[OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Casper Wandahl Schmidt
See below. I hope MS Outlook does some decent indent so my response is clear -.-

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 30. november 2011 18:51
To: Tomcat Users List
Subject: Re: Maximum memory that can be assigned to Tomcat on windows platform


Casper,

On 11/30/11 3:37 AM, Casper Wandahl Schmidt wrote:
 Another question to ask is, why do you have 8GB memory when running 
 32bit? That is just stupid since 32bit cannot address more than 4GB of 
 memory no matter what you do. Any sysadmin should know that right?

That's per process. All reasonably recent 32-bit OSs can address way more than 
4GiB internally.

For example:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366778%28v=vs.85%29.aspx#memory_limits

This is generally done through PAE
(http://en.wikipedia.org/wiki/Physical_Address_Extension) which allows 32-bit 
OSs to access more than 4GiB at the kernel level, though each process is still 
limited to 4GiB.

Aha so I learned something new today :) I'm still puzzled as to how a 32 bit 
CPU can compute and fetch a memory cell with address above 4GB since it cannot 
hold this large value. Anyway that is just too much low-level computer science 
for me, all I ever had was a seven week course on architecture and networking 
(a single week out of the seven) :)

-Casper

Running a machine with more than 4GiB in 32-bit mode isn't stupid at all IMO. 
If you have relatively small processes, there's no need for the overhead of 
64-bit even if you have 16GiB or more.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread André Warnier

oh...@cox.net wrote:

Hi,

I'm new here, and hope that someone can help.

I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) support 
an authentication mode where no password or credentials are required?  In other 
words, where just a userID/username is presented, and if that userID/username 
is present in the LDAP, then the user gets authenticated?



You have to be VERY specific here about what you mean, because this is a very 
delicate area.

If you mean : does there exist any way by which Tomcat can authenticate a user, without 
forcing this user to go through a login dialog with userid and password ?
then the answer is : yes, several (*).  But the applicability of each depends very much on 
the exact circumstances.


If you mean : does there exist any /standard/ authentication mechanism in Tomcat whereby, 
/with/ a login dialog, the user could be authenticated without providing a password, 
although the authentication back-end (e.g. LDAP) has a non-empty password registered for 
that user ?
then the answer is no, definitely.  Because such a mechanism would be a HUGE security 
hole, so it is certainly not provided as any standard authentication framework.

(which does not mean that you could not invent your own mechanism).

Also, when you are mentioning LDAP, do you really mean the standard LDAP (which is just 
basically a database, and is not per se an authentication mechanism), or do you mean 
Windows domain authentication, backed up by an Active Directory server ?

Or something else ?

There is so much variation possible here, that it may be better to describe what you want 
to achieve really, rather than asking questions about this or that mechanism right away.



(*) for example, look here :
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
http://waffle.codeplex.com/
http://www.ioplex.com/jespa.html




Re: Tomcat 7 + exception while adding cookies

2011-12-01 Thread Pid
On 01/12/2011 04:38, Debraj Mallick wrote:
 hi Christopher,
 
 my tomcat version is : 7.0.14
 working on Window7 with JDK 1.6

Can you try again with at least 7.0.21?


p


 On Thu, Dec 1, 2011 at 4:45 AM, Christopher Schultz 
 ch...@christopherschultz.net wrote:
 
 Debraj,
 
 On 11/30/11 1:16 PM, Debraj Mallick wrote:
 i have set maxHttpHeaderSize=81920 but still i am getting
 exception *Stack trace:* 30 Nov, 2011 11:38:48 PM
 org.apache.catalina.connector.CoyoteAdapter service SEVERE: An
 exception or error occurred in the container during the request
 processing java.lang.ArrayIndexOutOfBoundsException: 8192 at

 org.apache.coyote.http11.AbstractOutputBuffer.write(AbstractOutputBuffer.java:522)
 
 What

 is the exact Tomcat version? 7.0.what?
 
 -chris



 
 


Re: Logging

2011-12-01 Thread Pid
On 30/11/2011 23:14, Christopher Schultz wrote:
 Thom,
 
 On 11/30/11 1:04 PM, Thom Hehl wrote:
 I'm using VI to reading the log file. I running a Windows RDP.
 
 Are you using 'vi' in a way that allows it to get updates from the
 file? I'm no 'vi' expert, but I'm sure it reads the entire file at
 startup and thinks that it doesn't change.

Yup.


p

 Try using:
 
 tail -f stdout.log
 
 If you have a POSIX environment handy (like Cygwin, or gnuutils or
 whatever).
 
 -chris
 
 PS: vi on Windows? That's doing things the hard way. ;)
 
 



Re: Connection has been abandoned

2011-12-01 Thread Pid
On 30/11/2011 21:15, János Löbb wrote:
 Hi,
 
 IT  is  Mac OSX 10.6.8  
 java -version
 java version 1.6.0_20
 Java(TM) SE Runtime Environment (build 1.6.0_20-b02-279-10M3065)
 Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01-279, mixed mode)
 tomcat is 7.0.21
 database is Sybase ASE 15.0.3
 
 We are getting this error in about every half hour or so:
 
 java.lang.NullPointerException
 Nov 30, 2011 3:21:28 PM org.apache.tomcat.jdbc.pool.ConnectionPool abandon
 WARNING: Connection has been abandoned PooledConnection[net.sourceforge.jtds.jdbc.ConnectionJDBC3@40c65cd4]:java.lang.Exception
     at org.apache.tomcat.jdbc.pool.ConnectionPool.getThreadDump(ConnectionPool.java:973)
     at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:727)
     at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:585)
     at org.apache.tomcat.jdbc.pool.ConnectionPool.getConnection(ConnectionPool.java:174)
     at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:124)
     at pathology.connection.CopathDbInterface.getConnectionFromPull(CopathDbInterface.java:119)
     at pathology.connection.CopathDbInterface.getConnection(CopathDbInterface.java:85)
     at pathology.connection.CopathDbInterface.getConnection(CopathDbInterface.java:68)
     at pathology.histology.server.DashboardServiceImpl.getBlockDashboardStatsMap(DashboardServiceImpl.java:923)
     at pathology.histology.server.DashboardServiceImpl.getBlockDashboardStats(DashboardServiceImpl.java:513)
     at pathology.histology.server.DashboardServiceImpl.getDashboardStats(DashboardServiceImpl.java:62)
     at sun.reflect.GeneratedMethodAccessor597.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569)
     at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
     at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
     at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
     at org.apach
 
 
 Any good idea where to start troubleshooting ?

The background pool monitor job is finding connections that either
weren't returned to the pool or have died somehow.  The time it runs is
configurable.

Check your code for try-catch-finally bugs where the connection can
leak, if an uncaught error escapes.

Note: I have rarely had a good experience when dealing with the jTDS
drivers.


p


 Thanks ahead,
 
 János
 
 
 
 


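The leak pattern named in the reply above, as an added example (not code from the thread or from the poster's application): `CountingPool`, `query`, `leaky` and `fixed` are hypothetical names, and the pool is a counting stand-in rather than tomcat-jdbc. It uses try/finally because the reported JVM is Java 1.6; an unchecked exception such as the NullPointerException at the top of the trace skips `close()` in the leaky version, which leaves the connection checked out for the pool's monitor to report as abandoned.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.concurrent.atomic.AtomicInteger;

public class ConnectionLeakDemo {

    /** Hypothetical stand-in for a pool: counts connections still checked out. */
    static final class CountingPool {
        private final AtomicInteger active = new AtomicInteger();

        Connection getConnection() {
            active.incrementAndGet();
            InvocationHandler handler = new InvocationHandler() {
                private boolean closed;

                public Object invoke(Object proxy, Method method, Object[] args) {
                    String name = method.getName();
                    if ("close".equals(name)) {
                        if (!closed) {               // close() is idempotent
                            closed = true;
                            active.decrementAndGet();
                        }
                        return null;
                    }
                    if ("isClosed".equals(name)) {
                        return closed;
                    }
                    throw new UnsupportedOperationException(name);
                }
            };
            return (Connection) Proxy.newProxyInstance(
                    ConnectionLeakDemo.class.getClassLoader(),
                    new Class<?>[] { Connection.class }, handler);
        }

        int activeCount() {
            return active.get();
        }
    }

    /** Simulated query: a null argument raises an unchecked exception. */
    static int query(Connection con, String blockId) throws SQLException {
        if (blockId == null) {
            throw new NullPointerException("blockId");
        }
        if (con.isClosed()) {
            throw new SQLException("connection closed");
        }
        return blockId.length();
    }

    /** Leaky: close() is reached only when nothing is thrown. */
    static int leaky(CountingPool pool, String blockId) {
        try {
            Connection con = pool.getConnection();
            int n = query(con, blockId);
            con.close();
            return n;
        } catch (SQLException e) {
            return -1;                               // connection not returned here either
        }
    }

    /** Fixed: finally returns the connection whatever escapes the try block. */
    static int fixed(CountingPool pool, String blockId) {
        Connection con = null;
        try {
            con = pool.getConnection();
            return query(con, blockId);
        } catch (SQLException e) {
            return -1;
        } finally {
            if (con != null) {
                try {
                    con.close();
                } catch (SQLException ignore) {
                    // nothing more to do; the original failure is what matters
                }
            }
        }
    }

    public static void main(String[] args) {
        String[] inputs = { "B-1001", null, "B-1002" };   // constructed sample input
        CountingPool leakyPool = new CountingPool();
        CountingPool fixedPool = new CountingPool();
        for (String id : inputs) {
            try {
                leaky(leakyPool, id);
            } catch (RuntimeException e) {
                // request fails and its connection stays checked out
            }
            try {
                fixed(fixedPool, id);
            } catch (RuntimeException e) {
                // request fails but its connection was returned
            }
        }
        System.out.println("leaky: still checked out = " + leakyPool.activeCount());
        System.out.println("fixed: still checked out = " + fixedPool.activeCount());
    }
}
```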


Re: Changing session timeout for a webapp via JMX or internal Tomcat API?

2011-12-01 Thread Pid
On 30/11/2011 11:14, Ellecer Valencia wrote:
 Thanks Igor. I made a mistake though.  I actually meant  modifying web.xml
 and restarting the webapp.
 
 We want to find a way to change session timeouts - even for existing
 sessions - without doing a restart of the webapp.

I don't see an obvious way to do that using Tomcat provided components.
You could certainly add your own implementation to do it,  expose this
over JMX.


p

 I know there's also a server-level session timeout in tomcat's
 /conf/web.xml but that would 1.affect all webapps (we only want to affect
 the older version - foo##001) and 2.it requires tomcat restart (we are
 trying to reduce downtime for users)
 
 Ellecer
 
 On Wednesday, November 30, 2011, Igor Cicimov icici...@gmail.com wrote:



 On Wed, Nov 30, 2011 at 4:11 PM, Ellecer Valencia elle...@gmail.com
 wrote:

 Is there a way to change session timeouts in tomcat via JMX? I've only
 seen the operation called expireSession, but not one that can change
 the session timeout period.

 The only way I've found so far to modify session timeouts is by
 modifying web.xml and restarting Tomcat.

 However, in our intended usage, we don't want to restart Tomcat and
 kick out users.

 We're looking at using parallel deployment in Tomcat 7, and so we'll
 have a situation with

 foo##001 -- old version
 foo##002 -- new version

 What we want to do is decrease timeouts in foo##001, so that users
 move to foo##002 sooner and allow us to get rid of the old version.

 I've had a look at the Manager MBean and there's operations to get the
 existing session IDs and to expire individual sessions, but not to
 change their timeouts (unless I've gone blind and there was something
 there staring me in the face!).

 Is there any way - either another MBean in Tomcat or by accessing
 Tomcat API - to change the session timeouts for a webapp? Someone told
 me that Weblogic has this feature, so maybe it's not impossible to do
 it in Tomcat (just speculating)


 Ellecer



 Can't you just restart the application you are changing the timeout for?
 Why do you need to restart the whole server?

 




Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Ronald Klop (Mailing List)




On Thursday, 1 December 2011 09:39, Casper Wandahl Schmidt 
kalle.pri...@gmail.com wrote:


  
 See below. I hope MS Outlook does some decent indent so my response is clear -.-
 
 -Original Message-

 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: 30. november 2011 18:51
 To: Tomcat Users List
 Subject: Re: Maximum memory that can be assigned to Tomcat on windows platform
 
 
 Casper,
 
 On 11/30/11 3:37 AM, Casper Wandahl Schmidt wrote:

  Another question to ask is, why do you have 8GB memory when running
  32bit? That is just stupid since 32bit cannot address more than 4GB of
  memory no matter what you do. Any sysadmin should know that right?
 
 That's per process. All reasonably recent 32-bit OSs can address way more than 4GiB internally.
 
 For example:

 
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366778%28v=vs.85%29.aspx#memory_limits
 
 This is generally done through PAE

 (http://en.wikipedia.org/wiki/Physical_Address_Extension) which allows 32-bit 
OSs to access more than 4GiB at the kernel level, though each process is still 
limited to 4GiB.
 
 Aha so I learned something new today :) I'm still puzzled as to how a 32 bit CPU can compute and fetch a memory cell with address above 4GB since it cannot hold this large value. Anyway that is just too much low-level computer science for me, all I ever had was a seven week course on architecture and networking (a single week out of the seven) :)
 
 -Casper
 
 Running a machine with more than 4GiB in 32-bit mode isn't stupid at all IMO. If you have relatively small processes, there's no need for the overhead of 64-bit even if you have 16GiB or more.
 
 - -chris
  
 



  

I have an analogy for you.
If you look out of your window you only see a small part of the world. If you 
move your window you will see another part of the world.
This is what the OS does with PAE. It moves the window on your RAM frequently. 
That is why a 32 bits application only sees max. 4GB. That is the size of its 
window.

Ronald.

RE: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Casper Wandahl Schmidt


-Original Message-
From: Ronald Klop (Mailing List) [mailto:ronald-mailingl...@base.nl] 
Sent: 1. december 2011 12:06
To: Tomcat Users List
Subject: Re: [OT]RE: Maximum memory that can be assigned to Tomcat on
windows platform




On Thursday, 1 December 2011 09:39, Casper Wandahl Schmidt
kalle.pri...@gmail.com wrote:
 
   
  See below. I hope MS Outlook does some decent indent so my response 
 is clear -.-
  
  -Original Message-
  From: Christopher Schultz [mailto:ch...@christopherschultz.net]
  Sent: 30. november 2011 18:51
  To: Tomcat Users List
  Subject: Re: Maximum memory that can be assigned to Tomcat on windows 
 platform
  
  
  Casper,
  
  On 11/30/11 3:37 AM, Casper Wandahl Schmidt wrote:
   Another question to ask is, why do you have 8GB memory when running  
  32bit? That is just stupid since 32bit cannot address more than 4GB 
 of   memory no matter what you do. Any sysadmin should know that right?
  
  That's per process. All reasonably recent 32-bit OSs can address way more
than 4GiB internally.
  
  For example:
  
 http://msdn.microsoft.com/en-us/library/windows/desktop/aa366778%28v=v
 s.85%29.aspx#memory_limits
  
  This is generally done through PAE
  (http://en.wikipedia.org/wiki/Physical_Address_Extension) which allows
32-bit OSs to access more than 4GiB at the kernel level, though each process
is still limited to 4GiB.
  
  Aha so I learned something new today :) I'm still puzzled as to how a 
 32 bit CPU can compute and fetch a memory cell with address above 4GB 
 since it cannot hold this large value. Anyway that is just too much 
 low-level computer science for me, all I ever had was a seven week 
 course on architecture and networking (a single week out of the seven) 
 :)
  
  -Casper
  
  Running a machine with more than 4GiB in 32-bit mode isn't stupid at all
IMO. If you have relatively small processes, there's no need for the
overhead of 64-bit even if you have 16GiB or more.
  
  - -chris
   
  
 
 
   
 I have an analogy for you.
 If you look out of your window you only see a small part of the world. If
you move your window you will see another part of the world.
 This is what the OS does with PAE. It moves the window on your RAM
frequently. That is why a 32 bits application only sees max. 4GB. That is
the size of its window.

 Ronald.

That didn't quite help me understand, because how can the OS map from ie.
0-4GB to 4-8GB (the window is moved) when it can only use a 32bit register
to tell the machine where to look in the physical memory, that is where my
knowledge ends :) So I read about PAE and found out that it uses 2 registers
(36 bits due to some bits being used as flags) and that makes good sense,
but how can the cpu calculate an address without overflow and send a command
to the bus containing a 36bit address (or whatever fetches the bits from
RAM)? That is where I'm puzzled but I guess it is because I'm not at all
into ISA-level and below :)

-Casper





Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Francis GALIEGUE
On Thu, Dec 1, 2011 at 12:29, Casper Wandahl Schmidt
kalle.pri...@gmail.com wrote:
[...]

 That didn't quite help me understand, because how can the OS map from ie.
 0-4GB to 4-8GB (the window is moved) when it can only use a 32bit register
 to tell the machine where to look in the physical memory, that is where my
 knowledge ends :) So I read about PAE and found out that it uses 2 registers
 (36 bits due to some bits being used as flags) and that makes good sense,
 but how can the cpu calculate an address without overflow and send a command
 to the bus containing a 36bit address (or whatever fetches the bits from
 RAM)? That is where I'm puzzled but I guess it is because I'm not at all
 into ISA-level and below :)


It is the role of the MMU to do that. At any one time, it can map a
virtual, 32-bit wide, address to a real, 36-bit wide address. It
uses TLBs (Translation Lookaside Buffers) for that, and it is the OS'
role to have the correct TLB in place at any time.

-- 
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
f...@one2team.com
40 avenue Raymond Poincaré
75116 Paris




RE: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Casper Wandahl Schmidt


-Original Message-
From: Francis GALIEGUE [mailto:f...@one2team.com] 
Sent: 1. december 2011 12:33
To: Tomcat Users List
Subject: Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows 
platform

On Thu, Dec 1, 2011 at 12:29, Casper Wandahl Schmidt kalle.pri...@gmail.com 
wrote:
[...]

 That didn't quite help me understand, because how can the OS map from ie.
 0-4GB to 4-8GB (the window is moved) when it can only use a 32bit 
 register to tell the machine where to look in the physical memory, 
 that is where my knowledge ends :) So I read about PAE and found out 
 that it uses 2 registers
 (36 bits due to some bits being used as flags) and that makes good 
 sense, but how can the cpu calculate an address without overflow and 
 send a command to the bus containing a 36bit address (or whatever 
 fetches the bits from RAM)? That is where I'm puzzled but I guess it 
 is because I'm not at all into ISA-level and below :)


It is the role of the MMU to do that. At any one time, it can map a virtual, 
32-bit wide, address to a real, 36-bit wide address. It uses TLBs 
(Translation Lookaside Buffers) for that, and it is the OS'
role to have the correct TLB in place at any time.

Nice to know :) That explained it all :)

-Casper

--
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
f...@one2team.com
40 avenue Raymond Poincaré
75116 Paris




RE: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Mikolaj Rydzewski

On Thu, 1 Dec 2011 12:29:14 +0100, Casper Wandahl Schmidt wrote:

That didn't quite help me understand, because how can the OS map from ie.
0-4GB to 4-8GB (the window is moved) when it can only use a 32bit register
to tell the machine where to look in the physical memory, that is where my
knowledge ends :) So I read about PAE and found out that it uses 2 registers
(36 bits due to some bits being used as flags) and that makes good sense,
but how can the cpu calculate an address without overflow and send a command
to the bus containing a 36bit address (or whatever fetches the bits from
RAM)? That is where I'm puzzled but I guess it is because I'm not at all
into ISA-level and below :)


Well, it's rather out of the scope of this list.

On the other hand, increasing java heap size is not always the best 
option. It heavily depends on memory usage pattern in your application. 
In general: the bigger heap, the longer GC will run.


--
Mikolaj Rydzewski m...@ceti.pl




Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread André Warnier

Mikolaj Rydzewski wrote:

On Thu, 1 Dec 2011 12:29:14 +0100, Casper Wandahl Schmidt wrote:


That didn't quite help me understand, because how can the OS map from ie.
0-4GB to 4-8GB (the window is moved) when it can only use a 32bit register
to tell the machine where to look in the physical memory, that is where my
knowledge ends :) So I read about PAE and found out that it uses 2 registers
(36 bits due to some bits being used as flags) and that makes good sense,
but how can the cpu calculate an address without overflow and send a command
to the bus containing a 36bit address (or whatever fetches the bits from
RAM)? That is where I'm puzzled but I guess it is because I'm not at all
into ISA-level and below :)


Well, it's rather out of the scope of this list.

On the other hand, increasing java heap size is not always the best 
option. It heavily depends on memory usage pattern in your application. 
In general: the bigger heap, the longer GC will run.




Why do I feel that a comment from Chuck is going to follow that one later on ?
;-)





timeout exception is ignored?

2011-12-01 Thread Ronald Klop (Mailing List)

Hi,

The method org.apache.catalina.connector.Request.parseParameters() contains 
this code.

    try {
        if (readPostBody(formData, len) != len) {
            return;
        }
    } catch (IOException e) {
        // Client disconnect
        if (context.getLogger().isDebugEnabled()) {
            context.getLogger().debug(
                sm.getString("coyoteRequest.parseParameters"), e);
        }
        return;
    }

When there is a timeout exception during reading of the postbody it is ignored 
and my servlet runs without parameters. Why is this? Why don't I get the 
exception in my code, so I can handle it?

Ronald.

RE: Logging

2011-12-01 Thread Thom Hehl


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, November 30, 2011 6:15 PM
To: Tomcat Users List
Subject: Re: Logging


Thom,

On 11/30/11 1:04 PM, Thom Hehl wrote:
 I'm using VI to reading the log file. I running a Windows RDP.

Are you using 'vi' in a way that allows it to get updates from the
file? I'm no 'vi' expert, but I'm sure it reads the entire file at
startup and thinks that it doesn't change.

Actually, it monitors the file and allows you to load changes if the file 
changes. The problem is that this is a test server and so it may take days to 
dump the log I need. So the tool reading it is not the problem, it's the fact 
that tomcat hasn't flushed to the file yet.

Try using:

 tail -f stdout.log

If you have a POSIX environment handy (like Cygwin, or gnuutils or
whatever).

- -chris

PS: vi on Windows? That's doing things the hard way. ;)

Oh, contraire...although one of the hardest editors to learn to use (IBM's 
XEDIT comes to mind as equally hard) vi is the best editor to use EVER.




RE: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Caldarale, Charles R
 From: André Warnier [mailto:a...@ice-sa.com] 
 Subject: Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows 
 platform

  In general: the bigger heap, the longer GC will run.

Not strictly true, and hasn't been true for many years.  GC time is 
proportional to the number of live (reachable) objects, not the size of the 
heap.  If the app is making heavy use of weak references, this may allow more 
live objects to persist in a larger heap until GC gets fed up with the mess and 
throws them all away. 

 Why do I feel that a comment from Chuck is going to follow 
 that one later on ?

Just had to wake up first.

 - Chuck





Re: Logging

2011-12-01 Thread Pid
On 01/12/2011 13:03, Thom Hehl wrote:
 
 
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Sent: Wednesday, November 30, 2011 6:15 PM
 To: Tomcat Users List
 Subject: Re: Logging
 
 Thom,
 
 On 11/30/11 1:04 PM, Thom Hehl wrote:
 I'm using VI to reading the log file. I running a Windows RDP.
 
 Are you using 'vi' in a way that allows it to get updates from the
 file? I'm no 'vi' expert, but I'm sure it reads the entire file at
 startup and thinks that it doesn't change.
 
 Actually, it monitors the file and allows you to load changes if the file 
 changes. The problem is that this is a test server and so it may take days to 
 dump the log I need. So the tool reading it is not the problem, it's the fact 
 that tomcat hasn't flushed to the file yet.

Can you explain a little more about where what is generating log data
and into which log it is being written?

How long is the delay between when you expect the event to happen and
the emission of a log record?


p


 Try using:
 
 tail -f stdout.log
 
 If you have a POSIX environment handy (like Cygwin, or gnuutils or
 whatever).
 
 - -chris
 
 PS: vi on Windows? That's doing things the hard way. ;)
 
 Oh, contraire...although one of the hardest editors to learn to use (IBM's 
 XEDIT comes to mind as equally hard) vi is the best editor to use EVER.
 
 
 



Tomcat Logging and HTTP Header question

2011-12-01 Thread jmpaul012

So I am doing Tomcat STIGS and I am stuck on two of the STIGs.

1.  How do I change what tomcat logs?  I think it's something I need to do
in server.xml but I'm not sure.  This is what I need to log:

• Date, Time
• IP address of the host that initiated the request
• User ID supplied for HTTP authentication
• HTTP Method
• URL in the request
• The protocol and protocol version used to make the request
• Source and destination port numbers
• Status codes for the response
• Size of the response in bytes
• HTTP Status and Referrer for the following events:

- Successful and unsuccessful attempts to access the web server software.
- Successful and unsuccessful attempts to access the web site.
- Successful and unsuccessful attempts to access the web application.


2. How do I view/change the HTTP header information of an intranet site that
is using Tomcat?  I have to make sure the HTTP header does not show
information about the web server which would include, web server product,
version, or host operating system 



RE: Logging

2011-12-01 Thread Thom Hehl
I'm looking for stack traces. People report defects and we get a stack trace 
and I need to see it in the log, but instead, the log is still in the buffer. 
Usually I have to shutdown the server and start it back up to get the log 
entries. I'd just like to be able to flush the logs without shutting down the 
server.

-Original Message-
From: Pid [mailto:p...@pidster.com] 
Sent: Thursday, December 01, 2011 8:38 AM
To: Tomcat Users List
Subject: Re: Logging

On 01/12/2011 13:03, Thom Hehl wrote:
 
 
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Wednesday, November 30, 2011 6:15 PM
 To: Tomcat Users List
 Subject: Re: Logging
 
 Thom,
 
 On 11/30/11 1:04 PM, Thom Hehl wrote:
 I'm using VI to reading the log file. I running a Windows RDP.
 
 Are you using 'vi' in a way that allows it to get updates from the 
 file? I'm no 'vi' expert, but I'm sure it reads the entire file at 
 startup and thinks that it doesn't change.
 
 Actually, it monitors the file and allows you to load changes if the file 
 changes. The problem is that this is a test server and so it may take days to 
 dump the log I need. So the tool reading it is not the problem, it's the fact 
 that tomcat hasn't flushed to the file yet.

Can you explain a little more about where what is generating log data and into 
which log it is being written?

How long is the delay between when you expect the event to happen and the 
emission of a log record?


p


 Try using:
 
 tail -f stdout.log
 
 If you have a POSIX environment handy (like Cygwin, or gnuutils or 
 whatever).
 
 - -chris
 
 PS: vi on Windows? That's doing things the hard way. ;)
 
 Oh, contraire...although one of the hardest editors to learn to use (IBM's 
 XEDIT comes to mind as equally hard) vi is the best editor to use EVER.
 
 
 




Re: timeout exception is ignored?

2011-12-01 Thread Konstantin Kolinko
2011/12/1 Ronald Klop (Mailing List) ronald-mailingl...@base.nl:
 Hi,

 The method org.apache.catalina.connector.Request.parseParameters() contains
 this code.

     try {
         if (readPostBody(formData, len) != len) {
             return;
         }
     } catch (IOException e) {
         // Client disconnect
         if (context.getLogger().isDebugEnabled()) {
             context.getLogger().debug(
                 sm.getString("coyoteRequest.parseParameters"), e);
         }
         return;
     }

 When there is a timeout exception during reading of the postbody it is
 ignored and my servlet runs without parameters. Why is this? Why don't I get
 the exception in my code, so I can handle it?


Simply because the getParameter**() methods in ServletRequest, as defined
by the Servlet specification, do not support throwing exceptions at all,
nor are there any provisions to rethrow them again on a second
getParameter**() call if the first one resulted in a failure.

(Compare that to the getPart() method in the Servlet 3.0 spec)


In the latest 7.0 release I added an indication of such failures using a
custom request attribute - see changelog. This feature will be in the
upcoming 6.0.35 as well.

Best regards,
Konstantin Kolinko




Re: Tomcat Logging and HTTP Header question

2011-12-01 Thread André Warnier

jmpaul012 wrote:

So I am doing Tomcat STIGS and I am stuck on two of the STIGs.


It would be nice to explain acronyms, so that nincompoops like me would understand what's 
going on without consulting Wikipedia..




1.  How do I change what tomcat logs?  I think it's something I need to do
in server.xml but I'm not sure.  This is what I need to log:

• Date, Time
• IP address of the host that initiated the request
• User ID supplied for HTTP authentication
• HTTP Method
• URL in the request
• The protocol and protocol version used to make the request
• Source and destination port numbers
• Status codes for the response
• Size of the response in bytes
• HTTP Status and Referrer for the following events:

- Successful and unsuccessful attempts to access the web server software.
- Successful and unsuccessful attempts to access the web site.
- Successful and unsuccessful attempts to access the web application.

Logging successful attempts should be feasible, but I can see problems for Tomcat logging 
cases where the request doesn't even make it to Tomcat.


In any case, your first stop should probably be the on-line documentation for the 
AccessLog Valve.







RE: Logging

2011-12-01 Thread Daniel Mikusa
On Thu, 2011-12-01 at 06:01 -0800, Thom Hehl wrote:
 I'm looking for stack traces. People report defects and we get a stack trace 
 and I need to see it in the log, but instead, the log is still in the buffer. 
 Usually I have to shutdown the server and start it back up to get the log 
 entries. I'd just like to be able to flush the logs without shutting down the 
 server.

Is this happening for all of your log files?  or just a specific one?
If specific, what is the name of the log file where this is occurring?

Also, can you confirm that Tomcat is writing the log file to a local
disk and not a remote share like Samba or NFS?

Lastly, you said you're running Tomcat 7.0.20 as a daemon.  I'm assuming
this means you're running it as a Windows Service.  Please correct me if
I'm wrong.  Are you using the service wrapper that ships with Tomcat or
are you using a different one?  Like Java Service Wrapper
(http://www.tanukisoftware.com/en/wrapper.php).

Dan


 -Original Message-
 From: Pid [mailto:p...@pidster.com] 
 Sent: Thursday, December 01, 2011 8:38 AM
 To: Tomcat Users List
 Subject: Re: Logging
 
 On 01/12/2011 13:03, Thom Hehl wrote:
  
  
  -Original Message-
  From: Christopher Schultz [mailto:ch...@christopherschultz.net]
  Sent: Wednesday, November 30, 2011 6:15 PM
  To: Tomcat Users List
  Subject: Re: Logging
  
  Thom,
  
  On 11/30/11 1:04 PM, Thom Hehl wrote:
  I'm using VI to read the log file. I'm running a Windows RDP.
  
  Are you using 'vi' in a way that allows it to get updates from the 
  file? I'm no 'vi' expert, but I'm sure it reads the entire file at 
  startup and thinks that it doesn't change.
  
  Actually, it monitors the file and allows you to load changes if the file 
  changes. The problem is that this is a test server and so it may take days 
  to dump the log I need. So the tool reading it is not the problem, it's the 
  fact that tomcat hasn't flushed to the file yet.
 
 Can you explain a little more about where what is generating log data and 
 into which log it is being written?
 
 How long is the delay between when you expect the event to happen and the 
 emission of a log record?
 
 
 p
 
 
  Try using:
  
  tail -f stdout.log
  
  If you have a POSIX environment handy (like Cygwin, or gnuutils or 
  whatever).
  
  - -chris
  
  PS: vi on Windows? That's doing things the hard way. ;)
  
  Oh, contraire...although one of the hardest editors to learn to use (IBM's 
  XEDIT comes to mind as equally hard) vi is the best editor to use EVER.
  
  
  
 


RE: Logging

2011-12-01 Thread Thom Hehl
I'm not sure. Whichever log file the stack traces go to. Yes, they're writing to 
a local drive. Yes, as a Windows service which came with the installer.

-Original Message-
From: Daniel Mikusa [mailto:dmik...@vmware.com] 
Sent: Thursday, December 01, 2011 9:38 AM
To: Tomcat Users List
Subject: RE: Logging

On Thu, 2011-12-01 at 06:01 -0800, Thom Hehl wrote:
 I'm looking for stack traces. People report defects and we get a stack trace 
 and I need to see it in the log, but instead, the log is still in the buffer. 
 Usually I have to shutdown the server and start it back up to get the log 
 entries. I'd just like to be able to flush the logs without shutting down the 
 server.

Is this happening for all of your log files?  or just a specific one?
If specific, what is the name of the log file where this is occurring?

Also, can you confirm that Tomcat is writing the log file to a local
disk and not a remote share like Samba or NFS?

Lastly, you said you're running Tomcat 7.0.20 as a daemon.  I'm assuming
this means you're running it as a Windows Service.  Please correct me if
I'm wrong.  Are you using the service wrapper that ships with Tomcat or
are you using a different one?  Like Java Service Wrapper
(http://www.tanukisoftware.com/en/wrapper.php).

Dan




Re: Problems with forwarding HTTP to HTTPS

2011-12-01 Thread Mark Thomas
On 30/11/2011 18:32, Gregor S. wrote:
 My understanding was, that in the global web.xml
 ($catalina.home/conf/web.xml) the defaults are specified and promoted
 to all webapps. But it seems as the webapp doesn't inherit the element
 user-data-constraints from the global web.xml if it specifies its
 own security-constraints - my expectation was, that it inherits
 those elements not specified inside the webapp's
 deployment-descriptor.

Your understanding is wrong.

You need to read the 2.5 servlet specification, particularly section
SRV.12.7.1.

Mark




Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Mark H. Wood
The OS has little to do with the calculation.  The CPU hardware is
doing it.  The processor's address logic uses registers which are
wider than 32 bits.  Just as you can add a 1-digit number to a 3-digit
number and get a 3-digit result, the widget that maps a process'
virtual address space to the hardware's physical address space can add
the content of a 32-bit register to the content of a 36-bit register
and get a 36-bit result.

(I'm ignoring the possibility of overflow, like adding 1 to 999 in
a 3-digit field.  With good management they can be avoided.)

Only a tiny bit of the OS kernel, and nothing in any process, needs to
know about physical memory.  The hardware is set up by that bit and
makes processes, and the rest of the kernel, think they each live in a
block of memory that starts at 0 and ends at, say, 3GB.  In physical
memory they live side-by-side (to oversimplify a bit).

For how it does that, track down a little story called The Paging Game.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.




RE: Problems with forwarding HTTP to HTTPS

2011-12-01 Thread Jeffrey Janner
I might be a little off (and I'm sure Pid or Chuck will correct me), but 
security-constraints are applied based on matching url-patterns, and you're 
using the same pattern in both places. Therefore, the webapp's definition will 
take precedence over the global.
Looks like it is best to bite the bullet and update each one individually.

 -Original Message-
 From: Gregor S. [mailto:rc4...@googlemail.com]
 Sent: Wednesday, November 30, 2011 12:32 PM
 To: Tomcat Users List
 Subject: Problems with forwarding HTTP to HTTPS
 
 Hi list,
 
 I'm a bit puzzled.
 
 I want to forward all incoming HTTP-traffic to HTTPS.
 
 Within my $catalina.home/conf/server.xml I've specified the following
 connectors:
 
 <Connector port="80" protocol="HTTP/1.1"
            connectionTimeout="2"
            redirectPort="443" />
 
 <Connector port="443" maxHttpHeaderSize="8192"
            maxThreads="150"
            enableLookups="false" disableUploadTimeout="true"
            acceptCount="100" scheme="https" secure="true"
            SSLEnabled="true"
            SSLCertificateFile="${catalina.base}/conf/test.dom.crt"
            SSLCertificateKeyFile="${catalina.base}/conf/test.dom.key" />
 
 Then I specified in $catalina.home/conf/web.xml the following
 transport-guarantee:
 
 <security-constraint>
     <web-resource-collection>
         <web-resource-name>Protected Context</web-resource-name>
         <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
 </security-constraint>
 
 In my webapp, additionally I also specified some additional
 security-constraints as follows:
 
 <security-constraint>
     <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
         <role-name>someuser</role-name>
     </auth-constraint>
 </security-constraint>
 
 However, when I call the webapp using http://mywebapp.something, it is
 not redirected to HTTPS but the HTTP-scheme is used.
 
 However, when I remove the security-constraints from
 $catalina.base/conf/web.xml and change the webapp's
 deployment-descriptor to
 
 <security-constraint>
     <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
     <!-- describes the valid roles for this app -->
     <auth-constraint>
         <role-name>domuser</role-name>
     </auth-constraint>
 </security-constraint>
 
 it's working.
 
 My understanding was, that in the global web.xml
 ($catalina.home/conf/web.xml) the defaults are specified and promoted
 to all webapps. But it seems as the webapp doesn't inherit the element
 user-data-constraints from the global web.xml if it specifies its
 own security-constraints - my expectation was, that it inherits
 those elements not specified inside the webapp's
 deployment-descriptor.
 
 Is it such, that if I specify security-constraints in my local
 webapp, the global setting in $catalina.home/conf/web.xml are always
 overwritten? If not - where does the inheritance start and where does
 it end?
 
 My business-case is, that I do have a whole bunch of webapps which
 have to be re-directed to HTTPS, each of them having their own
 security-constraints since you'll have to login to access them, and
 additionally multiple domains, so that changing each
 deployment-descriptor is giving me a major headache.
 
 I couldn't find anything in the documentation  - or let me re-phrase
 it: I understood it that way that each element is inherited from the
 global deployment-descriptor if not specified in the webapp's own
 deployment-descriptor.
 
 If somebody could shed some light here or point me to the right docs,
 that would be great.
 
 My configuration:
 
 Using CATALINA_BASE:   /home/tomcat/local/apache-tomcat-6.0.33
 Using CATALINA_HOME:   /home/tomcat/local/apache-tomcat-6.0.33
 Using CATALINA_TMPDIR: /home/tomcat/local/apache-tomcat-6.0.33/temp
 Using JRE_HOME:/usr/lib/jvm/java-6-sun
 Using CLASSPATH:   /home/tomcat/local/apache-tomcat-
 6.0.33/bin/bootstrap.jar
 Server version: Apache Tomcat/6.0.33
 Server built:   Aug 16 2011 02:16:34
 Server number:  6.0.33.0
 OS Name:Linux
 OS Version: 2.6.26-2-686
 Architecture:   i386
 JVM Version:1.6.0_26-b03
 JVM Vendor: Sun Microsystems Inc.
 
 I'm also using the APR, thus using OpenSSL as SSL-implementation.
 
 TIA
 
 Gregor
 --
 just because you're paranoid, don't mean they're not after you...
 gpgp-fp: 3DB13F197F8A0360814885D1F1F1E2EFAD509AFD
 skype:rc46fi
 

Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Mark H. Wood
On Thu, Dec 01, 2011 at 12:38:01PM +0100, Mikolaj Rydzewski wrote:
  On the other hand, increasing java heap size is not always the best 
  option. It heavily depends on memory usage pattern in your application. 
  In general: the bigger heap, the longer GC will run.

I was thinking that someone should bring this up.  When a program uses
unexpectedly huge amounts of memory in practice, the *first* thing to
consider is:

1.  does it actually need that much?
2.  ...or is it leaking dynamically created objects?
3.  ...or has cheap allocation and garbage collection lured me into
doing something suboptimal, like sucking down an entire database
table into an array or list and then walking it sequentially, when
I could have used an iterator and let the DBMS code work out
near-optimal buffering?

IOW is my problem fundamentally this big, or is something else going on?

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.




Re: Logging

2011-12-01 Thread Pid
On 01/12/2011 14:10, Pid wrote:
 On 01/12/2011 14:01, Thom Hehl wrote:
 I'm looking for stack traces. People report defects and we get a stack trace 
 and I need to see it in the log, but instead, the log is still in the 
 buffer. Usually I have to shutdown the server and start it back up to get 
 the log entries. I'd just like to be able to flush the logs without shutting 
 down the server.

(I sent this direct, somehow by accident)

 (Please don't top post.)
 
 Yes, it's this 'buffering' problem that I'm interested in as I do not
 see this in my own copies of Tomcat, nor in the ones I observe in my
 professional capacity.
 
 This is why I asked for:
 
  a) which log file
  b) what is generating the log message
 
 If you can also provide an example of a stack trace that was only
 flushed during shutdown, that would also be good.
 
 
 p
 


Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread Marvin Addison
 I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) 
 support an authentication mode where no password or credentials are required?

It's hard to imagine a valid use case for this -- I hope you know what
you're doing.  That said, you could use JAASRealm with
http://code.google.com/p/vt-middleware/source/browse/vt-ldap/tags/vt-ldap-3.3.4/src/main/java/edu/vt/middleware/ldap/jaas/LdapDnAuthorizationModule.java
to accomplish this.  I should note that the intention is for
LdapDnAuthorizationModule to be combined with another module that
actually performs authentication (e.g. bind or compare), but you could
abuse it for your use case I believe.

M




RE: Problems with forwarding HTTP to HTTPS

2011-12-01 Thread markt
Jeffrey Janner jeffrey.jan...@polydyne.com wrote:

I might be a little off

You are a long way off and also need to read the Servlet 2.5 spec.

Mark








Re: Tomcat 7 + exception while adding cookies

2011-12-01 Thread Martin Kuen
Hi Mallick, hi all,


To me it appears this setting is ignored by tc 7.0.x. I created a servlet:

protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    request.getSession().invalidate();
    final int NUM_COOKIES = 500;
    // One Set-Cookie header per iteration, enough to exceed the header buffer
    for (int i = 0; i < NUM_COOKIES; i++) {
        Cookie c = new Cookie("foo" + i, UUID.randomUUID().toString());
        response.addCookie(c);
    }
    response.setContentType("text/html");
    response.getWriter().write(
        "<html><head></head><body><h1>A ton of cookies</h1></body>");
    System.out.println("sent " + NUM_COOKIES);
}

Accessing it causes the exception to be thrown. Whereas tc 6.0.33 behaviour
is changed by increasing maxHttpHeaderSize, 7.0.0, 7.0.14, 7.0.21 ignore
the setting.
i.e.
for tc 6 setting maxHttpHeaderSize=8193 will cause OOB exception at index
8193.
for tc 7 OOB always happens at 8192.

I first blamed eclipse wtp doing sth. wrong when applying the
configuration. Therefore, I checked the connector's jmx properties and to
my surprise I could no longer find a property called maxHttpHeaderSize
for the connector (comparing tc 6 to 7).

Was it dropped by intention? I skimmed through the changelogs but couldn't
find an explanation . . .

Afaik as I know this is a configurable setting for (at least most)
webservers


Best Regards,

Martin


Re: Logging

2011-12-01 Thread Pid
On 01/12/2011 14:39, Thom Hehl wrote:
 I'm not sure. Whichever log file the stack traces goto. Yes, they're writing 
 to a local drive. Yes as a windows service which came with the installer.

Well, given that this is configurable, it could be anywhere...

You could find out & let us know.  A precise answer may help us explain
why you're seeing a behavior that is unusual.


p




Re: Tomcat 7 + exception while adding cookies

2011-12-01 Thread Mark Thomas
On 01/12/2011 15:49, Martin Kuen wrote:
 I first blamed eclipse wtp doing sth. wrong when applying the
 configuration. Therefore, I checked the connector's jmx properties and to
 my surprise I could no longer find a property called maxHttpHeaderSize
 for the connector (comparing tc 6 to 7).

The JMX properties are not the definitive list of supported properties.
That is provided by the documentation and maxHttpHeaderSize is still listed.

 Was it dropped by intention? I skimmed through the changelogs but couldn't
 find an explanation . . .

It was dropped from JMX as part of the GSOC attribute clean-up since
that attribute is implemented in the ProtocolHandler (where it is
available via JMX).

 Afaik as I know this is a configurable setting for (at least most)
 webservers

As it is (or should be if it is working properly) for all versions of Tomcat.

Mark




Re: Problems with forwarding HTTP to HTTPS

2011-12-01 Thread Gregor S.
Mark,

thanks for your comment and thanks for pointing me in the right direction.

I guess this one is the matching excerpt from the specs:

= [snip ]

The combination of user-data-constraints that apply to a common
url-pattern and http-method shall yield the union of connection types
accepted by the individual constraints as acceptable connection types.
A security constraint that does not contain a user-data-constraint shall
combine with other user-data-constraints to cause the unprotected
connection type to be an accepted connection type.
= [snap ]

As Jeffrey mentioned, I guess I'll have to bite the bullet, but before
doing that, I'll try my luck writing a valve forwarding all http to
https.

Still, I guess the specs do have some room for improvement here,
meaning, it would be more than helpful if default settings could be
specified inside the global deployment descriptor. Wondering if I'm
the first person missing such a feature.

Thanks!

Gregor

On Thu, Dec 1, 2011 at 3:43 PM, Mark Thomas ma...@apache.org wrote:
 On 30/11/2011 18:32, Gregor S. wrote:
 My understanding was, that in the global web.xml
 ($catalina.home/conf/web.xml) the defaults are specified and promoted
 to all webapps. But it seems as the webapp doesn't inherit the element
 user-data-constraints from the global web.xml if it specifies its
 own security-constraints - my expectation was, that it inherits
 those elements not specified inside the webapp's
 deployment-descriptor.

 Your understanding is wrong.

 You need to read the 2.5 servlet specification, particularly section
 SRV.12.7.1.

 Mark





-- 
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 3DB13F197F8A0360814885D1F1F1E2EFAD509AFD
skype:rc46fi
gplus.to/gregor
twitter.com/#/2smart4u

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
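
Added example (not part of the original thread and not Tomcat's own code): a small Python model of the user-data-constraint combination rule quoted in the message above, run over descriptors reconstructed from the fragments posted in this thread. The function names and origin labels are made up for illustration; it assumes the global and webapp constraints are evaluated as one list and it only combines constraints with an identical url-pattern.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors, rebuilt from the fragments quoted in this thread.
GLOBAL_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

WEBAPP_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>someuser</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Variant reported as working: a single constraint carrying both parts.
WEBAPP_FIXED_XML = WEBAPP_WEB_XML.replace(
    "<auth-constraint>",
    "<user-data-constraint><transport-guarantee>CONFIDENTIAL"
    "</transport-guarantee></user-data-constraint>\n    <auth-constraint>")


def local(tag):
    """Drop a '{namespace}' prefix so descriptors that declare xmlns parse too."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def parse_constraints(xml_text, origin):
    """Return one record per web-resource-collection / url-pattern pair."""
    records = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        # No <user-data-constraint> means the unprotected type is accepted.
        guarantee = "NONE"
        for udc in children(sc, "user-data-constraint"):
            for tg in children(udc, "transport-guarantee"):
                guarantee = tg.text.strip()
        for wrc in children(sc, "web-resource-collection"):
            methods = {m.text.strip() for m in children(wrc, "http-method")}
            for pat in children(wrc, "url-pattern"):
                records.append({"origin": origin, "pattern": pat.text.strip(),
                                "methods": methods, "guarantee": guarantee})
    return records


def applies(record, pattern, method):
    # An empty method set means the collection covers every HTTP method.
    return record["pattern"] == pattern and (
        not record["methods"] or method in record["methods"])


def accepted_connection_types(records, pattern, method="GET"):
    """Union of transport guarantees over constraints sharing pattern+method."""
    return {r["guarantee"] for r in records if applies(r, pattern, method)}


def downgraded_patterns(records, method="GET"):
    """Map each pattern where protection was requested but the combination
    still accepts plain HTTP to the descriptors responsible for that."""
    report = {}
    for pattern in sorted({r["pattern"] for r in records}):
        types = accepted_connection_types(records, pattern, method)
        if "NONE" in types and len(types) > 1:
            report[pattern] = sorted({
                r["origin"] for r in records
                if applies(r, pattern, method) and r["guarantee"] == "NONE"})
    return report


if __name__ == "__main__":
    merged = (parse_constraints(GLOBAL_WEB_XML, "conf/web.xml")
              + parse_constraints(WEBAPP_WEB_XML, "WEB-INF/web.xml"))
    print(accepted_connection_types(merged, "/*"))
    print(downgraded_patterns(merged))
    fixed = parse_constraints(WEBAPP_FIXED_XML, "WEB-INF/web.xml")
    print(accepted_connection_types(fixed, "/*"), downgraded_patterns(fixed))
```

Run over the descriptors of many webapps, downgraded_patterns() points at each constraint that still needs its own user-data-constraint before plain HTTP stops being accepted.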



Re: Tomcat Logging and HTTP Header question

2011-12-01 Thread jmpaul012

Sorry, the only acronym I really used was STIG, but I probably shouldn't have
included that in the question since it isn't really relevant to the
question.  STIGs are security procedures the govt has to lock down their
software, servers, etc.


awarnier wrote:
 
 jmpaul012 wrote:
 So I am doing Tomcat STIGS and I am stuck on two of the STIGs.
 
 It would be nice to explain acronyms, so that nincompoops like me would
 understand what's 
 going on without consulting Wikipedia..
 
 
 1.  How do I change what tomcat logs?  I think it's something I need to
 do
 in server.xml but I'm not sure.  This is what I need to log:
 
 • Date, Time
 • IP address of the host that initiated the request
 • User ID supplied for HTTP authentication
 • HTTP Method
 • URL in the request
 • The protocol and protocol version used to make the request
 • Source and destination port numbers
 • Status codes for the response
 • Size of the response in bytes
 • HTTP Status and Referrer for the following events:
 
 - Successful and unsuccessful attempts to access the web server software.
 - Successful and unsuccessful attempts to access the web site.
 - Successful and unsuccessful attempts to access the web application.
 
 Logging successful attempts should be feasible, but I can see problems for
 Tomcat logging 
 cases where the request doesn't even make it to Tomcat.
 
 In any case, your first stop should probably be the on-line documentation
 for the 
 AccessLog Valve.
 
 
 
 
 
 




Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya

 André Warnier a...@ice-sa.com wrote: 
 oh...@cox.net wrote:
  Hi,
  
  I'm new here, and hope that someone can help.
  
  I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) 
  support an authentication mode where no password or credentials are 
  required?  In other words, where just a userID/username is presented, and 
  if that userID/username is present in the LDAP, then the user gets 
  authenticated?
  
 
 You have to be VERY specific here about what you mean, because this is a very 
 delicate area.
 
 If you mean : does there exist any way by which Tomcat can authenticate a 
 user, without 
 forcing this user to go through a login dialog with userid and password ?
 then the answer is : yes, several (*).  But the applicability of each depends 
 very much on 
 the exact circumstances.
 
 If you mean : does there exist any /standard/ authentication mechanism in 
 Tomcat whereby, 
 /with/ a login dialog, the user could be authenticated without providing a 
 password, 
 although the authentication back-end (e.g. LDAP) has a non-empty password 
 registered for 
 that user ?
 then the answer is no, definitely.  Because such a mechanism would be a HUGE 
 security 
 hole, so it is certainly not provided as any standard authentication 
 framework.
 (which does not mean that you could not invent your own mechanism).
 
 Also, when you are mentioning LDAP, do you really mean the standard LDAP 
 (which is just 
 basically a database, and is not per se an authentication mechanism), or do 
 you mean 
 Windows domain authentication, backed up by an Active Directory server ?
 Or something else ?
 
 There is so much variation possible here, that it may be better to describe 
 what you want 
 to achieve really, rather than asking questions about this or that mechanism 
 right away.
 
 
 (*) for example, look here :
 http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
 http://waffle.codeplex.com/
 http://www.ioplex.com/jespa.html
 


Hi Andre,

Sorry.  I should have been clearer in my explanation and my question, so let me 
try again.

Our configuration has an Apache in front of the Tomcat, with the Apache 
reverse-proxying (using mod_proxy, for now) to the Tomcat.

In the Apache proxy, we do client-authenticated certificate authentication, and 
we also have a web agent/module that authenticates the user into a commercial 
SSO product.  After the user is authenticated, the requests that go to/get 
proxied to the Tomcat have some HTTP headers, including a header containing the 
userID of the user that got authenticated by the SSO product.

I've been working on a Tomcat valve that does ID assertion, i.e., when the code 
in my valve sees the HTTP header with the authenticated userID, it asserts 
the user into Tomcat.  

Specifically,  my valve code calls 
org.apache.catalina.connector.Request.setUserPrincipal(getPrincipal(paramRequest)),
 where paramRequest is the org.apache.catalina.connector.Request object.


When I posted my message, I had just started on my valve code.  As I said, I'm 
kind of new to Tomcat security, but at that time, I *thought* that after my 
valve did the setUserPrincipal(), that the user had to somehow be authenticated 
into the Tomcat realm (i.e., that the asserted userID had to actually exist in 
the Tomcat realm).


I've since gotten an initial version of my valve code kind of working, but I'm 
still a little.  

I can get the userID from the request header and call the setUserPrincipal() in 
the valve code successfully, and from some test JSP pages I use, I can see that 
when the JSP calls request.getUserPrincipal(), it appears to return the 
asserted user.


The thing that is puzzling me is that, on my test Tomcat, I just have the 
default realm (the one that uses tomcat-user.xml for the user base), with only 
the default set of dummy users.


And yet, when I test with my valve and the test JSP, it appears that everything 
just works, even when the userID that I assert is not in the Tomcat realm!


For example, I guess in the default realm, there's only a couple of users 
(tomcat, etc.), but if I send a request into the Tomcat with a header with a 
userID of foobar (and even though there is no user foobar in the Tomcat 
realm), things seem to work ok, i.e., my JSP displays foobar for 
request.getUserPrincipal().


Having said all of that, I guess that my question has changed somewhat.  
Specifically, now I'm wondering:  With what I described above, and with my 
valve as described above, does the asserted user NOT have to be in the Tomcat 
realm at all?


It's almost like, with Tomcat, when my valve code calls setUserPrincipal(), 
Tomcat doesn't care whether the user that I'm asserting actually exists or 
doesn't exist in the Tomcat realm?


Again, as I said, I'm new, so I may  (and probably am) misunderstanding 
something about how Tomcat security works...


Sorry for the longish post, but I hope that things are clearer now?

Thanks,
Jim





Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread Mark Thomas
On 01/12/2011 18:17, oh...@cox.net wrote:
> Having said all of that, I guess that my question has changed
> somewhat.  Specifically, now I'm wondering:  With what I described
> above, and with my valve as described above, does the asserted user
> NOT have to be in the Tomcat realm at all?

Correct. If you populate the user Principal, Tomcat doesn't care whether
or not it is in the Realm.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
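
The header-assertion valve discussed in this thread, as an added example that is not the poster's code and not part of Tomcat. Because Tomcat accepts whatever Principal the valve sets without consulting the Realm, the valve is the only gate: this sketch accepts the header only from the proxy's address and supplies the roles itself. The class name, header name, proxy address and userID pattern are assumptions, and it assumes the Tomcat 7 GenericPrincipal(String, String, List) constructor and HTTP proxying (so getRemoteAddr() is the proxy).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/** Asserts the userID set by the front-end proxy as the Tomcat user Principal. */
public class HeaderAssertionValve extends ValveBase {

    // Assumed header name; use whatever the SSO agent on the proxy really sets.
    private String headerName = "X-SSO-User";

    // Assumed proxy address; only these peers are allowed to assert an identity.
    private Set<String> trustedProxies =
            new HashSet<String>(Arrays.asList("127.0.0.1"));

    // Conservative userID syntax (an assumption for this example).
    private static final Pattern USER_ID =
            Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    // Setters allow configuration through attributes of the <Valve> element.
    public void setHeaderName(String headerName) {
        this.headerName = headerName;
    }

    public void setTrustedProxies(String commaSeparated) {
        Set<String> parsed = new HashSet<String>();
        for (String part : commaSeparated.split(",")) {
            if (part.trim().length() > 0) {
                parsed.add(part.trim());
            }
        }
        this.trustedProxies = parsed;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        List<String> asserted = Collections.list(request.getHeaders(headerName));

        if (!asserted.isEmpty()) {
            // The header is only meaningful when the proxy itself sent it.
            // A request that reaches Tomcat directly must not be able to
            // name its own user.
            if (!trustedProxies.contains(request.getRemoteAddr())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // Exactly one well-formed value; duplicates are rejected rather
            // than guessing which one the proxy meant.
            if (asserted.size() != 1
                    || !USER_ID.matcher(asserted.get(0)).matches()) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            // Tomcat does not look this user up in the Realm, so any roles
            // the application relies on have to be supplied here. This
            // example grants none.
            List<String> roles = Collections.emptyList();
            request.setUserPrincipal(
                    new GenericPrincipal(asserted.get(0), null, roles));
            request.setAuthType("SSO-HEADER"); // label chosen for this example
        }

        // No header: pass the request on unauthenticated.
        getNext().invoke(request, response);
    }
}
```

The source-address check complements, and does not replace, binding the Tomcat connector to an interface that only the proxy can reach and having the proxy strip any client-supplied copy of the header.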



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread André Warnier

oh...@cox.net wrote:
 André Warnier a...@ice-sa.com wrote: 

oh...@cox.net wrote:

Hi,

I'm new here, and hope that someone can help.

I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) support 
an authentication mode where no password or credentials are required?  In other 
words, where just a userID/username is presented, and if that userID/username 
is present in the LDAP, then the user gets authenticated?


You have to be VERY specific here about what you mean, because this is a very 
delicate area.

If you mean : does there exist any way by which Tomcat can authenticate a user, without 
forcing this user to go through a login dialog with userid and password ?
then the answer is : yes, several (*).  But the applicability of each depends very much on 
the exact circumstances.


If you mean : does there exist any /standard/ authentication mechanism in Tomcat whereby, 
/with/ a login dialog, the user could be authenticated without providing a password, 
although the authentication back-end (e.g. LDAP) has a non-empty password registered for 
that user ?
then the answer is no, definitely.  Because such a mechanism would be a HUGE security 
hole, so it is certainly not provided as any standard authentication framework.

(which does not mean that you could not invent your own mechanism).

Also, when you are mentioning LDAP, do you really mean the standard LDAP (which is just 
basically a database, and is not per se an authentication mechanism), or do you mean 
Windows domain authentication, backed up by an Active Directory server ?

Or something else ?

There is so much variation possible here, that it may be better to describe what you want 
to achieve really, rather than asking questions about this or that mechanism right away.



(*) for example, look here :
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
http://waffle.codeplex.com/
http://www.ioplex.com/jespa.html




Hi Andre,

Sorry.  I should have been clearer in my explanation and my question, so let me 
try again.

Our configuration has an Apache in front of the Tomcat, with the Apache 
reverse-proxying (using mod_proxy, for now) to the Tomcat.

In the Apache proxy, we do client-authenticated certificate authentication, and 
we also have a web agent/module that authenticates the user into a commercial 
SSO product.  After the user is authenticated, the requests that go to/get 
proxied to the Tomcat have some HTTP headers, including a header containing the 
userID of the user that got authenticated by the SSO product.

I've been working on Tomcat valve that does ID assertion, i.e., when the code in my valve sees the HTTP header with the authenticated userID, it asserts the user into Tomcat.  


Specifically,  my valve code calls 
org.apache.catalina.connector.Request.setUserPrincipal(getPrincipal(paramRequest)), where 
paramRequest is the org.apache.catalina.connector.Request object.


When I posted my message, I had just started on my valve code.  As I said, I'm 
kind of new to Tomcat security, but at that time, I *thought* that after my 
valve did the setUserPrincipal(), that the user had to somehow be authenticated 
into the Tomcat realm (i.e., that the asserted userID had to actually exist in 
the Tomcat realm).


I've since gotten an initial version of my valve code kind of working, but I'm still a little.  


I can get the userID from the request header and call the setUserPrincipal() in 
the valve code successfully, and from some test JSP pages I use, I can see that 
when the JSP calls request.getUserPrincipal(), it appears to return the 
asserted user.


The thing that is puzzling me is that, on my test Tomcat, I just have the 
default realm (the one that uses tomcat-user.xml for the user base), with only 
the default set of dummy users.


And yet, when I test with my valve and the test JSP, it appears that everything 
just works, even when the userID that I assert is not in the Tomcat realm!


For example, I guess in the default realm, there's only a couple of users (tomcat, etc.), but if I send a 
request into the Tomcat with a header with a userID of foobar (and even though there is no user 
foobar in the Tomcat realm), things seem to work ok, i.e., my JSP displays foobar for 
request.getUserPrincipal().


Having said all of that, I guess that my question has changed somewhat.  
Specifically, now I'm wondering:  With what I described above, and with my 
valve as described above, does the asserted user NOT have to be in the Tomcat 
realm at all?


It's almost like, with Tomcat, when my valve code calls setUserPrincipal(), Tomcat 
doesn't care whether the user that I'm asserting actually exists or doesn't 
exist in the Tomcat realm?


Again, as I said, I'm new, so I may  (and probably am) misunderstanding 
something about how Tomcat security works...


Sorry for the longish post, but I hope that things are clearer now?



Better a long and clear post, than a short and obscure one.

Two things :

I am 

Re: Logging

2011-12-01 Thread Christopher Schultz

Thom,

On 12/1/11 9:39 AM, Thom Hehl wrote:
> I'm not sure. Whichever log file the stack traces go to. Yes,
> they're writing to a local drive. Yes as a windows service which
> came with the installer.

As Pid says, it's all configurable.

The log files that Tomcat itself opens are controlled by
logging.properties and, AFAIK, not buffered.

Running Tomcat as a Windows Service usually uses a service wrapper
that dumps stdout to stdout.txt or stdout.log or whatever. I believe
that is also not buffered.

If your webapp is doing any of its own logging, then you are
completely at the mercy of whatever component is configuring that
logging system, and it has nothing to do with Tomcat.

If you could tell us the name of the file, it might help because there
are certain filenames that are likely to be Tomcat-generated and
others are likely to be webapp-generated. Saying "I dunno, the one
where the logs go" is not helpful.

Thanks,
-chris



Re: Tomcat 7 + exception while adding cookies

2011-12-01 Thread Christopher Schultz

Pid,

On 12/1/11 4:29 AM, Pid wrote:
> On 01/12/2011 04:38, Debraj Mallick wrote:
>> hi Christopher,
>>
>> my tomcat version is : 7.0.14 working on Window7 with JDK 1.6
>
> Can you try again with at least 7.0.21?

+1

There are 9 releases between your version and the current version. I'm
not going to read the changelog to see if anything in those 9 releases
could affect the OP.

But the OP could. ;)

-chris



Re: Antw.: how to properly configure tomcat 7 cluster with BackupManager

2011-12-01 Thread Filip Hanik - Dev Lists

http://www.datadisk.co.uk/html_docs/java_app/tomcat6/tomcat6_clustering.htm
http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html
http://tomcat.apache.org/tomcat-6.0-doc/tribes/introduction.html

On 10/27/2011 9:29 AM, juergen.l...@gmail.com wrote:

Hi Mark,
thanks a lot for this clarification!
Is there any reference you recommend for learning about tomcat clustering 
(apart from the source code)?

Cheers
Jürgen







Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Christopher Schultz

Casper,

On 12/1/11 3:39 AM, Casper Wandahl Schmidt wrote:
> Aha so I learned something new today :) I'm still puzzled as to
> how a 32 bit CPU can compute and fetch a memory cell with address
> above 4GB since it cannot hold this large value.

OS != CPU

Also, OS != process

While the chips and OSs are officially 32-bit, both are able to handle
integers that don't fit into 32-bit registers in various ways. Usually,
CPUs have registers that are larger than their architecture would
suggest, and use them even to perform computations on 32-bit data.

The real issue here is that in a 32-bit environment, word-sized
pointers are 32-bits and therefore an individual process gets a 4GiB
maximum process space, which can be mapped-into a much larger space by
the kernel, and even by the underlying hardware if it's in on the deal.

> Anyway that is just too much low-level computer science for me, all
> I ever had was a seven week course on architecture and networking
> (a single week out of the seven) :)

It never hurts to learn more. Unless your brain is full. Then it
*really* hurts.

-chris



Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Christopher Schultz

Mikolaj,

On 12/1/11 6:38 AM, Mikolaj Rydzewski wrote:
> On Thu, 1 Dec 2011 12:29:14 +0100, Casper Wandahl Schmidt wrote:
>
>> That didn't quite help me understand, because how can the OS map
>> from ie. 0-4GB to 4-8GB (the window is moved) when it can only
>> use a 32bit register to tell the machine where to look in the
>> physical memory, that is where my knowledge ends :) So I read
>> about PAE and found out that it uses 2 registers (36 bits due to
>> some bits being used as flags) and that makes good sense, but how
>> can the cpu calculate an address without overflow and send a
>> command to the bus containing a 36bit address (or whatever
>> fetches the bits from RAM)? That is where I'm puzzled but I guess
>> it is because I'm not at all into ISA-level and below :)
>
> Well, it's rather out of the scope of this list.
>
> On the other hand, increasing java heap size is not always the
> best option. It heavily depends on memory usage pattern in your
> application. In general: the bigger heap, the longer GC will run.

That's a rather sweeping generalization. The heap size doesn't matter
directly.. it's the number of objects being managed within that heap
that matters. Of course, with a larger heap, you can fit more objects
into it before a major collection is required. Generational heap
strategies are fairly efficient, and performance depends upon the
number of LIVE objects, not just the total number of objects. Oddly
enough, most garbage collection is really collecting non-garbage and
ignoring the actual garbage.

It's a bit like moving to a different house when yours gets too
cluttered: you just take the things you want to keep and leave
everything else behind.

-chris



Re: [OT]RE: Maximum memory that can be assigned to Tomcat on windows platform

2011-12-01 Thread Christopher Schultz

Mark,

On 12/1/11 9:50 AM, Mark H. Wood wrote:
> On Thu, Dec 01, 2011 at 12:38:01PM +0100, Mikolaj Rydzewski wrote:
>> On the other hand, increasing java heap size is not always the
>> best option. It heavily depends on memory usage pattern in your
>> application. In general: the bigger heap, the longer GC will
>> run.
>
> I was thinking that someone should bring this up.  When a program
> uses unexpectedly huge amounts of memory in practice, the *first*
> thing to consider is:
>
> 1.  does it actually need that much?

+1 !!

> 2.  ...or is it leaking dynamically created objects?
> 3.  ...or has cheap allocation and garbage collection lured me into
>     doing something suboptimal, like sucking down an entire database
>     table into an array or list and then walking it sequentially, when
>     I could have used an iterator and let the DBMS code work out
>     near-optimal buffering?
>
> IOW is my problem fundamentally this big, or is something else
> going on?

The 2 times our production servers have suffered OOMEs, it's been
because we were running with fairly small, (intentionally) restricted
heaps (64MiB at first, then 192MiB) and our traffic simply increased
beyond our heap size: we had a legitimate reason to increase the heap
size (and plenty of physical RAM available to do it).

-chris



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya

 André Warnier a...@ice-sa.com wrote: 
 oh...@cox.net wrote:
   André Warnier a...@ice-sa.com wrote: 
  oh...@cox.net wrote:
  Hi,
 
  I'm new here, and hope that someone can help.
 
  I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) 
  support an authentication mode where no password or credentials are 
  required?  In other words, where just a userID/username is presented, and 
  if that userID/username is present in the LDAP, then the user gets 
  authenticated?
 
  You have to be VERY specific here about what you mean, because this is a 
  very delicate area.
 
  If you mean : does there exist any way by which Tomcat can authenticate a 
  user, without 
  forcing this user to go through a login dialog with userid and password ?
  then the answer is : yes, several (*).  But the applicability of each 
  depends very much on 
  the exact circumstances.
 
  If you mean : does there exist any /standard/ authentication mechanism in 
  Tomcat whereby, 
  /with/ a login dialog, the user could be authenticated without providing a 
  password, 
  although the authentication back-end (e.g. LDAP) has a non-empty password 
  registered for 
  that user ?
  then the answer is no, definitely.  Because such a mechanism would be a 
  HUGE security 
  hole, so it is certainly not provided as any standard authentication 
  framework.
  (which does not mean that you could not invent your own mechanism).
 
  Also, when you are mentioning LDAP, do you really mean the standard LDAP 
  (which is just 
  basically a database, and is not per se an authentication mechanism), or 
  do you mean 
  Windows domain authentication, backed up by an Active Directory server ?
  Or something else ?
 
  There is so much variation possible here, that it may be better to 
  describe what you want 
  to achieve really, rather than asking questions about this or that 
  mechanism right away.
 
 
  (*) for example, look here :
  http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
  http://waffle.codeplex.com/
  http://www.ioplex.com/jespa.html
 
  
  
  Hi Andre,
  
  Sorry.  I should have been clearer in my explanation and my question, so 
  let me try again.
  
  Our configuration has an Apache in front of the Tomcat, with the Apache 
  reverse-proxying (using mod_proxy, for now) to the Tomcat.
  
  In the Apache proxy, we do client-authenticated certificate authentication, 
  and we also have a web agent/module that authenticates the user into a 
  commercial SSO product.  After the user is authenticated, the requests that 
  go to/get proxied to the Tomcat have some HTTP headers, including a header 
  containing the userID of the user that got authenticated by the SSO product.
  
  I've been working on Tomcat valve that does ID assertion, i.e., when the 
  code in my valve sees the HTTP header with the authenticated userID, it 
  asserts the user into Tomcat.  
  
  Specifically,  my valve code calls 
  org.apache.catalina.connector.Request.setUserPrincipal(getPrincipal(paramRequest)),
   where paramRequest is the org.apache.catalina.connector.Request object.
  
  
  When I posted my message, I had just started on my valve code.  As I said, 
  I'm kind of new to Tomcat security, but at that time, I *thought* that 
  after my valve did the setUserPrincipal(), that the user had to somehow be 
  authenticated into the Tomcat realm (i.e., that the asserted userID had to 
  actually exist in the Tomcat realm).
  
  
  I've since gotten an initial version of my valve code kind of working, but 
  I'm still a little.  
  
  I can get the userID from the request header and call the 
  setUserPrincipal() in the valve code successfully, and from some test JSP 
  pages I use, I can see that when the JSP calls request.getUserPrincipal(), 
  it appears to return the asserted user.
  
  
  The thing that is puzzling me is that, on my test Tomcat, I just have the 
  default realm (the one that uses tomcat-user.xml for the user base), with 
  only the default set of dummy users.
  
  
  And yet, when I test with my valve and the test JSP, it appears that 
  everything just works, even when the userID that I assert is not in the 
  Tomcat realm!
  
  
  For example, I guess in the default realm, there's only a couple of users 
  (tomcat, etc.), but if I send a request into the Tomcat with a header with 
  a userID of foobar (and even though there is no user foobar in the 
  Tomcat realm), things seem to work ok, i.e., my JSP displays foobar for 
  request.getUserPrincipal().
  
  
  Having said all of that, I guess that my question has changed somewhat.  
  Specifically, now I'm wondering:  With what I described above, and with my 
  valve as described above, does the asserted user NOT have to be in the 
  Tomcat realm at all?
  
  
  It's almost like, with Tomcat, when my valve code calls setUserPrincipal(), 
  Tomcat doesn't care whether the user that I'm asserting actually exists 
  or doesn't exist in the 

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya

 Mark Thomas ma...@apache.org wrote: 
> On 01/12/2011 18:17, oh...@cox.net wrote:
>> Having said all of that, I guess that my question has changed
>> somewhat.  Specifically, now I'm wondering:  With what I described
>> above, and with my valve as described above, does the asserted user
>> NOT have to be in the Tomcat realm at all?
>
> Correct. If you populate the user Principal, Tomcat doesn't care whether
> or not it is in the Realm.
>
> Mark


Hi Mark,

See my response to Andre's last msg.  If you happen to be able to pinpoint that 
thread that he mentions about this, I'd really like to look at it.

Thanks,
Jim




Logging - including host name in log file?

2011-12-01 Thread Jerry Malcolm
I'm trying to get my hands around the whole tomcat logging system.  I've
read the docs, wikis, samples, etc.  But I'm still struggling a bit.  I've
been just using System.out.println for years, and it's getting totally out
of control.  So time to learn tomcat logging.

Basically, I host quite a few domains.  I'd like to separate the log files
per host (and possibly further subdivide by webapps).  I can't find any way
to specify the host as part of the logger file handler directory.  This may
be something intuitively obvious.  But I haven't found it yet.

If it can't be configured statically to plug the host name into the log
file name with a variable or something like ${catalina_home}, alternatively
is there a way to change the file name on the fly after getting an instance
of the java.utils.logging.Logger class?

Thanks.

Jerry


Form-based Login question

2011-12-01 Thread Jerry Malcolm
I have been using form-based auth for several years.  I understand the
challenge concept where TC puts up the pre-defined login page when the
first page requiring auth is requested.  But I have a slightly different
situation.  I want all of my non-protected pages (guest-level) to include
the id/pw fields at the top of the page.  At any time when the user chooses
to go to the protected area of the site, they enter their id/pw and hit the
login button and it takes them to a page in the protected area.  Basically,
I want to bypass the forced login page if the user entered an id/pw unless
obviously the auth failed on the provided id/pw.

Is there a way to 'force' provide credentials under the covers at the time
the first protected page is requested to get the user signed on without the
intermediate login form appearing?

Thanks.

Jerry


Re: Logging - including host name in log file?

2011-12-01 Thread Christopher Schultz

Jerry,

On 12/1/11 9:21 PM, Jerry Malcolm wrote:
> I'm trying to get my hands around the whole tomcat logging system.
> I've read the docs, wikis, samples, etc.  But I'm still struggling a
> bit.  I've been just using System.out.println for years, and it's
> getting totally out of control.  So time to learn tomcat logging.

Yup. System.out is insanely inflexible.

> Basically, I host quite a few domains.  I'd like to separate the
> log files per host (and possibly further subdivide by webapps).  I
> can't find any way to specify the host as part of the logger file
> handler directory.  This may be something intuitively obvious.  But
> I haven't found it yet.

Which logging system are you using? Tomcat's default is to use JULI
which connects commons-logging up to the java.util.logging (or J-U-L
Interface, hence JULI).

At any rate, the standard logging.properties file should have examples
that make this work. For instance, I can see the following in mine:

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler

All that mess configures a logger that captures the logs for the
manager Context that is deployed into the localhost Host under
the Catalina Service.

You can easily create one of these for each of your webapps (or even
just per host) in the same way: just use the proper Service, Host, and
context path (contexts don't have names, so you use the context path
instead -- the above for an example).

So, let's say that you have:

<Service name="Catalina">
  <Host name="www.awesomehost.com">
    <Context path="/sweetwebapp" docBase="..." ... />
  </Host>
</Service>

(But, of course, you don't have that because you shouldn't put
Contexts in server.xml, but I have it here for the sake of brevity).

Anyhow, you can configure a logger for that context like this:

org.apache.catalina.core.ContainerBase.[Catalina].[www.awesomehost.com].[/sweetwebapp].level=INFO

(plus the other configuration you'll need like which file to use, etc.)

> If it can't be configured statically to plug the host name into the
> log file name with a variable or something like ${catalina_home},
> alternatively is there a way to change the file name on the fly
> after getting an instance of the java.utils.logging.Logger class?

If you are using Tomcat's internal logging (which is done by calling
ServletContext.log(...)) then you should use lib/logging.properties as
described above.

If you are using java.util.logging directly in your own webapp, then
you are on your own :(

If you are using AccessLogValve, well then you just need to use %v
to get the name of the local server -- but that's for the actual log
data, not for the filename.

-chris


Re: Form-based Login question

2011-12-01 Thread Christopher Schultz

Jerry,

On 12/1/11 9:30 PM, Jerry Malcolm wrote:
> I have been using form-based auth for several years.  I understand
> the challenge concept where TC puts up the pre-defined login page
> when the first page requiring auth is requested.  But I have a
> slightly different situation.  I want all of my non-protected pages
> (guest-level) to include the id/pw fields at the top of the page.
> At any time when the user chooses to go to the protected area of
> the site, they enter their id/pw and hit the login button and it
> takes them to a page in the protected area.  Basically, I want to
> bypass the forced login page if the user entered an id/pw unless
> obviously the auth failed on the provided id/pw.
>
> Is there a way to 'force' provide credentials under the covers at
> the time the first protected page is requested to get the user
> signed on without the intermediate login form appearing?

The easiest thing to do is to upgrade to Tomcat 7 which supports
servlet spec 3.0. There is a new method in the HttpServletRequest
class called login that takes a username and password.

Just take the username and password from the request (in a servlet you
write yourself) and call request.login(). After that, forward (or
redirect) the user wherever you want -- some kind of "you're
logged-in" landing page.

Hope that helps,
-chris
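
The servlet described in the reply above, as an added example that is not code from the thread. It takes the id/pw posted from the fields on a guest page, calls the Servlet 3.0 request.login(), and redirects to a fixed landing page. The servlet URL, parameter names and page paths are assumptions made for this example.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical URL that the login fields on the guest pages POST to.
@WebServlet("/do-login")
public class InlineLoginServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Fixed targets (assumed paths). The destination is never taken from a
    // request parameter, so the servlet cannot be used as an open redirect.
    private static final String LANDING = "/protected/home.jsp";
    private static final String LOGIN_FAILED = "/login-failed.jsp";

    // Only POST is implemented, so credentials never travel in a query
    // string; HttpServlet answers GET with 405 by default.
    @Override
    protected void doPost(HttpServletRequest request,
                          HttpServletResponse response)
            throws ServletException, IOException {

        String base = request.getContextPath();

        // login() throws if the request is already authenticated, so an
        // already signed-on user goes straight to the landing page.
        if (request.getUserPrincipal() != null) {
            response.sendRedirect(base + LANDING);
            return;
        }

        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if (user == null || user.isEmpty() || pass == null || pass.isEmpty()) {
            response.sendRedirect(base + LOGIN_FAILED);
            return;
        }

        // Drop the guest session so the authenticated user does not keep a
        // session id that was issued before login (session fixation), then
        // create a fresh session so the container has somewhere to keep
        // the login for the following requests.
        HttpSession guest = request.getSession(false);
        if (guest != null) {
            guest.invalidate();
        }
        request.getSession(true);

        try {
            // Validated by the Realm configured for this web application.
            request.login(user, pass);
        } catch (ServletException e) {
            // Wrong credentials, or programmatic login is not available.
            // The same page is shown either way, and nothing the user
            // typed is logged or echoed back.
            request.getSession().invalidate();
            response.sendRedirect(base + LOGIN_FAILED);
            return;
        }

        response.sendRedirect(base + LANDING);
    }
}
```

Since the guest pages now carry a password field, they and this servlet need to be served over HTTPS.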



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya

 oh...@cox.net wrote: 
 
  André Warnier a...@ice-sa.com wrote: 
  oh...@cox.net wrote:
    André Warnier a...@ice-sa.com wrote: 
   oh...@cox.net wrote:
   Hi,
  
   I'm new here, and hope that someone can help.
  
   I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) 
   support an authentication mode where no password or credentials are 
   required?  In other words, where just a userID/username is presented, 
   and if that userID/username is present in the LDAP, then the user gets 
   authenticated?
  
   You have to be VERY specific here about what you mean, because this is a 
   very delicate area.
  
   If you mean : does there exist any way by which Tomcat can authenticate 
   a user, without 
   forcing this user to go through a login dialog with userid and password 
   ?
   then the answer is : yes, several (*).  But the applicability of each 
   depends very much on 
   the exact circumstances.
  
   If you mean : does there exist any /standard/ authentication mechanism 
   in Tomcat whereby, 
   /with/ a login dialog, the user could be authenticated without providing 
   a password, 
   although the authentication back-end (e.g. LDAP) has a non-empty 
   password registered for 
   that user ?
   then the answer is no, definitely.  Because such a mechanism would be a 
   HUGE security 
   hole, so it is certainly not provided as any standard authentication 
   framework.
   (which does not mean that you could not invent your own mechanism).
  
   Also, when you are mentioning LDAP, do you really mean the standard LDAP 
   (which is just 
   basically a database, and is not per se an authentication mechanism), 
   or do you mean 
   Windows domain authentication, backed up by an Active Directory server 
   ?
   Or something else ?
  
   There is so much variation possible here, that it may be better to 
   describe what you want 
   to achieve really, rather than asking questions about this or that 
   mechanism right away.
  
  
   (*) for example, look here :
   http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
   http://waffle.codeplex.com/
   http://www.ioplex.com/jespa.html
  
   
   
   Hi Andre,
   
   Sorry.  I should have been clearer in my explanation and my question, so 
   let me try again.
   
   Our configuration has an Apache in front of the Tomcat, with the Apache 
   reverse-proxying (using mod_proxy, for now) to the Tomcat.
   
   In the Apache proxy, we do client-authenticated certificate 
   authentication, and we also have a web agent/module that authenticates 
   the user into a commercial SSO product.  After the user is authenticated, 
   the requests that go to/get proxied to the Tomcat have some HTTP headers, 
   including a header containing the userID of the user that got 
   authenticated by the SSO product.
   
   I've been working on a Tomcat valve that does ID assertion, i.e., when 
   the code in my valve sees the HTTP header with the authenticated userID, 
   it asserts the user into Tomcat.  
   
   Specifically,  my valve code calls 
   org.apache.catalina.connector.Request.setUserPrincipal(getPrincipal(paramRequest)),
where paramRequest is the org.apache.catalina.connector.Request object.
   
   
   When I posted my message, I had just started on my valve code.  As I 
   said, I'm kind of new to Tomcat security, but at that time, I *thought* 
   that after my valve did the setUserPrincipal(), that the user had to 
   somehow be authenticated into the Tomcat realm (i.e., that the asserted 
   userID had to actually exist in the Tomcat realm).
   
   
   I've since gotten an initial version of my valve code kind of working, 
   but I'm still a little.  
   
   I can get the userID from the request header and call the 
   setUserPrincipal() in the valve code successfully, and from some test JSP 
   pages I use, I can see that when the JSP calls 
   request.getUserPrincipal(), it appears to return the asserted user.
   
   
   The thing that is puzzling me is that, on my test Tomcat, I just have the 
   default realm (the one that uses tomcat-user.xml for the user base), with 
   only the default set of dummy users.
   
   
   And yet, when I test with my valve and the test JSP, it appears that 
   everything just works, even when the userID that I assert is not in the 
   Tomcat realm!
   
   
   For example, I guess in the default realm, there's only a couple of users 
   (tomcat, etc.), but if I send a request into the Tomcat with a header 
   with a userID of foobar (and even though there is no user foobar in 
   the Tomcat realm), things seem to work ok, i.e., my JSP displays foobar 
   for request.getUserPrincipal().
   
   
   Having said all of that, I guess that my question has changed somewhat.  
   Specifically, now I'm wondering:  With what I described above, and with 
   my valve as described above, does the asserted user NOT have to be in the 
   Tomcat realm at all?
   
   
   It's almost like, with 

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya

 oh...@cox.net wrote: 
 
  oh...@cox.net wrote: 
  
   André Warnier a...@ice-sa.com wrote: 
   oh...@cox.net wrote:
 André Warnier a...@ice-sa.com wrote: 
oh...@cox.net wrote:
Hi,
   
I'm new here, and hope that someone can help.
   
I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, 
etc.) support an authentication mode where no password or credentials 
are required?  In other words, where just a userID/username is 
presented, and if that userID/username is present in the LDAP, then 
the user gets authenticated?
   
You have to be VERY specific here about what you mean, because this is 
a very delicate area.
   
If you mean : does there exist any way by which Tomcat can 
authenticate a user, without 
forcing this user to go through a login dialog with userid and 
password ?
then the answer is : yes, several (*).  But the applicability of each 
depends very much on 
the exact circumstances.
   
If you mean : does there exist any /standard/ authentication 
mechanism in Tomcat whereby, 
/with/ a login dialog, the user could be authenticated without 
providing a password, 
although the authentication back-end (e.g. LDAP) has a non-empty 
password registered for 
that user ?
then the answer is no, definitely.  Because such a mechanism would be 
a HUGE security 
hole, so it is certainly not provided as any standard authentication 
framework.
(which does not mean that you could not invent your own mechanism).
   
Also, when you are mentioning LDAP, do you really mean the standard 
LDAP (which is just 
basically a database, and is not per se an authentication 
mechanism), or do you mean 
Windows domain authentication, backed up by an Active Directory 
server ?
Or something else ?
   
There is so much variation possible here, that it may be better to 
describe what you want 
to achieve really, rather than asking questions about this or that 
mechanism right away.
   
   
(*) for example, look here :
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
http://waffle.codeplex.com/
http://www.ioplex.com/jespa.html
   


Hi Andre,

Sorry.  I should have been clearer in my explanation and my question, 
so let me try again.

Our configuration has an Apache in front of the Tomcat, with the Apache 
reverse-proxying (using mod_proxy, for now) to the Tomcat.

In the Apache proxy, we do client-authenticated certificate 
authentication, and we also have a web agent/module that authenticates 
the user into a commercial SSO product.  After the user is 
authenticated, the requests that go to/get proxied to the Tomcat have 
some HTTP headers, including a header containing the userID of the user 
that got authenticated by the SSO product.

I've been working on a Tomcat valve that does ID assertion, i.e., when 
the code in my valve sees the HTTP header with the authenticated 
userID, it asserts the user into Tomcat.  

Specifically,  my valve code calls 
org.apache.catalina.connector.Request.setUserPrincipal(getPrincipal(paramRequest)),
 where paramRequest is the org.apache.catalina.connector.Request 
object.


When I posted my message, I had just started on my valve code.  As I 
said, I'm kind of new to Tomcat security, but at that time, I *thought* 
that after my valve did the setUserPrincipal(), that the user had to 
somehow be authenticated into the Tomcat realm (i.e., that the asserted 
userID had to actually exist in the Tomcat realm).


I've since gotten an initial version of my valve code kind of working, 
but I'm still a little.  

I can get the userID from the request header and call the 
setUserPrincipal() in the valve code successfully, and from some test 
JSP pages I use, I can see that when the JSP calls 
request.getUserPrincipal(), it appears to return the asserted user.


The thing that is puzzling me is that, on my test Tomcat, I just have 
the default realm (the one that uses tomcat-user.xml for the user 
base), with only the default set of dummy users.


And yet, when I test with my valve and the test JSP, it appears that 
everything just works, even when the userID that I assert is not in the 
Tomcat realm!


For example, I guess in the default realm, there's only a couple of 
users (tomcat, etc.), but if I send a request into the Tomcat with a 
header with a userID of foobar (and even though there is no user 
foobar in the Tomcat realm), things seem to work ok, i.e., my JSP 
displays foobar for request.getUserPrincipal().


Having said all of that, I guess that my question has changed somewhat. 
 Specifically, now I'm wondering:  With what I 

Re: Logging - including host name in log file?

2011-12-01 Thread Jerry Malcolm
Thanks so much, Chris.  Yes, I did see those lines in the properties file.
But it didn't have a lot of explanation.  Thanks for the clarification.

Where should the properties file be located?  All of the docs say it should
be in /common/classes.  But in my install, it's in /conf.

At the risk of opening another bag of worms in your example, you said:
(But, of course, you don't have that because you shouldn't put Contexts
in server.xml, but I have it here for the sake of brevity).  Ok, I DO have
context statements in my server.xml. I'm obviously not following best
practices but it's worked fine for years. Can you point me to
documentation that explains the negatives of doing it the way I'm doing it
vs. the best practices way, and what the best practices way to do that is?

Thanks again.

Jerry

On Thu, Dec 1, 2011 at 8:50 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Jerry,

 On 12/1/11 9:21 PM, Jerry Malcolm wrote:
  I'm trying to get my hands around the whole tomcat logging system.
  I've read the docs, wikis, samples, etc.  But I'm still struggling a
  bit.  I've been just using System.out.println for years, and it's
  getting totally out of control.  So time to learn tomcat logging.

 Yup. System.out is insanely inflexible.

  Basically, I host quite a few domains.  I'd like to separate the
  log files per host (and possibly further subdivide by webapps).  I
  can't find any way to specify the host as part of the logger file
  handler directory.  This may be something intuitively obvious.  But
  I haven't found it yet.

 Which logging system are you using? Tomcat's default is to use JULI
 which connects commons-logging up to the java.util.logging (or J-U-L
 Interface, hence JULI).

 At any rate, the standard logging.properties file should have examples
 that make this work. For instance, I can see the following in mine:


 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler

 All that mess configures a logger that captures the logs for the
 manager Context that is deployed into the localhost Host under
 the Catalina Service.

 You can easily create one of these for each of your webapps (or even
 just per host) in the same way: just use the proper Service, Host, and
 context path (contexts don't have names, so you use the context path
 instead -- the above for an example).

 So, let's say that you have:

 <Service name="Catalina">
   <Host name="www.awesomehost.com">
     <Context path="/sweetwebapp" docBase="..." ... />
   </Host>
 </Service>

 (But, of course, you don't have that because you shouldn't put
 Contexts in server.xml, but I have it here for the sake of brevity).

 Anyhow, you can configure a logger for that context like this:

 org.apache.catalina.core.ContainerBase.[Catalina].[www.awesomehost.com].[/sweetwebapp].level=INFO

 (plus the other configuration you'll need like which file to use, etc.)

  If it can't be configured statically to plug the host name into the
  log file name with a variable or something like ${catalina_home},
  alternatively is there a way to change the file name on the fly
  after getting an instance of the java.utils.logging.Logger class?

 If you are using Tomcat's internal logging (which is done by calling
 ServletContext.log(...)) then you should use lib/logging.properties as
 described above.

 If you are using java.util.logging directly in your own webapp, then
 you are on your own :(

 If you are using AccessLogValve, well then you just need to use %v
 to get the name of the local server -- but that's for the actual log
 data, not for the filename.

 - -chris

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




Re: Form-based Login question

2011-12-01 Thread Jerry Malcolm
Ouch... you said a curse word "Upgrade" :-)  I know I've needed to
do it for a long time now... I'm still on 5.5.  But if it ain't broke
You've at least given me a good excuse to dive in and upgrade to get this
login feature.  Before I start, any words of advice for migrating?  Should
it be relatively painless (e.g. install, copy current server.xml, and go?)
or is this something I'd better allocate a few days for?

Thanks.

Jerry

On Thu, Dec 1, 2011 at 8:53 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Jerry,

 On 12/1/11 9:30 PM, Jerry Malcolm wrote:
  I have been using form-based auth for several years.  I understand
  the challenge concept where TC puts up the pre-defined login page
  when the first page requiring auth is requested.  But I have a
  slightly different situation.  I want all of my non-protected pages
  (guest-level) to include the id/pw fields at the top of the page.
  At any time when the user chooses to go to the protected area of
  the site, they enter their id/pw and hit the login button and it
  takes them to a page in the protected area.  Basically, I want to
  bypass the forced login page if the user entered an id/pw unless
  obviously the auth failed on the provided id/pw.
 
  Is there a way to 'force' provide credentials under the covers at
  the time the first protected page is requested to get the user
  signed on without the intermediate login form appearing?

 The easiest thing to do is to upgrade to Tomcat 7 which supports
 servlet spec 3.0. There is a new method in the HttpServletRequest
 class called login that takes a username and password.

 Just take the username and password from the request (in a servlet you
 write yourself) and call request.login(). After that, forward (or
 redirect) the user wherever you want -- some kind of "you're
 logged-in" landing page.

 Hope that helps,
 - -chris





RE: Form-based Login question

2011-12-01 Thread Caldarale, Charles R
 From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com] 
 Subject: Re: Form-based Login question

 Before I start, any words of advice for migrating?  Should
 it be relatively painless 

It's pretty painless, if your webapps are well-behaved.  Tomcat 7 is better at 
detecting errors (e.g., memory leaks) and enforcing compliance with the spec.  
Read the migration guide:

http://tomcat.apache.org/migration.html

 (e.g. install, copy current server.xml, and go?)

Never, never, never copy your current server.xml to a new version of Tomcat.  
(Can't emphasize that enough.)  Lots of configuration tags have changed, 
disappeared, or have been added.  Read the config docs for the target level, 
then apply the differences between your server.xml and the 5.5 original to the 
7.0 server.xml, adjusting for the aforementioned config changes.

And if you're still keeping Context elements in server.xml, now is your 
opportunity to eliminate that archaic behavior.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





RE: Logging - including host name in log file?

2011-12-01 Thread Caldarale, Charles R
 From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com] 
 Subject: Re: Logging - including host name in log file?

 Where should the properties file be located?  All of the 
 docs say it should be in /common/classes.

What docs are those?  Please be specific, because they're wrong and need 
correcting.

 I DO have context statements in my server.xml.

Bad practice - even in Tomcat 5.0, predating your version.

Look at the doc for the Context element; note that the 7.0 doc is much 
improved over the ancient version you have, although obviously some of it is 
not applicable to 5.5.

http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

 - Chuck





RE: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread Caldarale, Charles R
 From: oh...@cox.net [mailto:oh...@cox.net] 
 Subject: Re: Do any of the Tomcat LDAP-type realms support no password 
 authentication?

 In my sniffer, I can see the REMOTE_USER set to the hard-coded 
 string, but in my test JSP on Tomcat, there getUserPrincipal()
 is returning null.  I've tried this test with 'tomcatAuthentication'
 attribute in server.xml set to both true and false, with the
 same results :(...

You might want to post (not attach) your server.xml so we can see exactly what 
you're setting.  Simple typos are often difficult for the author to see.  
Please remove comments beforehand to reduce the amount of crud we have to wade 
through.

 - Chuck





RE: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya

 Caldarale wrote: 
  From: oh...@cox.net [mailto:oh...@cox.net] 
  Subject: Re: Do any of the Tomcat LDAP-type realms support no password 
  authentication?
 
  In my sniffer, I can see the REMOTE_USER set to the hard-coded 
  string, but in my test JSP on Tomcat, there getUserPrincipal()
  is returning null.  I've tried this test with 'tomcatAuthentication'
  attribute in server.xml set to both true and false, with the
  same results :(...
 
 You might want to post (not attach) your server.xml so we can see exactly 
 what you're setting.  Simple typos are often difficult for the author to see. 
  Please remove comments beforehand to reduce the amount of crud we have to 
 wade through.
 
  - Chuck
 


Chuck,

Thanks for the suggestion.  Here it is, minus most of the crud :).  It's 
basically vanilla Tomcat (note:  what I posted below has false for 
tomcatAuthentication, but I tried with both true and false).


<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="8443" />

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false" />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">

      </Host>
    </Engine>
  </Service>
</Server>


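
Added example, not part of the thread and not the poster's valve: a Tomcat 7 (javax.servlet) valve doing the header-based ID assertion described earlier in this thread, but accepting the userID header only from the front-end proxy. The class name, the X-SSO-USER header name, the 127.0.0.1 proxy address and the userID pattern are assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Added example: header-based ID assertion that only trusts the front-end proxy. */
public class HeaderAssertionValve extends ValveBase {

    // Constructed sample values; set the real ones as attributes on the <Valve> element.
    private String userHeader = "X-SSO-USER";
    private Set<String> trustedProxies = new HashSet<String>(Arrays.asList("127.0.0.1"));
    private static final Pattern USER_ID = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    public void setUserHeader(String userHeader) { this.userHeader = userHeader; }

    /** Comma-separated list of proxy addresses allowed to assert a user. */
    public void setTrustedProxies(String csv) {
        trustedProxies = new HashSet<String>(Arrays.asList(csv.trim().split("\\s*,\\s*")));
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String asserted = request.getHeader(userHeader);
        if (asserted != null) {
            // The header is only as trustworthy as its sender. A client that can
            // reach this connector directly can set it to any userID, so accept
            // it solely from the proxy that performed the SSO check.
            if (!trustedProxies.contains(request.getRemoteAddr())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            if (!USER_ID.matcher(asserted).matches()) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            // setUserPrincipal() stores the principal on the request as given;
            // no Realm lookup happens here, so the userID need not exist in
            // tomcat-users.xml or LDAP.
            request.setAuthType("SSO-HEADER");
            request.setUserPrincipal(new AssertedPrincipal(asserted));
        }
        getNext().invoke(request, response);
    }

    /** Name-only principal; it carries no roles. */
    private static final class AssertedPrincipal implements Principal {
        private final String name;
        AssertedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "AssertedPrincipal[" + name + "]"; }
    }
}
```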