Re: Using Tomcat7 JDBC Connection Pool
On 09/02/2012 17:24, Amit wrote:

Comment below

On 09-Feb-2012, at 10:18 PM, Pid p...@pidster.com wrote:

On 09/02/2012 16:21, Amit wrote:

Any thoughts on the first point about executing multiple SQL queries on physical connection creation?

I have no idea if it'll work, but I'd try:

SELECT 1; SELECT 1;

If you are controlling the pool (and you are) by passing in username/password parameters each time, then you could do it as an extra transaction thereafter.

Executing the queries after retrieving the connection would not be the right option since they would execute every time the connection is borrowed instead of executing it only on physical connection creation.

I was assuming that, as you controlled the pool, you'd be able to figure out when you run the extra commands.

Can the jdbc interceptor architecture be extended to provide a method which is called when the physical connection is created? (similar to disconnect())

Interceptors can do a bunch of things. What have you tried/looked at so far?

p

p

On 09-Feb-2012, at 7:05 PM, Pid p...@pidster.com wrote:

On 09/02/2012 12:56, amit shah wrote:

One more comment below about oracle UCP.

snip

The pool returns members at random, so how would you know which cached credentials you were getting?

The credentials which are passed to the getConnection(String username, String password) method. When we configure the same pool to be used for multiple schemas the pool will *not* be configured with default username password.

OK, so you create a bunch of connections with various credentials, you want to cache those connections and only return them if the creds match for the new request? So you're basically creating an uncontrolled pool per cred pair, inside the outer pool which is controlled?

Yes right.

So why not create multiple controlled pools not run into availability problems?

snip

What overhead?

The application server and database server resources (memory, cpu etc) for keeping the connections open?

That's a total connection count dependent metric. So the overhead is virtually the same regardless of whether you have 5 pools or 1, if you have the same total number of connections.

For e.g. If we have 5 tenants with 5 pools configured with 10 min pool size, we would have min 50 connections always open to the database server. This count would be for each application server. If we had the same pool for all 5 tenants, there would be just 10 connections open per application server.

There's a flaw in your logic. In your example there may be zero connections open for a given tenant because they use a shared pool. So you might as well have separate pools with the minimum set to 2 and still have more connections guaranteed per tenant, and the 10 you were aiming for. Worse, if you hit your max with other tenants, a remaining tenant might not be able to get a connection at all, thus failing to address one of the key requirements in a multi-tenant system - guaranteed availability.

Probably true when all the tenants are actively used. As I said, there is always a flexibility in the configuration to use a separate pool for a particular tenant.

That should be the default IMO. You're asking for trouble otherwise.

Also the application can always provide a configuration flexibility to allow a tenant to use a separate pool instead of sharing it with other tenants (like I said above). This flexibility is provided by the Oracle Universal Connection Pool http://docs.oracle.com/cd/E11882_01/java.112/e12265/toc.htm

So if that's a better fit for your requirement, why not use it?

It provides the feature I mentioned about but has lock contention issues. Tomcat 7 jdbc pool seems to be better and hence I was trying it out.

snip

If you are programmatically registering the pool, can you not just register it with the MBean server yourself?

Ok I will try this and provide an update.

Cool.
p

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: clarification on Correct error in fix for 49683
On 09/02/2012 23:42, Janne Jalkanen wrote:
> Just to confirm - 7.0.25 seems to solve the problem for the most part.

Most part? So there is still a leak?

p

> /Janne
>
> On 24 Jan 2012, at 10:53, Janne Jalkanen wrote:
>
> > Been running 7.0.25 in production now for a day and the fd leak seems at least mitigated somewhat. lsof still lists a few open sockets left by Tomcat, but this is less than what 7.0.23/.22 was doing. I will continue to run this a bit further and report back in a day or two whether the situation is getting worse.
> >
> > java 4086 ubuntu 10u sock0,6 0t0 73725644 can't identify protocol
> > java 4086 ubuntu 59u sock0,6 0t0 77721715 can't identify protocol
> > java 4086 ubuntu 96u sock0,6 0t0 77721057 can't identify protocol
> > java 4086 ubuntu 108u sock0,6 0t0 77723538 can't identify protocol
> > java 4086 ubuntu 119u sock0,6 0t0 77722327 can't identify protocol
> > java 4086 ubuntu 132u sock0,6 0t0 77724248 can't identify protocol
> > java 4086 ubuntu 134u sock0,6 0t0 77723129 can't identify protocol
> >
> > /Janne
> >
> > On 21 Jan 2012, at 23:19, Mike Wertheim wrote:
> >
> > > The change log for Tomcat 7.0.25 contains this entry: Correct error in fix for 49683. (markt)
> > >
> > > Is this bug fix expected to fix the file descriptor leak that was reported in Tomcat 7.0.23?
Fw: Problems with LDAP authentication
Does anybody have an idea?..

Hi again.

So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that should be an authentication based on Active Directory.

I've been reading the manuals for some time, and configured my Tomcat the following way:

$CATALINA_BASE/conf/Catalina/localhost/myapp.xml

Context antiResourceLocking=false privileged=true docBase=$CATALINA_BASE/logs reloadable=true
Realm className=org.apache.catalina.realm.JNDIRealm
connectionURL=ldap://raiffeisen.ru:389;
connectionName=myacco...@raiffeisen.ru
(I also tried the format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it matter what format do I use?)
connectionPassword=mypassword
referrals=follow
userBase=OU=_Users,DC=raiffeisen,DC=ru
userSearch=(sAMAccountName={0})
userSubtree=true
roleBase=OU=_Groups,DC=raiffeisen,DC=ru
roleName=cn
roleSubtree=true
roleSearch=(member={0})
/
/Context

WEB-INF/web.xml

security-constraint
web-resource-collection
web-resource-nameAdministrative Area/web-resource-name
url-pattern/*/url-pattern
/web-resource-collection
auth-constraint
role-nameADGroupName/role-name
/auth-constraint
/security-constraint
security-role
description The role that is required to view logs /description
role-nameADGroupName/role-name
/security-role

I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I guess a hundred times, but every time I'm getting a message in catalina.out:

Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]

and

SEVERE: Error deploying configuration descriptor myapp.xml
Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]

I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected.

I start Tomcat and get errors.

Can you please give me an idea about what am I doing wrong?

Thanks in advance.

Best Regards,
Karatun Lev.

---
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. ZAO Raiffeisenbank neither makes nor accepts legally binding statements by e-mail unless otherwise agreed.
---
Re: Enabling JMX Remote Ports to connect Tomcat server remotely with jconsole tool
Hi,

today I'm very happy because now it's working fine.

Finally, server.xml has these new lines

Listener className=org.apache.catalina.mbeans.JMXAdaptorLifecycleListener namingPort=48657 port=8999 host=server-ip /

and catalina startup script has these new lines

set CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=%CATALINA_HOME%/conf/jmxremote.password -Dcom.sun.management.jmxremote.access.file=%CATALINA_HOME%/conf/jmxremote.access

and now I'm connected with jconsole running this connection chain, with credentials defined in jmxremote.password and jmxremote.access

service:jmx:rmi://server-ip:8999/jndi/rmi://server-ip:48657/server

Again, thank you very much for your help

Regards,
Andres

2012/2/9 Pid * p...@pidster.com:
> On 9 Feb 2012, at 17:10, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
>
> > > From: Pid [mailto:p...@pidster.com]
> > > Subject: Re: Enabling JMX Remote Ports to connect Tomcat server remotely with jconsole tool
> >
> > > > warning: [path] bad path element C:\apache-tomcat-5.5.27\server\lib\catalina.jar:C:\apache-tomcat-5.5.27\bin\commons-logging-api-1.1.1.jar: no such file or directory
> >
> > > The colon character is a path separator. You have it in the C: part of each path.
> >
> > Actually, the colon is _not_ a path separator here, it's a drive delimiter. It's the attempted use of the colon elsewhere that causes the problem; it should be a semi-colon on Windows:
> >
> > C:\apache-tomcat-5.5.27\server\lib\catalina.jar;C:\apache-tomcat-5.5.27\bin\commons-logging-api-1.1.1.jar
>
> Erk. FAIL.
>
> p
>
> > - Chuck
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Fw: Problems with LDAP authentication
On 10.02.2012 11:43, Lev A KARATUN wrote:
> Does anybody have an idea?..
>
> Hi again.
>
> So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that should be an authentication based on Active Directory.
>
> I've been reading the manuals for some time, and configured my Tomcat the following way:
>
> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>
> Context antiResourceLocking=false privileged=true docBase=$CATALINA_BASE/logs reloadable=true
> Realm className=org.apache.catalina.realm.JNDIRealm
> connectionURL=ldap://raiffeisen.ru:389;
> connectionName=myacco...@raiffeisen.ru
> (I also tried the format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it matter what format do I use?)

For normal ldap servers it would be the latter one, e.g. a fully qualified dn. ADS might accept the mail address of the user, but I frankly don't know.

> connectionPassword=mypassword
> referrals=follow
> userBase=OU=_Users,DC=raiffeisen,DC=ru
> userSearch=(sAMAccountName={0})
> userSubtree=true
> roleBase=OU=_Groups,DC=raiffeisen,DC=ru
> roleName=cn
> roleSubtree=true
> roleSearch=(member={0})

For ADS you might want to add adCompat=true (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further infos).

> /
> /Context
>
> WEB-INF/web.xml
>
> security-constraint
> web-resource-collection
> web-resource-nameAdministrative Area/web-resource-name
> url-pattern/*/url-pattern
> /web-resource-collection
> auth-constraint
> role-nameADGroupName/role-name
> /auth-constraint
> /security-constraint
> security-role
> description The role that is required to view logs /description
> role-nameADGroupName/role-name
> /security-role
>
> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I guess a hundred times, but every time I'm getting a message in catalina.out:
>
> Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]

Since localhost is another server, than what you told us you had configured, I think your context file is not being used. Search for other context files, where you either have configured localhost or misspelled connectionURL.

> and
>
> SEVERE: Error deploying configuration descriptor myapp.xml
> Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>
> I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected.

telnet localhost 389 and see if you get any errors :)

Regards
Felix
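Felix's suggestion above (search the context files for a Realm that points at localhost or has a misspelled connectionURL) can be run mechanically over a conf directory. The Python script below is an added example, not part of the original thread and not Tomcat code; the file names and the host directory.example.test in its sample data are constructed, and its typo hints only know the attribute names that appear in this thread.

```python
"""Added example: list every Realm in a Tomcat conf tree and flag JNDIRealm URL problems."""
import difflib
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"
# Only the Realm attribute names that appear in this thread; used for typo hints.
THREAD_ATTRS = ["className", "connectionURL", "connectionName", "connectionPassword",
                "referrals", "userBase", "userSearch", "userSubtree", "roleBase",
                "roleName", "roleSubtree", "roleSearch", "adCompat"]
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def typo_hint(name):
    """Return the thread attribute that `name` probably misspells, or None."""
    if name in THREAD_ATTRS:
        return None
    for known in THREAD_ATTRS:  # XML attribute names are case-sensitive
        if known.lower() == name.lower():
            return known
    near = difflib.get_close_matches(name, THREAD_ATTRS, n=1, cutoff=0.85)
    return near[0] if near else None


def check_realm(attrs):
    """Return findings for one JNDIRealm attribute dict (the password is never echoed)."""
    findings = []
    for name in attrs:
        hint = typo_hint(name)
        if hint:
            findings.append(f"attribute '{name}' looks like a misspelling of '{hint}'")
    url = attrs.get("connectionURL")
    if url is None:
        # With no provider URL set, the JDK LDAP provider connects to localhost:389.
        findings.append("no connectionURL: the JDK LDAP provider defaults to localhost:389")
        return findings
    parts = urlsplit(url.strip())
    if parts.scheme not in ("ldap", "ldaps"):
        findings.append(f"connectionURL scheme is '{parts.scheme}', expected ldap or ldaps")
    try:
        _ = parts.port  # raises ValueError when the port is not numeric, e.g. '389;'
    except ValueError:
        findings.append(f"connectionURL port is not a number in '{url}'")
    if not parts.hostname:
        findings.append("connectionURL has no host part")
    elif parts.hostname in LOOPBACK:
        findings.append(f"connectionURL points at loopback host '{parts.hostname}'")
    return findings


def audit(root):
    """Walk `root` for *.xml files and report every Realm element found in them."""
    report = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()
        for fname in sorted(files):
            if not fname.endswith(".xml"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError as exc:
                report.append({"file": path, "realm": None, "url": None,
                               "findings": [f"not well-formed XML: {exc}"]})
                continue
            for realm in tree.iter("Realm"):
                cls = realm.get("className", "")
                findings = check_realm(dict(realm.attrib)) if cls == JNDI_REALM else []
                report.append({"file": path, "realm": cls,
                               "url": realm.get("connectionURL"), "findings": findings})
    return report


def build_sample_tree():
    """Write a constructed conf tree (hypothetical host names) and return its root."""
    root = tempfile.mkdtemp(prefix="tomcat-conf-")
    host_dir = os.path.join(root, "Catalina", "localhost")
    os.makedirs(host_dir)
    realm = '<Context><Realm className="%s" %s userSearch="(sAMAccountName={0})"/></Context>'
    samples = {
        "myapp.xml": 'connectionURL="ldap://directory.example.test:389"',
        "typo.xml": 'connectionUrl="ldap://directory.example.test:389"',
        "badport.xml": 'connectionURL="ldap://directory.example.test:389;"',
    }
    for fname, attr in samples.items():
        with open(os.path.join(host_dir, fname), "w", encoding="utf-8") as fh:
            fh.write(realm % (JNDI_REALM, attr))
    return root


if __name__ == "__main__":
    for entry in audit(build_sample_tree()):
        print(entry["file"], entry["realm"], entry["url"])
        for finding in entry["findings"]:
            print("   !", finding)
```

Pointing audit() at a real conf directory lists each file that declares a Realm, which shows whether more than one descriptor defines an LDAP endpoint.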
Re: Fw: Problems with LDAP authentication
On 10/02/2012 10:43, Lev A KARATUN wrote:
> Does anybody have an idea?..
>
> Hi again.
>
> So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that should be an authentication based on Active Directory.

I think we raised that particular issue too.

> I've been reading the manuals for some time, and configured my Tomcat the following way:
>
> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>
> Context antiResourceLocking=false privileged=true docBase=$CATALINA_BASE/logs reloadable=true

That variable should be ${catalina.base}.

p
Re: Fw: Problems with LDAP authentication
Pid, sorry, my English is not very good.

What do you mean by raised that particular issue too?

> That variable should be ${catalina.base}.

Actually, there is no variable in the config file, and it works pretty fine.. I just did not want to insert the full path from / to the logs folder into my letter and so I wrote just $CATALINA_BASE.

Best Regards,
Karatun Lev,
Re: Fw: Problems with LDAP authentication
Please see my answers below.

Best Regards,
Karatun Lev,

Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 15:31:43:

> Felix Schumacher felix.schumac...@internetallee.de
> 10.02.2012 15:32
> Please respond to Tomcat Users List users@tomcat.apache.org
> To Tomcat Users List users@tomcat.apache.org
> cc
> Subject Re: Fw: Problems with LDAP authentication
>
> On 10.02.2012 11:43, Lev A KARATUN wrote:
> > Does anybody have an idea?..
> >
> > Hi again.
> >
> > So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that should be an authentication based on Active Directory.
> >
> > I've been reading the manuals for some time, and configured my Tomcat the following way:
> >
> > $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
> >
> > Context antiResourceLocking=false privileged=true docBase=$CATALINA_BASE/logs reloadable=true
> > Realm className=org.apache.catalina.realm.JNDIRealm
> > connectionURL=ldap://raiffeisen.ru:389;
> > connectionName=myacco...@raiffeisen.ru
> > (I also tried the format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it matter what format do I use?)
>
> For normal ldap servers it would be the latter one, e.g. a fully qualified dn. ADS might accept the mail address of the user, but I frankly don't know.

Anyway, I tried both variants - the server refuses to accept the connection

> > connectionPassword=mypassword
> > referrals=follow
> > userBase=OU=_Users,DC=raiffeisen,DC=ru
> > userSearch=(sAMAccountName={0})
> > userSubtree=true
> > roleBase=OU=_Groups,DC=raiffeisen,DC=ru
> > roleName=cn
> > roleSubtree=true
> > roleSearch=(member={0})
>
> For ADS you might want to add adCompat=true (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further infos).

OK, added, but nothing changed =\

> > /
> > /Context
> >
> > WEB-INF/web.xml
> >
> > security-constraint
> > web-resource-collection
> > web-resource-nameAdministrative Area/web-resource-name
> > url-pattern/*/url-pattern
> > /web-resource-collection
> > auth-constraint
> > role-nameADGroupName/role-name
> > /auth-constraint
> > /security-constraint
> > security-role
> > description The role that is required to view logs /description
> > role-nameADGroupName/role-name
> > /security-role
> >
> > I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I guess a hundred times, but every time I'm getting a message in catalina.out:
> >
> > Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>
> Since localhost is another server, than what you told us you had configured, I think your context file is not being used. Search for other context files, where you either have configured localhost or misspelled connectionURL.

But the 389th port is only mentioned in myapp's config file and nowhere else. So I assume that Tomcat tries to use myapp.xml, but fails for some reason..

The other apps' context files are default - like this:

?xml version=1.0 encoding=UTF-8?
Context antiResourceLocking=false privileged=true /

> > and
> >
> > SEVERE: Error deploying configuration descriptor myapp.xml
> > Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
> >
> > I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected.
>
> telnet localhost 389 and see if you get any errors :)

bash-3.00$ telnet localhost 389
Trying...
telnet: connect: A remote host refused an attempted connect operation.

...but WHY is Tomcat trying to connect to localhost? It's clearly written in the realm - connectionURL=ldap://raiffeisen.ru:389; =(
Not able to get threadcount and thread busy metrics in Tomcat 7.0
Hi,

I am facing a problem. We used to monitor tomcat JVM and used to monitor current ThreadCount and current Threadbusy.

Recently we upgraded from tomcat 6.0 to tomcat 7.0.16 and we are not able to get these metrics.

On digging in we found that in tomcat 6.0 the thread pool metrics were retrieved by class org.apache.tomcat.util.threads.ThreadPool. But in tomcat 7.0 there is no such class; instead it is replaced by org.apache.tomcat.util.threads.ThreadPoolExecutor, which does not give the above parameters.

So my question is: in tomcat 7.0, how can we get the above metrics?

P.S. Am new to tomcat so please bear if it is a silly question.

Regards,
Shashank
Re: Not able to get threadcount and thread busy metrics in Tomcat 7.0
On 10/02/2012 13:03, Mendiratta, Shashank wrote:
> Hi,
>
> I am facing a problem. We used to monitor tomcat JVM and used to monitor current ThreadCount and current Threadbusy.
>
> Recently we upgraded from tomcat 6.0 to tomcat 7.0.16 and we are not able to get these metrics.
>
> On digging in we found that in tomcat 6.0 the thread pool metrics were retrieved by class org.apache.tomcat.util.threads.ThreadPool. But in tomcat 7.0 there is no such class; instead it is replaced by org.apache.tomcat.util.threads.ThreadPoolExecutor, which does not give the above parameters.
>
> So my question is: in tomcat 7.0, how can we get the above metrics?
>
> P.S. Am new to tomcat so please bear if it is a silly question.

Please start a new thread, rather than replying to an existing one* and editing the reply/body - which is called thread-hijacking and puts your new message in the middle of an existing thread, for those of us using a threaded conversation view.

p

* Using Tomcat7 JDBC Connection Pool 09/02/2012 16:21
Re: Fw: Problems with LDAP authentication
On 10/02/2012 11:53, Lev A KARATUN wrote:
> Pid, sorry, my English is not very good.
>
> What do you mean by raised that particular issue too?

We mentioned that allowing uncontrolled access to the logs was a bad idea. Your boss appears to agree.

> > That variable should be ${catalina.base}.
>
> Actually, there is no variable in the config file, and it works pretty fine.. I just did not want to insert the full path from / to the logs folder into my letter and so I wrote just $CATALINA_BASE.

OK.

p
Re: Fw: Problems with LDAP authentication
On 10/02/2012 12:54, Lev A KARATUN wrote: Please see my answers below. Best Regards, Karatun Lev, Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 15:31:43: On 10.02.2012 11:43, Lev A KARATUN wrote: Does anybody have an idea?.. Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that should be an authentication based on Active Directory. I've been reading the manuals for some time, and configured my Tomcat the following way: $CATALINA_BASE/conf/Catalina/localhost/myapp.xml Context antiResourceLocking=false privileged=true docBase=$CATALINA_BASE/logs reloadable=true Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldap://raiffeisen.ru:389; connectionName=myacco...@raiffeisen.ru (I also tried the format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it matter what format do I use?) For normal ldap servers it would be the latter one, eg. a fully qualified dn. ADS might accept the mail address of the user, but I frankly don't know. Anyway, I tried both variants - the server refuses to accept the connection connectionPassword=mypassword referrals=follow userBase=OU=_Users,DC=raiffeisen,DC=ru userSearch=(sAMAccountName={0}) userSubtree=true roleBase=OU=_Groups,DC=raiffeisen,DC=ru roleName=cn roleSubtree=true roleSearch=(member={0}) For ADS you might want to add adCompat=true (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further infos).
OK, added, but nothing changed =\ / /Context WEB-INF/web.xml security-constraint web-resource-collection web-resource-nameAdministrative Area/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint role-nameADGroupName/role-name /auth-constraint /security-constraint security-role description The role that is required to view logs /description role-nameADGroupName/role-name /security-role I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I guess a hundred times, but every time I'm getting a message in catalina.out: Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.] Since localhost is another server, than what you told us you had configured, I think your context file is not being used. Search for other context files, where you either have configured localhost or misspelled connectionURL. But the 389th port is only mentioned in myapp's config file and nowhere else. So I assume that Tomcat tries to use myapp.xml, but fails for some reason.. The other apps' context files are default - like this: ?xml version=1.0 encoding=UTF-8? Context antiResourceLocking=false privileged=true / and SEVERE: Error deploying configuration descriptor myapp.xml Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.] I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected. telnet localhost 389 and see if you get any errors :) bash-3.00$ telnet localhost 389 Trying... 
telnet: connect: A remote host refused an attempted connect operation. ...but WHY is Tomcat trying to connect to localhost? It's clearly written in the realm - connectionURL=ldap://raiffeisen.ru:389; =( That's why Felix said that he thought that this config wasn't the one being used. What is the name of the Context xml file in tomcat/conf/Catalina/localhost? Is it logs.xml or myapp.xml or something else? p
Re: Fw: Problems with LDAP authentication
Pid p...@pidster.com 10.02.2012 17:35 Please respond to Tomcat Users List users@tomcat.apache.org To Tomcat Users List users@tomcat.apache.org cc Subject Re: Fw: Problems with LDAP authentication On 10/02/2012 12:54, Lev A KARATUN wrote: Please see my answers below. Best Regards, Karatun Lev, Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 15:31:43: On 10.02.2012 11:43, Lev A KARATUN wrote: Does anybody have an idea?.. Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that should be an authentication based on Active Directory. I've been reading the manuals for some time, and configured my Tomcat the following way: $CATALINA_BASE/conf/Catalina/localhost/myapp.xml Context antiResourceLocking=false privileged=true docBase=$CATALINA_BASE/logs reloadable=true Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldap://raiffeisen.ru:389; connectionName=myacco...@raiffeisen.ru (I also tried the format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it matter what format do I use?) For normal ldap servers it would be the latter one, eg. a fully qualified dn. ADS might accept the mail address of the user, but I frankly don't know. Anyway, I tried both variants - the server refuses to accept the connection connectionPassword=mypassword referrals=follow userBase=OU=_Users,DC=raiffeisen,DC=ru userSearch=(sAMAccountName={0}) userSubtree=true roleBase=OU=_Groups,DC=raiffeisen,DC=ru roleName=cn roleSubtree=true roleSearch=(member={0}) For ADS you might want to add adCompat=true (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further infos).
OK, added, but nothing changed =\ / /Context WEB-INF/web.xml security-constraint web-resource-collection web-resource-nameAdministrative Area/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint role-nameADGroupName/role-name /auth-constraint /security-constraint security-role description The role that is required to view logs /description role-nameADGroupName/role-name /security-role I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I guess a hundred times, but every time I'm getting a message in catalina.out: Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.] Since localhost is another server, than what you told us you had configured, I think your context file is not being used. Search for other context files, where you either have configured localhost or misspelled connectionURL. But the 389th port is only mentioned in myapp's config file and nowhere else. So I assume that Tomcat tries to use myapp.xml, but fails for some reason.. The other apps' context files are default - like this: ?xml version=1.0 encoding=UTF-8? Context antiResourceLocking=false privileged=true / and SEVERE: Error deploying configuration descriptor myapp.xml Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.] I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected. telnet localhost 389 and see if you get any errors :) bash-3.00$ telnet localhost 389 Trying... 
telnet: connect: A remote host refused an attempted connect operation. ...but WHY is Tomcat trying to connect to localhost? It's clearly written in the realm - connectionURL=ldap://raiffeisen.ru:389; =( That's why Felix said that he thought that this config wasn't the one being used. What is the name of the Context xml file in tomcat/conf/Catalina/localhost? Is it logs.xml or myapp.xml or something else? It is logs.xml p
Not able to get threadcount and thread busy metrices in Tomcat 7.0
Hi,

I am facing a problem. We used to monitor the Tomcat JVM and used to monitor current ThreadCount and current Threadbusy. Recently we upgraded from Tomcat 6.0 to Tomcat 7.0.16 and we are not able to get these metrics. On digging in we found that in Tomcat 6.0 the thread pool metrics were retrieved by class org.apache.tomcat.util.threads.ThreadPool. But in Tomcat 7.0 there is no such class; instead it is replaced by org.apache.tomcat.util.threads.ThreadPoolExecutor, which does not give the above parameters. So my question is: in Tomcat 7.0, how can we get the above metrics?

P.S. I am new to Tomcat, so please bear with me if it is a silly question.

Regards
Shashank
Re: Fw: Problems with LDAP authentication
Lev A KARATUN wrote: ... I've been reading the manuals for some time, and configured my Tomcat the following way: $CATALINA_BASE/conf/Catalina/localhost/myapp.xml Context antiResourceLocking=false privileged=true docBase=$CATALINA_BASE/logs reloadable=true ... That's why Felix said that he thought that this config wasn't the one being used. What is the name of the Context xml file in tomcat/conf/Catalina/localhost? Is it logs.xml or myapp.xml or something else? It is logs.xml Huh ? Is it just me, or does something not fit ? (or was this another edit before posting ?) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
programmatically determining connector startup failures
Hi everyone,

I'm using tomcat 6.0.32 on Windows 7. I have an application where I programmatically start and stop a separate web application from within an already running tomcat application. I do this by creating a new StandardService, setting the server as service.setServer(ServerFactory.getServer()) and creating/loading the connectors, engine, etc... all before calling service.start() to fire everything up.

Everything is working great, but I'm running into a small snag. Should a connector of the service run into issues such as binding to a port, the StandardService.start() seems to swallow the exception. It gets logged, but my caller to service.start() has no way of handling that failure.

StandardService.java (~line 539)

    try {
        ((Lifecycle) connectors[i]).start();
    } catch (Exception e) {
        log.error(sm.getString(
            "standardService.connector.startFailed",
            connectors[i]), e);
    }

I've also looked into registering a LifecycleListener on the connector, but that won't tell me whether or not the start had completed.

Are there any other options, other than extending and for the most part duplicating the StandardService class, that might give me the ability to detect a failed connector startup?

Regards,
Erick Lichtas
Linoma Software
Senior Software Engineer
p. 402.944.4242 x714
f. 402.944.4243
www.LinomaSoftware.com
www.GoAnywhereMFT.com
Re: Path parameters and getRequestURI
Mark, On 2/8/12 4:34 PM, Mark Thomas wrote: On 08/02/2012 21:25, Christopher Schultz wrote: Unfortunately, the servlet spec is far from clear on how path parameters should be handled. I hope to get clarity in 3.1 with [1] In fact, it might actually contradict itself. Section 3.5 of spec version 3.0 has this to say about request URI, servlet context, and servlet path: It is important to note that, except for URL encoding differences between the request URI and the path parts, the following equation is always true: requestURI = contextPath + servletPath + pathInfo I'm fairly sure that encoding differences do not include missing (or present) path parameters -- I assume they mean URL encoding. In Appendix 8, one of the changes since 2.3 was Clarification of handling of path parameters for the mapping (11.1). That section now seems to be 12.1 in the 3.0 spec (as you have referred in your previous post). 12.1 says that the path matched against url-patterns in web.xml comes from the request URL minus the context path and path parameters, so that's pretty clear. Nothing else is really clear other than that invariant equation which is at least suspicious. Tomcat no longer follows the invariant equation shown above. I hope the expert group weighs-in on this sooner rather than later. Thanks, -chris
Re: mod_jk and URL rewriting/proxying?
Casper, On 2/10/12 2:20 AM, Casper Wandahl Schmidt wrote: Well at least I don't have to restart tomcat for the changes to take effect :) Maybe I would take some time to look at how tomcat reads from server.xml and how the host-manager works and perhaps find a way to persist the changes :) Any clues as to where to look for that part of the code? The host manager webapp is in the main part of the TC code, but it's all contained in a single package: org/apache/catalina/manager/host. It's 3 classes, one of which looks like it's nothing but constants. It should be fairly clear how the host manager is doing its work, but re-writing XML is a risky business because most people don't like to lose the comments and spacing, etc. that they have explicitly put into their configuration files. -chris
Re: Not able to get threadcount and thread busy metrices in Tomcat 7.0
Shashank,

On 2/10/12 8:42 AM, Mendiratta, Shashank wrote:

I am facing a problem. We used to monitor the Tomcat JVM and used to monitor current ThreadCount and current Threadbusy. Recently we upgraded from Tomcat 6.0 to Tomcat 7.0.16 and we are not able to get these metrics. On digging in we found that in Tomcat 6.0 the thread pool metrics were retrieved by class org.apache.tomcat.util.threads.ThreadPool. But in Tomcat 7.0 there is no such class; instead it is replaced by org.apache.tomcat.util.threads.ThreadPoolExecutor, which does not give the above parameters.

What about these methods in the ThreadPoolExecutor's superclass:

getCorePoolSize
getActiveCount

Those appear to be exactly what you're looking for. You could also use JMX if you were so inclined.

-chris
Re: programmatically determining connector startup failures
On 10/02/2012 15:38, Erick Lichtas wrote:

Hi everyone, I'm using tomcat 6.0.32 on Windows 7. I have an application where I programmatically start and stop a separate web application from within an already running tomcat application. I do this by creating a new StandardService, setting the server as service.setServer(ServerFactory.getServer()) and creating/loading the connectors, engine, etc... all before calling service.start() to fire everything up. Everything is working great, but I'm running into a small snag. Should a connector of the service run into issues such as binding to a port, the StandardService.start() seems to swallow the exception. It gets logged, but my caller to service.start() has no way of handling that failure.

StandardService.java (~line 539)

    try {
        ((Lifecycle) connectors[i]).start();
    } catch (Exception e) {
        log.error(sm.getString(
            "standardService.connector.startFailed",
            connectors[i]), e);
    }

I've also looked into registering a LifecycleListener on the connector, but that won't tell me whether or not the start had completed.

connector.isAvailable() ?

Are there any other options, other than extending and for the most part duplicating the StandardService class, that might give me the ability to detect a failed connector startup?

Upgrade to 7.0.x where all this was completely re-written?

Mark
RE: programmatically determining connector startup failures
Mark, Thanks for the reply! I am aware that there are changes to this in Tomcat 7 and will definitely get there, but will wait until we move to JSF 2.x (which is hopefully sooner than later). Unfortunately the start flag in the Connector will be true if connector.start() is called, regardless of the success of the operation, so isAvailable() will always return true in my case. Regards E R I C K L I C H T A S Linoma Software Senior Software Engineer p. 402.944.4242 x714 f. 402.944.4243 www.LinomaSoftware.com www.GoAnywhereMFT.com -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Friday, February 10, 2012 9:55 AM To: Tomcat Users List Subject: Re: programmatically determining connector startup failures On 10/02/2012 15:38, Erick Lichtas wrote: Hi everyone, I'm using tomcat 6.0.32 on Windows 7. I have an application where I programmatically start and stop a separate web application from within an already running tomcat application. I do this by creating a new StandardService, setting the server as service.setServer(ServerFactory.getServer()) and creating/loading the connectors, engine, etc... all before calling service.start() to fire everything up. Everything is working great, but I'm running into a small snag. Should a connector of the service run into issues such as binding to a port, the StandardService.start() seems to swallow the exception. It gets logged, but my caller to service.start() has no way handling that failure. StandardService.java (~line 539) try { ((Lifecycle) connectors[i]).start(); } catch (Exception e) { log.error(sm.getString( standardService.connector.startFailed, connectors[i]), e); } I've also looked into registering a LifecycleListener on the connector, but that doesn't won't tell me whether or not the start had completed. connector.isAvailable() ? 
Are there any other options, other than extending and for the most part duplicating the StandardService class, that might give me the ability to detect a failed connector startup? Upgrade to 7.0.x where all this was completely re-written? Mark
Tomcat 5.5.35 as Windows Service Java Opts
Hi,

I am trying to configure some additional parameters for a tomcat installation

Tomcat5.5.35
Windows Server 2003

Due to the nature of the WebService to be hosted on this tomcat installation I would like to increase the Eden heap size. With my previous Linux implementations adding -XX:NewSize=1234m to my java opts worked, however if I try to add this to the service in Windows, the value appears to be ignored.

[image: image.png]

It appears in the VM arguments, but the value is not propagated to the Heap Configurations.

[image: image.png] [image: image.png]

Max: 838,912 kbytes

I appreciate any assistance in this matter.

Regards
--
Mitchell Smith
Re: mod_jk and URL rewriting/proxying?
On 10 Feb 2012, at 07:21, Casper Wandahl Schmidt kalle.pri...@gmail.com wrote: On 09-02-2012 22:02, Christopher Schultz wrote: Casper, On 2/9/12 1:43 PM, Casper Wandahl Schmidt wrote: On 09-02-2012 19:36, Caldarale, Charles R wrote: From: Casper Wandahl Schmidt [mailto:kalle.pri...@gmail.com] Subject: mod_jk and URL rewriting/proxying? I don't want the app to become ROOT since I have another app that should be running as ROOT. And how is that one accessed? From what you described it sounds like you want the same URL to hit different webapps based on the mindset of the user. Ha my bad. I use separate subdomains. Right now the localhost-host uses the default ROOT (the one shipped with Tomcat) but I plan to use another webapp later. I don't like the fact that I need to restart tomcat each time I need to add a new host Restart not required; use the host-manager webapp to add them on the fly. Nice, that will be the thing to do then :) Thanks for the tip! IIRC, the host-manager won't save the server.xml back to disk, so you'll have to remember to update your server.xml whenever you want to hot-deploy a new domain name, anyway. Well at least I don't have to restart tomcat for the changes to take effect :) Maybe I would take some time to look at how tomcat reads from server.xml and how the host-manager works and perhaps find a way to persist the changes :) Any clues as to where to look for that part of the code? Look for the digester package to see how Tomcat reads from server.xml. p Casper -chris
RE: controlling Server Authentication only vs Mutual authentication
Found a solution to this. In case anyone is interested, I gave my server two IP addresses and used two connectors with the two IP addresses in the address= field of the connectors. I set one of them to clientAuth=true and the other clientAuth=false. I do have to do a redirect from one to the other when I would've preferred to forward, but otherwise this solution works.

-----Original Message-----
From: Sanjeev Sharma [mailto:sanjeev.sha...@buchanan-edwards.com]
Sent: Thursday, February 09, 2012 11:18 AM
To: Tomcat Users List
Subject: controlling Server Authentication only vs Mutual authentication

Hi,

I work on a Java web-app running on Tomcat 7. The entire application is required to be doing SSL on port 443 (everything is accessed via https://). Two different login options are given to the user: username/password or client certificate authentication. We employ application-managed security as opposed to container-managed (i.e. we don't use realms). I have the following connector in my server.xml:

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit"
               truststoreFile="d:\certs\truststore.jks" truststorePass="changeit"
               clientAuth="true" sslProtocol="TLS" />

This forces mutual authentication on anything I try to access using https. How can I configure tomcat so that only specific links (a specific struts action for example) would require mutual authentication or how can I exclude from the mutual authentication.

Thanks,
Sanjeev.
Re: Tomcat 5.5.35 as Windows Service Java Opts
Smith, Mitchell wrote: Hi, I am trying to configure some additional parameters for a tomcat installation Tomcat5.5.35 Windows Server 2003 32-bit ? JVM 32-bit ? Due to the nature of the WebService to be hosted on this tomcat installation I would like to increase the Eden heap size. With my previous Linux Implementations adding -XX:NewSize=1234m to my java opts worked, however if I try to add this to the service in Windows, the value appears to be ignored. [image: image.png] The image appears to have been stripped by the mail server. It appears in the VM arguments, but the value is not propagated to the Heap Configurations. If the system and JVM are 32-bit, you only have about 2 GB of addressable space per process (even if the system has a lot more RAM in total). I believe that the JVM may ignore the argument if it is too large.
Re: Fw: Problems with LDAP authentication
On Friday, 10.02.2012, at 16:54 +0400, Lev A KARATUN wrote: Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 15:31:43: Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that should be an authentication based on Active Directory. I've been reading the manuals for some time, and configured my Tomcat the following way: $CATALINA_BASE/conf/Catalina/localhost/myapp.xml Context antiResourceLocking=false privileged=true docBase=$CATALINA_BASE/logs reloadable=true Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldap://raiffeisen.ru:389; connectionName=myacco...@raiffeisen.ru (I also tried the format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it matter what format do I use?) For normal ldap servers it would be the latter one, eg. a fully qualified dn. ADS might accept the mail address of the user, but I frankly don't know. Anyway, I tried both variants - the server refuses to accept the connection No wonder, since your error message below tells us, that tomcat is talking to localhost instead of raiffeisen.ru :) connectionPassword=mypassword referrals=follow userBase=OU=_Users,DC=raiffeisen,DC=ru userSearch=(sAMAccountName={0}) userSubtree=true roleBase=OU=_Groups,DC=raiffeisen,DC=ru roleName=cn roleSubtree=true roleSearch=(member={0}) For ADS you might want to add adCompat=true (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further infos). OK, added, but nothing changed =\ Again, no wonder.
/ /Context WEB-INF/web.xml security-constraint web-resource-collection web-resource-nameAdministrative Area/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint role-nameADGroupName/role-name /auth-constraint /security-constraint security-role description The role that is required to view logs /description role-nameADGroupName/role-name /security-role I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I think, that is not needed since java 1.4.x, even if it is mentioned in the howto :( I have never used that ldap.jar and wouldn't even know where to get it. But my jndi-Realms work. I guess a hundred times, but every time I'm getting a message in catalina.out: Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.] Since localhost is another server, than what you told us you had configured, I think your context file is not being used. Search for other context files, where you either have configured localhost or misspelled connectionURL. But the 389th port is only mentioned in myapp's config file and nowhere else. So I assume that Tomcat tries to use myapp.xml, but fails for some reason.. Don't look for 389 explicitly, since that is the default port as is localhost the default host. Search for another context configuration, which could be used. The other apps' context files are default - like this: ?xml version=1.0 encoding=UTF-8? Context antiResourceLocking=false privileged=true / I somehow doubt that privileged=true is default and that you need it, but it is certainly irrelevant to your problems. 
and SEVERE: Error deploying configuration descriptor myapp.xml Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.] I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected. telnet localhost 389 and see if you get any errors :) bash-3.00$ telnet localhost 389 Trying... telnet: connect: A remote host refused an attempted connect operation. ...but WHY is Tomcat trying to connect to localhost? It's clearly written in the realm - connectionURL=ldap://raiffeisen.ru:389; =( Either ldap.jar confuses it, or it uses another context file, or you have a typo in your context file, which is not present in the config you have shown us. Regards Felix Regards Felix I
Configuring Tomcat 6 to only start the default manager webapp
Hi, I was wondering if anyone knew how to configure Tomcat (6.0.26) to only start the default app when the Tomcat service starts. I have many webapps deployed so that they are accessible when I need them and I don't have to re-deploy/configure them later, but I don't like that they all start up when the service starts. I've tried searching around for this, but haven't had any luck so far. I found one entry in the mail list archives, but it was talking about disabling the auto deploy which I don't think will help me here. Thanks in advance, Matt Marleau - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org