Re: Do any of the Tomcat LDAP-type realms support no password authentication?
On 02.12.2011 17:49, André Warnier wrote: oh...@cox.net wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: ... Connector port=8009 protocol=AJP/1.3 redirectPort=8443 tomcatAuthentication=false / That is correct. The false means that Tomcat will not do it's own authentication, and will instead rely on the authenticated user-id passed by the front-end server. Now could you also show us the section of your Apache front-end configuration, containing the directives which forward the requests to Tomcat ? (proxy or rewrite stanzas) Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes the authenticated user-id to Tomcat along with the proxied request, depends on the fact that within Apache (more precisely within the internal Apache request record), the request is really authenticated (*). I am saying this because in an earlier post, you mentioned that you were using a third-party authentication package at the Apache httpd level. It is unlikely, but possible, that this authentication package would use its own logic, and never populate the internal Apache request record with this user-id (**). In such a case, the automatic forwarding of the user-id by the Apache-level connector module (mod_proxy_ajp or mod_jk) would of course not work, because they check the internal Apache request record, and have no knowledge of another user-id source. (*) in Tomcat terms, the equivalent of populating the userPrincipal object (**) for example, it may act as a filter, and rely on each request always containing a cookie which authenticates the request, and do its own access control independently of Apache httpd itself Andre, Sure. Here's the section from httpd.conf. This is testing where I purposely insert a REMOTE_USER HTTP header into the request being proxied. 
As I said, I have a sniffer on the line, and I can see the REMOTE_USER header, but still, when I get to my test JSP hosted on the Tomcat, getUserPrincipal() is returning null (don't mind the hostname in the ProxyPass, etc. I just happen to be hosting Tomcat on that machine, and WebLogic is shutdown there).

# Proxy to Tomcat on weblogic1 machine, using AJP
<Location /samplesajp>
RequestHeader set REMOTE_USER 9test
ProxyPass ajp://weblogic1.whatever.com:8009/samplesajp
ProxyPassReverse ajp://weblogic1.whatever.com:8009/samplesajp
</Location>

Jim

Hi, BTW, I asked about this earlier, but is it possible to turn on some debugging on the Tomcat side, that might help diagnose why the AJP connector is not working the expected way? I'm not that familiar with Tomcat or AJP logging, but I've only been able to set logging in logging.properties so that there's either almost no logging or it generated a ton of logging (but not stuff on AJP connection/processing) :(...

Sorry, dunno. Logging is not my favorite area in Tomcat.. Also, to tell the truth, I do not know exactly /how/ the Apache user-id is passed to Tomcat. I strongly suspect that the REMOTE_USER HTTP header may not be it, and that it may be via what Tomcat calls request attributes, and Apache calls environment variables (but not in the usual shell sense). But I don't know how this particular one may be named. Since you seem better at Java than I am, you may be able to find it in the Tomcat AJP Connector code somewhere. I would start looking for request attribute rather than header. This page : http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html seems to hint at ditto, and even mentions a request attribute named remote_user (lowercase). Maybe you could try to set this environment variable in Apache, and see where it leads you ? In this page : http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule it shows how to do that (but there it calls them server variables). The terminology is not very consistent..
Although this thread has moved forward towards the role topic, I want to give some infos about the user forwarding by mod_jk. Some of it was already present in previous posts. 1) In order to let Tomcat accept the user, you need to set tomcatAuthentication to false 2) mod_jk will always forward the user as detected by the following logic: - the user as authenticated by Apache - if this doesn't exist it will forward the value of an Apache environment variable. The default name of the variable is JK_REMOTE_USER, but it can be changed using the configuration directive JkRemoteUserIndicator 3) The user ID will *not* be forwarded in the form of a request header 4) The forwarded user id is logged in the JK log file on level debug as the user field in the line: Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d auth=%s user=%s laddr=%s raddr=%s uri=%s 5) There is no need to use JkEnvVar 6) When not using a real Apache authentication, you can instead set the Apache environment variable JK_REMOTE_USER e.g. via mod_setenvif or the E=
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote: ... Rainer Jung rainer.j...@kippdata.de wrote: Although this thread has moved forward towards the role topic, I want to give some infos about the user forwarding by mod_jk. Some of it was already present in previous posts. 1) In order to let Tomcat accept the user, you need to set tomcatAuthentication to false 2) mod_jk will always forward the user as detected by the following logic: - the user as authenticated by Apache - if this doesn't exist it will forward the value of an Apache environment variable. The default name of the variable is JK_REMOTE_USER, but it can be changed using the configuration directive JkRemoteUserIndicator 3) The user ID will *not* be forwarded in the form of a request header 4) The forwarded user id is logged in the JK log file on level debug as the user field in the line: Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d auth=%s user=%s laddr=%s raddr=%s uri=%s 5) There is no need to use JkEnvVar 6) When not using a real Apache authentication, you can instead set the Apache environment variable JK_REMOTE_USER e.g. via mod_setenvif or the E= syntax of mod_rewrite. If you change the name of the env var using JkRemoteUserIndicator use the variable name given there instead. 7) The Apache authenticated user can be logged in the Apache AccessLog using %u. Any environment variable XXX can be logged using %{XXX}e. 8) The user can be logged in the Tomcat AccessLog using %u. 9) The user is returned by request.getRemoteUser() on the Tomcat side. Regards, Rainer Hi Rainier, Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator. I'm kind of well along the way with my valve, but I still have mod_jk for one proxy section, so I'll give those a try. Hi Rainer. Thanks also for the precise information. We've missed you.. Jim, one more question : At the Apache httpd level, when the user has been authenticated by OAM, /can/ you get the authenticated user's user-id ? and how ? 
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: ... Rainer Jung rainer.j...@kippdata.de wrote: Although this thread has moved forward towards the role topic, I want to give some infos about the user forwarding by mod_jk. Some of it was already present in previous posts. 1) In order to let Tomcat accept the user, you need to set tomcatAuthentication to false 2) mod_jk will always forward the user as detected by the following logic: - the user as authenticated by Apache - if this doesn't exist it will forward the value of an Apache environment variable. The default name of the variable is JK_REMOTE_USER, but it can be changed using the configuration directive JkRemoteUserIndicator 3) The user ID will *not* be forwarded in the form of a request header 4) The forwarded user id is logged in the JK log file on level debug as the user field in the line: Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d auth=%s user=%s laddr=%s raddr=%s uri=%s 5) There is no need to use JkEnvVar 6) When not using a real Apache authentication, you can instead set the Apache environment variable JK_REMOTE_USER e.g. via mod_setenvif or the E= syntax of mod_rewrite. If you change the name of the env var using JkRemoteUserIndicator use the variable name given there instead. 7) The Apache authenticated user can be logged in the Apache AccessLog using %u. Any environment variable XXX can be logged using %{XXX}e. 8) The user can be logged in the Tomcat AccessLog using %u. 9) The user is returned by request.getRemoteUser() on the Tomcat side. Regards, Rainer Hi Rainier, Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator. I'm kind of well along the way with my valve, but I still have mod_jk for one proxy section, so I'll give those a try. Hi Rainer. Thanks also for the precise information. We've missed you.. 
Jim, one more question : At the Apache httpd level, when the user has been authenticated by OAM, /can/ you get the authenticated user's user-id ? and how ?

Hi, On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that gets populated by the OAM agent, called OAM_REMOTE_USER.

Jim
Re: Disabling Apps in host root
On 04/12/2011 23:52, Caldarale, Charles R wrote: From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com] Subject: Disabling Apps in host root When I start tomcat What exact version? We're not mind-readers, and capabilities vary considerably depending on what level you're on. it tries to start an app for every folder in the host root directory. What do you mean by host root directory? Do you really mean the Host appBase directory? Be precise. Some folders are really apps (with WEB-INF), and some are folders that are not apps at all. Then why are the non-apps folders there? +1 If you don't want them published, don't put them where they can be published. p But it doesn't seem to care if there is a context or not. Correct; nothing in the spec requires the existence of a Context element or even WEB-INF/web.xml. Is there a way to control the apps that start up Look at the deployIgnore attribute of the Host element: http://tomcat.apache.org/tomcat-7.0-doc/config/host.html - Chuck
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
On 05.12.2011 10:42, oh...@cox.net wrote: André Warniera...@ice-sa.com wrote: oh...@cox.net wrote: ... Rainer Jungrainer.j...@kippdata.de wrote: Although this thread has moved forward towards the role topic, I want to give some infos about the user forwarding by mod_jk. Some of it was already present in previous posts. 1) In order to let Tomcat accept the user, you need to set tomcatAuthentication to false 2) mod_jk will always forward the user as detected by the following logic: - the user as authenticated by Apache - if this doesn't exist it will forward the value of an Apache environment variable. The default name of the variable is JK_REMOTE_USER, but it can be changed using the configuration directive JkRemoteUserIndicator 3) The user ID will *not* be forwarded in the form of a request header 4) The forwarded user id is logged in the JK log file on level debug as the user field in the line: Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d auth=%s user=%s laddr=%s raddr=%s uri=%s 5) There is no need to use JkEnvVar 6) When not using a real Apache authentication, you can instead set the Apache environment variable JK_REMOTE_USER e.g. via mod_setenvif or the E= syntax of mod_rewrite. If you change the name of the env var using JkRemoteUserIndicator use the variable name given there instead. 7) The Apache authenticated user can be logged in the Apache AccessLog using %u. Any environment variable XXX can be logged using %{XXX}e. 8) The user can be logged in the Tomcat AccessLog using %u. 9) The user is returned by request.getRemoteUser() on the Tomcat side. Regards, Rainer Hi Rainier, Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator. I'm kind of well along the way with my valve, but I still have mod_jk for one proxy section, so I'll give those a try. Hi Rainer. Thanks also for the precise information. We've missed you.. 
Jim, one more question : At the Apache httpd level, when the user has been authenticated by OAM, /can/ you get the authenticated user's user-id ? and how ?

Hi, On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that gets populated by the OAM agent, called OAM_REMOTE_USER.

So if you want mod_jk to use the value of this header as the authenticated user name and forward it to Tomcat, you either:

a) have to rely on the Oracle module to correctly set the Apache internal request user field
b) or have to find a way to copy the value of this header into the environment variable JK_REMOTE_USER

Concerning a): Usually there's %u in the default LogFormat used by AccessLog. So have a look at the access log to check, whether Apache outputs the correct user name. In that case mod_jk should automatically forward it. This in turn can be checked by the mentioned Service debug log line in the JK log.

If %u in the access log is empty, and the docs of the Oracle module do not give a solution how to set the real Apache request user, we are up to b).

First add %{OAM_REMOTE_USER} to the format/pattern configuration of your Apache and Tomcat access logs, so you can easily check, what both think about the value of that header. Check, that it is populated for both with the right user id.

Now we try to copy the value of the header OAM_REMOTE_USER to the Apache environment variable JK_REMOTE_USER. As you can see in http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif It works like this (assuming you have enabled/loaded mod_setenvif):

SetEnvIf OAM_REMOTE_USER (.*) JK_REMOTE_USER=$1

Unfortunately this will only work, if the Oracle module that populates the header runs before mod_setenvif. Check, whether the copying works by adding %{JK_REMOTE_USER}e to the format of your Apache AccessLog.

Finally look at the Service line in the jk debug log to see, whether the right user info is now being forwarded. If so, the rest is to be done in Tomcat land.
Set tomcatAuthentication to false and check via request.getRemoteUser() whether you received the right user id. I would do all this first using a basic test webapp in Tomcat, not your real app.

Finally: this is probably not secure, because

- everyone can send a request which already has a populated OAM_REMOTE_USER header. You would rely on the implementation detail, that the Oracle module might always overwrite that header. Not sure if it does!
- everyone having access to the network port could start talking AJP13 directly to your Tomcat adding whatever remote user id she likes. The protocol is easy to fake.

Regards, Rainer
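The hop-by-hop log check Rainer describes above, as an added example that is not part of the original thread: it reads an Apache access log and the mod_jk `Service` debug lines and reports at which hop the user id is lost. The access-log layout, the sample lines, the verdict names and treating `(null)` as an empty JK field are assumptions.

```python
import shlex

# Constructed sample data, not taken from the thread.
# Assumed access-log layout (an assumption, adjust to your own LogFormat):
#   LogFormat "%h %u \"%{OAM_REMOTE_USER}i\" \"%{JK_REMOTE_USER}e\" \"%r\""
ACCESS_LOG = """\
10.0.0.5 - "jsmith" "jsmith" "GET /samplesajp/a.jsp HTTP/1.1"
10.0.0.6 - "akhan" "-" "GET /samplesajp/b.jsp HTTP/1.1"
10.0.0.7 - "-" "-" "GET /samplesajp/c.jsp HTTP/1.1"
10.0.0.8 mlee "-" "-" "GET /samplesajp/d.jsp HTTP/1.1"
10.0.0.9 - "rroe" "rroe" "GET /samplesajp/e.jsp HTTP/1.1"
"""

# Constructed JK debug lines; only the "Service ..." part follows the format
# quoted in the thread, the prefix before it is made up and ignored.
_SVC = ("[Mon Dec 05 10:42:00 2011] [debug] Service protocol=HTTP/1.1 "
        "method=GET ssl=false host=(null) addr=10.0.0.1 name=www.example.test "
        "port=80 auth=(null) user={user} laddr=10.0.0.1 raddr=10.0.0.1 uri={uri}")
JK_LOG = "\n".join([
    _SVC.format(user="jsmith", uri="/samplesajp/a.jsp"),
    _SVC.format(user="(null)", uri="/samplesajp/b.jsp"),
    _SVC.format(user="(null)", uri="/samplesajp/c.jsp"),
    _SVC.format(user="mlee", uri="/samplesajp/d.jsp"),
    _SVC.format(user="(null)", uri="/samplesajp/e.jsp"),
])

EMPTY = {"", "-", "(null)"}   # "(null)" as the empty JK value is an assumption

HINTS = {
    "ok-request-user": "Apache request user (%u) was forwarded by mod_jk",
    "ok-env": "JK_REMOTE_USER was forwarded by mod_jk",
    "copy-failed": "header is set but JK_REMOTE_USER is empty: the SetEnvIf "
                   "copy did not run after the module that sets the header",
    "no-identity": "no user id anywhere at the Apache level",
    "jk-mismatch": "mod_jk forwarded something other than %u/JK_REMOTE_USER; "
                   "check JkRemoteUserIndicator",
}


def norm(value):
    """Map the various 'empty' spellings to None."""
    return None if value in EMPTY else value


def parse_access(line):
    """Split one access-log line in the assumed layout."""
    _host, user, header, env, request = shlex.split(line)
    return {"uri": request.split()[1], "apache_user": norm(user),
            "header": norm(header), "env": norm(env)}


def parse_jk_service(line):
    """Extract uri and user from a mod_jk 'Service protocol=...' debug line."""
    pos = line.find("Service protocol=")
    if pos < 0:
        return None
    fields = {}
    for token in line[pos + len("Service "):].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return {"uri": fields.get("uri"), "user": norm(fields.get("user", ""))}


def diagnose(acc, jk_user):
    """Apply the forwarding rule from the thread: %u first, then the env var."""
    expected = acc["apache_user"] or acc["env"]
    if jk_user != expected:
        return "jk-mismatch"
    if expected is None:
        return "copy-failed" if acc["header"] else "no-identity"
    return "ok-request-user" if acc["apache_user"] else "ok-env"


def check_hops(access_log, jk_log):
    """Return {uri: verdict}, joining both logs on the request URI."""
    forwarded = {}
    for line in jk_log.splitlines():
        rec = parse_jk_service(line)
        if rec:
            forwarded[rec["uri"]] = rec["user"]
    result = {}
    for line in filter(None, access_log.splitlines()):
        acc = parse_access(line)
        result[acc["uri"]] = diagnose(acc, forwarded.get(acc["uri"]))
    return result


if __name__ == "__main__":
    for uri, verdict in check_hops(ACCESS_LOG, JK_LOG).items():
        print(f"{uri}: {verdict} ({HINTS[verdict]})")
```

An "ok" verdict only confirms that the id travelled intact between the hops; it says nothing about whether the header value was trustworthy when it arrived at Apache, which is the first of the two concerns raised at the end of the message.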
Re: MVC or Model2 with Tomcat
anyway, here is the output of the package query on my FreeBSD box:

ap22-mo_jk-ap2-1.2.30_1 Apache2 JK module for connecting to Tomcat using AJP1X

It's a virtual host with following lines have been added to main httpd.conf:

LoadModule jk_module libexec/apache22/mod_jk.so
JkWorkersFile /usr/local/etc/apache22/workers.properties
JkShmFile /var/log/mod_jk.shm
JkLogFile /var/log/mod_jk.log
JkLogLevel debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"

and following JkMount directives for each virtual host:

JkMount /appexmp1/* appexmp1
JkMount /appexmp1/*.jsp appexmp1

and following is the worker file for two of the sites:

worker.list=appexmp2,appexmp1
worker.appexmp2.type=ajp13
worker.appexmp2.host=localhost
worker.appexmp2.port=8009
worker.appexmp1.type=ajp13
worker.appexmp1.host=localhost
worker.appexmp1.port=8109

Created separate directories in CATALINA_BASE/webapps/ for each application so , it contain following directories:

CATALINA_BASE/webapps/ROOT
CATALINA_BASE/webapps/appexmp1
CATALINA_BASE/webapps/appexmp2

context file for each application resides in CATALINA_BASE/conf/Catalina/localhost for example:

CATALINA_BASE/conf/Catalina/localhost/appexmp1.xml
CATALINA_BASE/conf/Catalina/localhost/appexmp2.xml

cat CATALINA_BASE/conf/Catalina/localhost/appexmp1.xml

<Context path="/appexmp1" docBase="appexmp1" debug="0" reloadable="true" crossContext="true">
</Context>

path docBase are surplus to requirements here. debug is no longer functional.
and web.xml file as follow:

cat CATALINA_BASE/webapps/appexmp1/WEB-INF/web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>App1</servlet-name>
    <servlet-class>com.appexmp1.App1</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>App1</servlet-name>
    <url-pattern>/APP1</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>

I already can access mydomain.com/App1/index.jsp and every thing works fine but want to be able to serve .jsp files as follow: mydomain.com/index.jsp for each of my virtual hosts.

If the ROOT application is just a default one, you can remove it. You will need a separate appBase for each virtual host. In server.xml, define multiple hosts, with _separate_ appBase's:

<Host name="hostexmp1" appBase="/path/to/host1/appBase"> ... </Host>
<Host name="hostexmp2" appBase="/path/to/host2/appBase"> ... </Host>

copy appexmp1 and appexmp2 into the appBase rename them 'ROOT'. Your app is now the default app in each host, so in each HTTPD virtual host, add:

JkMount /* appexmp1

p
RE: hi
Don't use it. Why build applications on a platform you have doubts about? I think you should build all of your applications using snobol. See http://en.wikipedia.org/wiki/SNOBOL for websites. I do prefer Ook, but not sure if there are good web frameworks for it: http://www.dangermouse.net/esoteric/ook.html
Re: Tomcat 7 - New attribut aliases in the context configuration item
Hi Christopher,

What does it mean to extend an existing file? Replace it or do some kind of horrendous merge?

Here is the order of the resource research :
- Files from my application
- Files from the EDR

If the resource is defined both in my app and in the EDR directory then the one from the application has the priority. There is no horrendous merge ;-) I talk about an extension as you can have exactly the same directory/files defined in your EDR and in your application. The main advantage of the EDR directory is that i can complete my application by adding resources (html/jsp/...) without any deployment. This mechanism is used for application which have a daily contribution for example.

You might be able to build this capability yourself by writing your own DirContext and specifying it with a Resources element within your Context element. See http://tomcat.apache.org/tomcat-7.0-doc/config/resources.html for details.

This new track looks nice but the documentation on the subject is a little short. I'll try to find more information on the subject but if you have additional information to tell me, let me know! Thank you for your support.

On Fri, Dec 2, 2011 at 9:14 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Sylvain,

On 11/30/11 8:58 AM, Sylvain Goulmy wrote: These directories are defined as extension of my application and another important thing is that i can also extend files which are at the root of my application (as index.html).

What does it mean to extend an existing file? Replace it or do some kind of horrendous merge?

After a few more test with Tomcat i understand that :
- You cannot extend directory, if you define an external location which match an existing directory of your application, the resources of your application become unreachable.

That sounds about right.
- As the documentation says Using '/' as an aliasPath is not allowed., you cannot extend any resource which is at the root of your application.

Right: if you alias /, you are essentially deploying another webapp -- so you should just do that instead. Tomcat's alias mechanism is intended for use in the case where you have a bunch of static content in a separate directory and you just want to be able to serve it through the same webapp without actually deploying two separate contexts. That's why it works the way it does.

You might be able to build this capability yourself by writing your own DirContext and specifying it with a Resources element within your Context element. See http://tomcat.apache.org/tomcat-7.0-doc/config/resources.html for details.

-chris
Re: Tomcat 7 - New attribut aliases in the context configuration item
Well, what is described in this ticket seems to concern Tomcat in the Eclipse environment, i'd like to have the functionality on the live environment, i'll keep on watching your patch to see if that can give me the functionality i'm looking for. Thank you for this information.

On Fri, Dec 2, 2011 at 8:11 PM, Sylvain Laurent slaur...@apache.org wrote: keep a watch on https://issues.apache.org/bugzilla/show_bug.cgi?id=51741. When it is implemented, it should give you this functionality.

On 30 nov. 2011, at 14:58, Sylvain Goulmy wrote:

So the effect is that multiple physical directories must be searched for a given resource?

Correct.

The alias maps a given path to an external directory.

Ok, that's what i had understood.

Can you give an example of how you would like it to work?

Here is the description of the EDR (Extended Document Root) mechanism in Websphere : Let's assume i have the following application :

- Webapps/
  - MyApplication/
    - images/
    - css/
    - META-INF/
    - WEB-INF/
    - index.html

I can define an EDR directory in the configuration of my application so that the resource i access are first retrieved from my application and then in the EDR directory if they don't exist in my application.

- /.../.../.../.../EDR/
  - images/
  - index.html

These directories are defined as extension of my application and another important thing is that i can also extend files which are at the root of my application (as index.html).

After a few more test with Tomcat i understand that :
- You cannot extend directory, if you define an external location which match an existing directory of your application, the resources of your application become unreachable.
- As the documentation say Using '/' as an aliasPath is not allowed., you cannot extend any resource which is at the root of your application.

Things seems clear for me now, please tell if i have missed something. Thank you in advance for your support.
On Wed, Nov 30, 2011 at 11:53 AM, Pid p...@pidster.com wrote: On 29/11/2011 17:47, Sylvain Goulmy wrote: Hi all, I'd like to know it is possible to have equivalent functionality to the extended document root provided by the WebSphere product. This feature allows you to define a location outside the webapp to make contribution without having to redeploy the application. This mechanism first checks if the resource is present in the application and if not will look for it in the directory extension. So the effect is that multiple physical directories must be searched for a given resource? I thought that the functionality provided by the new attribute aliases for the configuration item context would have a similar behavior, but I see another operation. First of all it is not possible to set an alias on the context '/', making it necessary to declare all the directories in which you want to make the contribution. Also when I set an alias for a directory present in my webapp, it becomes a priority and files in my webapp are no longer available. Do I understand correctly how this new attribute aliases has to be used ? The alias maps a given path to an external directory. Is it possible with Tomcat 7 to set up a mechanism similar to the extended document root of Websphere? Can you give an example of how you would like it to work? p
Tomcat filter-mapping dispatcher forward
Hi all, I am trying to configure dispatcher forward rule for filter in tomcat 7.0.22

<filter-mapping>
  <filter-name>UrlRewriteFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

However, tomcat ignores dispatcher definition and does not fill dispatchers in org.apache.catalina.deploy.FilterMap (used debug) , so it always returns REQUEST in getDispatcherMapping.

Best Regards, Paul Hodchenkov Senior Java developer, Oxagile Skype: paul.hodchenkov Email: mailto:paul.hodchen...@oxagile.com
Re: hi
no, but i want to practice those examples On Sat, Dec 3, 2011 at 5:12 AM, Pid p...@pidster.com wrote: On 02/12/2011 18:03, srilaxmi deevela wrote: hi , am going to execute the web application based on structs, what are the basic procedure for deploy the web application Is this for a homework assignment? p On Fri, Dec 2, 2011 at 11:30 PM, srilaxmi deevela deevelasrila...@gmail.com wrote: where is the download option there, i didn't get that On Fri, Dec 2, 2011 at 11:27 PM, Ilya Kazakevich ilya.kazakev...@jetbrains.com wrote: http://tomcat.apache.org/download-55.cgi Ilya Kazakevich, Developer JetBrains Inc http://www.jetbrains.com Develop with pleasure! -Original Message- From: srilaxmi deevela [mailto:deevelasrila...@gmail.com] Sent: Friday, December 02, 2011 9:56 PM To: users@tomcat.apache.org Subject: hi please send me the tomcat5.5 software link, i tried but setup file is not visible there
Re: Character set issue
/can/ the servlet (or one of the filters) do anything that would cause the value of name1 to /not/ be a correct Java TÜV string in the servlet ? Yes, absolutely. If this is a posted value and some filter fires that coerces the encoding (e.g. request.getParameter() in the case of POST) of the request, all subsequent filters and the servlet will see the string in the encoding of the first filter. This is why it's important to set the encoding as early in the servlet processing pipeline as possible. For your particular case it's hard to imagine an encoding in practice that would make that string appear incorrectly. Both iso-8859-1 and utf-8 should handle Ü correctly. M
Re: Tomcat filter-mapping dispatcher forward
On 05/12/2011 14:45, Hodchenkov, Paul wrote:
> Hi all, I am trying to configure dispatcher forward rule for filter in tomcat 7.0.22
> <filter-mapping>
>     <filter-name>UrlRewriteFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
>     <dispatcher>FORWARD</dispatcher>
> </filter-mapping>
That looks right at first glance.
> However, tomcat ignores dispatcher definition and does not fill dispatchers in org.apache.catalina.deploy.FilterMap (used debug), so it always returns REQUEST in getDispatcherMapping.
Hmm. Odd. This is tested by the TCK that every Tomcat release must pass so I don't think there is a bug - or if there is it is an odd edge case. I'd suggest that the way forward is to write the simplest possible test case (1 * JSP + 1 * Servlet + web.xml should be plenty) that demonstrates this issue. If you still see the issue with that test case, it will probably be time to open a bug.
Mark
Re: Tomcat filter-mapping dispatcher forward
It works when using servlet 3.0 annotations api... I will write the simplest test case
Sent from my iPad
On 05.12.2011, at 20:49, Mark Thomas ma...@apache.org wrote:
> On 05/12/2011 14:45, Hodchenkov, Paul wrote:
>> Hi all, I am trying to configure dispatcher forward rule for filter in tomcat 7.0.22
>> <filter-mapping>
>>     <filter-name>UrlRewriteFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>>     <dispatcher>REQUEST</dispatcher>
>>     <dispatcher>FORWARD</dispatcher>
>> </filter-mapping>
> That looks right at first glance.
>> However, tomcat ignores dispatcher definition and does not fill dispatchers in org.apache.catalina.deploy.FilterMap (used debug), so it always returns REQUEST in getDispatcherMapping.
> Hmm. Odd. This is tested by the TCK that every Tomcat release must pass so I don't think there is a bug - or if there is it is an odd edge case. I'd suggest that the way forward is to write the simplest possible test case (1 * JSP + 1 * Servlet + web.xml should be plenty) that demonstrates this issue. If you still see the issue with that test case, it will probably be time to open a bug.
> Mark
Re: Tomcat filter-mapping dispatcher forward
On Mon, Dec 5, 2011 at 2:12 PM, Hodchenkov, Paul paul.hodchen...@oxagile.com wrote:
> It works when using servlet 3.0 annotations api... I will write the simplest test case
> Sent from my iPad
> On 05.12.2011, at 20:49, Mark Thomas ma...@apache.org wrote:
>> On 05/12/2011 14:45, Hodchenkov, Paul wrote:
>>> Hi all, I am trying to configure dispatcher forward rule for filter in tomcat 7.0.22
>>> <filter-mapping>
>>>     <filter-name>UrlRewriteFilter</filter-name>
>>>     <url-pattern>/*</url-pattern>
>>>     <dispatcher>REQUEST</dispatcher>
>>>     <dispatcher>FORWARD</dispatcher>
>>> </filter-mapping>
>> That looks right at first glance.
What does the web-app element look like? Is the proper version attribute being used, along with the correct namespaces/locations?
>>> However, tomcat ignores dispatcher definition and does not fill dispatchers in org.apache.catalina.deploy.FilterMap (used debug), so it always returns REQUEST in getDispatcherMapping.
>> Hmm. Odd. This is tested by the TCK that every Tomcat release must pass so I don't think there is a bug - or if there is it is an odd edge case. I'd suggest that the way forward is to write the simplest possible test case (1 * JSP + 1 * Servlet + web.xml should be plenty) that demonstrates this issue. If you still see the issue with that test case, it will probably be time to open a bug.
>> Mark
-- Kris Schneider
Tomcat won't start after Windows Reboot
Hello, I just noticed after logging onto the Windows Server that my Tomcat service will not start up anymore. It was working fine on my last login (Nov 17th). I noticed the server was rebooted after some patches ... (I am not in the Windows Support Team so do not know). This is the catalina error log:
Dec 5, 2011 3:02:39 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-18080
Dec 5, 2011 3:02:39 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Dec 5, 2011 3:02:39 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: AnyCert TrustManagerFactory not available
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:527)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
    at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1022)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Dec 5, 2011 3:02:39 PM org.apache.catalina.core.StandardService initialize
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8543]]
LifecycleException: Protocol handler initialization failed: java.io.IOException: AnyCert TrustManagerFactory not available
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1024)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Dec 5, 2011 3:02:39 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 493 ms
Dec 5, 2011 3:02:39 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Dec 5, 2011 3:02:39 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.33
Dec 5, 2011 3:02:39 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Dec 5, 2011 3:02:39 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive adminconsole.war
Dec 5, 2011 3:02:39 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive admin_applet.war
Dec 5, 2011 3:02:39 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive admin_images.war
Dec 5, 2011 3:02:39 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive admin_webhelp.war
Dec 5, 2011 3:02:39 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive bws.war
Dec 5, 2011 3:02:41 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive dav.war
Dec 5, 2011 3:02:41 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive dimensions.war
Dec 5, 2011 3:02:41 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive dim_applet.war
Dec 5, 2011 3:02:41 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive dim_images.war
Dec 5, 2011 3:02:42 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive dmwebservice.war
Dec 5, 2011 3:02:42 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive dmwebservices2.war
Dec 5, 2011 3:02:42 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive inet_webhelp.war
Dec 5, 2011
Apache HTTPD - Tomcat, Passing Errors
I am using Tomcat 7.0.22, Java 1.6 on a Linux box. Front-end is Apache/2.2.17 connected using proxypass with ajp. I'd like page-request errors on the Tomcat side to be passed back to httpd for handling. Right now, Tomcat formats the error page and passes that back. I've spent some time digging through docs, etc., and can't find an answer. Any help appreciated.
-- Jonathan Rosenberg Founder Executive Director Tabby's Place, a Cat Sanctuary http://www.tabbysplace.org/
Re: Apache HTTPD - Tomcat, Passing Errors
On December 5, 2011 15:42 , Jonathan Rosenberg shmol...@gmail.com wrote:
> I am using Tomcat 7.0.22, Java 1.6 on a Linux box. Front-end is Apache/2.2.17 connected using proxypass with ajp. I'd like page-request errors on the Tomcat side to be passed back to httpd for handling. Right now, Tomcat formats the error page and passes that back.
This is controlled via the ProxyErrorOverride directive for Apache HTTP Server. See https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyerroroverride
Unfortunately, while ProxyErrorOverride has been available for HTTP reverse-proxies, it was just added for AJP reverse-proxies in Apache HTTP Server 2.3.12. The feature will hopefully be backported into the next release of the 2.2 branch, though, so check again when 2.2.22 is released. For more information, see https://issues.apache.org/bugzilla/show_bug.cgi?id=50945
-- Mark Montague m...@catseye.org
Re: Tomcat 7 - New attribut aliases in the context configuration item
It's not for eclipse only. The ticket talks about eclipse because that was the main motivation for the feature, but it's totally independent.
On 5 déc. 2011, at 15:15, Sylvain Goulmy wrote: Well, what is described in this ticket seems to concern Tomcat in the Eclipse environment, I'd like to have the functionality on the live environment, I'll keep on watching your patch to see if that can give me the functionality I'm looking for. Thank you for this information.
On Fri, Dec 2, 2011 at 8:11 PM, Sylvain Laurent slaur...@apache.org wrote: keep a watch on https://issues.apache.org/bugzilla/show_bug.cgi?id=51741. When it is implemented, it should give you this functionality.
On 30 nov. 2011, at 14:58, Sylvain Goulmy wrote: So the effect is that multiple physical directories must be searched for a given resource? Correct. The alias maps a given path to an external directory. Ok, that's what I had understood. Can you give an example of how you would like it to work? Here is the description of the EDR (Extended Document Root) mechanism in Websphere : Let's assume I have the following application : - Webapps/ - MyApplication/ - images/ - css/ - META-INF/ - WEB-INF/ - index.html I can define an EDR directory in the configuration of my application so that the resources I access are first retrieved from my application and then in the EDR directory if they don't exist in my application. - /.../.../.../.../EDR/ - images/ - index.html These directories are defined as extension of my application and another important thing is that I can also extend files which are at the root of my application (as index.html). After a few more tests with Tomcat I understand that :
- You cannot extend directory, if you define an external location which matches an existing directory of your application, the resources of your application become unreachable.
- As the documentation says "Using '/' as an aliasPath is not allowed.", you cannot extend any resource which is at the root of your application.
Things seem clear for me now, please tell if I have missed something. Thank you in advance for your support.
On Wed, Nov 30, 2011 at 11:53 AM, Pid p...@pidster.com wrote: On 29/11/2011 17:47, Sylvain Goulmy wrote: Hi all, I'd like to know it is possible to have equivalent functionality to the extended document root provided by the WebSphere product. This feature allows you to define a location outside the webapp to make contribution without having to redeploy the application. This mechanism first checks if the resource is present in the application and if not will look for it in the directory extension. So the effect is that multiple physical directories must be searched for a given resource? I thought that the functionality provided by the new attribute aliases for the configuration item context would have a similar behavior, but I see another operation. First of all it is not possible to set an alias on the context '/', making it necessary to declare all the directories in which you want to make the contribution. Also when I set an alias for a directory present in my webapp, it becomes a priority and files in my webapp are no longer available. Do I understand correctly how this new attribute aliases has to be used ? The alias maps a given path to an external directory. Is it possible with Tomcat 7 to set up a mechanism similar to the extended document root of Websphere? Can you give an example of how you would like it to work? p
Re: Apache HTTPD - Tomcat, Passing Errors
On December 5, 2011 16:04 , Jonathan Rosenberg shmol...@gmail.com wrote:
> On Mon, Dec 5, 2011 at 3:51 PM, Mark Montague m...@catseye.org wrote:
>> On December 5, 2011 15:42 , Jonathan Rosenberg shmol...@gmail.com wrote:
>>> I'd like page-request errors on the Tomcat side to be passed back to httpd for handling. Right now, Tomcat formats the error page and passes that back.
>> Unfortunately, while ProxyErrorOverride has been available for HTTP reverse-proxies, it was just added for AJP reverse-proxies in Apache HTTP Server 2.3.12. The feature will hopefully be backported into the next release of the 2.2 branch, though, so check again when 2.2.22 is released. For more information, see https://issues.apache.org/bugzilla/show_bug.cgi?id=50945
> Thanks for the info. Is there any kind of simple, if ugly, workaround available?
Please don't top-post; it destroys the natural flow of reading. Also, don't reply to people privately off-list, since it deprives other people who may be interested of subsequent information, and also prevents other people who might have additional information or better suggestions from offering them to you.
Workarounds include:
- Use HTTP instead of AJP between Apache HTTP Server and Tomcat. You can then use the ProxyErrorOverride directive. Or,
- Apply the last patch at the Bugzilla link above to Apache HTTP Server 2.2.x source code and compile it. This will add support for ProxyErrorOverride for the AJP protocol. Or,
- Upgrade to Apache HTTP Server 2.3.12 or later. Or,
- Live with the Tomcat-generated error pages for now, and wait to see if ProxyErrorOverride support for AJP is in Apache HTTP Server 2.2.22 when it gets released. You can subscribe to the CC list for the bug to follow it, and possibly even vote on the bug.
-- Mark Montague m...@catseye.org
SSL configuration on apache tomcat 6 - Oracle EL5
Dear all, I have a very serious problem in making SSL work on apache tomcat 6 on my oracle EL5. I have been able to configure everything. If I access http://localhost:8443 it works but if I change the http to https, it doesn't work. I check my catalina.out log to see with and I saw: 5-Dec-2011 18:05:55 org.apache.catalina.core.AprLifecycleListener lifecycleEvent INFO: Failed to initialize the SSLEngine. I see no other error apart from this error. What can I do? I need to replicate this at a client site tomorrow - I have to make it work. I WILL REALLY APPRECIATE ANY ASSISTANCE. Thank you
Re: SSL configuration on apache tomcat 6 - Oracle EL5
Still waiting to hear from you folks. I presume if I did not configure server.xml right, then I should see more errors than this. This is my only challenge, please help me out. On Mon, Dec 5, 2011 at 1:20 PM, Oladapo Moshood morec...@gmail.com wrote: Dear all, I have a very serious problem in making SSL work on apache tomcat 6 on my oracle EL5. I have been able to configure everything. If I access http://localhost:8443 it works but if I change the http to https, it doesn't work. I check my catalina.out log to see with and I saw: 5-Dec-2011 18:05:55 org.apache.catalina.core.AprLifecycleListener lifecycleEvent INFO: Failed to initialize the SSLEngine. I see no other error apart from this error. What can I do? I need to replicate this at a client site tomorrow - I have to make it work. I WILL REALLY APPRECIATE ANY ASSISTANCE. Thank you
Re: Apache HTTPD - Tomcat, Passing Errors
Thanks for the additional info. I fell asleep at the wheel re: top posting and hit reply (instead of reply to all) by accident.
Repentantly yours,
-- Jonathan Rosenberg Founder Executive Director Tabby's Place, a Cat Sanctuary http://www.tabbysplace.org/
On Mon, Dec 5, 2011 at 4:18 PM, Mark Montague m...@catseye.org wrote:
> On December 5, 2011 16:04 , Jonathan Rosenberg shmol...@gmail.com wrote:
>> On Mon, Dec 5, 2011 at 3:51 PM, Mark Montague m...@catseye.org wrote:
>>> On December 5, 2011 15:42 , Jonathan Rosenberg shmol...@gmail.com wrote:
>>>> I'd like page-request errors on the Tomcat side to be passed back to httpd for handling. Right now, Tomcat formats the error page and passes that back.
>>> Unfortunately, while ProxyErrorOverride has been available for HTTP reverse-proxies, it was just added for AJP reverse-proxies in Apache HTTP Server 2.3.12. The feature will hopefully be backported into the next release of the 2.2 branch, though, so check again when 2.2.22 is released. For more information, see https://issues.apache.org/bugzilla/show_bug.cgi?id=50945
>> Thanks for the info. Is there any kind of simple, if ugly, workaround available?
> Please don't top-post; it destroys the natural flow of reading. Also, don't reply to people privately off-list, since it deprives other people who may be interested of subsequent information, and also prevents other people who might have additional information or better suggestions from offering them to you.
> Workarounds include:
> - Use HTTP instead of AJP between Apache HTTP Server and Tomcat. You can then use the ProxyErrorOverride directive. Or,
> - Apply the last patch at the Bugzilla link above to Apache HTTP Server 2.2.x source code and compile it. This will add support for ProxyErrorOverride for the AJP protocol. Or,
> - Upgrade to Apache HTTP Server 2.3.12 or later. Or,
> - Live with the Tomcat-generated error pages for now, and wait to see if ProxyErrorOverride support for AJP is in Apache HTTP Server 2.2.22 when it gets released. You can subscribe to the CC list for the bug to follow it, and possibly even vote on the bug.
> -- Mark Montague m...@catseye.org
RE: SSL configuration on apache tomcat 6 - Oracle EL5
From: Oladapo Moshood [mailto:morec...@gmail.com] Subject: Re: SSL configuration on apache tomcat 6 - Oracle EL5
> Still waiting to hear from you folks.
A bit impatient, are we? Remember, everyone on this list is a _volunteer_, not paid. If you want immediate answers, hire someone.
> I presume if I did not configure server.xml right, then I should see more errors than this.
Why do you presume that? And not posting your server.xml here makes it pretty much impossible for anyone to help you.
- Chuck
Re: SSL configuration on apache tomcat 6 - Oracle EL5
On Mon, Dec 5, 2011 at 1:50 PM, Oladapo Moshood morec...@gmail.com wrote:
> Still waiting to hear from you folks.
Ah, you'd be wanting our Tier 2 30-minute-response support, then. Would you like to put that on your Visa or MasterCard?
-- Hassan Schroeder hassan.schroe...@gmail.com http://about.me/hassanschroeder twitter: @hassan
Re: SSL configuration on apache tomcat 6 - Oracle EL5
Oh I'm really sorry Chuck, It's good to hear from you. I wanted to say I presumed my server.xml is well configured that was why I can only see one error. Below is what I have in my server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           sslProtocol="TLSv1" enableLookups="false"
           SSLCertificateFile="${catalina.base}/config/certs/server.crt"
           SSLCertificateKeyFile="${catalina.base}/config/certs/server.key"/>
Thank you
On Mon, Dec 5, 2011 at 1:54 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> From: Oladapo Moshood [mailto:morec...@gmail.com] Subject: Re: SSL configuration on apache tomcat 6 - Oracle EL5
>> Still waiting to hear from you folks.
> A bit impatient, are we? Remember, everyone on this list is a _volunteer_, not paid. If you want immediate answers, hire someone.
>> I presume if I did not configure server.xml right, then I should see more errors than this.
> Why do you presume that? And not posting your server.xml here makes it pretty much impossible for anyone to help you.
> - Chuck
Re: SSL configuration on apache tomcat 6 - Oracle EL5
Like I said to Chuck, I'm sorry to everyone. I didn't mean to be disturbing. Please pardon me and please assist. Thank you Hassan.
On Mon, Dec 5, 2011 at 2:03 PM, Hassan Schroeder hassan.schroe...@gmail.com wrote:
> On Mon, Dec 5, 2011 at 1:50 PM, Oladapo Moshood morec...@gmail.com wrote:
>> Still waiting to hear from you folks.
> Ah, you'd be wanting our Tier 2 30-minute-response support, then. Would you like to put that on your Visa or MasterCard?
> -- Hassan Schroeder hassan.schroe...@gmail.com http://about.me/hassanschroeder twitter: @hassan
Re: Character set issue
Marvin Addison wrote:
>> /can/ the servlet (or one of the filters) do anything that would cause the value of name1 to /not/ be a correct Java TÜV string in the servlet ?
> Yes, absolutely. If this is a posted value and some filter fires that coerces the encoding (e.g. request.getParameter() in the case of POST) of the request, all subsequent filters and the servlet will see the string in the encoding of the first filter. This is why it's important to set the encoding as early in the servlet processing pipeline as possible.
Thank you for the answer.
> For your particular case it's hard to imagine an encoding in practice that would make that string appear incorrectly. Both iso-8859-1 and utf-8 should handle Ü correctly.
I don't think that's true. A Ü in iso-8859-1 is a single byte (\xDC). In Unicode/UTF-8 encoding, it is 2 bytes (\xC39C). (The Unicode codepoint of Ü is 00DC (hex), but that's a different matter.) So if the servlet reads a parameter from the post, thinking the post is UTF-8 while it is really iso-8859-1, and this parameter is a Ü, the servlet will read 2 bytes, getting \xDC and whichever byte follows it, and get garbage, because \xDC followed by any other byte is probably not valid UTF-8. On the other hand, if the servlet reads a parameter from the post, thinking the post is iso-8859-1 while it is really UTF-8, and this parameter is a Ü, the servlet will read a single byte (\xC3), which will be converted to the Java Unicode character with codepoint 00C3 (hex), which is a capital A tilde (can't even type that on my German keyboard).
In fact, this is what happens in reality : We have a html page, defined as being content-type=text/html; charset=UTF-8. It is saved as UTF-8, by a Unicode-savvy editor. It is received by the browser, and the browser (IE or Firefox) says that the document is UTF-8. The page contains a form tag, which contains an enctype=UTF-8 attribute. The form contains an input text box, in which the user types a Ü and then submits the form. In the normal configuration of the target webapp, there are filter1 filter2 servlet (in that order). servlet reads the post parameters and the servlet gets garbage instead of the Java string Ü. If we remove filter1 and filter2, leaving servlet alone, then servlet reads the proper Ü. If we re-instate filter1 and filter2, and in filter2 (the only piece of which I control the code), I add an early call to request.setCharacterEncoding("UTF-8"); then servlet gets the correct string.
Who is responsible for setting the request character set ? In my naive understanding, I thought that whenever a method call happens which requires parsing the request body, and if by that time the request encoding has not been set explicitly, it would be Tomcat code which would evaluate the circumstances and set the encoding appropriately. Such as :
- default is iso-8859-1 (as per HTTP default)
- but if the request somehow says otherwise (*), then whatever the request says. ((*) which for a POST it should always do, no ?)
Is that a wrong understanding ? (I read the Servlet Spec v 3.0, section 3.10, but I am still not sure)
filter2 contains calls, in that order, to
- config.getInitParameter
- optionally, for testing : request.setCharacterEncoding("UTF-8")
- request.getRequestURL
- request.getQueryString
- request.getRemoteAddr
- request.getHeaderNames
- request.getHeader
- request.getAttributeNames
.. and, finally, a
- request.getParameter
Is it then the responsibility of filter2 to set the request encoding ? Should the optional request.setCharacterEncoding become mandatory ? Should the request.setCharacterEncoding call be made just before the request.getParameter, or is there another earlier method call in the list above that can trigger the encoding to be already set ?
Re: Apache HTTPD - Tomcat, Passing Errors
Jonathan Rosenberg wrote:
> Thanks for the additional info. I fell asleep at the wheel re: top posting and hit reply (instead of reply to all) by accident.
Well, maybe don't do that either (reply to all). Just reply to the list. The people on the list are.. on the list. So any message posted to the list already reaches them. If in addition you send a copy to the original poster, they get a second copy of the same message, which is somewhat annoying.
Re: SSL configuration on apache tomcat 6 - Oracle EL5
On Mon, 2011-12-05 at 13:20 -0800, Oladapo Moshood wrote: Dear all, I have a very serious problem in making SSL work on apache tomcat 6 on my oracle EL5. I have been able to configure everything. If I access http://localhost:8443 it works but if I change the http to https, it doesn't work. I check my catalina.out log to see with and I saw: 5-Dec-2011 18:05:55 org.apache.catalina.core.AprLifecycleListener lifecycleEvent INFO: Failed to initialize the SSLEngine. I see no other error apart from this error. What can I do? I need to replicate this at a client site tomorrow - I have to make it work. I WILL REALLY APPRECIATE ANY ASSISTANCE. Thank you Using the APR connector requires native libraries. 1.) Where did you get the native libraries? distro package or compile from source? 2.) What options were used to compile the libraries (i.e. if compiling from src, please list your ./configure ... command). Dan
Re: Character set issue
2011/12/6 André Warnier a...@ice-sa.com:
> Marvin Addison wrote:
>>> /can/ the servlet (or one of the filters) do anything that would cause the value of name1 to /not/ be a correct Java TÜV string in the servlet ?
>> Yes, absolutely. If this is a posted value and some filter fires that coerces the encoding (e.g. request.getParameter() in the case of POST) of the request, all subsequent filters and the servlet will see the string in the encoding of the first filter. This is why it's important to set the encoding as early in the servlet processing pipeline as possible.
> Thank you for the answer.
>> For your particular case it's hard to imagine an encoding in practice that would make that string appear incorrectly. Both iso-8859-1 and utf-8 should handle Ü correctly.
> I don't think that's true. A Ü in iso-8859-1 is a single byte (\xDC). In Unicode/UTF-8 encoding, it is 2 bytes (\xC39C). (The Unicode codepoint of Ü is 00DC (hex), but that's a different matter.) So if the servlet reads a parameter from the post, thinking the post is UTF-8 while it is really iso-8859-1, and this parameter is a Ü, the servlet will read 2 bytes, getting \xDC and whichever byte follows it, and get garbage, because \xDC followed by any other byte is probably not valid UTF-8. On the other hand, if the servlet reads a parameter from the post, thinking the post is iso-8859-1 while it is really UTF-8, and this parameter is a Ü, the servlet will read a single byte (\xC3), which will be converted to the Java Unicode character with codepoint 00C3 (hex), which is a capital A tilde (can't even type that on my German keyboard).
> In fact, this is what happens in reality : We have a html page, defined as being content-type=text/html; charset=UTF-8. It is saved as UTF-8, by a Unicode-savvy editor. It is received by the browser, and the browser (IE or Firefox) says that the document is UTF-8. The page contains a form tag, which contains an enctype=UTF-8 attribute. The form contains an input text box, in which the user types a Ü and then submits the form. In the normal configuration of the target webapp, there are filter1 filter2 servlet (in that order). servlet reads the post parameters and the servlet gets garbage instead of the Java string Ü. If we remove filter1 and filter2, leaving servlet alone, then servlet reads the proper Ü. If we re-instate filter1 and filter2, and in filter2 (the only piece of which I control the code), I add an early call to request.setCharacterEncoding("UTF-8"); then servlet gets the correct string.
> Who is responsible for setting the request character set ? In my naive understanding, I thought that whenever a method call happens which requires parsing the request body, and if by that time the request encoding has not been set explicitly, it would be Tomcat code which would evaluate the circumstances and set the encoding appropriately. Such as :
> - default is iso-8859-1 (as per HTTP default)
> - but if the request somehow says otherwise (*), then whatever the request says. ((*) which for a POST it should always do, no ?)
> Is that a wrong understanding ? (I read the Servlet Spec v 3.0, section 3.10, but I am still not sure)
> filter2 contains calls, in that order, to
> - config.getInitParameter
> - optionally, for testing : request.setCharacterEncoding("UTF-8")
> - request.getRequestURL
> - request.getQueryString
> - request.getRemoteAddr
> - request.getHeaderNames
> - request.getHeader
> - request.getAttributeNames
> .. and, finally, a
> - request.getParameter
> Is it then the responsibility of filter2 to set the request encoding ? Should the optional request.setCharacterEncoding become mandatory ? Should the request.setCharacterEncoding call be made just before the request.getParameter, or is there another earlier method call in the list above that can trigger the encoding to be already set ?
Parameters parsing happens once and is triggered by the first call that requests them.
That call is usually request.getParameter(), but there are two other similar methods. At _that_ moment the conversion from bytes to Strings happens and the request encoding must already be set.

It is the application's responsibility to set the request encoding. It defaults to ISO-8859-1 if not set explicitly. (Maybe it will parse charset value if that is specified in Content-Type header of request, but most browsers do not include charset in their request, so that is irrelevant).

Note that there is a standard SetCharacterEncodingFilter in Tomcat 7. (In 7.0 it is in the o.a.c.filters package, in 6.0 and 5.5 it is in the examples webapp).

Once again, http://wiki.apache.org/tomcat/FAQ/CharacterEncoding

Best regards,
Konstantin Kolinko
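The parse-once behaviour discussed in this thread, as an added example that is not part of the original messages and is not Tomcat code. `ModelRequest`, the two filter functions and the request bodies are hypothetical, constructed stand-ins; only the rules they model (default ISO-8859-1, decoding fixed at the first parameter read) come from the thread.

```python
from urllib.parse import parse_qs

# Constructed request body: a form on a UTF-8 page posting name1=TÜV.
BODY_UTF8 = b"name1=T%C3%9CV"
# Constructed: the same value posted from an ISO-8859-1 page.
BODY_LATIN1 = b"name1=T%DCV"

class ModelRequest:
    """Toy stand-in for a servlet request (hypothetical, not Tomcat code)."""

    DEFAULT_ENCODING = "iso-8859-1"  # used when nobody set an encoding

    def __init__(self, body):
        self._body = body
        self._encoding = None
        self._params = None  # filled once, on first parameter access

    def set_character_encoding(self, encoding):
        # Too late once the parameters were parsed: the call has no effect.
        if self._params is None:
            self._encoding = encoding

    def get_parameter(self, name):
        if self._params is None:  # bytes -> strings happens here, once
            enc = self._encoding or self.DEFAULT_ENCODING
            self._params = parse_qs(self._body.decode("ascii"),
                                    encoding=enc, errors="replace")
        return self._params.get(name, [None])[0]

def reading_filter(req):
    """A filter that touches a parameter before any encoding is set."""
    req.get_parameter("unrelated")

def encoding_filter(req):
    """A filter that declares the request body to be UTF-8."""
    req.set_character_encoding("utf-8")

def run_chain(filters, body=BODY_UTF8):
    """Run the filters in order, then return what the servlet reads."""
    req = ModelRequest(body)
    for f in filters:
        f(req)
    return req.get_parameter("name1")

if __name__ == "__main__":
    for chain in ([], [encoding_filter], [reading_filter, encoding_filter]):
        print([f.__name__ for f in chain], repr(run_chain(chain)))
    print(repr(run_chain([encoding_filter], BODY_LATIN1)))
```

Only the chain in which the encoding is set before any parameter read returns the intended string; a filter that reads a parameter first pins the default encoding for every component behind it.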
How to I add JSTL Lib to Tomcat with Netbeans
Hi

I have jstl-api-1.2 and jstl-impl-1.2 jars in web/lib folder for my project setting. Is this the right setting to add JSTL jars or do I need to add this to Tomcat's lib directory ?

I am using netbeans 7.01 with tomcat 7.0.11 on windows 7. For some reasons I feel that jstl lib is not used by my app and jstl tags are getting ignored.

Can someone point me to right way to add jstl lib with tomcat ?

Thanking you
Kiran Badi
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
Rainer Jung rainer.j...@kippdata.de wrote:

On 05.12.2011 10:42, oh...@cox.net wrote:

André Warnier a...@ice-sa.com wrote:

oh...@cox.net wrote: ...

Rainer Jung rainer.j...@kippdata.de wrote:

Although this thread has moved forward towards the role topic, I want to give some infos about the user forwarding by mod_jk. Some of it was already present in previous posts.

1) In order to let Tomcat accept the user, you need to set tomcatAuthentication to false

2) mod_jk will always forward the user as detected by the following logic:
- the user as authenticated by Apache
- if this doesn't exist it will forward the value of an Apache environment variable. The default name of the variable is JK_REMOTE_USER, but it can be changed using the configuration directive JkRemoteUserIndicator

3) The user ID will *not* be forwarded in the form of a request header

4) The forwarded user id is logged in the JK log file on level debug as the user field in the line:
Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d auth=%s user=%s laddr=%s raddr=%s uri=%s

5) There is no need to use JkEnvVar

6) When not using a real Apache authentication, you can instead set the Apache environment variable JK_REMOTE_USER e.g. via mod_setenvif or the E= syntax of mod_rewrite. If you change the name of the env var using JkRemoteUserIndicator use the variable name given there instead.

7) The Apache authenticated user can be logged in the Apache AccessLog using %u. Any environment variable XXX can be logged using %{XXX}e.

8) The user can be logged in the Tomcat AccessLog using %u.

9) The user is returned by request.getRemoteUser() on the Tomcat side.

Regards,
Rainer

Hi Rainer,

Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator. I'm kind of well along the way with my valve, but I still have mod_jk for one proxy section, so I'll give those a try.

Hi Rainer. Thanks also for the precise information. We've missed you..
Jim, one more question : At the Apache httpd level, when the user has been authenticated by OAM, /can/ you get the authenticated user's user-id ? and how ?

Hi,

On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that gets populated by the OAM agent, called OAM_REMOTE_USER.

So if you want mod_jk to use the value of this header as the authenticated user name and forward it to Tomcat, you either:

a) have to rely on the Oracle module to correctly set the Apache internal request user field

b) or have to find a way to copy the value of this header into the environment variable JK_REMOTE_USER

Concerning a): Usually there's %u in the default LogFormat used by AccessLog. So have a look at the access log to check, whether Apache outputs the correct user name. In that case mod_jk should automatically forward it. This in turn can be checked by the mentioned Service debug log line in the JK log.

If %u in the access log is empty, and the docs of the Oracle module do not give a solution how to set the real Apache request user, we are up to b).

First add %{OAM_REMOTE_USER} to the format/pattern configuration of your Apache and Tomcat access logs, so you can easily check, what both think about the value of that header. Check, that it is populated for both with the right user id.

Now we try to copy the value of the header OAM_REMOTE_USER to the Apache environment variable JK_REMOTE_USER. As you can see in http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif it works like this (assuming you have enabled/loaded mod_setenvif):

    SetEnvIf OAM_REMOTE_USER (.*) JK_REMOTE_USER=$1

Unfortunately this will only work, if the Oracle module that populates the header runs before mod_setenvif. Check, whether the copying works by adding %{JK_REMOTE_USER}e to the format of your Apache AccessLog.

Finally look at the Service line in the jk debug log to see, whether the right user info is now being forwarded. If so, the rest is to be done in Tomcat land.
Set tomcatAuthentication to false and check via request.getRemoteUser() whether you received the right user id.

I would do all this first using a basic test webapp in Tomcat, not your real app.

Finally: this is probably not secure, because

- everyone can send a request which already has a populated OAM_REMOTE_USER header. You would rely on the implementation detail, that the Oracle module might always overwrite that header. Not sure if it does!

- everyone having access to the network port could start talking AJP13 directly to your Tomcat adding whatever remote user id she likes. The protocol is easy to fake.

Regards,
Rainer

Hi, I've tried both SetEnvIf approach, and the setting
Re: How to I add JSTL Lib to Tomcat with Netbeans
- Original Message -
From: Kiran Badi ki...@poonam.org
To: Tomcat Users List users@tomcat.apache.org
Cc:
Sent: Monday, December 5, 2011 6:34 PM
Subject: How to I add JSTL Lib to Tomcat with Netbeans

Hi

I have jstl-api-1.2 and jstl-impl-1.2 jars in web/lib folder for my project setting. Is this the right setting to add JSTL jars or do I need to add this to Tomcat's lib directory ?

I am using netbeans 7.01 with tomcat 7.0.11 on windows 7. For some reasons I feel that jstl lib is not used by my app and jstl tags are getting ignored.

Can someone point me to right way to add jstl lib with tomcat ?

Thanking you
Kiran Badi

In Netbeans, you don't add jar files directly to WEB-INF/lib of your project. Netbeans does this for you when you build the war file.

If you're running a regular Netbeans (ant) project, then do the following:

1. Right-mouse click on the Libraries node of your project
2. Select Add libraries
3. Scroll down until you see the JSTL library
4. Select it and add it

This will add both the standard tag jar and jstl jar to your project. Netbeans will complete <%@ taglib uri=... %> for you as well as all the tags once you add the taglib line to your JSP file.

If you're running a Maven project, then you need to edit your pom.xml file. The two dependencies go in the dependencies element and will be built into your war file under the target directory. Again, once Netbeans knows the libraries are a part of your project (sometimes you have to refresh the project) code completion will work as expected.

In both cases, everything works as expected on the server.

This is my normal (occasional) development environment:

Platform: Windows/XP Professional SP 3 or Fedora 15
JVM: JRE/JDK 1.6.0_29
Maven: 3.0.3
Servers: Tomcat 5.5.34, Tomcat 6.0.33, Tomcat 7.0.22, Glassfish 3.1

Given my limited use, this works pretty well.

just my two cents . . . .

/mde/
Re: SSL configuration on apache tomcat 6 - Oracle EL5
Dear Dan,

I have the native libraries in /usr/share/apache-tomcat-7.0.23/bin/tomcat-native-1.1.22-src/jni/native to install tomcat native. I installed with

    ./configure --with-apr=/usr/local/apr-httpd/ --with-java-home=/usr/java/jdk1.7.0/

Thank you

On Mon, Dec 5, 2011 at 2:23 PM, Daniel Mikusa dmik...@vmware.com wrote:

On Mon, 2011-12-05 at 13:20 -0800, Oladapo Moshood wrote:

Dear all,

I have a very serious problem in making SSL work on apache tomcat 6 on my oracle EL5. I have been able to configure everything. If I access http://localhost:8443 it works but if I change the http to https, it doesn't work. I check my catalina.out log to see with and I saw:

    5-Dec-2011 18:05:55 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
    INFO: Failed to initialize the SSLEngine.

I see no other error apart from this error. What can I do? I need to replicate this at a client site tomorrow - I have to make it work. I WILL REALLY APPRECIATE ANY ASSISTANCE.

Thank you

Using the APR connector requires native libraries.

1.) Where did you get the native libraries? distro package or compile from source?

2.) What options were used to compile the libraries (i.e. if compiling from src, please list your ./configure ... command).

Dan
Re: SSL configuration on apache tomcat 6 - Oracle EL5
Dan,

This is what I actually have in my Oracle EL5. The other information I sent on apache-tomcat-7 was done on my redhat 6 to see if the error I'm getting is a bug in apache-tomcat-6, but got the same error. Here is how I installed it on Oracle EL5:

I have the native libraries in /usr/share/apache-tomcat-6.0.20/bin/tomcat-native-1.1.22-src/jni/native to install tomcat native. I installed with

    ./configure --with-apr=/usr/local/apr-httpd/ --with-java-home=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/

Thank you

On Mon, Dec 5, 2011 at 11:44 PM, Oladapo Moshood morec...@gmail.com wrote:

Dear Dan,

I have the native libraries in /usr/share/apache-tomcat-7.0.23/bin/tomcat-native-1.1.22-src/jni/native to install tomcat native. I installed with

    ./configure --with-apr=/usr/local/apr-httpd/ --with-java-home=/usr/java/jdk1.7.0/

Thank you

On Mon, Dec 5, 2011 at 2:23 PM, Daniel Mikusa dmik...@vmware.com wrote:

On Mon, 2011-12-05 at 13:20 -0800, Oladapo Moshood wrote:

Dear all,

I have a very serious problem in making SSL work on apache tomcat 6 on my oracle EL5. I have been able to configure everything. If I access http://localhost:8443 it works but if I change the http to https, it doesn't work. I check my catalina.out log to see with and I saw:

    5-Dec-2011 18:05:55 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
    INFO: Failed to initialize the SSLEngine.

I see no other error apart from this error. What can I do? I need to replicate this at a client site tomorrow - I have to make it work. I WILL REALLY APPRECIATE ANY ASSISTANCE.

Thank you

Using the APR connector requires native libraries.

1.) Where did you get the native libraries? distro package or compile from source?

2.) What options were used to compile the libraries (i.e. if compiling from src, please list your ./configure ... command).

Dan