Re: Logging

2011-12-02 Thread Terence M. Bandoian

 On 1:59 PM, Christopher Schultz wrote:

Thom,

On 12/1/11 9:39 AM, Thom Hehl wrote:

I'm not sure. Whichever log file the stack traces go to. Yes,
they're writing to a local drive. Yes, as a Windows service which
came with the installer.

As Pid says, it's all configurable.

The log files that Tomcat itself opens are controlled by
logging.properties and, AFAIK, not buffered.

Running Tomcat as a Windows Service usually uses a service wrapper
that dumps stdout to stdout.txt or stdout.log or whatever. I believe
that is also not buffered.

If your webapp is doing any of its own logging, then you are
completely at the mercy of whatever component is configuring that
logging system, and it has nothing to do with Tomcat.

If you could tell us the name of the file, it might help because there
are certain filenames that are likely to be Tomcat-generated and
others are likely to be webapp-generated. Saying "I dunno, the one
where the logs go" is not helpful.

Thanks,
-chris


Hi, Thom-

See http://tomcat.apache.org/tomcat-6.0-doc/logging.html for Tomcat 6.  
Search for bufferSize which appears to work as documented on my system.


Also, with Tomcat 6 executing as a Windows service, calls to 
System.out.println on my system are written to stdout_MMDD.log in 
the Tomcat logs directory.  There does not appear to be any buffering 
nor any way to control buffering of output to System.out.


What you're experiencing may be related to file locking on Windows.  Try 
opening a log file in Notepad without stopping Tomcat after you're sure 
something has been output to that file.  The most recent output should 
be included.


-Terence Bandoian

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5

2011-12-02 Thread moshood oladapo
Dear Sir/Ma,

I have already deployed an application running perfectly on Tomcat 6.0.20 on 
port 8080 on my Oracle EL 5 server. But now I want all requests to go through 
SSL. 


See below my configurations on server.xml:

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" SSLRandomSeed="builtin" />

    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLEngine="on"
               SSLCerticateFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.crt"
               SSLCertificateKeyFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.p12"
               SSLPassword="optix10$"
    />

After doing all this, I still couldn't access "https://localhost:443/". It 
displays the error message "Internet Explorer cannot display the webpage". But when 
I try http://localhost:8080/, it works fine.

There is a clause I don't understand in the HowTo configure SSL with APR - (the
APR library must be available). How do I know if the APR is available or not?


Please assist.


Regards,

Moshood


Re: SSL Tomcat 6 7

2011-12-02 Thread Lau Eng Huat
Hi everybody,

I have been stuck on this SSL for over a month. I hope somebody can help me here. I'm
getting this warning:

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLEngine' to 'on' did not find a matching property.

I have tried using all 3 of these Connection types but it still does not work.
I'm running on Tomcat 7.0

protocol=org.apache.coyote.http11.Http11Protocol
protocol=org.apache.coyote.http11.Http11NioProtocol
protocol=org.apache.coyote.http11.Http11AprProtocol

1. # openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

Using configuration from ./openssl.cnf
Generating a 1024 bit RSA private key
...++..++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:tomcat
Verifying password - Enter PEM pass phrase:tomcat
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Organization Name (company) [The Sample Company]:enter
Organizational Unit Name (department, division) []:CA Division
Email Address []:ca@sample.com
Locality Name (city, district) [Metropolis]:enter
State or Province Name (full name) [New York]:enter
Country Name (2 letter code) [US]:enter
Common Name (hostname, IP, or your name) []:TSC Root CA

2. openssl req -new -nodes -out req.pem -config ./openssl.cnf
3. openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem

Using configuration from ./openssl.cnf
Enter PEM pass phrase:demo
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
organizationName      :PRINTABLE:'The Sample Company'
organizationalUnitName:PRINTABLE:'Mail Server'
emailAddress          :IA5STRING:'postmas...@sample.com'
localityName          :PRINTABLE:'Metropolis'
stateOrProvinceName   :PRINTABLE:'New York'
countryName           :PRINTABLE:'US'
commonName            :PRINTABLE:'mail.sample.com'
Certificate is to be certified until Dec 8 04:37:38 2002 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. copy cert.pem tmp.pem
5. openssl x509 -in tmp.pem -out cert.pem

//== OPENSSL.CFG ==
Attached here is the openssl.cfg

dir = .

[ ca ]
default_ca  = CA_default

[ CA_default ]
serial  = $dir/serial
database= $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days= 365
default_md  = md5
preserve= no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy  = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

[ req ]
default_bits= 1024  # Size of keys
default_keyfile = key.pem   # name of generated keys
default_md  = md5   # message digest algorithm
string_mask = nombstr   # permitted characters
distinguished_name  = req_distinguished_name
req_extensions  = v3_req

[ req_distinguished_name ]
# Variable name   Prompt string
#--   --
0.organizationName  = Organization Name (company)
organizationalUnitName  = Organizational Unit Name (department, division)
emailAddress= Email Address
emailAddress_max= 40
localityName= Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName  = Common Name (hostname, IP, or your name)
commonName_max  = 64

# Default values for the above, for consistency and less typing.
# Variable name   Value
#--   --
0.organizationName_default  = The Sample Company
localityName_default= Metropolis
stateOrProvinceName_default = New York
countryName_default = US

[ v3_ca ]
basicConstraints= CA:TRUE
subjectKeyIdentifier= hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ v3_req ]
basicConstraints= CA:FALSE
subjectKeyIdentifier= hash

//== SERVER.XML ==

Re: Tomcat 7 + exception while adding cookies

2011-12-02 Thread Martin Kuen
Hi,

On Thu, Dec 1, 2011 at 5:10 PM, Mark Thomas ma...@apache.org wrote:

 On 01/12/2011 15:49, Martin Kuen wrote:
  I first blamed eclipse wtp doing sth. wrong when applying the
  configuration. Therefore, I checked the connector's jmx properties and to
  my surprise I could no longer find a property called maxHttpHeaderSize
  for the connector (comparing tc 6 to 7).

 The JMX properties are not the definitive list of supported properties.
 That is provided by the documentation and maxHttpHeaderSize is still
 listed.


  Was it dropped by intention? I skimmed through the changelogs but
 couldn't
  find an explanation . . .

 It was dropped from JMX as part of the GSOC attribute clean-up since
 that attribute is implemented in the ProtocolHandler (where it is
 available via JMX).


thanks for the info.


  Afaik as I know this is a configurable setting for (at least most)
  webservers

 As it is (or should be if it is working properly) for all versions of
 Tomcat.


Well, oc it's working. Don't know what went wrong on my side yesterday. I
just got rather confused, when I could not find aforementioned jmx property.

Things make sense again :)


Best Regards,

Martin


Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread André Warnier

oh...@cox.net wrote:



...


<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
           tomcatAuthentication="false" />

That is correct. The "false" means that Tomcat will not do its own authentication, and 
will instead rely on the authenticated user-id passed by the front-end server.


Now could you also show us the section of your Apache front-end configuration, containing 
the directives which forward the requests to Tomcat ?

(proxy or rewrite stanzas)

Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes the 
authenticated user-id to Tomcat along with the proxied request, depends on the fact that 
within Apache (more precisely within the internal Apache request record), the request is 
really authenticated (*).
I am saying this because in an earlier post, you mentioned that you were using a 
third-party authentication package at the Apache httpd level.
It is unlikely, but possible, that this authentication package would use its own logic, 
and never populate the internal Apache request record with this user-id (**).
In such a case, the automatic forwarding of the user-id by the Apache-level connector 
module (mod_proxy_ajp or mod_jk) would of course not work, because they check the internal 
Apache request record, and have no knowledge of another user-id source.



(*) in Tomcat terms, the equivalent of populating the userPrincipal object
(**) for example, it may act as a filter, and rely on each request always containing a 
cookie which authenticates the request, and do its own access control independently of 
Apache httpd itself





Re: SSL Tomcat 6 7

2011-12-02 Thread Daniel Mikusa
On Fri, 2011-12-02 at 01:12 -0800, Lau Eng Huat wrote:
 Hi everybody,
 
 I'm stuck on this SSL over a month. I hope somebody can help me here. I'm
 getting a Warning on WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'SSLEngine' to 'on' did not find a matching property. 

Tomcat is telling you that the property SSLEngine does not exist on a
Connector object.  Note that it is not listed in the documentation
either.

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support


Perhaps you are confused with the SSLEngine attribute of the
AprLifecycleListener?

<Listener className="org.apache.catalina.core.AprLifecycleListener"
  SSLEngine="on" />


and perhaps you meant SSLEnabled="true" on your Connector?

Example from docs:

<Connector
   port="8443" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="/usr/local/ssl/server.crt"
   SSLCertificateKeyFile="/usr/local/ssl/server.pem"
   clientAuth="optional" SSLProtocol="TLSv1"/>

https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Dan




Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5

2011-12-02 Thread Daniel Mikusa
On Fri, 2011-12-02 at 00:56 -0800, moshood oladapo wrote:
 Dear Sir/Ma,
 
 I have already deployed an application running perfectly on tomcat 6.0.20 on 
 port 8080 on my Oracle EL 5 server. But now I want all request to go through 
 SSL. 
 

If you want to force all traffic to go through SSL, you need to do two
things.

1.) Configure a Connector with SSL.

Example using BIO connector:

<Connector 
   port="8443" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${user.home}/.keystore" keystorePass="changeit"
   clientAuth="false" sslProtocol="TLS"/>

Example using APR connector:

<Connector 
   port="8443" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="/usr/local/ssl/server.crt" 
   SSLCertificateKeyFile="/usr/local/ssl/server.pem"
   clientAuth="optional" SSLProtocol="TLSv1"/>

For details, see

  https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
  https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support


2.) Define user-data-constraint in web.xml to indicate that the
application's traffic must be secured.

<security-constraint>
    ...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

See this link for details.

  http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html#bncbm


 
 
 There is a clause I don't understand in the HowTo configure SSL with APR - 
 (the
 APR library must be available). How do I know if the APR is available or not?

If you don't know if APR is installed, then it's likely that it is not
installed.  The APR library is a native library that you must compile
and install manually.

https://tomcat.apache.org/tomcat-6.0-doc/apr.html

Did you or another system admin compile and install it on your server?


Dan


Re: SSL Tomcat 6 7

2011-12-02 Thread Lau Eng Huat
I'm still stuck after correcting the recommendation made by Daniel.

  <Listener  className="org.apache.catalina.core.AprLifecycleListener"
             SSLEngine="on" />

<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    SSLEngine="true"
    SSLCertificateFile="${catalina.base}\conf\cert.pem"
    SSLCertificateKeyFile="${catalina.base}\conf\key.pem"
    SSLPassword="tomcat"
 />

 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

It still gives me this error

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLEngine' to 'true' did not find a matching property.

I'm running tomcat as localhost under netbeans.


Re: SSL Tomcat 6 7

2011-12-02 Thread David kerber

On 12/2/2011 10:39 AM, Lau Eng Huat wrote:

I'm still stuck after correcting the recommendation made by Daniel.

   <Listener  className="org.apache.catalina.core.AprLifecycleListener"
              SSLEngine="on" />

 <Connector
 protocol="org.apache.coyote.http11.Http11AprProtocol"
 port="8443" maxHttpHeaderSize="8192"
 maxThreads="150" minSpareThreads="25"
 enableLookups="false" disableUploadTimeout="true"
 acceptCount="100" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS"
 SSLEngine="true"
 ^^

You still have SSLEngine set in the connector, where it doesn't belong.

 SSLCertificateFile="${catalina.base}\conf\cert.pem"
 SSLCertificateKeyFile="${catalina.base}\conf\key.pem"
 SSLPassword="tomcat"
  />

  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

It still gives me this error

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLEngine' to 'true' did not find a matching property.

I'm running tomcat as localhost under netbeans.

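The attribute mix-ups worked through in the two SSL threads above (SSLEngine set on the Connector instead of the AprLifecycleListener, JSSE and APR attributes combined on one Connector, a misspelled SSLCerticateFile, no SSLEnabled) can be caught before Tomcat starts. This is an added example, not code from the list or from Tomcat; the function name, the finding codes and both server.xml samples are constructed for illustration, and the attribute sets cover only the names quoted in these threads.

```python
import difflib
import xml.etree.ElementTree as ET

# Attribute families as they appear in the connector examples quoted in the threads.
JSSE_ATTRS = {"keystoreFile", "keystorePass", "sslProtocol"}
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLPassword", "SSLProtocol"}
LISTENER_ONLY = {"SSLEngine", "SSLRandomSeed"}  # set on AprLifecycleListener, not Connector
SECRET_ATTRS = {"SSLPassword", "keystorePass"}
KNOWN_TLS = JSSE_ATTRS | APR_ATTRS | LISTENER_ONLY | {"SSLEnabled"}

# Constructed sample modelled on the configurations posted in the threads.
BROKEN_XML = """
<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" SSLEngine="on"
               SSLCerticateFile="/path/to/server.crt"
               SSLCertificateKeyFile="/path/to/server.key"
               SSLPassword="PLACEHOLDER" />
  </Service>
</Server>
"""

# Constructed sample modelled on the APR example from the docs quoted in the replies.
FIXED_XML = """
<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" maxThreads="200" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="optional"
               SSLCertificateFile="/path/to/server.crt"
               SSLCertificateKeyFile="/path/to/server.key" />
  </Service>
</Server>
"""


def lint_connectors(xml_text):
    """Return (port, code, detail) findings for every TLS-related Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        attrs = conn.attrib
        names = set(attrs)
        if attrs.get("scheme") != "https" and not names & KNOWN_TLS:
            continue  # plain HTTP or AJP connector: nothing TLS-related to check
        port = attrs.get("port", "?")

        # 1. Listener attributes on a Connector trigger the SetAllPropertiesRule warning.
        for name in sorted(names & LISTENER_ONLY):
            findings.append((port, "MISPLACED",
                             f"{name} belongs on the AprLifecycleListener"))

        # 2. Unknown attributes that are a near miss of a known TLS attribute.
        for name in sorted(names - KNOWN_TLS):
            close = difflib.get_close_matches(name, sorted(KNOWN_TLS), n=1, cutoff=0.85)
            if close:
                findings.append((port, "TYPO", f"{name}: did you mean {close[0]}?"))

        # 3. JSSE-style and APR/OpenSSL-style attributes on the same Connector.
        if names & JSSE_ATTRS and names & APR_ATTRS:
            mixed = sorted(names & (JSSE_ATTRS | APR_ATTRS))
            findings.append((port, "MIXED",
                             "JSSE and APR attributes combined: " + ", ".join(mixed)))

        # 4. The Connector-level switch is SSLEnabled, not SSLEngine.
        if attrs.get("SSLEnabled") != "true":
            findings.append((port, "NOT_ENABLED", 'SSLEnabled="true" is not set'))

        # 5. Literal secrets: report the attribute name only, never the value.
        for name in sorted(names & SECRET_ATTRS):
            findings.append((port, "SECRET",
                             f"{name} is stored in clear text; restrict access to the "
                             "file and redact it before sharing"))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        results = lint_connectors(text)
        print(f"{label}: {len(results)} finding(s)")
        for port, code, detail in results:
            print(f"  port {port}: {code}: {detail}")
```

The check is static: it cannot tell whether the native APR library is actually installed, which still has to be confirmed on the server itself.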

Re: Logging - including host name in log file?

2011-12-02 Thread Christopher Schultz
Jerry,

On 12/1/11 11:34 PM, Jerry Malcolm wrote:
 Where should the properties file be located?  All of the docs say
 it should be in /common/classes.  But in my install, it's in
 /conf.

Something conspicuously missing in your original post was what version
of Tomcat you are using. If you are reading docs that mention
/common/classes, I suspect you're working with something less than
Tomcat 6.x. If that's true, are you able to upgrade? Tomcat 6 and 7
both have significant improvements and should be backward-compatible.

You can work with an older version of Tomcat, but 5.0 EOL'd a long
time ago and I think 5.5's days are numbered. Tomcat 7 is where the
real action is these days.

 At the risk of opening another bag of worms in your example,
 you said: (But, of course, you don't have that because you
 shouldn't put Contexts in server.xml, but I have it here for the
 sake of brevity).  Ok, I DO have context statements in my
 server.xml. I'm obviously not following best practices but it's
 worked fine for years. Can you point me to documentation that
 explains the negatives of doing it the way I'm doing it vs. the
 best practices way, and what the best practices way to do that is?

If you are using Tomcat 5.5 or later (which I hope you are), the best
thing to do is to use a file in your webapp's META-INF/context.xml --
that should contain your <Context> element and should contain neither
a docBase (because the file was loaded out of the webapp's docBase,
so Tomcat already knows where it is) nor a path (because the name of
the WAR file or exploded-WAR-structure already dictates the context path).

If you have an odd configuration where you want your WAR file
somewhere other than the webapps/ auto-deploy directory for your host,
then you can use a file in Tomcat's
conf/[Service]/[Host]/[webappname].xml, and you'll have to specify the
docBase attribute and point it at your webapp's WAR file (or
exploded-WAR-structure).

-chris



Re: Form-based Login question

2011-12-02 Thread Christopher Schultz
Chuck,

On 12/1/11 11:46 PM, Caldarale, Charles R wrote:
 From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com] Subject: Re:
 Form-based Login question
 
 Before I start, any words of advice for migrating?  Should it be
 relatively painless (e.g. install, copy current server.xml, and
 go?)
 
 Never, never, never copy your current server.xml to a new version
 of Tomcat.  (Can't emphasize that enough.)

+lots

 Lots of configuration tags have changed, disappeared, or have been 
 added.

... and class names have changed or disappeared altogether, logging is
different, etc.

-chris



Re: SSL Tomcat 6 7

2011-12-02 Thread Lau Eng Huat
Thank You, God Bless You a Thousand Fold !!!

On Fri, Dec 2, 2011 at 11:43 PM, David kerber dcker...@verizon.net wrote:

 On 12/2/2011 10:39 AM, Lau Eng Huat wrote:

 I'm still stuck after correcting the recommendation made by Daniel.

   Listener  className=org.apache.**catalina.core.**
 AprLifecycleListener
 SSLEngine=on /

 Connector
 protocol=org.apache.coyote.**http11.Http11AprProtocol
 port=8443 maxHttpHeaderSize=8192
 maxThreads=150 minSpareThreads=25
 enableLookups=false disableUploadTimeout=true
 acceptCount=100 scheme=https secure=true
 clientAuth=false sslProtocol=TLS
 SSLEngine=true


 ^^

 You still have SSLEngine set in the connector, where it doesn't belong.



  SSLCertificateFile=${**catalina.base}\conf\cert.pem
 SSLCertificateKeyFile=${**catalina.base}\conf\key.pem
 SSLPassword=tomcat
  /

  Connector port=8009 protocol=AJP/1.3 redirectPort=8443/

 It still gives me this error

 WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'SSLEngine' to 'true' did not find a matching property.

 I'm running tomcat as localhost under netbeans.

 On Fri, Dec 2, 2011 at 9:57 PM, Daniel Mikusa dmik...@vmware.com wrote:

  On Fri, 2011-12-02 at 01:12 -0800, Lau Eng Huat wrote:

 Hi everybody,

 I'm stuck on this SSL over a month. I hope somebody can help me here.
 I'm
 getting a Warning on WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'SSLEngine' to 'on' did not find a matching property.


 Tomcat is telling you that the property SSLEngine does not exist on a
 Connector object.  Note that it is not listed in the documentation
 either.

 https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support


 Perhaps you are confused with the SSLEngine attribute of the
 AprLifecycleListener?

 <Listener className="org.apache.catalina.core.AprLifecycleListener"
  SSLEngine="on" />


 and perhaps you meant SSLEnabled=true on your Connector?

 Example from docs:

 <Connector
   port="8443" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="/usr/local/ssl/server.crt"
   SSLCertificateKeyFile="/usr/local/ssl/server.pem"
   clientAuth="optional" SSLProtocol="TLSv1"/>

 https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

 Dan



  I have tried using
 all this 3 Connection type but it still does not work. I'm running on
 Tomcat 7.0

 protocol="org.apache.coyote.http11.Http11Protocol"
 protocol="org.apache.coyote.http11.Http11NioProtocol"
 protocol="org.apache.coyote.http11.Http11AprProtocol"

 1. # openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

 Using configuration from ./openssl.cnf
 Generating a 1024 bit RSA private key
 ...++..++
 writing new private key to 'private/cakey.pem'
 Enter PEM pass phrase:tomcat
 Verifying password - Enter PEM pass phrase:tomcat
 -
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -
 Organization Name (company) [The Sample Company]:enter
 Organizational Unit Name (department, division) []:CA Division
 Email Address []:ca@sample.com
 Locality Name (city, district) [Metropolis]:enter
 State or Province Name (full name) [New York]:enter
 Country Name (2 letter code) [US]:enter
 Common Name (hostname, IP, or your name) []:TSC Root CA

 2. openssl req -new -nodes -out req.pem -config ./openssl.cnf
 3. openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem

 Using configuration from ./openssl.cnf
 Enter PEM pass phrase:demo
 Check that the request matches the signature
 Signature ok
 The Subjects Distinguished Name is as follows
 organizationName      :PRINTABLE:'The Sample Company'
 organizationalUnitName:PRINTABLE:'Mail Server'
 emailAddress          :IA5STRING:'postmaster@sample.com'
 localityName          :PRINTABLE:'Metropolis'
 stateOrProvinceName   :PRINTABLE:'New York'
 countryName           :PRINTABLE:'US'
 commonName            :PRINTABLE:'mail.sample.com'
 Certificate is to be certified until Dec 8 04:37:38 2002 GMT (365 days)
 Sign the certificate? [y/n]:y

 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated

 4. copy cert.pem tmp.pem
 5. openssl x509 -in tmp.pem -out cert.pem

 //== OPENSSL.CFG ==
 Attached here is the openssl.cfg

 dir = .

 [ ca ]
 default_ca  = 

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya

 André Warnier a...@ice-sa.com wrote: 
 oh...@cox.net wrote:
  
 ...
  
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
  tomcatAuthentication="false" />
  
 That is correct. The false means that Tomcat will not do its own 
 authentication, and 
 will instead rely on the authenticated user-id passed by the front-end server.
 
 Now could you also show us the section of your Apache front-end 
 configuration, containing 
 the directives which forward the requests to Tomcat ?
 (proxy or rewrite stanzas)
 
 Note: the fact that the Apache/Tomcat connector (the one at the Apache level) 
 passes the 
 authenticated user-id to Tomcat along with the proxied request, depends on 
 the fact that 
 within Apache (more precisely within the internal Apache request record), 
 the request is 
 really authenticated (*).
 I am saying this because in an earlier post, you mentioned that you were 
 using a 
 third-party authentication package at the Apache httpd level.
 It is unlikely, but possible, that this authentication package would use its 
 own logic, 
 and never populate the internal Apache request record with this user-id 
 (**).
 In such a case, the automatic forwarding of the user-id by the Apache-level 
 connector 
 module (mod_proxy_ajp or mod_jk) would of course not work, because they check 
 the internal 
 Apache request record, and have no knowledge of another user-id source.
 
 
 (*) in Tomcat terms, the equivalent of populating the userPrincipal object
 (**) for example, it may act as a filter, and rely on each request always 
 containing a 
 cookie which authenticates the request, and do its own access control 
 independently of 
 Apache httpd itself
 


Andre,

Sure.  Here's the section from httpd.conf.  This is testing where I purposely 
insert a REMOTE_USER HTTP header into the request being proxied.  As I said, 
I have a sniffer on the line, and I can see the REMOTE_USER header, but still, 
when I get to my test JSP hosted on the Tomcat, getUserPrincipal() is returning 
null (don't mind the hostname in the ProxyPass, etc.  I just happen to be 
hosting Tomcat on that machine, and WebLogic is shutdown there).


# Proxy to Tomcat on weblogic1 machine, using AJP
<Location /samplesajp>
RequestHeader set REMOTE_USER 9test
ProxyPass         ajp://weblogic1.whatever.com:8009/samplesajp
ProxyPassReverse  ajp://weblogic1.whatever.com:8009/samplesajp
</Location>

Jim




Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya

 oh...@cox.net wrote: 
 
  André Warnier a...@ice-sa.com wrote: 
  oh...@cox.net wrote:
   
  ...
   
   <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
   tomcatAuthentication="false" />
   
  That is correct. The false means that Tomcat will not do its own 
  authentication, and 
  will instead rely on the authenticated user-id passed by the front-end 
  server.
  
  Now could you also show us the section of your Apache front-end 
  configuration, containing 
  the directives which forward the requests to Tomcat ?
  (proxy or rewrite stanzas)
  
  Note: the fact that the Apache/Tomcat connector (the one at the Apache 
  level) passes the 
  authenticated user-id to Tomcat along with the proxied request, depends on 
  the fact that 
  within Apache (more precisely within the internal Apache request record), 
  the request is 
  really authenticated (*).
  I am saying this because in an earlier post, you mentioned that you were 
  using a 
  third-party authentication package at the Apache httpd level.
  It is unlikely, but possible, that this authentication package would use 
  its own logic, 
  and never populate the internal Apache request record with this user-id 
  (**).
  In such a case, the automatic forwarding of the user-id by the Apache-level 
  connector 
  module (mod_proxy_ajp or mod_jk) would of course not work, because they 
  check the internal 
  Apache request record, and have no knowledge of another user-id source.
  
  
  (*) in Tomcat terms, the equivalent of populating the userPrincipal object
  (**) for example, it may act as a filter, and rely on each request always 
  containing a 
  cookie which authenticates the request, and do its own access control 
  independently of 
  Apache httpd itself
  
 
 
 Andre,
 
 Sure.  Here's the section from httpd.conf.  This is testing where I purposely 
 insert a REMOTE_USER HTTP header into the request being proxied.  As I 
 said, I have a sniffer on the line, and I can see the REMOTE_USER header, but 
 still, when I get to my test JSP hosted on the Tomcat, getUserPrincipal() is 
 returning null (don't mind the hostname in the ProxyPass, etc.  I just happen 
 to be hosting Tomcat on that machine, and WebLogic is shutdown there).
 
 
 # Proxy to Tomcat on weblogic1 machine, using AJP
 <Location /samplesajp>
 RequestHeader set REMOTE_USER 9test
 ProxyPass         ajp://weblogic1.whatever.com:8009/samplesajp
 ProxyPassReverse  ajp://weblogic1.whatever.com:8009/samplesajp
 </Location>
 
 Jim
 


Hi,

BTW, I asked about this earlier, but is it possible to turn on some debugging 
on the Tomcat side, that might help diagnose why the AJP connector is not 
working the expected way?  I'm not that familiar with Tomcat or AJP logging, 
but I've only been able to set logging in logging.properties so that there's 
either almost no logging or it generated a ton of logging (but not stuff on AJP 
connection/processing) :(...

Jim




Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread André Warnier

oh...@cox.net wrote:
 oh...@cox.net wrote: 
 André Warnier a...@ice-sa.com wrote: 

oh...@cox.net wrote:
...

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
tomcatAuthentication="false" />

That is correct. The false means that Tomcat will not do its own authentication, and 
will instead rely on the authenticated user-id passed by the front-end server.


Now could you also show us the section of your Apache front-end configuration, containing 
the directives which forward the requests to Tomcat ?

(proxy or rewrite stanzas)

Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes the 
authenticated user-id to Tomcat along with the proxied request, depends on the fact that 
within Apache (more precisely within the internal Apache request record), the request is 
really authenticated (*).
I am saying this because in an earlier post, you mentioned that you were using a 
third-party authentication package at the Apache httpd level.
It is unlikely, but possible, that this authentication package would use its own logic, 
and never populate the internal Apache request record with this user-id (**).
In such a case, the automatic forwarding of the user-id by the Apache-level connector 
module (mod_proxy_ajp or mod_jk) would of course not work, because they check the internal 
Apache request record, and have no knowledge of another user-id source.



(*) in Tomcat terms, the equivalent of populating the userPrincipal object
(**) for example, it may act as a filter, and rely on each request always containing a 
cookie which authenticates the request, and do its own access control independently of 
Apache httpd itself




Andre,

Sure.  Here's the section from httpd.conf.  This is testing where I purposely insert a 
REMOTE_USER HTTP header into the request being proxied.  As I said, I have a 
sniffer on the line, and I can see the REMOTE_USER header, but still, when I get to my 
test JSP hosted on the Tomcat, getUserPrincipal() is returning null (don't mind the 
hostname in the ProxyPass, etc.  I just happen to be hosting Tomcat on that machine, and 
WebLogic is shutdown there).


# Proxy to Tomcat on weblogic1 machine, using AJP
<Location /samplesajp>
RequestHeader set REMOTE_USER 9test
ProxyPass         ajp://weblogic1.whatever.com:8009/samplesajp
ProxyPassReverse  ajp://weblogic1.whatever.com:8009/samplesajp
</Location>

Jim




Hi,

BTW, I asked about this earlier, but is it possible to turn on some debugging 
on the Tomcat side, that might help diagnose why the AJP connector is not 
working the expected way?  I'm not that familiar with Tomcat or AJP logging, 
but I've only been able to set logging in logging.properties so that there's 
either almost no logging or it generated a ton of logging (but not stuff on AJP 
connection/processing) :(...


Sorry, dunno.  Logging is not my favorite area in Tomcat..

Also, to tell the truth, I do not know exactly /how/ the Apache user-id is passed to 
Tomcat.  I strongly suspect that the REMOTE_USER HTTP header may not be it, and that it 
may be via what Tomcat calls request attributes, and Apache calls environment 
variables (but not in the usual shell sense).  But I don't know how this particular one 
may be named.
Since you seem better at Java than I am, you may be able to find it in the Tomcat AJP 
Connector code somewhere.  I would start looking for request attribute rather than header.


This page : http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
seems to hint at ditto, and even mentions a request attribute named 
remote_user (lowercase).

Maybe you could try to set this environment variable in Apache, and see where 
it leads you ?
In this page : http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
it shows how to do that (but there it calls them server variables).
The terminology is not very consistent..










Re: Anybody can help me?Thank you!

2011-12-02 Thread Christopher Schultz

孙文,

On 12/2/11 11:20 AM, 孙文 wrote:
 I use tomcat 7.0.22,when i use  getResponse().sendRedirect(url) in 
 action(Struts2 ),i watch tomcat log ,record this in following
 picture.
 
 [java.net.SocketException]
 
 why?

It could be many things: the error message itself is in Chinese, and
it's in an image so there's no way for me to plug it into Google
Translate to see what it actually says.

My guess is that the client disconnected before you were able to send
the redirect, and so there's nowhere for the data to go -- that would
be a case where this exception is entirely expected and shouldn't be
considered a problem.

 and sometimes tomcat is not in service.but cpu \ memory and tomcat 
 thread is normal in solaris.

So, you're saying that Tomcat isn't running but it is somehow still
running? Can you be more specific? Why do you think it's running? Why
do you think it's not running?

By the way, you have code after your sendRedirect call that might
affect the response -- that's probably a bad idea. Generally, you want
sendRedirect to be the last thing your code does before returning
from the doGet (or functionally-equivalent) method.

-chris



Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5

2011-12-02 Thread Christopher Schultz

Moshood,

On 12/2/11 3:56 AM, moshood oladapo wrote:
 <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
 SSLEngine="on"

That's the second message today from someone trying to use
SSLEngine=on in their Connector.

Is the documentation for Connector not clear enough?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Search for SSLEngine. Can't find it? Because it's not the right
attribute to use. Please read the documentation and configure the
Connector properly.

-chris



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya

 André Warnier a...@ice-sa.com wrote: 
 oh...@cox.net wrote:
   oh...@cox.net wrote: 
   André Warnier a...@ice-sa.com wrote: 
  oh...@cox.net wrote:
  ...
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
  tomcatAuthentication="false" />
 
  That is correct. The false means that Tomcat will not do its own 
  authentication, and 
  will instead rely on the authenticated user-id passed by the front-end 
  server.
 
  Now could you also show us the section of your Apache front-end 
  configuration, containing 
  the directives which forward the requests to Tomcat ?
  (proxy or rewrite stanzas)
 
  Note: the fact that the Apache/Tomcat connector (the one at the Apache 
  level) passes the 
  authenticated user-id to Tomcat along with the proxied request, depends 
  on the fact that 
  within Apache (more precisely within the internal Apache request 
  record), the request is 
  really authenticated (*).
  I am saying this because in an earlier post, you mentioned that you were 
  using a 
  third-party authentication package at the Apache httpd level.
  It is unlikely, but possible, that this authentication package would use 
  its own logic, 
  and never populate the internal Apache request record with this user-id 
  (**).
  In such a case, the automatic forwarding of the user-id by the 
  Apache-level connector 
  module (mod_proxy_ajp or mod_jk) would of course not work, because they 
  check the internal 
  Apache request record, and have no knowledge of another user-id source.
 
 
  (*) in Tomcat terms, the equivalent of populating the userPrincipal object
  (**) for example, it may act as a filter, and rely on each request always 
  containing a 
  cookie which authenticates the request, and do its own access control 
  independently of 
  Apache httpd itself
 
 
  Andre,
 
  Sure.  Here's the section from httpd.conf.  This is testing where I 
  purposely insert a REMOTE_USER HTTP header into the request being 
  proxied.  As I said, I have a sniffer on the line, and I can see the 
  REMOTE_USER header, but still, when I get to my test JSP hosted on the 
  Tomcat, getUserPrincipal() is returning null (don't mind the hostname in 
  the ProxyPass, etc.  I just happen to be hosting Tomcat on that machine, 
  and WebLogic is shutdown there).
 
 
  # Proxy to Tomcat on weblogic1 machine, using AJP
  <Location /samplesajp>
  RequestHeader set REMOTE_USER 9test
  ProxyPass          ajp://weblogic1.whatever.com:8009/samplesajp
  ProxyPassReverse   ajp://weblogic1.whatever.com:8009/samplesajp
  </Location>
 
  Jim
 
 
  
  Hi,
  
  BTW, I asked about this earlier, but is it possible to turn on some 
  debugging on the Tomcat side, that might help diagnose why the AJP 
  connector is not working the expected way?  I'm not that familiar with 
  Tomcat or AJP logging, but I've only been able to set logging in 
  logging.properties so that there's either almost no logging or it generated 
  a ton of logging (but not stuff on AJP connection/processing) :(...
  
 Sorry, dunno.  Logging is not my favorite area in Tomcat..
 
 Also, to tell the truth, I do not know exactly /how/ the Apache user-id is 
 passed to 
 Tomcat.  I strongly suspect that the REMOTE_USER HTTP header may not be it, 
 and that it 
 may be via what Tomcat calls request attributes, and Apache calls 
 environment 
 variables (but not in the usual shell sense).  But I don't know how this 
 particular one 
 may be named.
 Since you seem better at Java than I am, you may be able to find it in the 
 Tomcat AJP 
 Connector code somewhere.  I would start looking for request attribute 
 rather than header.
 
 This page : http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
 seems to hint at ditto, and even mentions a request attribute named 
 remote_user (lowercase).
 
 Maybe you could try to set this environment variable in Apache, and see 
 where it leads you ?
 In this page : 
 http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
 it shows how to do that (but there it calls them server variables).
 The terminology is not very consistent..
 
 
 


Hi,

Ok, I'll take a look at those.  FYI, I have debug level on the Apache side, and 
there is some stuff there, which I think confirms that I am indeed including 
REMOTE_USER in the requests to Tomcat/AJP:


[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(44): proxy: AJP: 
canonicalising URL //weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1412): [client 192.168.0.7] 
proxy: ajp: found worker ajp://weblogic1.whatever.com:8009/samplesajp for 
ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy.c(819): Running scheme ajp handler 
(attempt 0)
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_http.c(1683): proxy: HTTP: 
declining URL ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] 

Re: Tomcat Logging and HTTP Header question

2011-12-02 Thread jmpaul012

can anyone help??


jmpaul012 wrote:
 
 So I am doing Tomcat STIGS and I am stuck on two of the STIGs.
 
 1.  How do I change what tomcat logs?  I think it's something I need to do
 in server.xml but I'm not sure.  This is what I need to log:
 
 • Date, Time
 • IP address of the host that initiated the request
 • User ID supplied for HTTP authentication
 • HTTP Method
 • URL in the request
 • The protocol and protocol version used to make the request
 • Source and destination port numbers
 • Status codes for the response
 • Size of the response in bytes
 • HTTP Status and Referrer for the following events:
 
 - Successful and unsuccessful attempts to access the web server software.
 - Successful and unsuccessful attempts to access the web site.
 - Successful and unsuccessful attempts to access the web application.
 
 
 2. How do I view/change the HTTP header information of an intranet site
 that is using Tomcat?  I have to make sure the HTTP header does not show
 information about the web server which would include, web server product,
 version, or host operating system 
 




Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread Christopher Schultz



On 12/1/11 11:29 PM, oh...@cox.net wrote:
 Also, BTW, I just did a test where, in the Apache httpd.conf, I 
 hard-coded REMOTE_USER header using RequestHeader.
 
 In my sniffer, I can see the REMOTE_USER set to the hard-coded 
 string, but in my test JSP on Tomcat, there getUserPrincipal() is 
 returning null.  I've tried this test with 'tomcatAuthentication' 
 attribute in server.xml set to both true and false, with the
 same results :(...

That rings a bell. I seem to recall that if the resource isn't
protected by a security-constraint then getUserPrincipal will return
null during that request.

That may only be when Tomcat is doing its own authentication, though.
I suspect that if you (or the AJP connector) sets the principal in the
request, it's there regardless of the authentication settings of Tomcat.

-chris



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread Christopher Schultz

Jim,

On 12/2/11 11:26 AM, oh...@cox.net wrote:
 Sure. Here's the section from httpd.conf. This is testing where I 
 purposely insert a REMOTE_USER HTTP header into the request
 being proxied. As I said, I have a sniffer on the line, and I can
 see the REMOTE_USER header, but still, when I get to my test JSP
 hosted on the Tomcat, getUserPrincipal() is returning null (don't
 mind the hostname in the ProxyPass, etc. I just happen to be
 hosting Tomcat on that machine, and WebLogic is shutdown there).

The problem is that AJP sends the authentication information as part
of the AJP protocol, not as a request header. You are setting a
request header which is not the mechanism AJP uses to transfer the userid.

You might want to check to see if your SSO module works the way that
other httpd modules expect -- like the other mod_auth_[xyz], for instance.

See http://tomcat.apache.org/connectors-doc/reference/apache.html.
Specifically, the JkRemoteUserIndicator directive which allows you to
override the environment variable whose value will be used to
send-over the username to Tomcat.

I wouldn't think you'd have to do that (REMOTE_USER should already be
set by your auth module and mod_proxy_jk should already be using
that), but you might be able to force it for some testing.

-chris
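
Added example (not part of the original post, and not Tomcat or mod_jk code): a minimal Python decoder for the AJP13 Forward Request packet described on the ajpv13a page linked earlier in the thread, showing that a REMOTE_USER request header and the remote_user attribute are separate fields on the wire. The function names, the client address, the server name and the user "jim" are constructed for illustration; container_principal() is a simplified model of a connector running with tomcatAuthentication=false.

```python
import struct

MAGIC_TO_CONTAINER = 0x1234   # first two bytes of every web server -> container packet
FORWARD_REQUEST = 0x02
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}
# Common request header names travel as 0xA0xx codes instead of strings.
CODED_HEADERS = {0x01: "accept", 0x02: "accept-charset", 0x03: "accept-encoding",
                 0x04: "accept-language", 0x05: "authorization", 0x06: "connection",
                 0x07: "content-type", 0x08: "content-length", 0x09: "cookie",
                 0x0A: "cookie2", 0x0B: "host", 0x0C: "pragma", 0x0D: "referer",
                 0x0E: "user-agent"}
# Optional attributes after the headers: one code byte, then a string value.
ATTRIBUTES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "jvm_route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              0x0C: "secret", 0x0D: "stored_method"}
ATTR_REQ_ATTRIBUTE, ATTR_SSL_KEY_SIZE, ATTR_DONE = 0x0A, 0x0B, 0xFF
SAMPLE_URI = "/samplesajp/ssoAMTomcatTest.jsp"   # URI seen in the thread's httpd log


def ajp_string(value):
    """Encode an AJP string: 2-byte length, bytes, NUL; 0xFFFF means null."""
    if value is None:
        return b"\xff\xff"
    raw = value.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_forward_request(uri, headers, remote_user=None):
    """Encode a constructed sample packet (GET, no body) for the parser below."""
    body = bytes([FORWARD_REQUEST, 2])                     # prefix code, method GET
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("192.0.2.10") + ajp_string(None)    # remote_addr, remote_host
    body += ajp_string("www.example.test") + struct.pack(">H", 80)
    body += b"\x00"                                        # is_ssl = false
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        body += ajp_string(name) + ajp_string(value)
    if remote_user is not None:                            # set from httpd's request record
        body += bytes([0x03]) + ajp_string(remote_user)
    body += bytes([ATTR_DONE])
    return struct.pack(">HH", MAGIC_TO_CONTAINER, len(body)) + body


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated AJP packet")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def string(self):
        length = self.u16()
        if length == 0xFFFF:
            return None
        text = self.take(length).decode("latin-1")
        if self.byte() != 0:
            raise ValueError("AJP string is not NUL-terminated")
        return text


def parse_forward_request(packet):
    r = Reader(packet)
    if r.u16() != MAGIC_TO_CONTAINER or r.u16() != len(packet) - 4:
        raise ValueError("bad magic or length")
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    req = {"method": METHODS.get(r.byte(), "?"), "protocol": r.string(),
           "uri": r.string(), "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(),
           "is_ssl": r.byte() != 0, "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        code = r.u16()
        if code >> 8 == 0xA0:                  # coded header name
            name = CODED_HEADERS.get(code & 0xFF, hex(code))
        else:                                  # plain string name: re-read its length
            r.pos -= 2
            name = r.string() or ""
        req["headers"][name.lower()] = r.string()
    while True:
        code = r.byte()
        if code == ATTR_DONE:
            return req
        if code == ATTR_REQ_ATTRIBUTE:         # free-form name/value pair
            name = r.string()
            req["attributes"][name] = r.string()
        elif code == ATTR_SSL_KEY_SIZE:
            req["attributes"]["ssl_key_size"] = r.u16()
        elif code in ATTRIBUTES:
            req["attributes"][ATTRIBUTES[code]] = r.string()
        else:
            raise ValueError(f"unknown attribute code {code:#x}")


def container_principal(req):
    """Model of tomcatAuthentication=false: only the attribute carries identity."""
    return req["attributes"].get("remote_user")
```

A request built with only the REMOTE_USER header parses with that header present and no principal, which matches the null getUserPrincipal() reported in the thread; the principal appears only when the front end emits the remote_user attribute.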



Re: Tomcat Logging and HTTP Header question

2011-12-02 Thread Daniel Mikusa
On Fri, 2011-12-02 at 09:10 -0800, jmpaul012 wrote:
 can anyone help??
 
 
 jmpaul012 wrote:
  
  So I am doing Tomcat STIGS and I am stuck on two of the STIGs.
  
  1.  How do I change what tomcat logs?  I think it's something I need to do
  in server.xml but I'm not sure.  This is what I need to log:
  
  • Date, Time
  • IP address of the host that initiated the request
  • User ID supplied for HTTP authentication
  • HTTP Method
  • URL in the request
  • The protocol and protocol version used to make the request
  • Source and destination port numbers
  • Status codes for the response
  • Size of the response in bytes
  • HTTP Status and Referrer for the following events:
  
  - Successful and unsuccessful attempts to access the web server software.
  - Successful and unsuccessful attempts to access the web site.
  - Successful and unsuccessful attempts to access the web application.
  

I believe this one was already answered.

 In any case, your first stop should probably be the on-line
 documentation for the AccessLog Valve.

https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Access_Log_Valve


  
  2. How do I view/change the HTTP header information of an intranet site
  that is using Tomcat?  I have to make sure the HTTP header does not show
  information about the web server which would include, web server product,
  version, or host operating system 
  

I think you want the server attribute of the <Connector/> element.

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

Dan
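
Added example (not from the original thread or the Tomcat project): a small Python audit of a server.xml against the points raised in this thread, namely the access-log fields listed in the question, the server attribute of the Connector, and SSLEngine placed on a Connector instead of the AprLifecycleListener. Both server.xml samples, the function names and the replacement Server value "webserver" are constructed; %{remote}p for the client port is taken from current Tomcat valve documentation, so check it against the version in use.

```python
import re
import xml.etree.ElementTree as ET

# Logging item from the question -> AccessLogValve pattern codes that record it.
REQUIRED = {
    "date and time": {"%t"},
    "client IP": {"%a", "%h"},
    "user ID": {"%u"},
    "HTTP method": {"%m", "%r"},
    "request URL": {"%U", "%r"},
    "protocol and version": {"%H", "%r"},
    "destination port": {"%p", "%{local}p"},
    "source port": {"%{remote}p"},      # assumption: verify for your Tomcat version
    "status code": {"%s"},
    "response size": {"%b", "%B"},
    "referrer": {"%{referer}i"},
}
ALIASES = {
    "common": '%h %l %u %t "%r" %s %b',
    "combined": '%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"',
}


def pattern_codes(pattern):
    """Return the set of %x and %{arg}x codes used in a valve pattern."""
    pattern = ALIASES.get(pattern, pattern)
    found = re.findall(r"%(?:\{([^}]*)\})?([A-Za-z])", pattern)
    return {("%{" + arg.lower() + "}" if arg else "%") + code for arg, code in found}


def audit_server_xml(xml_text):
    """Return a list of findings for the three checks discussed in the thread."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if "SSLEngine" in conn.attrib:
            findings.append(f"Connector {port}: SSLEngine belongs on the "
                            "AprLifecycleListener; the Connector takes SSLEnabled")
        is_ajp = "ajp" in conn.get("protocol", "HTTP/1.1").lower()
        if not is_ajp and not conn.get("server"):
            findings.append(f"Connector {port}: no server attribute, "
                            "Server response header left at its default")
    valves = [v for v in root.iter("Valve")
              if v.get("className", "").endswith(".AccessLogValve")]
    if not valves:
        findings.append("no AccessLogValve configured")
    for valve in valves:
        codes = pattern_codes(valve.get("pattern", "common"))
        missing = [item for item, ok in REQUIRED.items() if not codes & ok]
        if missing:
            findings.append("AccessLogValve pattern does not record: "
                            + ", ".join(missing))
    return findings


# Constructed sample: repeats the SSLEngine-on-Connector mistake from this list.
WEAK = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https" secure="true" SSLEngine="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="common"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Same file with the Connector corrected and an explicit access-log pattern.
HARDENED = WEAK.replace(
    'SSLEngine="true"', 'SSLEnabled="true" server="webserver"'
).replace(
    'pattern="common"',
    "pattern='%t %a %{remote}p %p %u %m %U%q %H %s %b &quot;%{Referer}i&quot;'",
)

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_server_xml(text))
```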




Re: Tomcat Logging and HTTP Header question

2011-12-02 Thread Christopher Schultz

To whom it may concern,

On 12/2/11 12:10 PM, jmpaul012 wrote:
 So I am doing Tomcat STIGS and I am stuck on two of the STIGs.
 
 1.  How do I change what tomcat logs?  I think it's something I
 need to do in server.xml but I'm not sure.

What have you tried so far? This is a community mailing list, not a
consulting agency. We're here to help, not to do things for you.

 This is what I need to log:
 
 • Date, Time
 • IP address of the host that initiated the request
 • User ID supplied for HTTP authentication
 • HTTP Method
 • URL in the request
 • The protocol and protocol version used to make the request
 • Source and destination port numbers
 • Status codes for the response
 • Size of the response in bytes
 • HTTP Status and Referrer for the following events:

That sounds a lot like an HTTP access log. Have you looked through the
logging documentation for your version of Tomcat for how to do
access logging?

 - Successful and unsuccessful attempts to access the web server
 software.

Depends upon your definition of successful, attempt, and access.

 - Successful and unsuccessful attempts to access the web site.

Ditto.

 - Successful and unsuccessful attempts to access the web
 application.

Ditto.

 2. How do I view/change the HTTP header information of an
 intranet site that is using Tomcat?  I have to make sure the HTTP
 header does not show information about the web server which would
 include, web server product, version, or host operating system

Generally speaking, it's nice to post different questions in separate
threads. It's not a huge deal, but it makes following a conversation
easier for others.

Anyhow, you are looking for changing the Server response header,
right? That's in the documentation as well, but it might not be the
easiest thing to find. See below.

Since you are looking at securing Tomcat, you might want to have a
look at the Security Considerations section of the Tomcat User Guide:
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

(Make sure you use the right version -- I chose TC 7 because you never
told us what you were running).

Hope that helps,
-chris



Re: Logging - including host name in log file?

2011-12-02 Thread Jerry Malcolm
Ok, I'm digging into this.  Slowly but surely.  Just to confirm...

So if I have, say 2 hosts, each with 3 web apps, and I want a different log
file for each web app on each host, I need to define 6 of the following:

10host1webapp1.org.apache.juli.FileHandler.level = FINE
10host1webapp1.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
10host1webapp1.org.apache.juli.FileHandler.prefix = Host1App1.

 through

15host2webapp3.org.apache.juli.FileHandler.level = FINE
15host2webapp3.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
15host2webapp3.org.apache.juli.FileHandler.prefix = Host2App3.

And then define 6 of the following:

org.apache.catalina.core.ContainerBase.[Catalina].[host1].[/webapp1].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[host1].[/webapp1].handlers = 10host1webapp1.org.apache.juli.FileHandler

...through

org.apache.catalina.core.ContainerBase.[Catalina].[host2].[/webapp3].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[host2].[/webapp3].handlers = 15host2webapp3.org.apache.juli.FileHandler

and I put all of this in /conf/logging.properties

All of this is required in order to get separate log files per webapp per
host, right?

Thanks.

Jerry

On Thu, Dec 1, 2011 at 8:50 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Jerry,

 On 12/1/11 9:21 PM, Jerry Malcolm wrote:
  I'm trying to get my hands around the whole tomcat logging system.
  I've read the docs, wikis, samples, etc.  But I still struggling a
  bit.  I've been just using System.out.println for years, and it's
  getting totally out of control.  So time to learn tomcat logging.

 Yup. System.out is insanely inflexible.

  Basically, I host quite a few domains.  I'd like to separate the
  log files per host (and possibly further subdivide by webapps).  I
  can't find any way to specify the host as part of the logger file
  handler directory.  This may be something intuitively obvious.  But
  I haven't found it yet.

 Which logging system are you using? Tomcat's default is to use JULI
 which connects commons-logging up to the java.util.logging (or J-U-L
 Interface, hence JULI).

 At any rate, the standard logging.properties file should have examples
 that make this work. For instance, I can see the following in mine:


 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler

 All that mess configures a logger that captures the logs for the
 manager Context that is deployed into the localhost Host under
 the Catalina Service.

 You can easily create one of these for each of your webapps (or even
 just per host) in the same way: just use the proper Service, Host, and
 context path (contexts don't have names, so you use the context path
 instead -- the above for an example).

 So, let's say that you have:

 <Service name="Catalina">
   <Host name="www.awesomehost.com">
     <Context path="/sweetwebapp" docBase="..." ... />
   </Host>
 </Service>

 (But, of course, you don't have that because you shouldn't put
 Contexts in server.xml, but I have it here for the sake of brevity).

 Anyhow, you can configure a logger for that context like this:

 org.apache.catalina.core.ContainerBase.[Catalina].[www.awesomehost.com].[/sweetwebapp].level=INFO

 (plus the other configuration you'll need like which file to use, etc.)

  If it can't be configured statically to plug the host name into the
  log file name with a variable or something like ${catalina_home},
  alternatively is there a way to change the file name on the fly
  after getting an instance of the java.utils.logging.Logger class?

 If you are using Tomcat's internal logging (which is done by calling
 ServletContext.log(...)) then you should use lib/logging.properties as
 described above.

 If you are using java.util.logging directly in your own webapp, then
 you are on your own :(

 If you are using AccessLogValve, well then you just need to use %v
 to get the name of the local server -- but that's for the actual log
 data, not for the filename.

 - -chris




hi

2011-12-02 Thread srilaxmi deevela
please send me the tomcat5.5 software link,i traid but setup file is not
visible there


RE: hi

2011-12-02 Thread Ilya Kazakevich
http://tomcat.apache.org/download-55.cgi 


Ilya Kazakevich,
Developer
JetBrains Inc
http://www.jetbrains.com
Develop with pleasure!

-Original Message-
From: srilaxmi deevela [mailto:deevelasrila...@gmail.com] 
Sent: Friday, December 02, 2011 9:56 PM
To: users@tomcat.apache.org
Subject: hi

please send me the tomcat5.5 software link,i traid but setup file is not
visible there





Re: hi

2011-12-02 Thread srilaxmi deevela
thanq

On Fri, Dec 2, 2011 at 11:27 PM, Ilya Kazakevich 
ilya.kazakev...@jetbrains.com wrote:

 http://tomcat.apache.org/download-55.cgi


 Ilya Kazakevich,
 Developer
 JetBrains Inc
 http://www.jetbrains.com
 Develop with pleasure!

 -Original Message-
 From: srilaxmi deevela [mailto:deevelasrila...@gmail.com]
 Sent: Friday, December 02, 2011 9:56 PM
 To: users@tomcat.apache.org
 Subject: hi

 please send me the tomcat5.5 software link,i traid but setup file is not
 visible there






Re: hi

2011-12-02 Thread srilaxmi deevela
where is the download option there, i didnt get that

On Fri, Dec 2, 2011 at 11:27 PM, Ilya Kazakevich 
ilya.kazakev...@jetbrains.com wrote:

 http://tomcat.apache.org/download-55.cgi


 Ilya Kazakevich,
 Developer
 JetBrains Inc
 http://www.jetbrains.com
 Develop with pleasure!

 -Original Message-
 From: srilaxmi deevela [mailto:deevelasrila...@gmail.com]
 Sent: Friday, December 02, 2011 9:56 PM
 To: users@tomcat.apache.org
 Subject: hi

 please send me the tomcat5.5 software link,i traid but setup file is not
 visible there






RE: hi

2011-12-02 Thread Ilya Kazakevich
Navigate to Windows Service Installer link and click it. 


Ilya Kazakevich,
Developer
JetBrains Inc
http://www.jetbrains.com
Develop with pleasure!

-Original Message-
From: srilaxmi deevela [mailto:deevelasrila...@gmail.com] 
Sent: Friday, December 02, 2011 10:00 PM
To: Tomcat Users List
Subject: Re: hi

where is the download option there, i didnt get that

On Fri, Dec 2, 2011 at 11:27 PM, Ilya Kazakevich 
ilya.kazakev...@jetbrains.com wrote:

 http://tomcat.apache.org/download-55.cgi


 Ilya Kazakevich,
 Developer
 JetBrains Inc
 http://www.jetbrains.com
 Develop with pleasure!

 -Original Message-
 From: srilaxmi deevela [mailto:deevelasrila...@gmail.com]
 Sent: Friday, December 02, 2011 9:56 PM
 To: users@tomcat.apache.org
 Subject: hi

 please send me the tomcat5.5 software link,i traid but setup file is not
 visible there





Re: hi

2011-12-02 Thread srilaxmi deevela
hi , am going to execute the web application based on structs,what are the
basic procedurefor deploy the web application


On Fri, Dec 2, 2011 at 11:30 PM, srilaxmi deevela deevelasrila...@gmail.com
 wrote:

 where is the download option there, i didnt get that

 On Fri, Dec 2, 2011 at 11:27 PM, Ilya Kazakevich 
 ilya.kazakev...@jetbrains.com wrote:

 http://tomcat.apache.org/download-55.cgi


 Ilya Kazakevich,
 Developer
 JetBrains Inc
 http://www.jetbrains.com
 Develop with pleasure!

 -Original Message-
 From: srilaxmi deevela [mailto:deevelasrila...@gmail.com]
 Sent: Friday, December 02, 2011 9:56 PM
 To: users@tomcat.apache.org
 Subject: hi

 please send me the tomcat5.5 software link,i traid but setup file is not
 visible there







hi

2011-12-02 Thread srilaxmi deevela
Hi,
iam going to install the tomcat5.5,but there is no setup file, how can i
install it?


Re: hi

2011-12-02 Thread srilaxmi deevela
tanq, i got it

On Fri, Dec 2, 2011 at 11:32 PM, Ilya Kazakevich 
ilya.kazakev...@jetbrains.com wrote:

 Navigate to Windows Service Installer link and click it.


 Ilya Kazakevich,
 Developer
 JetBrains Inc
 http://www.jetbrains.com
 Develop with pleasure!

 -Original Message-
 From: srilaxmi deevela [mailto:deevelasrila...@gmail.com]
 Sent: Friday, December 02, 2011 10:00 PM
 To: Tomcat Users List
 Subject: Re: hi

 where is the download option there, i didnt get that

 On Fri, Dec 2, 2011 at 11:27 PM, Ilya Kazakevich 
 ilya.kazakev...@jetbrains.com wrote:

  http://tomcat.apache.org/download-55.cgi
 
 
  Ilya Kazakevich,
  Developer
  JetBrains Inc
  http://www.jetbrains.com
  Develop with pleasure!
 
  -Original Message-
  From: srilaxmi deevela [mailto:deevelasrila...@gmail.com]
  Sent: Friday, December 02, 2011 9:56 PM
  To: users@tomcat.apache.org
  Subject: hi
 
  please send me the tomcat5.5 software link,i traid but setup file is not
  visible there
 
 




Re: Tomcat Logging and HTTP Header question

2011-12-02 Thread jmpaul012

Sorry I didn't mean to ask the questions as though this forum is my private
consulting firm.  I have done everything I could before I posted on this
forum.  I have searched google, experts exchange, asked coworkers, and asked
my previous Tomcat professor.  I will use your suggestions and I hope I can
figure this out.  Thanks!


Christopher Schultz-2 wrote:
 
 
 To whom it may concern,
 
 On 12/2/11 12:10 PM, jmpaul012 wrote:
 So I am doing Tomcat STIGS and I am stuck on two of the STIGs.
 
 1.  How do I change what tomcat logs?  I think it's something I
 need to do in server.xml but I'm not sure.
 
 What have you tried so far? This is a community mailing list, not a
 consulting agency. We're here to help, not to do things for you.
 
 This is what I need to log:
 
 • Date, Time • IP address of the host that initiated the request 
 • User ID supplied for HTTP authentication • HTTP Method • URL in
 the request • The protocol and protocol version used to make the
 request • Source and destination port numbers • Status codes for
 the response • Size of the response in bytes • HTTP Status and
 Referrer for the following events:
 
 That sounds a lot like an HTTP access log. Have you looked through the
 logging documentation for your version of Tomcat for how to do
 access logging?
 
 - Successful and unsuccessful attempts to access the web server
 software.
 
 Depends upon your definition of successful, attempt, and access.
 
 - Successful and unsuccessful attempts to access the web site.
 
 Ditto.
 
 - Successful and unsuccessful attempts to access the web
 application.
 
 Ditto.
 
 2. How do I view/change the HTTP header information of an
 intranet site that is using Tomcat?  I have to make sure the HTTP
 header does not show information about the web server which would
 include, web server product, version, or host operating system
 
 Generally speaking, it's nice to post different questions in separate
 threads. It's not a huge deal, but it makes following a conversation
 easier for others.
 
 Anyhow, you are looking for changing the Server response header,
 right? That's in the documentation as well, but it might not be the
 easiest thing to find. See below.
 
 Since you are looking at securing Tomcat, you might want to have a
 look at the Security Considerations section of the Tomcat User Guide:
 http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
 
 (Make sure you use the right version -- I chose TC 7 because you never
 told us what you were running).
 
 Hope that helps,
 - -chris
 
 
 

-- 
View this message in context: 
http://old.nabble.com/Tomcat-Logging-and-HTTP-Header-question-tp32892450p32904101.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
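
An added example, not from the thread or from the Tomcat project: a Python check that reads access-log lines and confirms each one carries every field on the list quoted above, then reports the denied requests. The AccessLogValve pattern, the sample lines and the choice of 401/403 as "unsuccessful" are assumptions made for this example; `%{remote}p` is only available in Tomcat versions whose AccessLogValve supports `%{xxx}p`.

```python
import re
from datetime import datetime

# Assumed AccessLogValve pattern for this example (not taken from the thread):
#   %t time, %a client IP, %u authenticated user, %m method, %U%q URL + query,
#   %H protocol, %{remote}p source port, %p destination port, %s status,
#   %b response bytes, %{Referer}i referrer header
PATTERN = '%t %a %u %m %U%q %H %{remote}p %p %s %b "%{Referer}i"'

# One named group per field the checklist asks for.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] '
    r'(?P<remote_ip>\S+) '
    r'(?P<user>\S+) '
    r'(?P<method>[A-Z]+) '
    r'(?P<url>\S+) '
    r'(?P<protocol>HTTP/\d\.\d) '
    r'(?P<src_port>\d+) '
    r'(?P<dst_port>\d+) '
    r'(?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)"$'
)

# Assumption: these status codes count as unsuccessful access attempts.
DENIED = {401, 403}

# Constructed sample lines. Line 4 is in the common log format, as written by
# a Valve that was never switched to the pattern above.
SAMPLE_LOG = """\
[02/Dec/2011:12:10:01 -0500] 10.1.2.3 jdoe GET /app/index.jsp HTTP/1.1 51234 8080 200 5120 "-"
[02/Dec/2011:12:10:04 -0500] 10.1.2.9 - GET /manager/html HTTP/1.1 40112 8080 401 - "-"
[02/Dec/2011:12:10:09 -0500] 10.1.2.9 asmith POST /app/admin/save?id=7 HTTP/1.1 40113 8080 403 961 "http://intranet.example/app/admin"
10.1.2.3 - - "GET /app/logo.png HTTP/1.1" 200 734
[02/Dec/2011:12:10:15 -0500] 10.1.2.3 jdoe GET /app/missing HTTP/1.1 51240 8080 404 1012 "-"
"""


def parse_line(line):
    """Return a dict of typed fields, or None if any required field is missing."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    try:
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # Tomcat writes "-" for an absent user, an empty body or a missing header.
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    rec["referer"] = None if rec["referer"] in ("", "-") else rec["referer"]
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    for key in ("src_port", "dst_port", "status"):
        rec[key] = int(rec[key])
    return rec


def audit(text):
    """Count complete lines, list incomplete ones, and collect denied requests."""
    report = {"parsed": 0, "malformed": [], "denied": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            report["malformed"].append(lineno)
            continue
        report["parsed"] += 1
        if rec["status"] in DENIED:
            report["denied"].append(
                (lineno, rec["remote_ip"], rec["user"],
                 rec["method"], rec["url"], rec["status"])
            )
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("complete lines:", result["parsed"])
    print("lines missing required fields:", result["malformed"])
    for event in result["denied"]:
        print("denied:", event)
```
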





Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya

 Christopher Schultz ch...@christopherschultz.net wrote: 
 
 Jim,
 
 On 12/2/11 11:26 AM, oh...@cox.net wrote:
  Sure. Here's the section from httpd.conf. This is testing where I 
  purposely insert a REMOTE_USER HTTP header into the request
  being proxied. As I said, I have a sniffer on the line, and I can
  see the REMOTE_USER header, but still, when I get to my test JSP
  hosted on the Tomcat, getUserPrincipal() is returning null (don't
  mind the hostname in the ProxyPass, etc. I just happen to be
  hosting Tomcat on that machine, and WebLogic is shutdown there).
 
 The problem is that AJP sends the authentication information as part
 of the AJP protocol, not as a request header. You are setting a
 request header which is not the mechanism AJP uses to transfer the userid.
 
 You might want to check to see if your SSO module works the way that
 other httpd modules expect -- like the other mod_auth_[xyz], for instance.
 
 See http://tomcat.apache.org/connectors-doc/reference/apache.html.
 Specifically, the JkRemoteUserIndicator directive which allows you to
 override the environment variable whose value will be used to
 send-over the username to Tomcat.
 
 I wouldn't think you'd have to do that (REMOTE_USER should already be
 set by your auth module and mod_proxy_jk should already be using
 that), but you might be able to force it for some testing.
 
 - -chris


Chris,

FYI, that link you posted give as 404 error.

To be clear, in the discussion before now, I was just using mod_ajp (built 
into/included with Apache), and NOT mod_jk.  

I'm now in the process of trying to switch my Apache conf to use mod_jk.  The 
reason is that I'm starting to get the feeling that the Apache 3rd party agent 
(it's Oracle's OAM webgate, which I haven't said till now, sorry) might not be 
setting things in the Apache environment that are needed for AJP.  I've been 
checking, and there's very little (= none) that I can do with trying to change 
the OAM webgate behavior, and if it's not setting whatever Apache/AJP needs, 
then I'm stuck, so I'm trying mod_jk, hoping that that'll give me some way to 
set what AJP needs.

Now that I'm doing that, I'm starting to remember how confusing (to me at 
least) configuring mod_jk is :) (vs. mod_ajp).

I just got the initial part of the re-configuration done.  I got the mod_jk.so 
(my test Apache is on Windows, BTW), and added the LoadModule.  I have the 
Apache pointed to a new simple workers.properties file, and the Apache comes 
up, but it doesn't seem to be proxing my test URLs to the Tomcat anymore 
(/samplesajp/*).

Here's what I added to my Apache httpd.conf:


# 2011-12-02 - ADDING MOD_JK
LoadModule jk_module modules/mod_jk.so
JkWorkersFile c:/Apache2.2/conf/workers.properties
 # some other configuration
 JkLogFile c:/Apache2.2/logs/jk.log
 JkLogLevel debug
 JkShmFile c:/Apache2.2/logs/jk.shm
 JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
 # forwarding URL prefixes to Tomcat instances
 JkMount /samplesajp/* tomcatA

 JkEnvVar REMOTE_USER


And, here's the workers.properties:


<IfModule mod_jk.c>
 # a list of Tomcat instances
 #JkWorkerProperty worker.list=tomcatA
 worker.list=tomcatA
 # connection properties to instance A on localhost
# JkWorkerProperty worker.tomcatA.type=ajp13
# JkWorkerProperty worker.tomcatA.host=weblogic1.whatever.com
# JkWorkerProperty worker.tomcatA.port=8009
worker.tomcatA.type=ajp13
worker.tomcatA.host=weblogic1.whatever.com
worker.tomcatA.port=8009

</IfModule>


And, here's what I'm seeing in jk.log when I try to access my test URL (via the 
Apache):


[Fri Dec 02 14:04:26.468 2011] [444:1724] [debug] jk_set_time_fmt::jk_util.c 
(459): Pre-processed log time stamp format is '[%a %b %d %H:%M:%S.000 %Y] '
[Fri Dec 02 14:04:26.468 2011] [444:1724] [debug] 
uri_worker_map_open::jk_uri_worker_map.c (770): rule map size is 1
[Fri Dec 02 14:04:26.468 2011] [444:1724] [debug] 
uri_worker_map_add::jk_uri_worker_map.c (720): wildchar rule 
'/samplesajp/*=tomcatA' source 'JkMount' was added
[Fri Dec 02 14:04:26.468 2011] [444:1724] [debug] 
uri_worker_map_dump::jk_uri_worker_map.c (171): uri map dump after map open: 
index=0 file='(null)' reject_unsafe=0 reload=60 modified=0 checked=0
[Fri Dec 02 14:04:26.468 2011] [444:1724] [debug] 
uri_worker_map_dump::jk_uri_worker_map.c (176): generation 0: size=0 nosize=0 
capacity=0
[Fri Dec 02 14:04:26.468 2011] [444:1724] [debug] 
uri_worker_map_dump::jk_uri_worker_map.c (176): generation 1: size=1 nosize=0 
capacity=4
[Fri Dec 02 14:04:26.468 2011] [444:1724] [debug] 
uri_worker_map_dump::jk_uri_worker_map.c (186): NEXT (1) map #0: 
uri=/samplesajp/* worker=tomcatA context=/samplesajp/* source=JkMount 
type=Wildchar len=13
[Fri Dec 02 14:04:26.468 2011] [444:1724] [debug] jk_set_time_fmt::jk_util.c 
(459): Pre-processed log time stamp format is '[%a %b %d %H:%M:%S.000 %Y] '
[Fri Dec 02 14:04:26.468 2011] [444:1724] [debug] init_jk::mod_jk.c (3179): 

Re: Tomcat 7 - New attribut aliases in the context configuration item

2011-12-02 Thread Sylvain Laurent
keep a watch on https://issues.apache.org/bugzilla/show_bug.cgi?id=51741 . When 
it is implemented, it should give you this functionality.


On 30 nov. 2011, at 14:58, Sylvain Goulmy wrote:

 
 So the effect is that multiple physical directories must be searched for
 a given resource?
 
 
 Correct.
 
 The alias maps a given path to an external directory.
 
 
 Ok, that's what i had understood.
 
 Can you give an example of how you would like it to work?
 
 
 Here is the description of the EDR (Extended Document Root) mecanism in
 Websphere :
 
 Let's assume i have the following application :
 
 - Webapps/
 - MyApplication/
 - images/
 - css/
 - META-INF/
 - WEB-INF/
 - index.html
 
 I can define an EDR directory in the configuration of my application so
 that the ressource i access are first retrieved from my application and
 then in the EDR directory if they don't exist in my application.
 
 - /.../.../.../.../EDR/
  - images/
  - index.html
 
 These directories are defined as extension of my application and another
 important thing is that i can also extend files which are at the root of my
 application (as index.html).
 
 After a few more test with Tomcat i understand that :
 
 - You cannot extend directory, if you define an external location which
 math an existing directory of your application, the ressources of your
 application become unreachable.
 
 - As the documentation say Using '/' as an aliasPath is not allowed., you
 cannot extend any ressource which is at the root of your application.
 
 Things seems clear for me now, please tell if i have missed something.
 
 Thank you in advance for your support.
 
 
 On Wed, Nov 30, 2011 at 11:53 AM, Pid p...@pidster.com wrote:
 
 On 29/11/2011 17:47, Sylvain Goulmy wrote:
 Hi all,
 
 I'd like to know it is possible to have equivalent functionality to the
 extended document root provided by the WebSphere product. This feature
 allows you to define a location outside the webapp to make contribution
 without having to redeploy the application. This mechanism first checks
 if
 the resource is present in the application and if not will look for it in
 the directory extension.
 
 So the effect is that multiple physical directories must be searched for
 a given resource?
 
 
 I thought that the functionality provided by the new attribute aliases
 for
 the configuration item context would have a similar behavior, but I see
 another operation. First of all it is not possible to set an alias on the
 context '/', making it necessary to declare all the directories in which
 you want to make the contribution. Also when I set an alias for a
 directory
 present in my webapp, it becomes a priority and files in my webapp are no
 longer available.
 
 Do I understand correctly how this new attribute aliases has to be used ?
 
 The alias maps a given path to an external directory.
 
 
 Is it possible with Tomcat 7 to set up a mechanism similar to the
 extended
 document root of Websphere?
 
 Can you give an example of how you would like it to work?
 
 
 p
 
 
 
 
 --
 
 [key:62590808]
 
 





hi

2011-12-02 Thread srilaxmi deevela
Hi,
i havesome doubts on web applications in java, is there any   websites like
users@tomcat.apache.org


hi

2011-12-02 Thread srilaxmi deevela
hi,
please anyone send me the structs 1.x version software link


Re: hi

2011-12-02 Thread André Warnier

srilaxmi deevela wrote:

Hi,
i havesome doubts on web applications in java, is there any   websites like
users@tomcat.apache.org


this is going to be a hard case..





RE: hi

2011-12-02 Thread Thom Hehl
Don't use it. Why build applications on a platform you have doubts
about? I think you should build all of your applications using snobol.
See http://en.wikipedia.org/wiki/SNOBOL for websites.

-Original Message-
From: srilaxmi deevela [mailto:deevelasrila...@gmail.com] 
Sent: Friday, December 02, 2011 2:14 PM
To: Tomcat Users List
Subject: hi

Hi,
i havesome doubts on web applications in java, is there any   websites
like
users@tomcat.apache.org




Re: hi

2011-12-02 Thread srilaxmi deevela
where is the link

On Sat, Dec 3, 2011 at 12:47 AM, André Warnier a...@ice-sa.com wrote:

 srilaxmi deevela wrote:

 Hi,
 i havesome doubts on web applications in java, is there any   websites
 like
 users@tomcat.apache.org

  this is going to be a hard case..







RE: hi

2011-12-02 Thread Caldarale, Charles R
 From: srilaxmi deevela [mailto:deevelasrila...@gmail.com] 
 Subject: hi

 please anyone send me the structs 1.x version software link

If you're going to program computers, you need to do your own homework.  (And 
at least learn how to spell struts.)  Perhaps you've heard of Google?

Before you do _anything_ else, read this:

http://www.catb.org/~esr/faqs/smart-questions.html

 - Chuck





Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya

 oh...@cox.net wrote: 
 
  Christopher Schultz ch...@christopherschultz.net wrote: 
  
  Jim,
  
  On 12/2/11 11:26 AM, oh...@cox.net wrote:
   Sure. Here's the section from httpd.conf. This is testing where I 
   purposely insert a REMOTE_USER HTTP header into the request
   being proxied. As I said, I have a sniffer on the line, and I can
   see the REMOTE_USER header, but still, when I get to my test JSP
   hosted on the Tomcat, getUserPrincipal() is returning null (don't
   mind the hostname in the ProxyPass, etc. I just happen to be
   hosting Tomcat on that machine, and WebLogic is shutdown there).
  
  The problem is that AJP sends the authentication information as part
  of the AJP protocol, not as a request header. You are setting a
  request header which is not the mechanism AJP uses to transfer the userid.
  
  You might want to check to see if your SSO module works the way that
  other httpd modules expect -- like the other mod_auth_[xyz], for instance.
  
  See http://tomcat.apache.org/connectors-doc/reference/apache.html.
  Specifically, the JkRemoteUserIndicator directive which allows you to
  override the environment variable whose value will be used to
  send-over the username to Tomcat.
  
  I wouldn't think you'd have to do that (REMOTE_USER should already be
  set by your auth module and mod_proxy_jk should already be using
  that), but you might be able to force it for some testing.
  
  - -chris
 
 
 Chris,
 
 FYI, that link you posted give as 404 error.
 
 To be clear, in the discussion before now, I was just using mod_ajp (built 
 into/included with Apache), and NOT mod_jk.  
 
 I'm now in the process of trying to switch my Apache conf to use mod_jk.  The 
 reason is that I'm starting to get the feeling that the Apache 3rd party 
 agent (it's Oracle's OAM webgate, which I haven't said till now, sorry) might 
 not be setting things in the Apache environment that are needed for AJP.  
 I've been checking, and there's very little (= none) that I can do with 
 trying to change the OAM webgate behavior, and if it's not setting whatever 
 Apache/AJP needs, then I'm stuck, so I'm trying mod_jk, hoping that that'll 
 give me some way to set what AJP needs.
 
 Now that I'm doing that, I'm starting to remember how confusing (to me at 
 least) configuring mod_jk is :) (vs. mod_ajp).
 
 I just got the initial part of the re-configuration done.  I got the 
 mod_jk.so (my test Apache is on Windows, BTW), and added the LoadModule.  I 
 have the Apache pointed to a new simple workers.properties file, and the 
 Apache comes up, but it doesn't seem to be proxing my test URLs to the Tomcat 
 anymore (/samplesajp/*).
 
 Here's what I added to my Apache httpd.conf:
 
 
 # 2011-12-02 - ADDING MOD_JK
 LoadModule jk_module modules/mod_jk.so
 JkWorkersFile c:/Apache2.2/conf/workers.properties
  # some other configuration
  JkLogFile c:/Apache2.2/logs/jk.log
  JkLogLevel debug
  JkShmFile c:/Apache2.2/logs/jk.shm
  JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
  # forwarding URL prefixes to Tomcat instances
  JkMount /samplesajp/* tomcatA
 
  JkEnvVar REMOTE_USER
 
 
 And, here's the workers.properties:
 
 
 <IfModule mod_jk.c>
  # a list of Tomcat instances
  #JkWorkerProperty worker.list=tomcatA
  worker.list=tomcatA
  # connection properties to instance A on localhost
 # JkWorkerProperty worker.tomcatA.type=ajp13
 # JkWorkerProperty worker.tomcatA.host=weblogic1.whatever.com
 # JkWorkerProperty worker.tomcatA.port=8009
 worker.tomcatA.type=ajp13
 worker.tomcatA.host=weblogic1.whatever.com
 worker.tomcatA.port=8009
 
 </IfModule>
 
 
 And, here's what I'm seeing in jk.log when I try to access my test URL (via 
 the Apache):
 

Hi,

I stripped the jk.log stuff (too long) above.

I've made some progress.  I have a VirtualHost, so I had to add a JkMountCopy 
'on' inside the VirtualHost, and now, it's at least proxying through to the 
Tomcat using mod_jk!!

BUT, it's still not logging me into the Tomcat :(...

I don't want to post the entire jk.log, so can someone point me to what to look 
for in there, maybe?

Thanks,
Jim




hi

2011-12-02 Thread srilaxmi deevela
i installed tomcat5.5 and jdk1.5
i want to deploy the structs appliction? i have one apllication,but i dont
know how to  run the application?


Re: Logging - including host name in log file?

2011-12-02 Thread Christopher Schultz

Jerry,

On 12/2/11 12:46 PM, Jerry Malcolm wrote:
 Ok, I'm digging into this.  Slowly but surely Just to
 confirm...
 
 So if I have, say 2 hosts, each with 3 web apps, and I want a
 different log file for each web app on each host, I need to define
 6 of the following:
 
 10host1webapp1.org.apache.juli.FileHandler.level = FINE
 10host1webapp1.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
 10host1webapp1.org.apache.juli.FileHandler.prefix = Host1App1.

Yes, although the format of the property base doesn't need to be that
complex. You could do this:

Host1App1.level=FINE
Host1App1.directory=...
Host1App1.prefix=Host1App1.

Tomcat has those odd property names so they will be unlikely to
conflict with anything you might want to define yourself.

The magic happens here, when you actually configure Tomcat's logger(s):

 
 And then define 6 of the following:
 
 org.apache.catalina.core.ContainerBase.[Catalina].[host1].[/webapp1].level = INFO
 org.apache.catalina.core.ContainerBase.[Catalina].[host1].[/webapp1].handlers = 10host1webapp1.org.apache.juli.FileHandler

You could instead do:

org.apache.catalina.core.ContainerBase.[Catalina].[host1].[/webapp1].handlers=Host1App1

 and I put all of this in /conf/logging.properties

Yes: this will tell Tomcat that, when your webapp uses
ServletContext.log(...) that the output should go to those loggers
listed in the handlers property for that particular webapp.

 All of this is required in order to get separate log files per
 webapp per host, right?

From ServletContext.log(..), yes.

Again, if your webapp is logging in some other way, then Tomcat's
configuration does not apply at all. It's fairly common for webapps to
use their own logging mechanism rather than logging to the servlet
container, so I wouldn't be surprised if you have more work to do.

- -chris
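
An added example, not code from the thread or from Tomcat: a small Python generator for the per-host, per-webapp JULI entries discussed above, using the numbered handler names from Jerry's message. The helper name `juli_properties` and the file-name prefix format are hypothetical; the `handlers =` line is not shown in the thread, and in a stock logging.properties the generated names are appended to the existing `handlers` list rather than replacing it.

```python
import re

HANDLER_CLASS = "org.apache.juli.FileHandler"
LOGGER_ROOT = "org.apache.catalina.core.ContainerBase"


def _token(text):
    """Keep only letters and digits so the value is safe inside a property name."""
    return re.sub(r"[^A-Za-z0-9]", "", text)


def juli_properties(apps, service="Catalina", first_index=10,
                    handler_level="FINE", logger_level="INFO"):
    """Build logging.properties text for a list of (host, context_path) pairs.

    Each pair gets its own FileHandler and a logger entry that routes
    ServletContext.log() output for that context to the handler.
    """
    names, handler_lines, logger_lines = [], [], []
    for index, (host, path) in enumerate(apps, start=first_index):
        if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
            raise ValueError("unexpected host name: %r" % host)
        if not re.fullmatch(r"/[^\s\[\]]+", path):
            raise ValueError("context path must look like /webapp1: %r" % path)

        # Numbered prefix + class name, e.g. 10host1webapp1.org.apache.juli.FileHandler
        name = "%d%s%s.%s" % (index, _token(host), _token(path), HANDLER_CLASS)
        names.append(name)

        handler_lines += [
            "%s.level = %s" % (name, handler_level),
            "%s.directory = ${catalina.base}/logs" % name,
            # Hypothetical log file prefix: <host>_<webapp>.
            "%s.prefix = %s_%s." % (name, _token(host), _token(path)),
            "",
        ]

        logger = "%s.[%s].[%s].[%s]" % (LOGGER_ROOT, service, host, path)
        logger_lines += [
            "%s.level = %s" % (logger, logger_level),
            "%s.handlers = %s" % (logger, name),
            "",
        ]

    lines = ["handlers = " + ", ".join(names), ""] + handler_lines + logger_lines
    return "\n".join(lines).rstrip("\n") + "\n"


# The case from the thread: 2 hosts, each with 3 web apps.
EXAMPLE_APPS = [
    (host, path)
    for host in ("host1", "host2")
    for path in ("/webapp1", "/webapp2", "/webapp3")
]

if __name__ == "__main__":
    print(juli_properties(EXAMPLE_APPS), end="")
```
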



Re: Tomcat 7 - New attribut aliases in the context configuration item

2011-12-02 Thread Christopher Schultz

Sylvain,

On 11/30/11 8:58 AM, Sylvain Goulmy wrote:
 These directories are defined as extension of my application and
 another important thing is that i can also extend files which are
 at the root of my application (as index.html).

What does it mean to extend an existing file? Replace it or do some
kind of horrendous merge?

 After a few more test with Tomcat i understand that :
 
 - You cannot extend directory, if you define an external location
 which math an existing directory of your application, the
 ressources of your application become unreachable.

That sounds about right.

 - As the documentation say Using '/' as an aliasPath is not
 allowed., you cannot extend any ressource which is at the root of
 your application.

Right: if you alias /, you are essentially deploying another webapp --
so you should just do that instead.

Tomcat's alias mechanism is intended for use in the case where you
have a bunch of static content in a separate directory and you just
want to be able to serve it through the same webapp without actually
deploying two separate contexts. That's why it works the way it does.

You might be able to build this capability yourself by writing your
own DirContext and specifying it with a <Resources> element within
your <Context> element. See
http://tomcat.apache.org/tomcat-7.0-doc/config/resources.html for details.

- -chris



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread André Warnier

oh...@cox.net wrote:
 Christopher Schultz ch...@christopherschultz.net wrote: 


Chris, you managed to confuse the guy..

...

To be clear, in the discussion before now, I was just using mod_ajp 


and that was a perfectly valid way to connect Apache to Tomcat.

...




I'm now in the process of trying to switch my Apache conf to use mod_jk.  


Aaaah. Why did you do that ?
Not that it is not /also/ a valid way to connect Apache to Tomcat, but both are pretty 
much equivalent, and now you're starting a whole new bag of possible complications.



The reason is that I'm starting to get the feeling that the Apache 3rd party agent
(it's Oracle's OAM webgate, which I haven't said till now, sorry) might not be setting
things in the Apache environment that are needed for AJP.

Well, in that case it won't be doing it for mod_jk either, because mod_jk and 
mod_proxy_ajp use exactly the same protocol (AJP) to talk to Tomcat.  That's because they 
are both talking to the same Connector protocol=AJP in Tomcat, so of course they have 
to speak the same dialect.


I hope you saved your prior configuration..


...
skipping a whole big chunk
...




Shouldn't the one JkMount /samplesajp/* that I have be enough to proxy 
through the mod_jk?


Yes it should, if used in the right place.
But maybe you are using VirtualHost sections, in which case the JkMount directive might 
not be in the right place.




Also, why is it appearing to try to process the /oam/... URIs?


That is because, to Apache, mod_jk is a content handler or response handler.
Apache doesn't know that Tomcat even exists.
When Apache gets a request, it processes it in a series of steps, of which the response 
generation is one of the last.
Apache will pass the request to all registered response-generating modules which are 
(potentially) applicable for this request, one after the other.

Each such module gets a chance to look at the request and decide if it is for 
him or not.
If it decides not, then it returns a declined response to Apache, and Apache passes the 
request to the next response-generating module in the chain.
The first response-generator in the chain which decides hey, this is for me, generates 
the appropriate response, and returns an ok response to Apache.
Then Apache knows that the response was generated, and that it does not need to call the 
next module in the chain anymore.


mod_jk is such a response handler, so it gets /every/ request that Apache processes, and 
it can decide if it wants to take it or not.
It does this by examining the URI, and deciding if it matches one of the entries in its 
URI mapping table (the one it built from the JkMount directives).

That's what you see in the log.
If it decides that the URI does not match (as in the case of that /oam/ URI), it 
immediately returns a declined response to Apache, and Apache will call the next 
possible response handler.
If it decides that it does match one of the entries in its table, then mod_jk will 
generate the response for that request (and let Apache know later that it did).


But mod_jk is a cheat.
It does not really generate a response itself. Behind the scenes (and unknown to Apache), 
it slily passes the request to the back-end Tomcat (via AJP), and lets Tomcat do the work.
And when Tomcat sends back a response, mod_jk presents it to Apache as if it has produced 
it all by itself, and Apache is none the wiser.


Now since I have berated poor mod_jk, I should mention that any other proxy module (like 
mod_proxy_http or mod_proxy_ajp) does exactly the same.
They get to have a peek at any Apache request (at least any that falls into their scope, 
be that the whole VirtualHost or just a Location), and they decide if they want to 
handle it or not.
(This is a difference between Apache and Tomcat : in Tomcat, it is Tomcat which does the 
work of matching a request to a webapp; in Apache, it is the modules who do that work).



So now that this is out of the way, let's get back to the core of the issue.
You wanted to pass the Apache authenticated user-id to Tomcat, right ?

And we have not yet established, but pretty much guessed, that this should happen via a 
request attribute within the AJP protocol exchange between Apache (via mod_proxy_ajp OR 
mod_jk) and Tomcat, said request attribute being very likely to be the one named 
remote_user (lowercase). (And if not, one would be allowed to wonder what this AJP 
request attribute might be for).


And Apache has a different terminology, and what AJP and Tomcat call request attributes, 
Apache seems to name server variables or environment variables, depending on where you 
look.


And in any case, as you have yourself established, it seems that Tomcat is pretty much 
ignoring the HTTP header REMOTE_USER that you have set, at least for any purpose of 
authentication.


So the whole point is, how do you set this Apache server or environment variable within 
Apache, before the request gets proxied to Tomcat ?
And how do 

RE: Casting a Connection as an OracleConnection in Tomcat 7

2011-12-02 Thread Jason Perrone
So, I can't cast the connection Tomcat returns as a DelegatingConnection.  
DelegatingConnection is from Commons DBCP and this connection is 
org.apache.tomcat.dbcp.dbcp.PoolableConnection.  I do not want to reference any 
Tomcat libraries directly because our product is container agnostic.  Any 
suggestions would be greatly appreciated.

Thank you.


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, November 29, 2011 5:08 PM
To: Tomcat Users List
Subject: Re: Casting a Connection as an OracleConnection in Tomcat 7


Jason,

On 11/29/11 2:34 PM, Jason Perrone wrote:
 Has anyone yet figured out how to cast the PoolableConnection that 
 Tomcat 7 now returns when you get a Connection from a DataSource as an 
 OracleConnection?

If you are using the standard pool (which uses DBCP under the hood), I think 
you can use getInnermostDelegate after casting to DelegatingConnection. That 
thing that gets returned should be an OracleConnection.

You also might need to set accessToUnderlyingConnectionAllowed on the 
DataSource in order to actually call getInnermostDelegate. See the DBCP 
configuration page and look for that setting for more info.

As always, remember to close the connection you got from the DataSource, not 
the inner delegate, or you will be toast.

 In Tomcat 6 the connection was returned as T4CConnection and had no 
 problem being cast as an OracleConnection. Now, I just can't figure it 
 out. Tried using the Commons DBCP package to get native JDBC 
 connections, and every other thing I found by Googling it.

What did you actually try? What is the runtime type of the Connection object 
returned from DataSource.getConnection? For me, it's BasicDataSource.

- -chris



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread Christopher Schultz

Jim,

On 12/2/11 2:08 PM, oh...@cox.net wrote:
  Christopher Schultz ch...@christopherschultz.net wrote:
 
 See
 http://tomcat.apache.org/connectors-doc/reference/apache.html. 
 Specifically, the JkRemoteUserIndicator directive which allows
 you to override the environment variable whose value will be used
 to send-over the username to Tomcat.
 
 FYI, that link you posted gives a 404 error.

WFM... ??!

 To be clear, in the discussion before now, I was just using
 mod_ajp (built into/included with Apache), and NOT mod_jk.

That's mod_proxy_ajp, but I understand. I believe they both provide
that capability, but I'm not sure... the documentation for
mod_proxy_ajp is sorely lacking.

 I'm now in the process of trying to switch my Apache conf to use 
 mod_jk. The reason is that I'm starting to get the feeling that
 the Apache 3rd party agent (it's Oracle's OAM webgate, which I
 haven't said till now, sorry) might not be setting things in the
 Apache environment that are needed for AJP. I've been checking, and
 there's very little (= none) that I can do with trying to change
 the OAM webgate behavior, and if it's not setting whatever
 Apache/AJP needs, then I'm stuck, so I'm trying mod_jk, hoping that
 that'll give me some way to set what AJP needs.

mod_jk definitely has a lot more capabilities than mod_proxy_ajp. I
have only ever used mod_jk for historical reasons (project predates
mod_proxy_ajp) and because we can't do certain things with
mod_proxy_ajp and actually require mod_jk at this point.

Fortunately, mod_jk isn't tough to configure -- though mod_proxy_ajp can
do a lot with two simple directives :)

 # 2011-12-02 - ADDING MOD_JK
 LoadModule jk_module modules/mod_jk.so
 JkWorkersFile c:/Apache2.2/conf/workers.properties
 # some other configuration
 JkLogFile c:/Apache2.2/logs/jk.log
 JkLogLevel debug
 JkShmFile c:/Apache2.2/logs/jk.shm
 JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
 # forwarding URL prefixes to Tomcat instances
 JkMount /samplesajp/* tomcatA

Do you have any VirtualHosts? If so, the JkMounts at the top-level
won't be copied-into the VirtualHosts unless you use another special
directive: JkMountCopy.

 JkEnvVar REMOTE_USER

This will put the REMOTE_USER environment variable (on the httpd side)
into the request /attributes/ on the Tomcat side.

 And, here's the workers.properties:
 
 
 IfModule mod_jk.c

^^ That's not appropriate in workers.properties. If mod_jk isn't
loaded, this file won't be loaded, either.

 # a list of Tomcat instances
 #JkWorkerProperty worker.list=tomcatA
 worker.list=tomcatA
 # connection properties to instance A on localhost
 # JkWorkerProperty worker.tomcatA.type=ajp13
 # JkWorkerProperty worker.tomcatA.host=weblogic1.whatever.com
 # JkWorkerProperty worker.tomcatA.port=8009
 worker.tomcatA.type=ajp13
 worker.tomcatA.host=weblogic1.whatever.com
 worker.tomcatA.port=8009

All that looks just fine to me.

 And, here's what I'm seeing in jk.log when I try to access my test
 URL (via the Apache): [...]
 [Fri Dec 02 14:04:50.022 2011] [744:560] [debug] jk_translate::mod_jk.c (3488): missing uri map for apache1.whatever.com:/samplesajp/ssoAMTomcatTest.jsp
 [Fri Dec 02 14:04:50.022 2011] [744:560] [debug] jk_map_to_storage::mod_jk.c (3647): missing uri map for apache1.whatever.com:/samplesajp/ssoAMTomcatTest.jsp

That certainly looks like you don't have any JkMounts in your
VirtualHost. Try using JkMountCopy (if you want to be lazy) or move
your JkMount directives into the VirtualHost that you are using.

 Shouldn't the one JkMount /samplesajp/* that I have be enough to
 proxy through the mod_jk?
 
 Also, why is it appearing to try to process the /oam/... URIs?

mod_jk has to consider all URIs to determine if it's going to forward
them. In that case, it wouldn't have forwarded to Tomcat because it
wouldn't have matched any JkMount directive.

- -chris



Re: hi

2011-12-02 Thread Rhino


 There's an amazing new tool, just released to the world, that will 
help you out. It's called a search engine. One very exciting search 
engine is Google. Those of us who have used it like to say Google is 
your friend because we use it to look for things that we want to know.


May I suggest you explore Google? The URL is http://google.com.

--
Rhino

On 2011-12-02 14:21, srilaxmi deevela wrote:

where is the link

On Sat, Dec 3, 2011 at 12:47 AM, André Warnier a...@ice-sa.com wrote:


srilaxmi deevela wrote:


Hi,
i have some doubts on web applications in java, is there any websites
like
users@tomcat.apache.org

  this is going to be a hard case..






Re: Casting a Connection as an OracleConnection in Tomcat 7

2011-12-02 Thread Christopher Schultz

Jason,

On 12/2/11 3:23 PM, Jason Perrone wrote:
 So, I can't cast the connection Tomcat returns as a 
 DelegatingConnection.  DelegatingConnection is from Commons DBCP
 and this connection is
 org.apache.tomcat.dbcp.dbcp.PoolableConnection.  I do not want to
 reference any Tomcat libraries directly because our product is
 container agnostic.  Any suggestions would be greatly appreciated.

Two thoughts:

1. Use reflection ;)

2. Stop trying to cast to OracleConnection

What do you need OracleConnection for, anyway?

- -chris



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread André Warnier

oh...@cox.net wrote:

.. re-synchronising..


I've made some progress.  I have a VirtualHost, so I had to add a JkMountCopy 'on' 
inside the VirtualHost, and now, it's at least proxying through to the Tomcat using 
mod_jk!!

BUT, it's still not logging me into the Tomcat :(...

I don't want to post the entire jk.log, so can someone point me to what to look 
for in there, maybe?



Ok, so let's now continue on the mod_jk track, since you've got that part 
running.

What you are looking for, is an AJP request attribute named remote_user (lowercase), 
in the packets which mod_jk sends to Tomcat.
I don't know if that would be in the log, nor if there is any way to coerce mod_jk into 
putting it in the log.


But since your Tomcat is not authenticating, chances are that it isn't there.

So let's try to cheat, and force it to be there.
In your Apache configuration, add this line :

JkEnvVar remote_user blablabla

and let's see what happens.


(and after that, we'll try mod_rewrite or a combination)




RE: Casting a Connection as an OracleConnection in Tomcat 7

2011-12-02 Thread Jason Perrone
I might be able to do it as an SQL statement instead of using this driver 
method... 


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, December 02, 2011 3:29 PM
To: Tomcat Users List
Subject: Re: Casting a Connection as an OracleConnection in Tomcat 7


Jason,

On 12/2/11 3:23 PM, Jason Perrone wrote:
 So, I can't cast the connection Tomcat returns as a 
 DelegatingConnection.  DelegatingConnection is from Commons DBCP and 
 this connection is org.apache.tomcat.dbcp.dbcp.PoolableConnection.  I 
 do not want to reference any Tomcat libraries directly because our 
 product is container agnostic.  Any suggestions would be greatly 
 appreciated.

Two thoughts:

1. Use reflection ;)

2. Stop trying to cast to OracleConnection

What do you need OracleConnection for, anyway?

- -chris



RE: Casting a Connection as an OracleConnection in Tomcat 7

2011-12-02 Thread Jason Perrone
Bingo.

Yep, screw casting as an Oracle connection.  Just do this:

session.beginTransaction();
PreparedStatement st = session.connection().prepareStatement(
        "alter session set TIME_ZONE='" + timeZone.getID() + "'");
st.execute();
session.connection().commit();
st.close();

Thanks Christopher, for getting me to think outside the box :)



-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, December 02, 2011 3:29 PM
To: Tomcat Users List
Subject: Re: Casting a Connection as an OracleConnection in Tomcat 7


Jason,

On 12/2/11 3:23 PM, Jason Perrone wrote:
 So, I can't cast the connection Tomcat returns as a 
 DelegatingConnection.  DelegatingConnection is from Commons DBCP and 
 this connection is org.apache.tomcat.dbcp.dbcp.PoolableConnection.  I 
 do not want to reference any Tomcat libraries directly because our 
 product is container agnostic.  Any suggestions would be greatly 
 appreciated.

Two thoughts:

1. Use reflection ;)

2. Stop trying to cast to OracleConnection

What do you need OracleConnection for, anyway?

- -chris



Re: hi

2011-12-02 Thread André Warnier

srilaxmi deevela wrote:

i installed tomcat5.5 and jdk1.5


Ok, that was good practice.
Now remove them both, and install java 1.7 and Tomcat 7.0, which are the 
current versions.

i want to deploy the structs application?


The real name is probably Struts, right ?

i have one application, but i don't know how to run the application?



Then maybe start here : http://www.lmgtfy.com/?q=struts+tutorial





Re: Casting a Connection as an OracleConnection in Tomcat 7

2011-12-02 Thread Christopher Schultz

Jason,

On 12/2/11 3:54 PM, Jason Perrone wrote:
 Yep, screw casting as an Oracle connection.

That would be my recommendation. People used to cast to
OracleConnection because JDBC didn't have support for LOB types way
back in the day. Some old online HOWTO must have been the meeting
place for Google searchers to discover that great hint to make your
life into a living hell by using underlying connections when it's not
necessary.

 Just do this:
 
 session.beginTransaction();
 PreparedStatement st = session.connection().prepareStatement(
         "alter session set TIME_ZONE='" + timeZone.getID() + "'");

If you're going to use a PreparedStatement, you may as well actually
use the parametric replacement that it offers. :)

 Thanks Christopher, for getting me to think outside the box :)

I just think inside a different box.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
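
The concatenation point raised in the message above, as an added example (not code from the thread): it assumes that Oracle rejects a bind placeholder in ALTER SESSION, as it does for DDL and session-control statements, so the defensive equivalent of parametric replacement here is to validate the zone ID before it reaches the SQL text. The class and method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.SimpleTimeZone;
import java.util.TimeZone;
import java.util.regex.Pattern;

/** Added illustration; class and method names are hypothetical. */
public class SessionTimeZone {

    // Region names the JDK itself knows ("Europe/Paris", "GMT", ...).
    private static final Set<String> KNOWN_IDS =
            new HashSet<String>(Arrays.asList(TimeZone.getAvailableIDs()));

    // Second check: only characters that cannot end a quoted SQL literal.
    private static final Pattern SAFE_CHARS = Pattern.compile("[A-Za-z0-9_+/-]{1,64}");

    /**
     * Builds the statement text, or throws if the ID is not a known zone name.
     * Assumption: ALTER SESSION takes no bind variable, so the value has to be
     * part of the SQL string and must be checked first.
     */
    static String alterSessionSql(TimeZone tz) {
        String id = tz.getID();
        if (!KNOWN_IDS.contains(id) || !SAFE_CHARS.matcher(id).matches()) {
            throw new IllegalArgumentException("unsupported time zone id");
        }
        // The database may still reject a JDK name it does not know; that is
        // an ordinary SQLException, not an injection.
        return "ALTER SESSION SET TIME_ZONE = '" + id + "'";
    }

    /** Runs the statement on a pooled connection; no driver-specific cast needed. */
    static void apply(Connection con, TimeZone tz) throws SQLException {
        String sql = alterSessionSql(tz);   // validate before touching the connection
        Statement st = con.createStatement();
        try {
            st.execute(sql);
        } finally {
            st.close();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs. TimeZone.getTimeZone() falls back to the GMT zone
        // for names it does not understand, but a SimpleTimeZone (or any
        // TimeZone subclass) can carry an arbitrary string as its ID.
        TimeZone ok = TimeZone.getTimeZone("Europe/Paris");
        TimeZone fallback = TimeZone.getTimeZone("no-such-zone");
        TimeZone crafted = new SimpleTimeZone(0, "UTC' X='y");

        System.out.println(alterSessionSql(ok));
        System.out.println(alterSessionSql(fallback));
        try {
            alterSessionSql(crafted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For statements that do accept bind variables (ordinary SELECT, INSERT, UPDATE, DELETE), `?` placeholders with `setString` remain the right tool.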



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya

 André Warnier a...@ice-sa.com wrote: 
 oh...@cox.net wrote:
 
 .. re-synchronising..
  
  I've made some progress.  I have a VirtualHost, so I had to add a 
  JkMountCopy 'on' inside the VirtualHost, and now, it's at least 
  proxying through to the Tomcat using mod_jk!!
  
  BUT, it's still not logging me into the Tomcat :(...
  
  I don't want to post the entire jk.log, so can someone point me to what to 
  look for in there, maybe?
  
 
 Ok, so let's now continue on the mod_jk track, since you've got that part 
 running.
 
 What you are looking for, is an AJP request attribute named remote_user 
 (lowercase), 
 in the packets which mod_jk sends to Tomcat.
 I don't know if that would be in the log, nor if there is any way to coerce 
 mod_jk into 
 putting it in the log.
 
 But since your Tomcat is not authenticating, chances are that it isn't there.
 
 So let's try to cheat, and force it to be there.
 In your Apache configuration, add this line :
 
 JkEnvVar remote_user blablabla
 
 and let's see what happens.
 
 
 (and after that, we'll try mod_rewrite or a combination)



Andre,

I had already tried including a JkEnvVar as you suggested in my httpd.conf, 
in order to try to hard-code getting SOMETHING  to show up, but no joy :(...

I've also tried a bunch of other variants:

JkEnvVar  REMOTE_USER

also:

JkEnvVar remote_user foobar

also:

JkEnvVar AJP_REMOTE_USER foobar

Nothing works :(...

This is really getting discouraging :(.  It almost seems to me like that 
'tomcatAuthentication' functionality doesn't even exist at all.

I've searched the jk.log for multiple things, attr, remo, etc., and find 
nothing relevant/significant at all in there...

Thanks,
Jim




Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread André Warnier

oh...@cox.net wrote:
 André Warnier a...@ice-sa.com wrote: 

oh...@cox.net wrote:

.. re-synchronising..

I've made some progress.  I have a VirtualHost, so I had to add a JkMountCopy 'on' 
inside the VirtualHost, and now, it's at least proxying through to the Tomcat using 
mod_jk!!

BUT, it's still not logging me into the Tomcat :(...

I don't want to post the entire jk.log, so can someone point me to what to look 
for in there, maybe?


Ok, so let's now continue on the mod_jk track, since you've got that part 
running.

What you are looking for, is an AJP request attribute named remote_user (lowercase), 
in the packets which mod_jk sends to Tomcat.
I don't know if that would be in the log, nor if there is any way to coerce mod_jk into 
putting it in the log.


But since your Tomcat is not authenticating, chances are that it isn't there.

So let's try to cheat, and force it to be there.
In your Apache configuration, add this line :

JkEnvVar remote_user blablabla

and let's see what happens.


(and after that, we'll try mod_rewrite or a combination)




Andre,

I had already tried including a JkEnvVar as you suggested in my httpd.conf, 
in order to try to hard-code getting SOMETHING  to show up, but no joy :(...

I've also tried a bunch of other variants:

JkEnvVar  REMOTE_USER

also:

JkEnvVar remote_user foobar

also:

JkEnvVar AJP_REMOTE_USER foobar

Nothing works :(...

This is really getting discouraging :(.  It almost seems to me like that 
'tomcatAuthentication' functionality doesn't even exist at all.

I've searched the jk.log for multiple things, attr, remo, etc., and find 
nothing relevant/significant at all in there...



Do not get discouraged.  I can guarantee that the tomcatAuthentication=false works, when 
the Apache front-end really does authenticate the user.  I use this all the time.

(Just not with the same SSO mechanism as you).

I also know that JkEnvVar does work in general for setting request attributes at the 
Apache level, and have them passed to Tomcat by mod_jk, because I also use that regularly.

(And there exists a similar functionality in mod_proxy_ajp).

What may not work in the trials above, is that specifically this remote_user request 
attribute may be overwritten by mod_jk or mod_proxy_ajp, even when you have set it 
explicitly in Apache.


After all, this feature is designed to do one thing : examine the request record of 
Apache for an authenticated user-id, and if one is set, pass it along to Tomcat over the 
AJP channel.  If mod_jk/mod_proxy_ajp do not find such a user-id in the request record, 
they may just /clear/ the remote_user attribute, thus voiding our attempts at cheating.


To verify this is relatively simple.
Create the following Location section in Apache :

<Location /sampleajp>
  AuthType Basic
  AuthName toTomcat
  AuthUserFile /some-path/passwords
  Require user testuser
  SetHandler jakarta-servlet
  # tomcatA, or whatever name your worker has
  SetEnv JK_WORKER_NAME tomcatA
</Location>

Note: the SetHandler and SetEnv lines above, in that Location, are equivalent 
to saying :
  JkMount /sampleajp/* tomcatA

Then follow the instructions here to create the password file and the user 
testuser in it :
http://httpd.apache.org/docs/2.2/howto/auth.html
section : Getting it working

If you try to access such a URL /sampleajp/*, the browser will pop up a basic auth dialog 
and force you to login.
This will result in the request being duly authenticated for Apache, which /will/ result 
in the Apache user-id being passed to Tomcat.


Then, once you have verified (in Tomcat) that it is so, have another look at the mod_jk 
logfile, to see if then you spot the attribute being passed.

(You will know that it is passed, but it may still not show up in the logs).

If all of that works, then we know that in order for your scheme to work, you must somehow 
force the user-id obtained by your SSO system, to be also set in the Apache request 
record.  Which should be a solvable problem.


And if not, then you still have your Valve..

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
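
One way to do the "verify in Tomcat" step from the message above, as an added example (not code from the thread): a small servlet that reports which identity the container received over AJP. The class name and its web.xml mapping inside the forwarded webapp are hypothetical, and it assumes the AJP Connector is configured with tomcatAuthentication="false" as discussed.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added illustration. Hypothetical class: map it in web.xml (for example to
 * /whoami) inside the webapp that mod_jk forwards to, and remove it after testing.
 */
public class WhoAmIServlet extends HttpServlet {

    // Attribute names that were tried in the thread via JkEnvVar.
    private static final String[] JK_ENV_VARS = {
        "REMOTE_USER", "remote_user", "AJP_REMOTE_USER"
    };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Plain text, so reflected values are never interpreted as markup.
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // What the container itself treats as the authenticated identity.
        // With tomcatAuthentication="false" this is expected to be the user
        // that httpd authenticated and passed along over AJP.
        Principal p = req.getUserPrincipal();
        out.println("getRemoteUser()    = " + clean(req.getRemoteUser()));
        out.println("getUserPrincipal() = " + clean(p == null ? null : p.getName()));
        out.println("getAuthType()      = " + clean(req.getAuthType()));

        // JkEnvVar values arrive as request attributes. Look them up by name:
        // the mod_jk reference notes they are not listed by getAttributeNames().
        for (String name : JK_ENV_VARS) {
            Object v = req.getAttribute(name);
            out.println("attribute " + name + " = "
                    + clean(v == null ? null : v.toString()));
        }

        // An HTTP header called REMOTE_USER is ordinary client-supplied data.
        // It is shown only for comparison; as the thread found, Tomcat does
        // not authenticate from it, and application code should not either.
        out.println("header REMOTE_USER = " + clean(req.getHeader("REMOTE_USER")));
    }

    /** Keeps the report readable: no control characters, bounded length. */
    private static String clean(String s) {
        if (s == null) {
            return "(none)";
        }
        String t = s.replaceAll("\\p{Cntrl}", "?");
        return t.length() > 128 ? t.substring(0, 128) + "..." : t;
    }
}
```

If `getRemoteUser()` shows the Basic-auth test user while the JkEnvVar attributes stay empty, the identity is travelling in the AJP request itself rather than in an attribute.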



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya

 André Warnier a...@ice-sa.com wrote: 
 oh...@cox.net wrote:
   André Warnier a...@ice-sa.com wrote: 
  oh...@cox.net wrote:
 
  .. re-synchronising..
  I've made some progress.  I have a VirtualHost, so I had to add a 
  JkMountCopy 'on' inside the VirtualHost, and now, it's at least 
  proxying through to the Tomcat using mod_jk!!
 
  BUT, it's still not logging me into the Tomcat :(...
 
  I don't want to post the entire jk.log, so can someone point me to what 
  to look for in there, maybe?
 
  Ok, so let's now continue on the mod_jk track, since you've got that part 
  running.
 
  What you are looking for, is an AJP request attribute named 
  remote_user (lowercase), 
  in the packets which mod_jk sends to Tomcat.
  I don't know if that would be in the log, nor if there is any way to 
  coerce mod_jk into 
  putting it in the log.
 
  But since your Tomcat is not authenticating, chances are that it isn't 
  there.
 
  So let's try to cheat, and force it to be there.
  In your Apache configuration, add this line :
 
  JkEnvVar remote_user blablabla
 
  and let's see what happens.
 
 
  (and after that, we'll try mod_rewrite or a combination)
 
  
  
  Andre,
  
  I had already tried including a JkEnvVar as you suggested in my 
  httpd.conf, in order to try to hard-code getting SOMETHING  to show up, but 
  no joy :(...
  
  I've also tried a bunch of other variants:
  
  JkEnvVar  REMOTE_USER
  
  also:
  
  JkEnvVar remote_user foobar
  
  also:
  
  JkEnvVar AJP_REMOTE_USER foobar
  
  Nothing works :(...
  
  This is really getting discouraging :(.  It almost seems to me like that 
  'tomcatAuthentication' functionality doesn't even exist at all.
  
  I've searched the jk.log for multiple things, attr, remo, etc., and 
  find nothing relevant/significant at all in there...
  
 
 Do not get discouraged.  I can guarantee that the 
 tomcatAuthentication=false works, when 
 the Apache front-end really does authenticate the user.  I use this all the 
 time.
 (Just not with the same SSO mechanism as you).
 
 I also know that JkEnvVar does work in general for setting request 
 attributes at the 
 Apache level, and have them passed to Tomcat by mod_jk, because I also use 
 that regularly.
 (And there exists a similar functionality in mod_proxy_ajp).
 
 What may not work in the trials above, is that specifically this 
 remote_user request 
 attribute may be overwritten by mod_jk or mod_proxy_ajp, even when you have 
 set it 
 explicitly in Apache.
 
 After all, this feature is designed to do one thing : examine the request 
 record of 
 Apache for an authenticated user-id, and if one is set, pass it along to 
 Tomcat over the 
 AJP channel.  If mod_jk/mod_proxy_ajp do not find such a user-id in the 
 request record, 
 they may just /clear/ the remote_user attribute, thus voiding our attempts at 
 cheating.
 
 To verify this is relatively simple.
 Create the following Location section in Apache :
 
 <Location /sampleajp>
   AuthType Basic
   AuthName toTomcat
   AuthUserFile /some-path/passwords
   Require user testuser
   SetHandler jakarta-servlet
   # tomcatA, or whatever name your worker has
   SetEnv JK_WORKER_NAME tomcatA
 </Location>
 
 Note: the SetHandler and SetEnv lines above, in that Location, are 
 equivalent to saying :
JkMount /sampleajp/* tomcatA
 
 Then follow the instructions here to create the password file and the user 
 testuser in it :
 http://httpd.apache.org/docs/2.2/howto/auth.html
 section : Getting it working
 
 If you try to access such a URL /sampleajp/*, the browser will pop up a 
 basic auth dialog 
 and force you to login.
 This will result in the request being duly authenticated for Apache, which 
 /will/ result 
 in the Apache user-id being passed to Tomcat.
 
 Then, once you have verified (in Tomcat) that it is so, have another look at 
 the mod_jk 
 logfile, to see if then you spot the attribute being passed.
 (You will know that it is passed, but it may still not show up in the logs).
 
 If all of that works, then we know that in order for your scheme to work, you 
 must somehow 
 force the user-id obtained by your SSO system, to be also set in the Apache 
 request 
 record.  Which should be a solvable problem.
 
 And if not, then you still have your Valve..
 


Andre,

I haven't tried your full suggestion yet, but I removed all of the OAM SSO 
stuff out of my Apache httpd.conf, just to see what happens, but even after 
that, still am not getting logged into Tomcat, so it may be as you suggest, 
that mod_jk tries to get the userid from somewhere deep inside of Apache.

So, I will try adding what you suggested, to get authenticated with just the 
Apache, and then see what happens, and will post back.  If that works, we can 
go from there.

Thanks for following up with this!

Jim




Re: hi

2011-12-02 Thread Pid
On 02/12/2011 18:03, srilaxmi deevela wrote:
 hi, am going to execute the web application based on structs, what are the
 basic procedure for deploy the web application


Is this for a homework assignment?


p


 On Fri, Dec 2, 2011 at 11:30 PM, srilaxmi deevela deevelasrila...@gmail.com
 wrote:
 
 where is the download option there, i didnt get that

 On Fri, Dec 2, 2011 at 11:27 PM, Ilya Kazakevich 
 ilya.kazakev...@jetbrains.com wrote:

 http://tomcat.apache.org/download-55.cgi


 Ilya Kazakevich,
 Developer
 JetBrains Inc
 http://www.jetbrains.com
 Develop with pleasure!

 -Original Message-
 From: srilaxmi deevela [mailto:deevelasrila...@gmail.com]
 Sent: Friday, December 02, 2011 9:56 PM
 To: users@tomcat.apache.org
 Subject: hi

 please send me the tomcat5.5 software link, i tried but setup file is not
 visible there





 




Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5

2011-12-02 Thread Pid
On 02/12/2011 16:58, Christopher Schultz wrote:
 Moshood,
 
 On 12/2/11 3:56 AM, moshood oladapo wrote:
 <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
 SSLEngine="on"
 
 That's the second message today from someone trying to use
 SSLEngine=on in their Connector.
 
 Is the documentation for Connector not clear enough?
 http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
 
 Search for SSLEngine. Can't find it? Because it's not the right
 attribute to use. Please read the documentation and configure the
 Connector properly.

Typo in some random blog somewhere maybe?  Hmm...


p





Re: Tomcat Logging and HTTP Header question

2011-12-02 Thread Pid
On 02/12/2011 18:12, jmpaul012 wrote:
 
 Sorry I didn't mean to ask the questions as though this forum is my private
 consulting firm.  I have done everything I could before I posted on this
 forum.  I have searched google, experts exchange, asked coworkers, and asked
 my previous Tomcat professor.  I will use your suggestions and I hope I can
 figure this out.  Thanks!

There are Tomcat professors?


p

 Christopher Schultz-2 wrote:

 To whom it may concern,
 
 On 12/2/11 12:10 PM, jmpaul012 wrote:
 So I am doing Tomcat STIGS and I am stuck on two of the STIGs.

 1.  How do I change what tomcat logs?  I think it's something I
 need to do in server.xml but I'm not sure.
 
 What have you tried so far? This is a community mailing list, not a
 consulting agency. We're here to help, not to do things for you.
 
 This is what I need to log:

 • Date, Time
 • IP address of the host that initiated the request
 • User ID supplied for HTTP authentication
 • HTTP Method
 • URL in the request
 • The protocol and protocol version used to make the request
 • Source and destination port numbers
 • Status codes for the response
 • Size of the response in bytes
 • HTTP Status and Referrer for the following events:
 
 That sounds a lot like an HTTP access log. Have you looked through the
 logging documentation for your version of Tomcat for how to do
 access logging?
 
 - Successful and unsuccessful attempts to access the web server
 software.
 
 Depends upon your definition of successful, attempt, and access.
 
 - Successful and unsuccessful attempts to access the web site.
 
 Ditto.
 
 - Successful and unsuccessful attempts to access the web
 application.
 
 Ditto.
 
 2. How do I view/change the HTTP header information of an
 intranet site that is using Tomcat?  I have to make sure the HTTP
 header does not show information about the web server which would
 include, web server product, version, or host operating system
 
 Generally speaking, it's nice to post different questions in separate
 threads. It's not a huge deal, but it makes following a conversation
 easier for others.
 
 Anyhow, you are looking for changing the Server response header,
 right? That's in the documentation as well, but it might not be the
 easiest thing to find. See below.
 
 Since you are looking at securing Tomcat, you might want to have a
 look at the Security Considerations section of the Tomcat User Guide:
 http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
 
 (Make sure you use the right version -- I chose TC 7 because you never
 told us what you were running).
 
 Hope that helps,
 -chris




 



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya

 oh...@cox.net wrote: 
 
  André Warnier a...@ice-sa.com wrote: 
  oh...@cox.net wrote:
    André Warnier a...@ice-sa.com wrote: 
   oh...@cox.net wrote:
  
   .. re-synchronising..
   I've made some progress.  I have a VirtualHost, so I had to add a 
   JkMountCopy 'on' inside the VirtualHost, and now, it's at least 
   proxying through to the Tomcat using mod_jk!!
  
   BUT, it's still not logging me into the Tomcat :(...
  
   I don't want to post the entire jk.log, so can someone point me to what 
   to look for in there, maybe?
  
   Ok, so let's now continue on the mod_jk track, since you've got that 
   part running.
  
   What you are looking for, is an AJP request attribute named 
   remote_user (lowercase), 
   in the packets which mod_jk sends to Tomcat.
   I don't know if that would be in the log, nor if there is any way to 
   coerce mod_jk into 
   putting it in the log.
  
   But since your Tomcat is not authenticating, chances are that it isn't 
   there.
  
   So let's try to cheat, and force it to be there.
   In your Apache configuration, add this line :
  
   JkEnvVar remote_user blablabla
  
   and let's see what happens.
  
  
   (and after that, we'll try mod_rewrite or a combination)
  
   
   
   Andre,
   
   I had already tried including a JkEnvVar as you suggested in my 
   httpd.conf, in order to try to hard-code getting SOMETHING  to show up, 
   but no joy :(...
   
   I've also tried a bunch of other variants:
   
   JkEnvVar  REMOTE_USER
   
   also:
   
   JkEnvVar remote_user foobar
   
   also:
   
   JkEnvVar AJP_REMOTE_USER foobar
   
   Nothing works :(...
   
   This is really getting discouraging :(.  It almost seems to me like that 
   'tomcatAuthentication' functionality doesn't even exist at all.
   
   I've searched the jk.log for multiple things, attr, remo, etc., and 
   find nothing relevant/significant at all in there...
   
  
  Do not get discouraged.  I can guarantee that the 
  tomcatAuthentication=false works, when 
  the Apache front-end really does authenticate the user.  I use this all the 
  time.
  (Just not with the same SSO mechanism as you).
  
  I also know that JkEnvVar does work in general for setting request 
  attributes at the 
  Apache level, and have them passed to Tomcat by mod_jk, because I also use 
  that regularly.
  (And there exists a similar functionality in mod_proxy_ajp).
  
  What may not work in the trials above, is that specifically this 
  remote_user request 
  attribute may be overwritten by mod_jk or mod_proxy_ajp, even when you have 
  set it 
  explicitly in Apache.
  
  After all, this feature is designed to do one thing : examine the request 
  record of 
  Apache for an authenticated user-id, and if one is set, pass it along to 
  Tomcat over the 
  AJP channel.  If mod_jk/mod_proxy_ajp do not find such a user-id in the 
  request record, 
  they may just /clear/ the remote_user attribute, thus voiding our attempts 
  at cheating.
  
  To verify this is relatively simple.
  Create the following Location section in Apache :
  
  <Location /sampleajp>
     AuthType Basic
     AuthName toTomcat
     AuthUserFile /some-path/passwords
     Require user testuser
     SetHandler jakarta-servlet
     # tomcatA, or whatever name your worker has
     SetEnv JK_WORKER_NAME tomcatA
  </Location>
  
  Note: the SetHandler and SetEnv lines above, in that Location, are 
  equivalent to saying :
 JkMount /sampleajp/* tomcatA
  
  Then follow the instructions here to create the password file and the user 
  testuser in it :
  http://httpd.apache.org/docs/2.2/howto/auth.html
  section : Getting it working
  
  If you try to access such a URL /sampleajp/*, the browser will pop up a 
  basic auth dialog 
  and force you to log in.
  This will result in the request being duly authenticated for Apache, which 
  /will/ result 
  in the Apache user-id being passed to Tomcat.
  
  Then, once you have verified (in Tomcat) that it is so, have another look 
  at the mod_jk 
  logfile, to see if then you spot the attribute being passed.
  (You will know that it is passed, but it may still not show up in the logs).
  
  If all of that works, then we know that in order for your scheme to work, 
  you must somehow 
  force the user-id obtained by your SSO system, to be also set in the Apache 
  request 
  record.  Which should be a solvable problem.
  
  And if not, then you still have your Valve..
  
 
 
 Andre,
 
 I haven't tried your full suggestion yet, but I removed all of the OAM SSO 
 stuff out of my Apache httpd.conf, just to see what happens, but even after 
 that, still am not getting logged into Tomcat, so it may be as you suggest, 
 that mod_jk tries to get the userid from somewhere deep inside of Apache.
 
 So, I will try adding what you suggested, to get authenticated with just the 
 Apache, and then see what happens, and will post back.  If that works, we can 
 go from there.
 
 Thanks for following up with this!
 
 Jim
 


Hi Andre,


Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
P.S.  I forgot to mention:

As you know, I'd been using a sniffer, to see the data on the Apache-to-Tomcat 
connection.  I have a sniff from earlier, where I was using ProxyPass ajp://, 
and, comparing that sniff vs. a sniff that I have from when I tested with your 
suggested Location, in the latter sniff, I can see the userID (testuser), 
whereas in the former, that same area in the hex dump is basically just 
null-terminated strings.

So, it appears like, when the OAM stuff and the ajp: stuff is in the Apache 
.conf, as you were guessing, the userID isn't making it into the 
Apache-to-Tomcat/AJP connection at all.

Jim



Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya

 oh...@cox.net wrote: 
 P.S.  I forgot to mention:
 
 As you know, I'd been using a sniffer, to see the data on the 
 Apache-to-Tomcat connection.  I have a sniff from earlier, where I was using 
 ProxyPass ajp://, and, comparing that sniff vs. a sniff that I have from 
 when I tested with your suggested Location, in the latter sniff, I can see 
 the userID (testuser), whereas in the former, that same area in the hex dump 
 is basically just null-terminated strings.
 
 So, it appears like, when the OAM stuff and the ajp: stuff is in the Apache 
 .conf, as you were guessing, the userID isn't making it into the 
 Apache-to-Tomcat/AJP connection at all.
 
 Jim
 


Hi,

Sorry for the top-post :(...

Here're the sniffs from the tests that I did:

a) Working (OAM disabled, Location per Andre):





b) Not working (w/OAM enabled and ajp: ProxyPass):



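The by-eye comparison Jim describes (is the userID present in what httpd sends to Tomcat?) can be scripted by decoding the AJP13 Forward Request and looking for the remote_user attribute, code 0x03. This Python is an added example, not code from the thread: it follows the AJP13 packet layout in the Tomcat connector documentation, the function names are illustrative, and the packets it builds are constructed samples with placeholder host names and addresses.

```python
import struct

AJP_MAGIC = b"\x12\x34"   # prefix of packets sent from the web server to Tomcat
FORWARD_REQUEST = 0x02
# Common request headers travel as codes 0xA001..0xA00E instead of strings.
HEADER_CODES = {0xA001 + i: name for i, name in enumerate(
    "accept accept-charset accept-encoding accept-language authorization "
    "connection content-type content-length cookie cookie2 host pragma "
    "referer user-agent".split())}
# Optional attributes after the headers: one code byte, then the value.
ATTR_CODES = {1: "context", 2: "servlet_path", 3: "remote_user", 4: "auth_type",
              5: "query_string", 6: "jvm_route", 7: "ssl_cert", 8: "ssl_cipher",
              9: "ssl_session", 0x0C: "secret", 0x0D: "stored_method"}


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated AJP packet")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def string(self):
        length = self.u16()
        if length == 0xFFFF:      # null string: no bytes and no terminator
            return None
        raw = self.take(length)
        if self.take(1) != b"\x00":
            raise ValueError("AJP string is not NUL-terminated")
        return raw.decode("latin-1")


def parse_forward_request(packet):
    """Decode one AJP13 Forward Request (magic, length, payload) into a dict."""
    r = Reader(packet)
    if r.take(2) != AJP_MAGIC or r.u16() != len(packet) - 4 or r.u8() != FORWARD_REQUEST:
        raise ValueError("not a complete AJP13 Forward Request")
    req = {"method": r.u8(), "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(),
           "is_ssl": bool(r.u8()), "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        marker = r.u16()
        if marker >> 8 == 0xA0:   # coded header name
            name = HEADER_CODES.get(marker, hex(marker))
        else:                     # marker was a string length: re-read it as a string
            r.pos -= 2
            name = (r.string() or "").lower()
        req["headers"][name] = r.string()
    while True:
        code = r.u8()
        if code == 0xFF:          # request terminator
            return req
        if code == 0x0A:          # req_attribute: name string, then value string
            name = r.string()
            req["attributes"].setdefault("req_attribute", {})[name] = r.string()
        elif code == 0x0B:        # ssl_key_size is a 2-byte integer, not a string
            req["attributes"]["ssl_key_size"] = r.u16()
        else:
            req["attributes"][ATTR_CODES.get(code, hex(code))] = r.string()


def forwarded_identity(packet):
    """Return (remote_user, auth_type) as forwarded by the front end; None if absent."""
    attrs = parse_forward_request(packet)["attributes"]
    return attrs.get("remote_user"), attrs.get("auth_type")


def ajp_string(value):
    if value is None:
        return b"\xff\xff"
    raw = value.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_forward_request(uri, headers, attributes):
    """Build a constructed sample packet (GET over TLS); all values are placeholders."""
    body = bytes([FORWARD_REQUEST, 2]) + ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("192.0.2.7") + ajp_string(None) + ajp_string("www.example.test")
    body += struct.pack(">HBH", 443, 1, len(headers))
    for name, value in headers:   # an int name is a coded header, a str is sent as text
        body += struct.pack(">H", name) if isinstance(name, int) else ajp_string(name)
        body += ajp_string(value)
    for code, value in attributes:
        body += bytes([code]) + ajp_string(value)
    return AJP_MAGIC + struct.pack(">H", len(body) + 1) + body + b"\xff"
```

Feed `forwarded_identity` the reassembled bytes of a single Forward Request taken from a capture of the httpd-to-Tomcat connection; it returns `(None, None)` when httpd forwarded no user. Because Tomcat trusts this attribute when tomcatAuthentication is false, the AJP port should accept connections only from the front-end httpd.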

RE: hi

2011-12-02 Thread Martin Gainty

you either need to tell us what a 'structs' application is

OR

go back to your school in india and learn how STRUTS Applications are built and 
deployed on a web container

Good luck

  Date: Sat, 3 Dec 2011 01:01:01 +0530
 Subject: hi
 From: deevelasrila...@gmail.com
 To: users@tomcat.apache.org
 
 I installed tomcat5.5 and jdk1.5
 I want to deploy the structs application? I have one application, but I don't
 know how to run the application?
  

Re: Logging - including host name in log file?

2011-12-02 Thread Jerry Malcolm
Thanks for all of your help.  I decided it was going to be difficult to
maintain/update the static properties file for all of the different
host/apps.  So I decided to pursue dynamic configuration at runtime (with
success).  Each time I need a logger, I simply instantiate a tomcat
FileHandler and build the file name from the catalina base, the server
name, and the context.  This seems fairly straightforward, and again, it is
working.  But if there is something in this implementation that's going to
bite me, please let me know now.

I've got it all working now, except for one specific situation... I have
some servlets that run at startup.  I have googled and looked everywhere I
can think of but I cannot figure out how to find the host name while
inside a servlet init method.  In other situations, I pull the server name
from the request object.  But when a servlet is running at startup, there
is no request object.  I have a ServletConfig and can get the
ServletContext.  But I can't find the host name in those.  A context runs
in a host.  It seems to me that the context would report the host it is in,
independent of whether a request is in progress or not.

This is not a show-stopper on the overall logging transition for me.  But I
would sure love to find a way to know the host that this context is running
under without requiring a request object.

Am I missing something obvious?

Thanks again.

Jerry

On Fri, Dec 2, 2011 at 2:04 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Jerry,

 On 12/2/11 12:46 PM, Jerry Malcolm wrote:
  Ok, I'm digging into this.  Slowly but surely Just to
  confirm...
 
  So if I have, say 2 hosts, each with 3 web apps, and I want a
  different log file for each web app on each host, I need to define
  6 of the following:
 
  10host1webapp1.org.apache.juli.FileHandler.level = FINE
  10host1webapp1.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
  10host1webapp1.org.apache.juli.FileHandler.prefix = Host1App1.

 Yes, although the format of the property base doesn't need to be that
 complex. You could do this:

 Host1App1.level=FINE
 Host1App1.directory=...
 Host1App1.prefix=Host1App1.

 Tomcat has those odd property names so they will be unlikely to
 conflict with anything you might want to define yourself.

 The magic happens here, when you actually configure Tomcat's logger(s):

 
  And then define 6 of the following:
 
  org.apache.catalina.core.ContainerBase.[Catalina].[host1].[/webapp1].level = INFO
  org.apache.catalina.core.ContainerBase.[Catalina].[host1].[/webapp1].handlers = 10host1webapp1.org.apache.juli.FileHandler

 You could instead do:


 org.apache.catalina.core.ContainerBase.[Catalina].[host1].[/webapp1].handlers=Host1App1

  and I put all of this in /conf/logging.properties

 Yes: this will tell Tomcat that, when your webapp uses
 ServletContext.log(...) that the output should go to those loggers
 listed in the handlers property for that particular webapp.

  All of this is required in order to get separate log files per
  webapp per host, right?

 From ServletContext.log(..), yes.

 Again, if your webapp is logging in some other way, then Tomcat's
 configuration does not apply at all. It's fairly common for webapps to
 use their own logging mechanism rather than logging to the servlet
 container, so I wouldn't be surprised if you have more work to do.

 -chris




Re: hi

2011-12-02 Thread Srinivas Chejerla
For example, if I have a struts project with context-folder name
strutsproj as shown

strutsproj
   WEB-INF
      classes
      web.xml
      struts-config.xml
   index.jsp


I would run this like below

open browser and type -   http://localhost:8080/strutsproj/index.jsp in
url, this would get index page

feel free to post back your success ...


On Sat, Dec 3, 2011 at 1:01 AM, srilaxmi deevela
deevelasrila...@gmail.com wrote:

 I installed tomcat5.5 and jdk1.5
 I want to deploy the structs application? I have one application, but I don't
 know how to run the application?




-- 
Thanks,
Srinivas.


Re: hi

2011-12-02 Thread Srinivas Chejerla
-- in-addition to above post: i was assuming tomcat is running on 8080 port

On Sat, Dec 3, 2011 at 1:01 AM, srilaxmi deevela
deevelasrila...@gmail.com wrote:

 I installed tomcat5.5 and jdk1.5
 I want to deploy the structs application? I have one application, but I don't
 know how to run the application?




-- 
Thanks,
Srinivas.


Re: Logging - including host name in log file?

2011-12-02 Thread Mark Eggers



Here's something that I came up with for application-level logging. This is 
based on Apache commons-logging and log4j.

Please note that I'm a systems person, and only write Java code when I need to 
figure out how things are working (or not working).

I start out with a ServletContextListener, and two pieces of configuration.

In each Tomcat virtual host ($CATALINA_BASE/conf/[hostname]), I create a 
context.xml.default file. In it, I place a simple resource to retrieve via JNDI.

The context.xml.default file is documented:

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html


The resource documentation is:

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html#Environment_Entries


So for example, a context.xml.default file can look like:

<?xml version="1.0" encoding="UTF-8"?>

<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>

  <Environment name="hostname" value="avirtualhost" type="java.lang.String"/>
</Context>

Now, in my application, I set up a base file name in log4j (log4j.xml) for my 
file appender. I use the Tomcat-defined variables, so the file name ends up 
looking like:

${catalina.base}/logs/applog.log

Finally, in the ServletContextListener, I do something like the following:
private Log log = LogFactory.getLog(this.getClass());


public void 

RE: Logging - including host name in log file?

2011-12-02 Thread Caldarale, Charles R
 From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com] 
 Subject: Re: Logging - including host name in log file?

 A context runs in a host.

That is a Tomcat-specific implementation mechanism, not something mandated by 
the servlet spec.  Consequently, there is nothing in the spec that would let 
you see a Host associated with a webapp.  You could use JMX from inside the 
webapp to poke through the Tomcat nodes and find the host name during the 
init() method.

 - Chuck

