Re: VerifyError: ... Illegal constant pool index when jspx invokes a tagx on Tomcat 7.0.16
On 07/12/2011 17:32, Robert Winch wrote:
> We have a web application that was consistently getting a VerifyError whenever a jsp invoked a custom tagx. The jsp is a SiteMesh decorator that uses a custom tagx to display a Spring Security Authentication object. The issue was resolved by restarting the war using the Tomcat Manager, but I am concerned the issue may happen again. Does anyone know what might have caused this to happen and/or how to prevent it from happening again? I have included a full stacktrace [1] and details about our environment [2] below. Any feedback would be greatly appreciated.
>
> Additional Information:
>
> 1) Since restarting the war the VerifyError cannot be reproduced. Note that only the war was restarted; the Tomcat instance was NOT restarted.
> 2) I have tried searching for answers on the forums/Internet. Most of the results I have seen stated that their problem was that the wrong version of Java was used or some sort of byte-code manipulation was being done.
>    a. Since the problem was fixed by cycling the war (and not the JVM) I doubt using the wrong JVM was our problem.
>    b. We are using spring-aop, but only with interface based proxies (not aspectj compilation). Additionally I do not think this should impact the compiled jsp's byte code validity.
>    c. We use hibernate which is using javassist to create proxies of our domain objects at load time, but again I do not think this should impact the compiled jsp's byte code validity.
> 3) I have looked for any jars included in the war that might contain the wrong JspTag or PageContext. I tried to do an open type in Eclipse on both classes and found jsp-api and servlet-api both contain these classes.

You are saying your servlet-api.jar contains the JSP API classes too? I would be concerned about two versions of a class being in the same classloader - but you say below that they are not packaged in the WAR.

Can you upgrade to 7.0.21? There have been a few beneficial changes to the JSP components.

You say below that the compiled tags JSP don't appear to have been recompiled - either upgrade, or clear the work directory to ensure that they have been.

p

> However, these jars are provided maven dependencies. I also validated that they were not packaged in the war's WEB-INF/lib/ directory.
> 4) The code was compiled and is run using a Sun 1.6 JDK
> 5) Unfortunately at the time I did not think to save the generated java or class for the JSP page or the tag lib.
> 6) The last modified date on the jsp and the jsp tag java/class files in Tomcat's work directory both have a time stamp that is much (over two weeks) older than when the war was restarted to resolve the issue. This seems to imply that neither were recompiled.
> 7) I have included a full stack trace of the error [1], and details about the environment [2] below.
>
> [1]
> java.lang.VerifyError: (class: org/apache/jsp/WEB_002dINF/decorators/main_jsp, method: _jspx_meth_tags_005fusername_005f0 signature: (Ljavax/servlet/jsp/tagext/JspTag;Ljavax/servlet/jsp/PageContext;)Z) Illegal constant pool index
>     at java.lang.Class.getDeclaredConstructors0(Native Method)
>     at java.lang.Class.privateGetDeclaredConstructors(Unknown Source)
>     at java.lang.Class.getConstructor0(Unknown Source)
>     at java.lang.Class.newInstance0(Unknown Source)
>     at java.lang.Class.newInstance(Unknown Source)
>     at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:125)
>     at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:162)
>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:356)
>     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:389)
>     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:333)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:59)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
>     at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
>     at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
>     at com.opensymphony.sitemesh.compatability.OldDecorator2NewDecorator.render(OldDecorator2NewDecorator.java:46)
>     at com.opensymphony.sitemesh.webapp.decorator.BaseWebAppDecorator.render(BaseWebAppDecorator.java:33)
>     at
Re: MVC or Model2 with Tomcat
From: Pid * p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, December 8, 2011 12:25:35 PM
Subject: Re: MVC or Model2 with Tomcat

On 8 Dec 2011, at 06:08, Blaxton blaxx...@yahoo.com wrote:

From: Blaxton blaxx...@yahoo.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, December 6, 2011 9:19:00 PM
Subject: Re: MVC or Model2 with Tomcat

From: Pid * p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, December 6, 2011 8:12:40 PM
Subject: Re: MVC or Model2 with Tomcat

snip

On 6 Dec 2011, at 15:52, Blaxton blaxx...@yahoo.com wrote:

I have added the host directive to server.xml and moved appexmp1 contents to ROOT directory and now I can access www.mydomain.com/index.jsp with no problem, however now the servlets are not working. I can access jsp files, but no servlets, I get The requested resource is not available message. as with following direction: http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html#context.xml_-_approach__1 I have created /Catalina_BASE/appexmp1/ROOT/META-INF/context.xml

Ok, please remove the comments from your server.xml and post it inline, here.

I have placed a HelloWorld.class file in /Catalina_BASE/appname/ROOT/WEB-INF/classes/com/mydomain but can't access the class through mydomain.com/app1/HelloWorld

How have you defined the Servlet in ROOT/WEB-INF/web.xml?

tried following context file variations but didn't work:

<Context path="/app1" docBase="." debug="0" reloadable="true" crossContext="true"></Context>

Never do the above.

<Context path="/app1" docBase="ROOT" debug="0" reloadable="true" crossContext="true"></Context>

Or that. The 'path' attribute is not applicable here - in any case it's wrong. Remove the path and docBase attributes from the ROOT.xml file.

p

it seems to me , context file is not being read after adding the host directive to server.xml either when it is in /Catalina_BASE/conf/Catalina/local host or now that it is in /Catalina_BASE/appexmp1/ROOT/META-INF/context.xml

thanks for help

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

OK, my mistake, I had JkMount /*.jsp and /app1/* rather than JkMount /* in httpd-vhost.com changed it as you mentioned to JkMount /* and servlets works now. Also removed path and docbase from context.xml so we can't have default application in ROOT and path in context file ? haven't tried it , but I think we could achieve the same thing with JkAutoAlias which one is recommended ? JkAutoAlias or adding host directive in server.xml ? Thank you very much for help I achieved what i was looking for.

Sorry but there is one more problem. now that I have JkMount /* in vhost1_httpd.conf every thing will be forwarded to tomcat other than *.html because there is a JkUnMount /*.html line in vhost1_httpd.conf but still when I browse mydomain.com/ I get the tomcat error The requested resource() is not available. why is that ?

Some mod_jk config voodoo is bubbling up into my memory. I can't see it in the docs, but try:

JKMount /|* worker

Which version of mod_jk are you using?

I have added welcome directive to web.xml as follow:

<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>

This tells Tomcat to look for index.html in its own resource location. Is it there or are you expecting HTTPD to do that for you? I think you probably want to put index.jsp instead.

and following is DirectoryIndex in vhost1_httpd.conf file:

DirectoryIndex index.jsp index.html index.php

I can access mydomain.com/index.html but getting error when accessing mydomain.com/

Check the access logs to see which server is sending the file.

p

Ok, thanks

I have added JkUnMount / appexmp1worker and with following directive:

DirectoryIndex index.html

I can access mydomain.com/ and the default index.html will be displayed. however, with DirectoryIndex index.jsp because of JkMount /* all requests , including .jsp files would be forwarded to tomcat and I should place index.jsp file where we defined the appbase.

Thanks again
Tomcat JMX/RMI: How server interface is chosen?
I enable JMX server and JMX Registry in tomcat using

<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />

Client connects to 10001 and tomcat returns its address and port 10002, right? But if I have several addresses on the interface tomcat returns the first one. Is it tomcat or RMI issue? How can I set interface and/or ip address to be returned to the client?

Is it possible to use JMX directly over the one TCP port without all that RMI stuff?

Ilya Kazakevich, Developer
JetBrains Inc
http://www.jetbrains.com
Develop with pleasure!
How to forward all kind of request from ROOT to another subdirectory?
Hello,

I need to forward all kind of request from the ROOT, i.e http://localhost:8080/ to http://localhost:8080/myRoot

Is it possible, do I need to create a redirect servlet? However, I think tomcat can be configured to behave that way?
RE: How to forward all kind of request from ROOT to another subdirectory?
Simplest would be to set up an index.html in the root path that redirects to whatever you wish. You can find 500 hits on google about how to do an HTML redirect.

-----Original Message-----
From: Xybrek [mailto:xyb...@gmail.com]
Sent: Thursday, December 08, 2011 3:07 AM
To: users@tomcat.apache.org
Subject: How to forward all kind of request from ROOT to another subdirectory?

Hello,

I need to forward all kind of request from the ROOT, i.e http://localhost:8080/ to http://localhost:8080/myRoot

Is it possible, do I need to create a redirect servlet? However, I think tomcat can be configured to behave that way?
Enable https for all application hosted in tomcat
Hi

I wonder if anyone have configured HTTPS on all their application in the /webapps. Please share if you have any information pertaining to HTTPS in tomcat

Thanks
Michael
Re: How to forward all kind of request from ROOT to another subdirectory?
On 12/8/2011 8:52 PM, Thom Hehl wrote:
> Simplest would be to set up an index.html in the root path that redirects to whatever you wish. You can find 500 hits on google about how to do an HTML redirect.
>
> -----Original Message-----
> From: Xybrek [mailto:xyb...@gmail.com]
> Sent: Thursday, December 08, 2011 3:07 AM
> To: users@tomcat.apache.org
> Subject: How to forward all kind of request from ROOT to another subdirectory?
>
> Hello,
>
> I need to forward all kind of request from the ROOT, i.e http://localhost:8080/ to http://localhost:8080/myRoot
>
> Is it possible, do I need to create a redirect servlet? However, I think tomcat can be configured to behave that way?

Hi, I am using UrlRedirectFilter.
Re: How to forward all kind of request from ROOT to another subdirectory?
On 12/8/2011 9:19 PM, Xybrek wrote:
> On 12/8/2011 8:52 PM, Thom Hehl wrote:
> > Simplest would be to set up an index.html in the root path that redirects to whatever you wish. You can find 500 hits on google about how to do an HTML redirect.
> >
> > -----Original Message-----
> > From: Xybrek [mailto:xyb...@gmail.com]
> > Sent: Thursday, December 08, 2011 3:07 AM
> > To: users@tomcat.apache.org
> > Subject: How to forward all kind of request from ROOT to another subdirectory?
> >
> > Hello,
> >
> > I need to forward all kind of request from the ROOT, i.e http://localhost:8080/ to http://localhost:8080/myRoot
> >
> > Is it possible, do I need to create a redirect servlet? However, I think tomcat can be configured to behave that way?
>
> Hi, I am using UrlRedirectFilter.

Also, I am able to redirect with UrlRedirectFilter from http://localhost:8080 to http://localhost:8080/myRoot

However my problem now is that I want to keep the URL in the browser relative to the original ROOT, i.e. right now when I request for http://localhost:8080/index.html it will show http://localhost:8080/myRoot/index.html but I want to keep it like http://localhost:8080/index.html and for all other request.

Maybe I need to do something with the rules in the urlrewrite.xml

Any ideas?
Re: How to forward all kind of request from ROOT to another subdirectory?
Xybrek wrote:
> On 12/8/2011 9:19 PM, Xybrek wrote:
> > On 12/8/2011 8:52 PM, Thom Hehl wrote:
> > > Simplest would be to set up an index.html in the root path that redirects to whatever you wish. You can find 500 hits on google about how to do an HTML redirect.
> > >
> > > -----Original Message-----
> > > From: Xybrek [mailto:xyb...@gmail.com]
> > > Sent: Thursday, December 08, 2011 3:07 AM
> > > To: users@tomcat.apache.org
> > > Subject: How to forward all kind of request from ROOT to another subdirectory?
> > >
> > > Hello,
> > >
> > > I need to forward all kind of request from the ROOT, i.e http://localhost:8080/ to http://localhost:8080/myRoot
> > >
> > > Is it possible, do I need to create a redirect servlet? However, I think tomcat can be configured to behave that way?
> >
> > Hi, I am using UrlRedirectFilter.
>
> Also, I am able to redirect with UrlRedirectFilter from http://localhost:8080 to http://localhost:8080/myRoot
>
> However my problem now is that I want to keep the URL in the browser relative to the original ROOT, i.e. right now when I request for http://localhost:8080/index.html it will show http://localhost:8080/myRoot/index.html but I want to keep it like http://localhost:8080/index.html and for all other request.
>
> Maybe I need to do something with the rules in the urlrewrite.xml
>
> Any ideas?

Why do you not just rename myRoot to ROOT, making this the default application ?

http://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F
Re: VerifyError: ... Illegal constant pool index when jspx invokes a tagx on Tomcat 7.0.16
On Thu, Dec 8, 2011 at 4:29 AM, Pid p...@pidster.com wrote:
> On 07/12/2011 17:32, Robert Winch wrote:
> > 3) I have looked for any jars included in the war that might contain the wrong JspTag or PageContext. I tried to do an open type in Eclipse on both classes and found jsp-api and servlet-api both contain these classes.
>
> You are saying your servlet-api.jar contains the JSP API classes too? I would be concerned about two versions of a class being in the same classloader - but you say below that they are not packaged in the WAR.

Despite the jars not being included in the war I thought this was a point worth investigating. I need to apologise for providing a bit of misinformation. The servlet-api-2.3, which had the duplicate classes, was actually part of another project within my Eclipse workspace. Looking more closely these classes are not duplicated in the project that had the VerifyError since it had a different servlet-api jar on its classpath. I also reconfirmed that neither jars are not packaged in the war's WEB-INF/lib directory.

> Can you upgrade to 7.0.21? There have been a few beneficial changes to the JSP components.

That is good information to know. We plan on updating to 7.0.23 within the next few weeks.

> You say below that the compiled tags JSP don't appear to have been recompiled - either upgrade, or clear the work directory to ensure that they have been.

I'm not sure I understand. Is there a reason we would want them to be recompiled? The reason I had mentioned this was not because I thought it was a problem but because I thought it helped rule out a problem with how the jsp's were compiled. I'm not certain if my logic is sound, but I thought since it was not working, later did work, and the time stamp had not been updated there was likely something other than the compilation of the jsp's at fault.

> p

Thanks for your response,
Rob
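The check discussed in this message (confirming that no jar under the war's WEB-INF/lib carries its own copy of JspTag, PageContext or other container-provided API classes, and that no class is defined twice inside the webapp) can be scripted instead of done by hand in Eclipse. The following is an added example, not code from the thread or from Tomcat; the sample WAR, its jar names and the list of container-owned packages are constructed assumptions.

```python
import io
import zipfile
from collections import defaultdict

# Packages the servlet container supplies itself (Tomcat's lib/ directory).
# Assumption for this example: any copy of them inside the WAR is a finding.
CONTAINER_PACKAGES = ("javax/servlet/", "javax/el/")


def class_locations(war_file):
    """Map each .class entry to the places inside the WAR that define it."""
    found = defaultdict(list)
    with zipfile.ZipFile(war_file) as war:
        for name in war.namelist():
            if name.startswith("WEB-INF/classes/") and name.endswith(".class"):
                found[name[len("WEB-INF/classes/"):]].append("WEB-INF/classes")
            elif name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                try:
                    with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                        for entry in jar.namelist():
                            # Guard against a jar listing the same entry twice.
                            if entry.endswith(".class") and name not in found[entry]:
                                found[entry].append(name)
                except zipfile.BadZipFile:
                    # A corrupt jar is itself worth reporting.
                    found["<unreadable jar>"].append(name)
    return dict(found)


def bundled_container_api(locations):
    """Return {location: [classes]} for container-owned classes shipped in the WAR."""
    hits = defaultdict(list)
    for cls, places in locations.items():
        if cls.startswith(CONTAINER_PACKAGES):
            for place in places:
                hits[place].append(cls)
    return {place: sorted(classes) for place, classes in hits.items()}


def duplicate_classes(locations):
    """Return {class: [locations]} for classes defined more than once in the webapp."""
    return {cls: places for cls, places in locations.items() if len(places) > 1}


def _jar(entries):
    """Build an in-memory jar whose entries hold placeholder bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war():
    """Constructed WAR: one clean jar and two jars that bundle the JSP API."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/classes/com/example/Hello.class", b"\xca\xfe\xba\xbe")
        war.writestr("WEB-INF/lib/app-core.jar", _jar(["com/example/Core.class"]))
        war.writestr("WEB-INF/lib/servlet-api.jar", _jar([
            "javax/servlet/Servlet.class",
            "javax/servlet/jsp/PageContext.class",
            "javax/servlet/jsp/tagext/JspTag.class",
        ]))
        war.writestr("WEB-INF/lib/jsp-api.jar", _jar([
            "javax/servlet/jsp/PageContext.class",
            "javax/servlet/jsp/tagext/JspTag.class",
        ]))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    locs = class_locations(build_sample_war())
    for place, classes in sorted(bundled_container_api(locs).items()):
        print(f"container API bundled in {place}: {len(classes)} class(es)")
    for cls, places in sorted(duplicate_classes(locs).items()):
        print(f"duplicate {cls}: {', '.join(places)}")
```

To check a real build, pass the path of the war file to `class_locations` in place of the constructed sample.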
Re: VerifyError: ... Illegal constant pool index when jspx invokes a tagx on Tomcat 7.0.16
On 08/12/2011 14:19, Robert Winch wrote:
> On Thu, Dec 8, 2011 at 4:29 AM, Pid p...@pidster.com wrote:
> > You say below that the compiled tags JSP don't appear to have been recompiled - either upgrade, or clear the work directory to ensure that they have been.
>
> I'm not sure I understand. Is there a reason we would want them to be recompiled? The reason I had mentioned this was not because I thought it was a problem but because I thought it helped rule out a problem with how the jsp's were compiled. I'm not certain if my logic is sound, but I thought since it was not working, later did work, and the time stamp had not been updated there was likely something other than the compilation of the jsp's at fault.

Very occasionally between minor versions we make changes to the code that converts JSPs to Java and correct operation *requires* that the JSPs are recompiled. We don't do it very often but it does happen. We try and do things in such a way that Tomcat handles this automatically e.g. look in the changelog for bug 33453.

That said, I *always* clean out the work directory when doing any Tomcat upgrade.

Mark
Re: Tomcat 7.0.23 won't start
> Add a Realm definition or wait until 7.0.24. There's a bug in 7.0.23.

I am waiting for 7.0.24.

> I'm wincing as I ask: is there a particular reason that you're defining the Context in server.xml - it's been strongly recommended to not do that for quite a while.

Okay, I will byte.

Practical: This was my sandbox config file. I switch between 6 different applications. I do this by switching server.xml files when I switch projects. This keeps things minimal (not starting up 6 connection pools), it's easier to switch one file, and it makes restarts faster.

Opinion: I hate over decomposition and I preferred the days when tomcat was only configured with server.xml. Tomcat's configuration is not that complicated, do we really need a bunch of configuration files? It's bad when one thing becomes two, and hence good when two things become one. I bet you're also in the micro kernel camp. I know lots of people clamored for being able to configure the connection pool in their war file. I don't know why anyone would do this, our WAR file runs in any environment where the jndi name is present. They have to build separate WAR files for each environment. Basically I think the context.xml is stupid. If it matters so much change the document definition.
Re: Enable https for all application hosted in tomcat
Greetings,

On Thu, Dec 8, 2011 at 8:05 AM, RenuKumar r...@dbxpert.com.my wrote:
> I wonder if anyone have configured HTTPS on all their application in the /webapps. Please share if you have any information pertaining to HTTPS in tomcat

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

-Jesse

--
There are 10 types of people in this world, those that can read binary and those that can not.
Re: SSL configuration on apache tomcat 6 - Oracle EL5
After the re-installation of the whole Apache Tomcat Native Library, I still get:

Dec 8, 2011 12:25:28 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.16.
Dec 8, 2011 12:25:28 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Dec 8, 2011 12:25:28 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Failed to initialize the SSLEngine.
Dec 8, 2011 12:25:28 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Dec 8, 2011 12:25:28 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Dec 8, 2011 12:25:28 PM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
Dec 8, 2011 12:25:28 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 534 ms
Dec 8, 2011 12:25:28 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Dec 8, 2011 12:25:28 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.20
Dec 8, 2011 12:25:29 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive swt-web.war
Dec 8, 2011 12:25:30 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Dec 8, 2011 12:25:30 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Dec 8, 2011 12:25:30 PM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
Dec 8, 2011 12:25:30 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1411 ms

Do I need to do the rest of configuration using http server virtual host: 443 ?

When I implemented SSL last on Redhat 4, all i did was to configure ssl.conf and use proxy reverse to instruct http server to service any service from my web application.

Please assist to remind me on what to do.

Regards,
Moshood

On Tue, Dec 6, 2011 at 6:38 AM, Daniel Mikusa dmik...@vmware.com wrote:
> On Tue, 2011-12-06 at 01:10 -0800, Oladapo Moshood wrote:
> I think yes because I specified the library path. Or how can I confirm your question on my server. see below what I have in the path
>
> [root@opt01 apr-httpd]# ll
> total 16
> drwxr-xr-x 2 root root 4096 Dec 2 12:27 bin
> drwxr-xr-x 2 root root 4096 Dec 2 12:27 build-1
> drwxr-xr-x 3 root root 4096 Dec 2 12:27 include
> drwxr-xr-x 3 root root 4096 Dec 5 04:02 lib
> [root@opt01 apr-httpd]# cd lib
> [root@opt01 lib]# ll
> total 2932
> -rw-r--r-- 1 root root 8351 Dec 2 12:27 apr.exp
> -rw-r--r-- 1 root root 873264 Dec 2 12:27 libapr-1.a
> -rwxr-xr-x 1 root root 831 Dec 2 12:27 libapr-1.la
> lrwxrwxrwx 1 root root 17 Dec 2 12:27 libapr-1.so -> libapr-1.so.0.4.5
> lrwxrwxrwx 1 root root 17 Dec 2 12:27 libapr-1.so.0 -> libapr-1.so.0.4.5
> -rwxr-xr-x 1 root root 594639 Dec 2 12:27 libapr-1.so.0.4.5
> -rw-r--r-- 1 root root 879016 Dec 5 04:02 libtcnative-1.a
> -rwxr-xr-x 1 root root 899 Dec 5 04:02 libtcnative-1.la
> lrwxrwxrwx 1 root root 23 Dec 5 04:02 libtcnative-1.so -> libtcnative-1.so.0.1.16
> lrwxrwxrwx 1 root root 23 Dec 5 04:02 libtcnative-1.so.0 -> libtcnative-1.so.0.1.16
> -rwxr-xr-x 1 root root 604439 Dec 5 04:02 libtcnative-1.so.0.1.16
> drwxr-xr-x 2 root root 4096 Dec 5 04:02 pkgconfig
>
> I also have the native library in /usr/lib:
>
> [root@opt01 lib]# pwd
> /usr/lib
> [root@opt01 lib]# ls -l libtc*
> -rwxr-xr-x 1 root root 785200 Jan 10 2007 libtcl8.4.so
> lrwxrwxrwx 1 root root 23 Dec 5 04:07 libtcnative-1.so -> libtcnative-1.so.0.1.16
> -rwxr-xr-x 1 root root 604439 Dec 5 04:06 libtcnative-1.so.0.1.16
> [root@opt01 lib]#
>
> My tomcat startup variables are:
>
> Using CATALINA_BASE: /home/oracle/apache-tomcat-6.0.20
> Using CATALINA_HOME: /home/oracle/apache-tomcat-6.0.20
> Using CATALINA_TMPDIR: /home/oracle/apache-tomcat-6.0.20/temp
> Using JRE_HOME: /usr/java/jre1.6.0_17
>
> THa
>
> On Tue, Dec 6, 2011 at 12:12 AM, Pid * p...@pidster.com wrote:
> On 6 Dec 2011, at 07:51, Oladapo Moshood morec...@gmail.com wrote:
> Dan, This is what I actually have in my Oracle EL5. The other information I sent on apache-tomcat-7 was done on my redhat 6 to see if the error i'm getting is a bug in apache-tomcat-6, but got the same error. Here is how i installed it on Oracle EL5: I have the native libraries in /usr/share/apache-tomcat-6.0.20/bin/tomcat-native-1.1.22-src/jni/native to install tomcat native. I Installed with ./configure --with-apr=/usr/local/apr-httpd/
>
> And is that location in the library path that Tomcat is looking in?
>
> This is an important question, what do you have set for java.library.path? If you don't know, run Tomcat and execute
>
> jinfo <tomcat-pid> | grep java.library.path
Re: SSL configuration on apache tomcat 6 - Oracle EL5
On Thu, 2011-12-08 at 08:22 -0800, Oladapo Moshood wrote:
> After the re-installation of the whole Apache Tomcat Native Library, I still get:

Ok, take a step back for a second...

1.) What were the results of ./configure ...? If you could paste them in here, that would be helpful.

2.) After you run make and it completes successfully, what do you see if you run ldd .libs/libtcnative-1.so?

Dan

PS. You're top posting and it is making it very difficult to follow this post.

> Dec 8, 2011 12:25:28 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.16.
> Dec 8, 2011 12:25:28 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> Dec 8, 2011 12:25:28 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> INFO: Failed to initialize the SSLEngine.
> Dec 8, 2011 12:25:28 PM org.apache.coyote.http11.Http11AprProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> Dec 8, 2011 12:25:28 PM org.apache.coyote.http11.Http11AprProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8443
> Dec 8, 2011 12:25:28 PM org.apache.coyote.ajp.AjpAprProtocol init
> INFO: Initializing Coyote AJP/1.3 on ajp-8009
> Dec 8, 2011 12:25:28 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 534 ms
> Dec 8, 2011 12:25:28 PM org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> Dec 8, 2011 12:25:28 PM org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.20
> Dec 8, 2011 12:25:29 PM org.apache.catalina.startup.HostConfig deployWAR
> INFO: Deploying web application archive swt-web.war
> Dec 8, 2011 12:25:30 PM org.apache.coyote.http11.Http11AprProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-8080
> Dec 8, 2011 12:25:30 PM org.apache.coyote.http11.Http11AprProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-8443
> Dec 8, 2011 12:25:30 PM org.apache.coyote.ajp.AjpAprProtocol start
> INFO: Starting Coyote AJP/1.3 on ajp-8009
> Dec 8, 2011 12:25:30 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 1411 ms
>
> Do I need to do the rest of configuration using http server virtual host: 443 ?
>
> When I implemented SSL last on Redhat 4, all i did was to configure ssl.conf and use proxy reverse to instruct http server to service any service from my web application.
>
> Please assist to remind me on what to do.
>
> Regards,
> Moshood
>
> On Tue, Dec 6, 2011 at 6:38 AM, Daniel Mikusa dmik...@vmware.com wrote:
> On Tue, 2011-12-06 at 01:10 -0800, Oladapo Moshood wrote:
> I think yes because I specified the library path. Or how can I confirm your question on my server. see below what I have in the path
>
> [root@opt01 apr-httpd]# ll
> total 16
> drwxr-xr-x 2 root root 4096 Dec 2 12:27 bin
> drwxr-xr-x 2 root root 4096 Dec 2 12:27 build-1
> drwxr-xr-x 3 root root 4096 Dec 2 12:27 include
> drwxr-xr-x 3 root root 4096 Dec 5 04:02 lib
> [root@opt01 apr-httpd]# cd lib
> [root@opt01 lib]# ll
> total 2932
> -rw-r--r-- 1 root root 8351 Dec 2 12:27 apr.exp
> -rw-r--r-- 1 root root 873264 Dec 2 12:27 libapr-1.a
> -rwxr-xr-x 1 root root 831 Dec 2 12:27 libapr-1.la
> lrwxrwxrwx 1 root root 17 Dec 2 12:27 libapr-1.so -> libapr-1.so.0.4.5
> lrwxrwxrwx 1 root root 17 Dec 2 12:27 libapr-1.so.0 -> libapr-1.so.0.4.5
> -rwxr-xr-x 1 root root 594639 Dec 2 12:27 libapr-1.so.0.4.5
> -rw-r--r-- 1 root root 879016 Dec 5 04:02 libtcnative-1.a
> -rwxr-xr-x 1 root root 899 Dec 5 04:02 libtcnative-1.la
> lrwxrwxrwx 1 root root 23 Dec 5 04:02 libtcnative-1.so -> libtcnative-1.so.0.1.16
> lrwxrwxrwx 1 root root 23 Dec 5 04:02 libtcnative-1.so.0 -> libtcnative-1.so.0.1.16
> -rwxr-xr-x 1 root root 604439 Dec 5 04:02 libtcnative-1.so.0.1.16
> drwxr-xr-x 2 root root 4096 Dec 5 04:02 pkgconfig
>
> I also have the native library in /usr/lib:
>
> [root@opt01 lib]# pwd
> /usr/lib
> [root@opt01 lib]# ls -l libtc*
> -rwxr-xr-x 1 root root 785200 Jan 10 2007 libtcl8.4.so
> lrwxrwxrwx 1 root root 23 Dec 5 04:07 libtcnative-1.so -> libtcnative-1.so.0.1.16
> -rwxr-xr-x 1 root root 604439 Dec 5 04:06 libtcnative-1.so.0.1.16
> [root@opt01 lib]#
>
> My tomcat startup variables are:
>
> Using CATALINA_BASE: /home/oracle/apache-tomcat-6.0.20
> Using CATALINA_HOME: /home/oracle/apache-tomcat-6.0.20
> Using CATALINA_TMPDIR: /home/oracle/apache-tomcat-6.0.20/temp
> Using JRE_HOME: /usr/java/jre1.6.0_17
>
> THa
>
> On Tue, Dec 6, 2011 at 12:12 AM, Pid * p...@pidster.com wrote:
> On 6 Dec 2011, at 07:51, Oladapo Moshood morec...@gmail.com wrote:
> Dan, This is what I actually have in my Oracle EL5. The other information I sent on apache-tomcat-7 was done on my redhat 6 to see if the error i'm getting is a bug in apache-tomcat-6, but got the same
Securing only a single web application on Tomcat
Hi,

I have multiple applications hosted on my tomcat server which include web services, web applications etc. To secure the web services, we made changes to server.xml -connector element and defined roles in tomcat-users.xml. In the web services, we made changes in the web.xml to add the security-constraint, security-role etc.

However, the problem we are facing is that all the web applications hosted on the Tomcat are prompting for a certificate while accessing them. Is there any way to restrict the security only to a single web component on the Tomcat server rather than the entire server or all applications on the server?

Thanks,
Savitha
Re: How to forward all kind of request from ROOT to another subdirectory?
On Thursday, 08 December, 2011 09:37 PM, André Warnier wrote:
> Xybrek wrote:
> > On 12/8/2011 9:19 PM, Xybrek wrote:
> > > On 12/8/2011 8:52 PM, Thom Hehl wrote:
> > > > Simplest would be to set up an index.html in the root path that redirects to whatever you wish. You can find 500 hits on google about how to do an HTML redirect.
> > > >
> > > > -----Original Message-----
> > > > From: Xybrek [mailto:xyb...@gmail.com]
> > > > Sent: Thursday, December 08, 2011 3:07 AM
> > > > To: users@tomcat.apache.org
> > > > Subject: How to forward all kind of request from ROOT to another subdirectory?
> > > >
> > > > Hello,
> > > >
> > > > I need to forward all kind of request from the ROOT, i.e http://localhost:8080/ to http://localhost:8080/myRoot
> > > >
> > > > Is it possible, do I need to create a redirect servlet? However, I think tomcat can be configured to behave that way?
> > >
> > > Hi, I am using UrlRedirectFilter.
> >
> > Also, I am able to redirect with UrlRedirectFilter from http://localhost:8080 to http://localhost:8080/myRoot
> >
> > However my problem now is that I want to keep the URL in the browser relative to the original ROOT, i.e. right now when I request for http://localhost:8080/index.html it will show http://localhost:8080/myRoot/index.html but I want to keep it like http://localhost:8080/index.html and for all other request.
> >
> > Maybe I need to do something with the rules in the urlrewrite.xml
> >
> > Any ideas?
>
> Why do you not just rename myRoot to ROOT, making this the default application ?
>
> http://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F

Hi Andre,

Thanks. I know about placing the web app (like myRoot) under the ROOT and it will work. However, there is another issue that comes when I do this, an issue with my GWT (http://code.google.com/webtoolkit/) web app, where the client-side code cannot access the services (servlets).

My gwt application works just fine in the myRoot folder of the tomcat webapps folder. So my idea, is just forward every access to the ROOT to myRoot. But then again, if there's a better solution I may want to try it.
Re: VerifyError: ... Illegal constant pool index when jspx invokes a tagx on Tomcat 7.0.16
On Thu, Dec 8, 2011 at 9:02 AM, Mark Thomas ma...@apache.org wrote:
> On 08/12/2011 14:19, Robert Winch wrote:
>> On Thu, Dec 8, 2011 at 4:29 AM, Pid p...@pidster.com wrote:
>>> You say below that the compiled tags JSP don't appear to have been recompiled - either upgrade, or clear the work directory to ensure that they have been.
>>
>> I'm not sure I understand. Is there a reason we would want them to be recompiled? The reason I had mentioned this was not because I thought it was a problem but because I thought it helped rule out a problem with how the jsp's were compiled. I'm not certain if my logic is sound, but I thought since it was not working, later did work, and the time stamp had not been updated there was likely something other than the compilation of the jsp's at fault.
>
> Very occasionally between minor versions we make changes to the code that converts JSPs to Java and correct operation *requires* that the JSPs are recompiled. We don't do it very often but it does happen. We try and do things in such a way that Tomcat handles this automatically e.g. look in the changelog for bug 33453.
>
> That said, I *always* clean out the work directory when doing any Tomcat upgrade.
>
> Mark

Thanks for clarifying. I wasn't sure if this was related to my issue or if it was advice for when we update Tomcat. Since we have not made any updates to Tomcat I do not think this is related to this issue. However, this is definitely good information to have for when we do the upgrade.

Thanks again.
Re: How to forward all kind of request from ROOT to another subdirectory?
Xybrek wrote:
> Hi Andre,
>
> Thanks. I know about placing the web app (like myRoot) under the ROOT and it will work. However, there is another issue that comes when I do this, an issue with my GWT (http://code.google.com/webtoolkit/) web app, where the client-side code cannot access the services (servlets). My gwt application works just fine in the myRoot folder of the tomcat webapps folder.
>
> So my idea, is just forward every access to the ROOT to myRoot. But then again, if there's a better solution I may want to try it.

I don't think that I really understand the problem. Let me re-phrase it, and you tell us if that is what you want :

I want that when a browser accesses the URLs : "http://myhost:8080" or "http://myhost:8080/" (and only for those 2 specific URLs), it is redirected to "http://myhost:8080/myapp/".

And I want that for all URLs which start with : http://myhost:8080/myapp they stay where they are (in /myapp)

And I want that if they ask for http://myhost:8080/something-else they really get /something-else from within the webapps/ROOT/something-else directory.

Is that what you want ?
Re: How to forward all kind of request from ROOT to another subdirectory?
On Friday, 09 December, 2011 01:18 AM, André Warnier wrote:
> I don't think that I really understand the problem. Let me re-phrase it, and you tell us if that is what you want :
>
> I want that when a browser accesses the URLs : "http://myhost:8080" or "http://myhost:8080/" (and only for those 2 specific URLs), it is redirected to "http://myhost:8080/myapp/".
>
> And I want that for all URLs which start with : http://myhost:8080/myapp they stay where they are (in /myapp)
>
> And I want that if they ask for http://myhost:8080/something-else they really get /something-else from within the webapps/ROOT/something-else directory.
>
> Is that what you want ?

Hi Andre,

For /somethingelse yah that's what I mean.

Every access to "http://myhost:8080" will be forwarded to http://myhost:8080/myapp

Like if request is: http://myhost:8080/something.html, it will forward it to http://myhost:8080/myapp/something.html

Or request like: http://myhost:8080/?q=test will be forwarded to http://myhost:8080/myapp/?q=test

Is it possible?
Re: Securing only a single web application on Tomcat
On Thu, 2011-12-08 at 08:49 -0800, Savitha Akella wrote:
> Hi, I have multiple applications hosted on my tomcat server which includes web services, web applications etc. To secure the web services, we made changes to server.xml -connector

What specifically did you change in server.xml? Please also list your connector configuration and what version of Tomcat you are using.

Dan

> element and defined roles in tomcat-users.xml. In the web services, we made changes in the web.xml to add the security-constraint, security-role etc. However, the problem we are facing is that all the web application hosted on the Tomcat are prompting for certificate while accessing them.
>
> Is there any way to restrict the security only to a single web component on the Tomcat server rather than the entire server or all applications on the server.
>
> Thanks, Savitha
Re: AJP connection timeout setting/Tomcat 6 vs. 7 questions
On Dec 6, 2011, at 2:25 PM, André Warnier wrote:
> Kari Scott wrote:
>> We are running Tomcat 6.0.32 with jdk1.6.0_26 on Solaris 10, mod_ajp 1.3 and Apache 2.2.21 on all but one production server which is the same except for it's running Tomcat 7.0.21. I have some questions regarding connection timeout settings.
>>
>> Occasionally, when the site is busier we see jumps in the number of connections to 8009 and then that number stays high for about 30 minutes before settling back down into our average range. A thread dump shows that these connections correspond to these socket threads:
>>
>> TP-Processor222 daemon prio=3 tid=0x00c76400 nid=0x5669 runnable [0x8cf7f000]
>>    java.lang.Thread.State: RUNNABLE
>>     at java.net.SocketInputStream.socketRead0(Native Method)
>>     at java.net.SocketInputStream.read(SocketInputStream.java:129)
>>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
>>     at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
>>     at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
>>     - locked 0xcb2a0eb0 (a java.io.BufferedInputStream)
>>     at org.apache.jk.common.ChannelSocket.read(ChannelSocket.java:628)
>>     at org.apache.jk.common.ChannelSocket.receive(ChannelSocket.java:566)
>>     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:693)
>>     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898)
>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
>>     at java.lang.Thread.run(Thread.java:662)
>>
>> The problem isn't so much that they stick around, but when these first start increasing, there is a noticeable hit in performance and evidence that threads are waiting for resources. Oddly, the one trial Tomcat 7 server with the same connector, load and code never experiences this problem.
>>
>> We currently don't have a connectionTimeout specified for our connector so my plan is to try the following:
>>
>> <Connector port="8009" protocol="AJP/1.3" connectionTimeout="2" redirectPort="8443" />
>>
>> Here are my questions:
>>
>> * Do I also need to set the connection_pool_timeout in the worker? Or is that the one I should be changing instead of connectionTimeout?
>> * Is there a different time out setting I should be looking at?
>> * Is there an easy explanation as to why Tomcat 7 never experiences this issue? I'm just wondering (o.k. hoping) that there is some magic Tomcat 7 default setting some place that we can add to our Tomcat 6 environments that can help us out until we've upgraded everything.
>
> Just a question, to add to your excellent summary above : in your front-end server configuration, what are the settings related to keep-alive ?

All the servers have the following Apache settings:

KeepAlive On
MaxKeepAliveRequests 200
KeepAliveTimeout 15

> And maybe, can you provide an example of the server.xml (comments and sensitive info removed) for both a server which experiences the issue, and for the 7.0 server which doesn't ? (paste them inside the message, the list strips most attachments).

I sure can. I also removed some of the entries that were exactly the same so it's easier to see the differences:

Tomcat 7 server.xml:

<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>
      </Host>
    </Engine>
  </Service>
</Server>

Tomcat 6 server.xml:

<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="com.jamonapi.http.JAMonTomcatValve"/>
      <Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false" xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>

So the big difference is the presence of the JaMON Valve we're using on Tomcat 6 but accidentally forgot to put on Tomcat 7. Maybe this was a fortuitous mistake. I'll try removing it from one of our Tomcat 6 servers to see if that's the culprit. We don't need that access logging valve enabled on Tomcat 7 either, so this was a really good exercise to go through.

Thanks!

-kari
Re: Securing only a single web application on Tomcat
Savitha,

On 12/8/11 11:49 AM, Savitha Akella wrote:
> I have multiple applications hosted on my tomcat server which includes web services, web applications etc. To secure the web services, we made changes to server.xml -connector element and defined roles in tomcat-users.xml.

The only change you can make to your connector to secure it would be to make it into HTTPS. That doesn't really secure anything other than the data that gets exchanged during the HTTP conversation.

> In the web services, we made changes in the web.xml to add the security-constraint, security-role etc. However, the problem we are facing is that all the web application hosted on the Tomcat are prompting for certificate while accessing them.

Which web.xml did you change? The one for your webapp in WEB-INF/web.xml or the site-wide Tomcat default one in conf/web.xml?

> Is there any way to restrict the security only to a single web component on the Tomcat server rather than the entire server or all applications on the server.

Use WEB-INF/web.xml for your security-constraints, where they belong. It appears you have modified the site-wide constraints which is why they are applying to all webapps.

-chris
Re: VerifyError: ... Illegal constant pool index when jspx invokes a tagx on Tomcat 7.0.16
Robert,

On 12/8/11 9:19 AM, Robert Winch wrote:
> That is good information to know. We plan on updating to 7.0.23 within the next few weeks.

Be aware that there is a bug in 7.0.23 that causes a hang-on-startup if a webapp does not have a Realm defined. You can either define a dummy Realm or use 7.0.22 instead.

-chris
Re: Tomcat 7.0.23 won't start
Jacob,

On 12/8/11 10:04 AM, Jacob Champlin wrote:
> Practical: This was my sandbox config file. I switch between 6 different applications. I do this by switching server.xml files when I switch projects. This keeps things minimal (not starting up 6 connection pools), its easier to switch one file, and it makes restarts faster.

You could do this in other ways. One way I like to do this is with different CATALINA_BASE structures. This makes upgrading easier (for me), too.

Another way is to move deployment descriptors in-to or out-of the conf/Catalina/localhost directory. Likewise, you could choose to include (or not) foo.war in the webapps/ auto-deployment directory.

> Opinion: I hate over-decomposition and I preferred the days when tomcat was only configured with server.xml.

Fair enough.

> Tomcat's configuration is not that complicated, do we really need a bunch of configuration [files?]

Modifying server.xml requires a Tomcat restart to re-read the config file. The other methods offer greater flexibility and are, IMHO, easier to do, anyway. Also, it's tougher to disable a Tomcat instance with a broken META-INF/context.xml than it is to disable one with a broken server.xml.

> Its bad when one thing becomes two, and hence good when two things become one.

I'd argue a negative premise on that one. Dying is bad, but un-dying is *way* worse. ... brains .

> bet your also in the micro kernel camp.

Flame bait ignored.

> I know lots of people clamored for being able to configure the connection pool in there war file.

I'm not sure that would have been a good idea, as it's generally a service offered by the system and not configured by the webapp. Maybe you meant the TC deployment descriptor (context.xml) which can be totally controlled by the sys admin and need not be in the WAR file itself.

> I don't know why anyone would do this, our WAR file runs in any environment where the jndi name is present.

Yes, that's the point. You're using Recommended Technique(TM).

> They have to build separate WAR files for each environment.

Just because it's Recommended Technique doesn't mean that it's best and/or appropriate for your (or anyone's) environment. There are always some good (and usually lots of bad) reasons to deviate from that.

> Basically I think the context.xml is stupid. If it matters so much change the document definition.

Sounds like your webapp doesn't need a context.xml. How's that for simplicity and ease of configuration?

-chris
Re: How to forward all kind of request from ROOT to another subdirectory?
Xybrek,

On 12/8/11 11:58 AM, Xybrek wrote:
> Thanks. I know about placing the web app (like myRoot) under the ROOT and it will work. However, there is another issue that comes when I do this, an issue with my GWT (http://code.google.com/webtoolkit/) web app, where the client-side code cannot access the services (servlets).

That sounds like a problem either with GWT (unlikely) or with your webapp. Have you perchance been hard-coding your context paths?

Maybe we can help you fix your webapp so that you can re-home it without these ugly hacks like semi-conditional redirection.

-chris
Re: Securing only a single web application on Tomcat
Hi,

We are using tomcat version 7.0.11

Here are the changes we made in server.xml:

<Connector SSLEnabled="true" clientAuth="true" keyAlias="tomcat" keyPass="xyz"
           keystoreFile="C:/Users/keystorepath/key.keystore" maxThreads="150" port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true"
           sslProtocol="TLS" trustMaxCertLength="10"
           truststoreFile="C:/Users/trustorepath/truststore.keystore" truststorePass="abc"/>

here is my tomcat-users.xml

<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="developer"/>
  <role rolename="manager-gui"/>
  <role rolename="webservice"/>
  <user username="admin" password="folsom!1" roles="admin,manager,manager-gui" />
  <user username="developer" password="folsom" roles="manager,manager-gui" />
  <user username="EMAILADDRESS=a...@xyz.com, CN=certauth, OU=OU1, O=XYZ, L=ABC, ST=CA, C=US" password="" roles="webservice,admin,manager,manager-gui"/>
</tomcat-users>

I have changed the web.xml of my web services to refer to the role configured in the tomcat-users.xml. Here is the web.xml:

<security-constraint>
  <display-name>ClientCertificateRequired</display-name>
  <web-resource-collection>
    <web-resource-name>MyWebService</web-resource-name>
    <description></description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description></description>
    <role-name>webservice</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description></description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>tomcat-users</realm-name>
</login-config>
<security-role>
  <description></description>
  <role-name>webservice</role-name>
</security-role>

In other web applications, I didn't make any changes in the web.xml of those apps.

Regards,
Savitha

On Thu, Dec 8, 2011 at 9:43 AM, Daniel Mikusa dmik...@vmware.com wrote:
> What specifically did you change in server.xml? Please also list your connector configuration and what version of Tomcat you are using.
>
> Dan
RemoteIpFilter not working
Hi,

I have set up the RemoteIpFilter (Tomcat 7.0.8) in the webapps web.xml like this:

<filter>
  <filter-name>RemoteIpFilter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>RemoteIpFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

The mapping is the first in the filter chain. But when I call request.getRemoteAddr() in a plain jsp in the root of the webapp I get the IP from the proxy not from the client. The proxy sends x-forwared-for correctly.

What can be the problem?

Thank you
Re: RemoteIpFilter not working
To whom it may concern,

On 12/8/11 3:52 PM, spr...@gmx.eu wrote:
> I have set up the RemoteIpFilter (Tomcat 7.0.8)

It's time to upgrade: 7.0.23 is available and includes significant improvements including security-related bug fixes.

> in the webapps web.xml like this:
>
> <filter>
>   <filter-name>RemoteIpFilter</filter-name>
>   <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
> </filter>
> <filter-mapping>
>   <filter-name>RemoteIpFilter</filter-name>
>   <url-pattern>/*</url-pattern>
>   <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> The mapping is the first in the filter chain. But when I call request.getRemoteAddr() in a plain jsp in the root of the webapp I get the IP from the proxy not from the client. The proxy sends x-forwared-for correctly.
>
> What can be the problem?

Can you send a dump of the HTTP headers received by the webapp and the return value of the various request.getXXX methods? That would be very helpful, here.

-chris
Re: Re: Tomcat 7.0.23 won't start
Chris,

> Flame bait ignored.

You're a better man than me :) I couldn't ignore the attack on my server.xml when I was working a bug.

Jacob
Re: Securing only a single web application on Tomcat
Savitha,

On 12/8/11 3:01 PM, Savitha Akella wrote:
> We are using tomcat version 7.0.11

You should upgrade if you have the chance. 7.0.23 is available and there have been many improvements including fixes for security-related bugs.

> Here are the changes we made in server.xml:
>
> <Connector SSLEnabled="true" clientAuth="true" keyAlias="tomcat" keyPass="xyz"
>            keystoreFile="C:/Users/keystorepath/key.keystore" maxThreads="150" port="8443"
>            protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true"
>            sslProtocol="TLS" trustMaxCertLength="10"
>            truststoreFile="C:/Users/trustorepath/truststore.keystore" truststorePass="abc"/>

This is what you have now. I have no idea what you had before.

If the above connector is the only one you have, then everyone must connect using HTTPS. Is that what you wanted? Also, all clients must present a certificate because you have clientAuth="true" which requires a certificate to connect.

If you want other webapps to allow non-HTTPS traffic, you'll need a separate, non-secure HTTP connector.

If you want one webapp to be able to receive a Client SSL certificates but the others not demand them, then you need to set clientAuth="want" instead of clientAuth="true".

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

-chris
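The point of the reply above is that clientAuth is decided per connector during the TLS handshake, while CLIENT-CERT is declared per webapp in WEB-INF/web.xml. The following check is an added example (not code from the thread or from Tomcat): it parses a constructed server.xml and constructed web.xml files and reports every connector that demands a certificate from webapps that never asked for one. The context paths and sample files are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector quoted in the thread
# (keystore/truststore attributes omitted; they do not affect the check).
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"/>
  </Service>
</Server>"""

# Constructed WEB-INF/web.xml contents keyed by context path (hypothetical names).
WEBAPPS = {
    "/mywebservice": """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyWebService</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>webservice</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>webservice</role-name></security-role>
</web-app>""",
    "/otherapp": '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"/>',
}


def _local(tag):
    """Drop an XML namespace so '{ns}auth-method' compares as 'auth-method'."""
    return tag.rsplit("}", 1)[-1]


def handshake_policy(connector):
    """Classify what a <Connector> asks of every client during the TLS handshake.

    'true' requires a certificate and 'want' requests one without failing;
    any other value (Tomcat's default is 'false') does not request one up front.
    """
    if connector.get("SSLEnabled", "false").lower() != "true":
        return "no-tls"
    value = connector.get("clientAuth", "false").lower()
    return {"true": "required", "want": "optional"}.get(value, "not-requested")


def auth_method(web_xml):
    """Return the webapp's declared <auth-method>, or None if it has no login-config."""
    for element in ET.fromstring(web_xml).iter():
        if _local(element.tag) == "auth-method":
            return (element.text or "").strip().upper()
    return None


def audit(server_xml, webapps):
    """List (port, [context paths]) for connectors that force a client
    certificate on webapps that do not declare CLIENT-CERT themselves."""
    cert_apps = {path for path, xml in webapps.items()
                 if auth_method(xml) == "CLIENT-CERT"}
    bystanders = sorted(path for path in webapps if path not in cert_apps)
    findings = []
    for connector in ET.fromstring(server_xml).iter("Connector"):
        if handshake_policy(connector) == "required" and bystanders:
            findings.append((connector.get("port"), bystanders))
    return findings


if __name__ == "__main__":
    for port, paths in audit(SERVER_XML, WEBAPPS):
        print(f"connector {port}: clientAuth=true also forces a certificate on {paths}")
```

Run against real files by reading conf/server.xml and each webapp's WEB-INF/web.xml into the same two arguments.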
Re: Session replication fails with Member send is failing
On 12/7/2011 9:04 AM, Jürgen Link wrote:
> Caused by: org.apache.catalina.tribes.RemoteProcessException: Received a failedack:org.apache.catalina.tribes.transport.Constants.FAIL_ACK_DATA

sure thing, this is actually telling the sender that an exception happened on the receiver end. Take a look at the logs for tcp://{10, 1, 3, 181}:5000 and it should contain the information in there

Filip
Re: Securing only a single web application on Tomcat
On 8 Dec 2011, at 16:50, Savitha Amelia savitha.saraswa...@gmail.com wrote:
> Hi, I have multiple applications hosted on my tomcat server which includes web services, web applications etc. To secure the web services, we made changes to server.xml -connector element and defined roles in tomcat-users.xml. In the web services, we made changes in the web.xml to add the security-constraint, security-role etc. However, the problem we are facing is that all the web application hosted on the Tomcat are prompting for certificate while accessing them.
>
> Is there any way to restrict the security only to a single web component on the Tomcat server rather than the entire server or all applications on the server.

Yes. Depends on what your requirement is and what you've done so far. Maybe you could tell exactly?

p

> Thanks, Savitha
Re: Securing only a single web application on Tomcat
On 8 Dec 2011, at 23:41, Pid * p...@pidster.com wrote:
> On 8 Dec 2011, at 16:50, Savitha Amelia savitha.saraswa...@gmail.com wrote:
>> Hi, I have multiple applications hosted on my tomcat server which includes web services, web applications etc. To secure the web services, we made changes to server.xml -connector element and defined roles in tomcat-users.xml. In the web services, we made changes in the web.xml to add the security-constraint, security-role etc. However, the problem we are facing is that all the web application hosted on the Tomcat are prompting for certificate while accessing them.
>>
>> Is there any way to restrict the security only to a single web component on the Tomcat server rather than the entire server or all applications on the server.
>
> Yes. Depends on what your requirement is and what you've done so far. Maybe you could tell exactly?

Ah, the perils of replying before all mail has downloaded...

p

> p
>
>> Thanks, Savitha
Re: Tomcat user roles
Thanks to all for the explanation.

I have a new question regarding the admin role. With default setup, if I login as admin, I can start, stop, undeploy and deploy the application. Now, because the admin password has been shared by team, and I can't not share it with team. So I plan to disable undeploy and deploy function from the web admin URL for the admin account. If anyone need deploy new version, they have to login the Unix box to do it manually. With that I can trace and have records easily.

So I edit the file webapps/manager/WEB-INF/web.xml, and remove all the xml sessions for remove, install, undeploy, deploy and save. But after I restart the tomcat server, *I still can deploy and undeploy*. Something I missed?

part of tomcat-users.xml

<role rolename="manager"/>
<role rolename="tomcat"/>
<role rolename="admin"/>
<role rolename="role1"/>
<role rolename="monitoring"/>
<user username="admin" password="XXX" roles="admin,manager"/>
<user username="monitoring" password="XXX" roles="monitoring"/>

Below are the lines I remove from the web.xml file.

<servlet-mapping>
  <servlet-name>Manager</servlet-name>
  <url-pattern>/install</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>Manager</servlet-name>
  <url-pattern>/remove</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>Manager</servlet-name>
  <url-pattern>/deploy</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>Manager</servlet-name>
  <url-pattern>/undeploy</url-pattern>
</servlet-mapping>

<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>

I don't find the admin part in web.xml.

Regards,
Bill

On Wed, Nov 30, 2011 at 5:25 AM, Mark Thomas ma...@apache.org wrote:
> On 29/11/2011 17:05, Christopher Schultz wrote:
> Mark,
> On 11/29/11 11:15 AM, ma...@apache.org wrote:
> Christopher Schultz ch...@christopherschultz.net wrote:
> Bill,
> On 11/28/11 7:08 PM, Bill Wang wrote:
>
> Here I have the last question, what's the reload option, is it same as stop/start?
>
> According to markt (who is known to be occasionally trustworthy): reload = stop + start
>
> I'm pretty sure I didn't say that.
>
> Sorry, you said:
>
> On 11/25/11 12:47 PM, Mark Thomas wrote:
> There is no such command as restart. You'll need:
> <url-pattern>/html/stop</url-pattern>
> <url-pattern>/html/start</url-pattern>
>
> I drew my own (perhaps incorrect) conclusion from that.
>
> In short: reload != restart
>
> Fuller explanation below.
>
> There is a subtle but important difference.
>
> Mark
>
> Reload keeps the same Context object (and doesn't reread the Context config) but does re-read web.xml and allows Jars to be updated.
>
> Stop/start creates a new Context object (as well as re-reading web.xml) and is therefore is a full restart of the context.
>
> Reload is sort of half a restart. There is no single command equivalent to stop/start.
>
> Gotcha.
>
> -chris
Custom realm.authenticate() that would work with any realm - possible?
Hi,

This is a followup to an earlier thread, "Do any of the Tomcat LDAP-type realms support no password authentication?". As I mentioned in that earlier thread, I'm still new to Tomcat, and still trying to find my way around, and understand (somewhat) its security design, so apologies in advance if my terminology is incorrect.

Ok. I've been experimenting with writing what I think is called a custom realm, that would have a no password authenticate() method. What I think that I've been able to do is to implement a new realm where all I do in my code is override the authenticate(Context, string, string) method. For my initial attempt, I'm just extending the JNDIRealm, and just overriding that one method, and I think that this works.

However, ideally, I really want to be able to do this (override the authenticate() method) with any of the default realms that come with Tomcat, whereas with the approach that I'm currently working (extending the JNDIRealm), in order to do this for all the different realm types, I'd have to implement something similar, with a custom realm corresponding to each of the out-of-box Tomcat realm types.

That might be ok, but I was wondering if there might, perhaps, be another way to do what I'm trying to do (basically have a realm.authenticate() method that doesn't require a password, but that would work with any realm)?

Thanks,
Jim
RE: Custom realm.authenticate() that would work with any realm - possible?
From: oh...@cox.net [mailto:oh...@cox.net]
Subject: Custom realm.authenticate() that would work with any realm - possible?

I was wondering if there might, perhaps, be another way to do what I'm trying to do (basically have a realm.authenticate() method that doesn't require a password, but that would work with any realm)?

Look at the CombinedRealm; you might be able to use your no-password realm in conjunction with one of the others, since the doc says "Authentication against any Realm will be sufficient to authenticate the user." I don't know if that will get you the necessary roles established.

http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#CombinedRealm

- Chuck
upgrading from 6.0.20 to 6.0.35
hi, how easy is it to upgrade? can I use the server.xml in 6.0.20 without changes in 6.0.35?

thanks,
angelo

--
View this message in context: http://old.nabble.com/upgrading-from-6.0.20-to-6.0.35-tp32938729p32938729.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: upgrading from 6.0.20 to 6.0.35
On 9 Dec 2011, at 06:28, AngeloChen angelochen...@gmail.com wrote:
hi, how easy is to upgrade? can i use the server.xml in 6.0.20 without changes in 6.0.35? thanks,

Yes, but we still usually recommend starting afresh each time. It should be relatively simple, just make a backup copy of each file you edit, first.

NB it's often easier to remove all of the XML comments once you're in production, so you can see the doc content more clearly.

p