve in ROOT.xml (and whatever other webapps you deploy). Maybe something like ROOT-access as the prefix value. When I start the app, it works and the app works. However all context's apps log to the same log file. What I want to know how to make the different contexts under different hosts log to different file. Our log4j file contains appender name=FILE class=org.apache.log4j.rolling.RollingFileAppender param name=Threshold value=INFO / param name=File value=${catalina.base}/logs/demo.log / So, this is a different issue. Above, you had an access log, which logs the hosts and URLs that they request, etc. It appears that log4j is an application log, like for INFO and DEBUG and stuff like that, right? Well, the obvious solution is to change the value of the File parameter in your log4j configuration. Try using something like ROOT-demo.log and a different value in the config file for the other copies that you deploy. Of course, that means that you can't actually use the same WAR file, or you need to figure out some way to load the log4j configuration file from another location. If you write your own ServletContextListener to load the log4j configuration (that's what we do over here... it also shuts-down log4j when the webapp undeploys), then you ought to be able to use the JNDI context to find the location of a configuration file on a per-context basis. For instance, you could put your config files somewhere like /etc/mywebapp/ROOT.xml and /etc/mywebapp/non-root.xml and just change the name of the log file name. (which does stuff like log the I have searched around, and found some references to JNDI context selectors for log4j, but I believe that this is to allow log4j separation - not directly related to what I am trying to do. I'm afraid I don't know a thing about JNDI context selectors and log4j. Sorry. I have tried to add a suitable web.xml environment entry, and then add it to the log file name, e.g. ${catalina.base}/logs/${tomcatInstancePrefix}demo.log. Then in ROOT.xml for each host I add Environment name=tomcatInstancePrefix value=demo2- type=java.lang.String override=false/ and in web.xml I add resource-env-ref resource-env-ref-nametomcatInstancePrefix/resource-env-ref-name resource-env-ref-typejava.lang.String/resource-env-ref-type /resource-env-ref but that didn't work Yeah, that doesn't work because it doesn't set a system property, which is what log4j requires for that kind of replacement. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7MI7AACgkQ9CaO5/Lv0PAapACeIyObJIZFFiJI/rfeoSnjTZi8 oCQAnR37LDsCFGBO6N9ufRJL8vzYWill =RcHC -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Single war file - multiple hosts - can't get log4j to log to different files
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chris, On 11/22/11 4:03 PM, chris derham wrote: So I wasn't 100% sure exactly what to do here. I setup a folder under webapps called demos. We put our app there, named ROOT.war. Then in another subfolder of webapps called local, we put probe.war. So you'll end up with 4 contexts deployed: / - webapps/demos/ROOT.war /demos- webapps/demos /local- webapps/local /probe- webapps/local/probe.war We thought this would allow us to monitor all contexts with a single probe install, but it only seems to show a single localhost context. I assume that the hosts are separated, and that the context=priviliged setting can allow a web app to access other webapps in the same context, but not across hosts. So... what setting is that? Does that explanation make sense, and does that remove your concern? No, you should do this: 1. Move your .war files from out of the webapps directory (and subdirs) 2. Update the paths in ROOT.xml and probe.xml to point to the new location 3. Remove the local and demos directories Or: 1. Remove the .xml files from conf/[hostname]/*.xml 2. Move your .war files from webapps/*/*.war to webapps/*.war 3. Remove the local and demos directories While you have disabled auto-deploy, it would be surprising to see webapps and directories stuck under the webapps/ tree that weren't being auto-deployed. It's better to put them somewhere else. It also makes Tomcat upgrades easier, since you won't have to move WAR files or remember that you changed things from the default. The only idea I have left if nobody can see an obvious flaw in our logic is to write some custom code to initialise log4j. We would just need to pick up the context, or a jndi variable and then prefix the log file name with this. Guess it can't be that hard - just figured that somebody would have hit this before. I think that's your best bet. I recall that Mark Thomas mentioned something in a recent response about looking for some code in tomcat source where it allowed different contexts to register with JMX using different ports. I looked and can't find it - always hard to google for something if you don't know the term. Can anyone provide a pointer to if there is an existing variable containing a context id, or path, or name or something unique that we could use to prefix the log file - or is it just easier to setup our own context parameter? I'm not sure that using JMX is going to make your life any easier. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7MJcgACgkQ9CaO5/Lv0PDDpACdEJ+Kf/9pxVdpMLdeM0OxqIXB 72gAn1BhRTpS0Pd+yXeyDYefWN+Rkwdn =i6Zk -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Maven Tomcat 7 plugin - changing war name
Thanks for the quick response. I wasn't initially sure of the status (the original Maven plugin doesn't work with Tomcat 7, so this is definitely needed. Now I see it's under development. I'll file an issue. WILL On Tue, Nov 22, 2011 at 1:50 PM, Olivier Lamy ol...@apache.org wrote: yep, not done yet :-) It's a bit weird issue as the plugin use the project artifact (i.e. ${project.artifact} as mojo parameter expression which should point to the war artifact of your project ). Can you load an issue ? (I probably won't have time before end of the week to have a look). 2011/11/22 Christopher Schultz ch...@christopherschultz.net: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Will, On 11/22/11 2:02 PM, Will Glass-Husain wrote: I'm struggling to get the tomcat7 plugin to work. I'm pretty sure that's still under development, so YMMV right now. Stick around and I'm sure you'll get a better answer from Olivier. I just didn't want you to beat your head against a wall for a while if the answer was going to be yep, not done yet or something like that. Can you limp-along with the XXX-YYY.war for now? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7ME8UACgkQ9CaO5/Lv0PC/tgCfWtubedIoK3BX8gQ8GwVqaa0H jQcAn2FM+DPHkTd+e8nq14/KgdlknrWB =lE2v -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Olivier Lamy Talend: http://coders.talend.com http://twitter.com/olamy | http://linkedin.com/in/olamy - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 not working with javax.net.ssl.keyStorePassword property
Hi, Please see my response inline. -Satish On Wed, Nov 23, 2011 at 2:32 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Satish Mittal [mailto:satish.mit...@gmail.com] Subject: Tomcat 7 not working with javax.net.ssl.keyStorePassword property In my tomcat webapp, before I spawn another tomcat webapp process I'll bite: what does that mean? What part of the servlet spec covers that action? As per my product design, I have a parent process (tomcat webapp) that needs to spawns another tomcat webapp process and configure its server.xml. However I get the same behavior with the parent tomcat process itself, so these details don't matter here. I pass on the keystore password by setting the system property javax.net.ssl.keyStorePassword to keystore password, instead of writing the keystore password in plain-text as an attribute in server.xml. What makes you think this will work? This used to work in tomcat 5. Interesting. Where is this documented to work? As per the tomcat documentation, Tomcat can use two different implementations of SSL: - the JSSE implementation provided as part of the Java runtime (since 1.4) - the APR implementation, which uses the OpenSSL engine by default. In my installation, I use JSSE implementation. The javax.net.ssl.keyStorePassword property is supported by JSSE. However in tomcat 7, the same webapp/keystore throws the following error: Nov 22, 2011 8:04:45 PM org.apache.coyote.AbstractProtocol init SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8096] java.io.IOException: Keystore was tampered with, or password was incorrect You probably didn't set the password. :( If you go to tomcat documentation at http://tomcat.apache.org/tomcat-5.5-doc/config/http.html#SSL_Support, you would find that multiple JSSE properties (related to trustStore) are supported by Tomcat as a mechanism to pass the value instead of specifying them explicitly in server.xml. I know that for keyStorePassword, it is not documented. However since this mechanism was working in tomcat 5, I want to check whether anyone else has observed this change in tomcat 7. -Satish THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. -- The happiest of people don´t necessarily have the best of everything, they just make the most of everything that comes along their way.
Query related to detection of the Source IP Address in Load-balancing mode
Hi, I have applications running on two tomcat servers which are in load balancing mode. If I try to access the application from the first server,and if the request is forwarded to the second server, the request.getRemoteAddr() on the second server still returns 127.0.0.1(instead of first server IP). If the client is outside the two loadbancing servers, I am getting the proper client IP address. I am using tomcat 5.5.31 and mod_jk module for load balancing,and my platform is solaris 10. Is there a way to get the actual client IP,rather than localhost,if the client is on the same box as the tomcat server,and if the request is forwarded to the second load balancing server? Thanks, Faseela
Re: Tomcat recycling
Hello, thanks for a long response. As I see everybody are againts my proposal. Ok. Yes, some kind of restarting can be done via some scripts. In the best in a cluster environment... Personally I don't trust /etc/init.d/tomcat scripts that comes in wg. SLES linux. Sometimes this script didn't properly restart tomcat. It could be due to a some untermintated thread, who knows... I must look more closely into doc - how tomcat is starting and shutdowning if I'd like to do some tomcat recycling by own or modified scripts. Thanks. Jan. -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jan, At the end I'd like to make a little comparision. Recently I've used .NET + native calls of dlls, php + custom made php modules (native dlls), jsp+java. .NET and php have possibilities for some kind of recoveries. It's almost impossible to crash Apache like a whole (control + x worker processes). ?? If your PHP script is bad, you'll crash the request processor. If you are in prefork mode, a new child process is created when the old child dies unexpectedly. If you are in worker mode, well, you're not because mod_php doesn't work in worker more IIRC. But, if you were in worker mode, then you'd bring-down a bunch of PHP scripts all running in parallel and a whole lot of users would see errors. That's not terribly user-friendly. So .NET and php seems me they're more stable than tomcat because they have some possibilites. So, PHP and .NET are more stable because poorly-written applications can be mitigated by using server software that tolerates them? That doesn't make any sense at all. If you want to say that you'd rather work in .NET or PHP because app servers are more forgiving, then that's your decision. But don't try to assert that .NET or PHP is somehow better because of that decision. It may be better in your situation, but that certainly does not make them more stable. I would argue the reverse: if your webapps crash and cause problems, the webapps are not stable. The platform is almost irrelevant. I haven't studied recovery options in other java app. servers, but I'd really appreciate something in Tomcat. If you can figure out how to determine whether Tomcat is down, then you can easily script a restart. This kind of thing really can't be done by Tomcat itself because something outside the JVM needs to orchestrate the server restart. Since there are so many environments out there, the Tomcat team can't be expected to create auto-restart scripts for all those possibilities. I'd be interested to see how .NET does this, since .NET runs in a VM just like Java, and would have the same potential difficulties. IIRC, .NET doesn't have a rich server-side specification like the Java Servlet Spec that ties everything together for webapps. Basically, it's got IIS's ASP.NET-runner and those ASPs can call-out into real (that is, something NOT written in ASP but in a real language like C# or whatever) components. Given that thin veneer that Microsoft provides to its developers, it's not surprising that the server can so easily be bounced: there is no complicated infrastructure in place that needs to be torn-down and re-started. A servlet container is much more complicated and has many more moving parts than both IIS's .NET webapp stuff and mod_php. It's not surprising to me in the least that you would have a tougher time bouncing the service at regular intervals. If you really want to bounce Tomcat at regular intervals, set up a cluster and have cron (or task scheduler, etc) bounce Tomcat whenever you want. Bouncing Tomcat is a non-trivial operation, so it won't be instantaneous. I would never do rolling restarts of any service without having a cluster in place that could redirect traffic to an available server. I would even use mod_jk or something similar to take individual members out of the cluster and then wait until their traffic dies down before bouncing them. That way, nobody knows that your services are undergoing rolling restarts. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7Lt1gACgkQ9CaO5/Lv0PA9WQCfXA3h21pZlxuOQDxCppmi2ZxT P+gAnj0wksaWYvmgR3lCL0Z9fdvYkyWb =H67P -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org