configured truststore ignored by tomcat

2012-09-19 Thread Marco_Strullato
Hi all, 
I have a tomcat 6.0.35 that needs to connect to a remote server using 
https, so it is acting as a https client: it means that tomcat must have 
the remote server certificate installed.

The ideal solution I found is to configure the truststore in the 
server.xml.

Please see the following:

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   keystoreFile="keystore/keystore.p12"
   keystoreType="pkcs12"
   keystorePass="password"
   truststoreFile="keystore/truststore.p12"
   truststoreType="pkcs12"
   truststorePass="password"
   clientAuth="optional" sslProtocol="TLS" />

So, I configured the truststore and the server.xml.

After restarting tomcat I got an ssl exception

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

Enabling the property javax.net.debug I could see that tomcat is simply 
ignoring the truststore I configured.

Let me add that I tried also with no luck to change the truststore format 
to jks. I add also that the remote server cert is inside the truststore 
since I can see it with keytool.

Do you know why? What else could I check? 

Regards


Marco





This e-mail, including attachments, is intended for the person(s) or company 
named and may contain confidential and/or legally privileged information.
Unauthorized disclosure, copying or use of this information may be unlawful and 
is prohibited. If you are not the intended recipient, please delete this 
message and notify the sender.
All incoming and outgoing e-mail messages are stored in the Swiss Re Electronic 
Message Repository.
If you do not wish the retention of potentially private e-mails by Swiss Re, we 
strongly advise you not to use the Swiss Re e-mail account for any private, 
non-business related communications.

exploiting tomcat vulnerability with example

2012-09-19 Thread Ragini

Hi all,

For my research work I want to have different attacking scenarios which 
exploit vulnerabilities of Java-based applications. These Java 
applications can be just any web application, desktop application or any 
other.

For this, I was thinking to exploit vulnerabilities of Tomcat itself 
(because it is in Java). I went through different vulnerabilities of 
different versions of Tomcat on Apache Tomcat's official site. They have 
provided information about what the vulnerability is and what its 
consequences are.

But I am looking for some real time example by which I can exhibit the 
exploitation of Tomcat’s vulnerability. The version of Tomcat can be 
just any. I would like to try vulnerabilities like authentication 
bypass, information disclosure or some other which really compromises 
the security.

Could anybody please suggest some source where I can get step-by-step 
information about exploiting Tomcat’s vulnerability with an example? It 
would be nice if the example web application used for exploitation is 
also in Java.

I would really appreciate any kind of help regarding this.

Thanks.

Richa.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: exploiting tomcat vulnerability with example

2012-09-19 Thread chris derham
On Wed, Sep 19, 2012 at 10:02 AM, Ragini raginippa...@gmail.com wrote:

 For my research work I want to have different attacking scenarios which
 exploits vulnerability of JAVA based applications. This java applications
 can be just any web-application, desktopapplication or any other.

 For this, I was thinking to exploit vulnerabilities of tomcat itself
 (because it is in java). I went through different vulnerabilities of
 different versions of tomcat on apache tomcat's official site. They have
 provided information about what is the vulnerability and what is its
 consequences.

 But I am looking for some real time example by which I can exhibit the
 exploitation of tomcat’s vulnerability. The version of the tomcat can be
 just any. I would like to try vulnerabilities like authentication bypass,
 information disclosure or some other which really compromises the security.

 Could anybody please suggest some source where I can get step by step
 information about exploiting tomcat’s vulnerability with example ? It would
 be nice if the example web application used for exploitation is also in
 java.

 I would really appreciate your any kind of help regarding this.

 Thanks.

 Richa.


Have you tried webgoat?

Chris


Re: exploiting tomcat vulnerability with example

2012-09-19 Thread Ragini

On 09/19/2012 01:49 PM, chris derham wrote:

On Wed, Sep 19, 2012 at 10:02 AM, Ragini raginippa...@gmail.com wrote:

For my research work I want to have different attacking scenarios which
exploits vulnerability of JAVA based applications. This java applications
can be just any web-application, desktopapplication or any other.

For this, I was thinking to exploit vulnerabilities of tomcat itself
(because it is in java). I went through different vulnerabilities of
different versions of tomcat on apache tomcat's official site. They have
provided information about what is the vulnerability and what is its
consequences.


But I am looking for some real time example by which I can exhibit the
exploitation of tomcat’s vulnerability. The version of the tomcat can be
just any. I would like to try vulnerabilities like authentication bypass,
information disclosure or some other which really compromises the security.

Could anybody please suggest some source where I can get step by step
information about exploiting tomcat’s vulnerability with example ? It would
be nice if the example web application used for exploitation is also in
java.

I would really appreciate your any kind of help regarding this.

Thanks.

Richa.


Have you tried webgoat?

Chris

Yes Chris. I have already gone through webgoat..I am looking for some 
real world application exploitation. but of course it should be open 
source and in java...





Re: Accessing CoyoteRequest attributes in a Servlet

2012-09-19 Thread André Warnier

Christopher Schultz wrote:


André,

On 9/18/12 9:47 AM, André Warnier wrote:

Still talking about mod_jk, basically anything you set in Apache
httpd using SetEnv for example, gets passed to Tomcat as a
request attribute, through the AJP protocol.


You need to use JkEnvVar if it's something non-standard (which I
suspect Phillip's variables are).



You are right, my apologies.  I was a bit quick answering the OP's questions.

So, with correction applied : if you are using mod_jk as the Apache/Tomcat connector, then 
any Apache httpd environment variable (that's what Apache httpd doc calls the values set 
via e.g. SetEnv) /can/ be passed to Tomcat, as a request attribute, by using the 
JkEnvVar directive in the Apache httpd configuration.


See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
(and read the whole JkEnvVar paragraph carefully, for some limitations)

Since I am not frequently using the mod_proxy_ajp connector, I do not know if a similar 
capability exists with it.






Re: exploiting tomcat vulnerability with example

2012-09-19 Thread Daniel Mikusa
On Sep 19, 2012, at 5:02 AM, Ragini wrote:

 Hi all,
 
 For my research work I want to have different attacking scenarios which 
 exploits vulnerability of JAVA based applications. This java applications can 
 be just any web-application, desktopapplication or any other.
 
 For this, I was thinking to exploit vulnerabilities of tomcat itself (because 
 it is in java). I went through different vulnerabilities of different 
 versions of tomcat on apache tomcat's official site. They have provided 
 information about what is the vulnerability and what is its consequences.
 
 But I am looking for some real time example by which I can exhibit the 
 exploitation of tomcat’s vulnerability. The version of the tomcat can be just 
 any. I would like to try vulnerabilities like authentication bypass, 
 information disclosure or some other which really compromises the security.

Try looking at Metasploit.  

Dan


 Could anybody please suggest some source where I can get step by step 
 information about exploiting tomcat’s vulnerability with example ? It would 
 be nice if the example web application used for exploitation is also in java.
 
 I would really appreciate your any kind of help regarding this.
 
 Thanks.
 
 Richa.
 



Re: Latest Tomcat release question...

2012-09-19 Thread Christopher Schultz

Tony,

On 9/18/12 7:10 PM, Tony Anecito wrote:
 Thanks for the heads up about the memory issue. I looked over the 
 release notes before I posted here and did not remember reading
 that.

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

It's bug 53535:
http://issues.apache.org/bugzilla/show_bug.cgi?id=53535

 I do not use spring either and glad for that but I do use JAX-WS
 and am working on switching to JAX-RS and there are quite a few
 libraries for JAX-RS. This weekend I will look at using 7.0.30.

It really comes down to the number of classes that get scanned. Lots
of deps = lots of classes (usually).

-chris



Updating Tomcat-Server from Version 6.0.16 to 7.0.30

2012-09-19 Thread Andreas Stadelmeier
Hello guys,

I would like to install the newest stable version of the Apache Tomcat
Server. I already got some stuff running on the old Tomcat v.6.0.16
Server.
I want to ask you, if it is safe to do this update and if afterwards
my v 6 compatible JSP-Files won't cause any problems.

Thank you in advance,

Andi




Re: configured truststore ignored by tomcat

2012-09-19 Thread Daniel Mikusa
On Sep 19, 2012, at 2:40 AM, marco_strull...@swissre.com wrote:

 Hi all, 
 I have a tomcat 6.0.35 that needs to connect to a remote server using 
 https, so it is acting as a https client: it means that tomcat must have 
 the remote server certificate installed.
 
 The ideal solution I found is to configure the truststore in the 
 server.xml.
 
 Please see the following:
 
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   keystoreFile="keystore/keystore.p12"
   keystoreType="pkcs12"
   keystorePass="password"
   truststoreFile="keystore/truststore.p12"
   truststoreType="pkcs12"
   truststorePass="password"
   clientAuth="optional" sslProtocol="TLS" />
 
 So, I configured the truststore and the server.xml.

This will configure the keystore / truststore used by the Connector.  It does 
not configure the keystore / truststore used by the JVM for making HTTPS client 
requests.

 
 After restarting tomcat I got an ssl exception
 
 sun.security.validator.ValidatorException: PKIX path building failed: 
 sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
 valid certification path to requested target
 
 Enabling the property javax.net.debug I could see that tomcat is simply 
 ignoring the truststore I configured.
 
 Let me add that I tried also with no luck to change the truststore format 
 to jks. I add also that the remote server cert is inside the truststore 
 since I can see it with keytool.
 
 Do you know why? What else could I check? 

See explanation above.  Here is an example.  The trick is to set the 
javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system 
properties.

   http://www.exampledepot.com/egs/javax.net.ssl/client.html

or you could disable validation altogether.  Not something you'd want to do 
for a production site though.

   http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

Dan


 Regards
 
 
 Marco
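
The distinction drawn in the reply above, as an added example that is not part of the thread: the Connector's truststoreFile is not consulted for outbound HTTPS calls, which use the JVM default truststore (javax.net.ssl.trustStore) or an SSLContext the application builds itself. The class name OutboundTrustCheck and its command-line arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical diagnostic: which trust anchors do outbound HTTPS calls in this JVM use? */
public class OutboundTrustCheck {

    /** Loads a truststore file; type is "PKCS12" or "JKS". */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /** Trust managers backed by the given store; null selects the JVM default truststore. */
    static TrustManager[] trustManagersFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    /** Certificates the given trust managers accept as trust anchors. */
    static Set<X509Certificate> anchors(TrustManager[] managers) {
        Set<X509Certificate> result = new HashSet<>();
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                result.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println(
                    "usage: OutboundTrustCheck <truststore> <PKCS12|JKS> <password> [https-url]");
            System.exit(2);
        }
        KeyStore custom = load(args[0], args[1], args[2].toCharArray());

        // 1. The store this JVM uses for outbound TLS. It is selected by the
        //    javax.net.ssl.trustStore / javax.net.ssl.trustStorePassword system
        //    properties, not by the Connector element in server.xml.
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore", "(unset, JRE default store)"));
        Set<X509Certificate> jvmAnchors = anchors(trustManagersFor(null));
        System.out.println("JVM default trust anchors: " + jvmAnchors.size());

        // 2. Is each certificate from the custom store also trusted by the JVM default?
        int entries = 0;
        for (String alias : Collections.list(custom.aliases())) {
            if (!custom.isCertificateEntry(alias)) {
                continue; // private-key entries are not trust anchors
            }
            entries++;
            Certificate cert = custom.getCertificate(alias);
            System.out.println(alias + ": " + (jvmAnchors.contains(cert)
                    ? "trusted by JVM default" : "NOT in JVM default truststore"));
        }
        if (entries == 0) {
            System.out.println("no trusted-certificate entries found in " + args[0]);
        }

        // 3. Optional: connect while trusting only the custom store, scoped to this
        //    one connection instead of the whole JVM. Certificate validation stays on.
        if (args.length > 3) {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, trustManagersFor(custom), null);
            HttpsURLConnection conn =
                    (HttpsURLConnection) URI.create(args[3]).toURL().openConnection();
            conn.setSSLSocketFactory(context.getSocketFactory());
            System.out.println("HTTP " + conn.getResponseCode() + " with custom truststore");
        }
    }
}
```

Run it with the same JVM options Tomcat is started with, so step 1 reports what the web application actually sees.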
 
 
 
 
 



Tomcat Connector for Sun ONE Web Server 7.0 and Tomcat 6.0.x

2012-09-19 Thread Jay Rao
Is there a Tomcat Connector for Sun ONE Web Server 7.0 and Tomcat 6.0.x
running on RedHat Linux 5.7 64-bit ?

If not, any idea when it will be available, please?


Re: Latest Tomcat release question...

2012-09-19 Thread Tony Anecito
Ok does scanning scan the classes inside the library jars the app uses? What 
would be the point of that?
 
Thanks,
-Tony




Re: Tomcat Connector for Sun ONE Web Server 7.0 and Tomcat 6.0.x

2012-09-19 Thread Hassan Schroeder
On Wed, Sep 19, 2012 at 8:02 AM, Jay Rao jay...@gmail.com wrote:
 Is there a Tomcat Connector for Sun ONE Web Server 7.0 and Tomcat 6.0.x
 running on RedHat Linux 5.7 64-bit ?

 If not, any idea on when will it would be available please ?

My guess: When dead, dreaming Cthulhu wakes in his house at
R'lyeh and schedules a Tupperware party.

I could be wrong, though.
-- 
Hassan Schroeder  hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan




sessions replication

2012-09-19 Thread Carrillo, Dan
Hi folks,
My sessions are replicating across the cluster as indicated by my session 
listener debug output.  E.g I can see the session created/destroyed messages in 
each respective log.
I have a Service object that is serializable, which contains a String member 
variable (x) which is not initialized; null.  As my load balancer round-robins 
the requests to each of these servers, each successfully retrieves the service 
instance from the session.  Now, when service.x is set at some point in the 
workflow, I expect the other members to receive this updated object since it 
resides in the session.  However, I'm finding that it is not, it remains null 
in all other containers.

The tomcat config (http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html) 
says that "...For each request the entire session is replicated, this allows 
code that modifies attributes in the session without calling setAttribute or 
removeAttribute to be replicated."

Can someone clarify whether I do in fact need to reset the service object on 
the session in order for it to replicate?

Thanks!

<Engine name="Catalina" defaultHost="localhost" jvmRoute="id2">
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
 channelSendOptions="6">

  <Manager className="org.apache.catalina.ha.session.DeltaManager"
   expireSessionsOnShutdown="false"
   notifyListenersOnReplication="true"/>

  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
  <Membership className="org.apache.catalina.tribes.membership.McastService"
   address="231.10.12.6"
   port="35006"
   frequency="500"
   dropTime="3000"/>
  <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
   address="auto"
   port="8117"
   selectorTimeout="100"
   maxThreads="6"/>

  <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
    <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
  </Sender>
  <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
  <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
  <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
  </Channel>

  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
   filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>


Re: mod_jk vs. mod_proxy

2012-09-19 Thread Shanti Suresh
Hi Chris,

Appreciate your feedback.  That is helpful.

Thank you!

 -Shanti

On Tue, Sep 18, 2012 at 3:33 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Shanti,

 On 9/18/12 10:04 AM, Shanti Suresh wrote:
  All,
 
  I wanted your opinion on this topic.  I was heavily into using
  mod_jk a few years back.  But I have since started using
  mod_proxy for the following reasons: (1) mod_proxy is easier to
  configure (2) I remember reading that mod_jk is deprecated (3)
  Logging for mod_proxy appears inline with Apache traffic log
  entries and is easier to debug.  I am able to get detailed logging
  from mod_proxy by adjusting Apache's LogLevel to debug. (4) Could
  there be any other reasons that I might be missing?
 
  I do also like the separate logging that mod_jk gives though.  I
  notice that mod_jk is still being used.  I just wanted to know your
  opinion.

 I use mod_jk because it gives me greater freedom of configuration and
 tends to get updated more often. It is definitely harder to
 configure, though, since a separate configuration file is usually used.

 As I don't use SSL between httpd and Tomcat this isn't much of an
 issue for me, but connecting httpd-Tomcat via SSL is trivial with
 mod_proxy_http (and not with mod_jk) while forwarding SSL info from
 httpd - Tomcat (while still using an unencrypted channel) is trivial
 in mod_jk but more difficult with mod_proxy_http.

 - -chris




Re: exploiting tomcat vulnerability with example

2012-09-19 Thread Pid *
On 19 Sep 2012, at 13:20, Daniel Mikusa dmik...@vmware.com wrote:

 On Sep 19, 2012, at 5:02 AM, Ragini wrote:

 Hi all,

 For my research work I want to have different attacking scenarios which 
 exploits vulnerability of JAVA based applications. This java applications 
 can be just any web-application, desktopapplication or any other.

 For this, I was thinking to exploit vulnerabilities of tomcat itself 
 (because it is in java). I went through different vulnerabilities of 
 different versions of tomcat on apache tomcat's official site. They have 
 provided information about what is the vulnerability and what is its 
 consequences.

 But I am looking for some real time example by which I can exhibit the 
 exploitation of tomcat’s vulnerability. The version of the tomcat can be 
 just any. I would like to try vulnerabilities like authentication bypass, 
 information disclosure or some other which really compromises the security.

 Try looking at Metasploit.

+1


p

 Dan


 Could anybody please suggest some source where I can get step by step 
 information about exploiting tomcat’s vulnerability with example ? It would 
 be nice if the example web application used for exploitation is also in java.

 I would really appreciate your any kind of help regarding this.

 Thanks.

 Richa.




Re: Updating Tomcat-Server from Version 6.0.16 to 7.0.30

2012-09-19 Thread Pid *
On 19 Sep 2012, at 14:45, Andreas Stadelmeier a...@michlaustderaffe.de wrote:

 Hello guys,

 i would like to install the newest stable version of the Apache Tomcat
 Server. I already got some stuff running on the old Tomcat v.6.0.16
 Server.
 I want to ask you, if it is safe to do this update and if afterwards
 my v 6 compatible JSP-Files wont cause any problems.

Try the latest 6.0.x first, then if your app is fine, try 7.0.x.
Things changed in 6 that sometimes catch people out.


p


 Thank you in advance,

 Andi




Re: Latest Tomcat release question...

2012-09-19 Thread Pid *
On 19 Sep 2012, at 16:45, Tony Anecito adanec...@yahoo.com wrote:

 Ok does scanning scan the classes inside the library jars the app uses? What 
 would be the point of that?

How does Tomcat know which is a special library jar and which is not?
(Unless you provide it with a list of jars to ignore.)


p





 Thanks,
 -Tony




Re: Tomcat Connector for Sun ONE Web Server 7.0 and Tomcat 6.0.x

2012-09-19 Thread Pid *
On 19 Sep 2012, at 16:59, Hassan Schroeder hassan.schroe...@gmail.com wrote:

 On Wed, Sep 19, 2012 at 8:02 AM, Jay Rao jay...@gmail.com wrote:
 Is there a Tomcat Connector for Sun ONE Web Server 7.0 and Tomcat 6.0.x
 running on RedHat Linux 5.7 64-bit ?

 If not, any idea on when will it would be available please ?

 My guess: When dead, dreaming Cthulhu wakes in his house at
 R'lyeh and schedules a Tupperware party.

LMAO

 I could be wrong, though.

Or you could pay someone to create one.
Or try the 6.x one that is the top result when you google sun one
tomcat connector
Or ditch Sun ONE and use something current.


p


 --
 Hassan Schroeder  hassan.schroe...@gmail.com
 http://about.me/hassanschroeder
 twitter: @hassan




Re: sessions replication

2012-09-19 Thread Pid *
On 19 Sep 2012, at 16:59, Carrillo, Dan dcarri...@idanalytics.com wrote:

 Hi folks,
 My sessions are replicating across the cluster as indicated by my session 
 listener debug output.  E.g I can see the session created/destroyed messages 
 in each respective log.
 I have a Service object that is serializable, which contains a String member 
 variable (x) which is not initialized; null.  As my load balancer 
 round-robins the requests to each of these servers, each successfully 
 retrieves the service instance from the session.  Now, when service.x is set 
 at some point in the workflow, I expect the other members to receive this 
 updated object since it resides in the session.  However, I'm finding that it 
 is not, it remains null in all other containers.

 The tomcat config 
 (http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html) says that ..For 
 each request the entire session is replicated, this allows code that modifies 
 attributes in the session without calling setAttribute or removeAttribute to 
 be replicated.

 Can someone clarify whether I do in fact need to reset the service object on 
 the session in order for it to replicate?

If by this, you are asking whether you can retrieve an object from the
session, update it and without adding it back to the session expect
these changes to be propagated, then no, you can't.


p



 Thanks!




Re: Is there a REAL solution to the BEAST attack (CVE-2011-3389) for Tomcat 7.x

2012-09-19 Thread Pid *
Martin,

You know what a turtle is?


p

On 15 Sep 2012, at 13:30, Martin Gainty mgai...@hotmail.com wrote:


 Good Morning Brian

 from what I'm seeing this is a Redhat Enterprise 4,5,6 bug which affects any 
 of the secure protocols such as sftp, scp and ssl  and you would need to 
 implement the RH patch
 disable TLS 1.0 and implement either TLS 1.1 or TLS 1.2 protocols in its place
 disable applets
 disable WebSockets
 disable Cipher Block Chaining (CBC) ciphers
 make sure  1/(n-1) split is being implemented
 replace your JSSE with a JSSE that supports  jsse.enableCBCProtection

 this update from tomas tells the story
 A mitigation for this flaw was implemented in the Network Security Services 
 (NSS) library.
 It uses 1/(n-1) record splitting as mentioned in comment #19.
 This mitigation was added in NSS version 3.13 (which is used in Firefox 9 and 
 later) and is enabled by default upstream.
 Environment variable NSS_SSL_CBC_RANDOM_IV can be used to disable the 
 mitigation when it causes failures to connect to servers that are intolerant 
 to such record splitting (see comment #23).  Setting the environment variable 
 value to 0 disables the mitigation.
 use FF9 as your corporate browser
 https://bugzilla.redhat.com/show_bug.cgi?id=737506
 does anyone from Redhat have anything useful to say on this matter?
 Martin Gainty


 Date: Fri, 14 Sep 2012 22:12:30 -0500
 Subject: Is there a REAL solution to the BEAST attack (CVE-2011-3389) for 
 Tomcat 7.x
 From: brianbr...@gmail.com
 To: users@tomcat.apache.org

 Hi,

 Is there a REAL solution to the BEAST attack (CVE-2011-3389) for Tomcat
 7.x?
 For more info about this attack:
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

 My thoughts and questions, as far as I have investigated this issue:

 - Disabling the TLS1.0 protocol would be too restrictive, because there are
 still browser versions in use that don't support TLS1.1 or TLS1.2.
 - Should we restrict the ciphers in use? If so, which ones should we offer
 for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
 JSSE instead of OpenSSL)?
 - Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
 issue?

 Thanks in advance.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Profiling tomcat 7 on ubuntu with java profiler

2012-09-19 Thread Pid *
On 17 Sep 2012, at 13:55, Ragini raginippa...@gmail.com wrote:

 Hi experts,

 I profile tomcat with a java profiler.

I expect that a Java Profiler is the best way to do that.

 The profiler runs java agent and
 profiles the tomcat server.

So you said. That's awesome dude.

 So I have created setenv.sh and put java
 options to it. so far it is working fine. I start the server, then I run
 the web application in the browser and then I stop the server by
 shutdown.sh. After I execute shutdown.sh, my profiler dumps the output.
 This output shows all the executed java methods in xml format. It
 actually shows the sequence in which they were executed. Pl find the
 attached file to see how the profiler generates the output. This was
 generated by running just one test.jsp page which contains the method
 addnum.

 In the output, I have noticed that the main class which is responsible
 to execute jsp page is Lorg/apache/jsp.

Uhhh, which profiler are you using? That doesn't make sense.


 But I am not sure if there are also other classes which are responsible for 
 this.

...


 I am curious to know this. In my profiler I have an option by which I can 
 exclude classes
 which I don't want to profile.

 I am basically interested in profiling all user defined methods of jsp
 pages and of java classes. (I want to profile a web application which
 has java classes and jsp pages as well).

Good plan.

 I would not like to profile the classes of apache which are dependent on time 
 (like threads are time dependent).

Uhh, if the committers come up with some Tomcat code that isn't dependent
on time I extend an immediate offer of unlimited beer. (Before you
start, I'll win this one.)


 The reason for this is, it gives me different profiles for
 exactly two same runs. Which I strictly don’t want.

Sun spots?

 so I would like to have your opinions on,

 1) Are the methods of org/apache/jsp class and time dependent ? Is there
 any chance that I get different profiles for exactly two same runs ?

Unless your Tomcat server is in a Faraday cage for a start, yes.


p

 (I don’t have any option to include the class which needs to be profiled
 in my profiler. So if I want to test the above I have to specify all
 other classes except org/apache/jsp in my exclusion list which is very
 time consuming. If I am sure that methods of apache/jsp/* classes are
 not time dependent, I can do that.





 I need your help regarding this.

 Thanks.

 Richa
 tomcat_output.cct.xml.gz




Re: R: how to read files in file system

2012-09-19 Thread Pid *
On 18 Sep 2012, at 07:22, Ge Gestione Elaboratori(IBM Business
Partner) case...@gmail.com wrote:

 Excuse me Dan:
 attached the screenshot.

Zeesh.
Stop attaching it, paste some info inline in the message and stop being lazy.


p

 paolo

 -Original Message-
 From: Daniel Mikusa [mailto:dmik...@vmware.com]
 Sent: Tuesday, 11 September 2012 13.51
 To: Tomcat Users List
 Subject: Re: how to read files in file system

 On Sep 11, 2012, at 3:11 AM, IBM partner Gestione Elaboratori wrote:

 With JSP I can read files in the file system only if they are located under
 the directory webapps/application/file.

 If I read a file, for example, in c:/filename, Tomcat signals an error (see
 attachment)

 Again, there is no attachment.  The list is probably removing it.  Please
 try pasting the content into your email.

 Please also include the error that is given.  Without that, we can only
 guess at what is happening.

 Dan

 How to read files located everywhere in the file system?



 paoloc






Re: Latest Tomcat release question...

2012-09-19 Thread Christopher Schultz

Tony,

On 9/19/12 11:44 AM, Tony Anecito wrote:
 Ok does scanning scan the classes inside the library jars the app 
 uses? What would be the point of that?

As previously discussed, this is a (somewhat foolish) requirement of
the servlet specification.

-chris



Re: sessions replication

2012-09-19 Thread Christopher Schultz

Pid,

On 9/19/12 2:08 PM, Pid * wrote:
 On 19 Sep 2012, at 16:59, Carrillo, Dan
 dcarri...@idanalytics.com wrote:
 
 Hi folks, My sessions are replicating across the cluster as
 indicated by my session listener debug output.  E.g I can see the
 session created/destroyed messages in each respective log. I have
 a Service object that is serializable, which contains a String
 member variable (x) which is not initialized; null.  As my load
 balancer round-robins the requests to each of these servers, each
 successfully retrieves the service instance from the session.
 Now, when service.x is set at some point in the workflow, I
 expect the other members to receive this updated object since it
 resides in the session.  However, I'm finding that it is not, it
 remains null in all other containers.
 
 The tomcat config
 (http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html) says
 that ..For each request the entire session is replicated, this
 allows code that modifies attributes in the session without
 calling setAttribute or removeAttribute to be replicated.
 
 Can someone clarify whether I do in fact need to reset the
 service object on the session in order for it to replicate?
 
 If by this, you are asking whether you can retrieve an object from
 the session, update it and without adding it back to the session
 expect these changes to be propagated, then no, you can't.

That note in the official documentation certainly is misleading. I
believe that the session is only marked dirty if one of
HttpSession.setAttribute or HttpSession.removeAttribute is invoked. I
think the statement in question indicates that, if the HttpSession is
to be replicated, it will be replicated in full and not piecemeal.

But you still have to call HttpSession.setAttribute in order to
trigger the replication in the first place.

-chris
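
The behaviour described in the reply above, modelled as an added example (not code from the thread and not Tomcat's implementation): a session that is copied to its peer only when `setAttribute` or `removeAttribute` has marked it dirty. `DirtySessionDemo`, `ReplicatedSession`, `Service` and `replicateIfDirty` are hypothetical names; only the `getAttribute`/`setAttribute`/`removeAttribute` method names mirror `HttpSession`.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class DirtySessionDemo {

    /** Serializable attribute like the poster's Service object with member x. */
    static class Service implements Serializable {
        private static final long serialVersionUID = 1L;
        String x; // not initialized, so it starts as null
    }

    /** Hypothetical model of one cluster node's copy of a session. */
    static class ReplicatedSession {
        private Map<String, Object> attributes = new HashMap<String, Object>();
        private boolean dirty;

        Object getAttribute(String name) {
            return attributes.get(name); // reading never marks the session dirty
        }

        void setAttribute(String name, Object value) {
            attributes.put(name, value);
            dirty = true; // only set/remove flag the session for replication
        }

        void removeAttribute(String name) {
            attributes.remove(name);
            dirty = true;
        }

        /** End of request: if dirty, serialize the whole attribute map to the peer. */
        boolean replicateIfDirty(ReplicatedSession peer)
                throws IOException, ClassNotFoundException {
            if (!dirty) {
                return false; // in-place mutations are invisible here
            }
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            ObjectOutputStream out = new ObjectOutputStream(buf);
            out.writeObject(attributes); // the session goes over in full, not piecemeal
            out.close();
            ObjectInputStream in =
                    new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()));
            @SuppressWarnings("unchecked")
            Map<String, Object> copy = (Map<String, Object>) in.readObject();
            peer.attributes = copy;
            dirty = false;
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        ReplicatedSession nodeA = new ReplicatedSession();
        ReplicatedSession nodeB = new ReplicatedSession();

        // Request 1 on node A: the service is stored with setAttribute.
        nodeA.setAttribute("service", new Service());
        System.out.println("request 1 replicated: " + nodeA.replicateIfDirty(nodeB));

        // Request 2 on node A: the object is mutated in place, nothing is set again.
        Service s = (Service) nodeA.getAttribute("service");
        s.x = "updated";
        System.out.println("request 2 replicated: " + nodeA.replicateIfDirty(nodeB));
        System.out.println("node B sees x = " + ((Service) nodeB.getAttribute("service")).x);

        // Request 3 on node A: the same object is put back, which marks the session dirty.
        nodeA.setAttribute("service", s);
        System.out.println("request 3 replicated: " + nodeA.replicateIfDirty(nodeB));
        System.out.println("node B sees x = " + ((Service) nodeB.getAttribute("service")).x);
    }
}
```

Compile and run with `javac DirtySessionDemo.java && java DirtySessionDemo`; in this model node B picks up the new value of `x` only after request 3.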



Best practices for upgrading Tomcat on Windows?

2012-09-19 Thread David A. Rush
Is there a set of best practices documented anywhere for upgrading 
Tomcat on Windows?
I run Tomcat as a Windows service on several machines.  I can, and have 
many times, completely removed Tomcat and reinstalled a new version, but 
there's probably a better way, particularly for minor version updates 
(such as 7.0.x to 7.0.x+n).  I've developed a standard way of setting up 
Tomcat that's used across multiple machines, but it doesn't lend itself 
well to upgrades.


I don't use the Windows installer, but rather make bulk copies of the 
Tomcat code and use the service installer script, somewhat modified 
for our peculiarities.


For minor version updates, should I be able to stop the Tomcat windows 
service, copy any customized files such as server.xml and 
catalina.properties and setenv.bat, copy new code over old code, copy 
the customized files back, and start the service again?


David




very basic question about apache and tomcat

2012-09-19 Thread Mead, Jen L
Hi Everybody,

Now I will show my real ignorance about what I know after NOT working with 
Apache or Tomcat for several years now.  I have been working on a project that 
allows our CGI web pages to authenticate users from their windows desktop 
against Windows AD and not requiring any kind of unix account.  I am slowly 
getting the information I need to move forward but information is just not out 
there to get.  I am just chipping away at it.

My basic question is: do I need to install apache as well as tomcat to have an 
httpd.conf file?  I have tomcat running on several AIX servers, 6.1 and 5.3, 
with tomcat 7.0.27 installed.  I was doing a simple search to find the 
httpd.conf file when I realized none of my servers have it installed.  When I 
try to find out which app creates it I get the answer apache (from google 
searches).  So I guess that tomcat is a subset of apache?  A virtual java app I 
suppose?  See I told you the questions were basic.  Yikes it is hard to 
understand as a newbie, especially when I can load tomcat and get web pages 
working in a few minutes.  LOL

Any help is appreciated in regard to helping me wrap my brain around this.  ARGH

Regards,
Jen

Jen L Mead | Sys Admin | ICC Operations | Con-way | Office 503-450-8641




ajp_ilink_receive error - please advise

2012-09-19 Thread Django Radonich-Camp
hello.

we are running an application on tomcat and experiencing intermittent
periods where the application is non-responsive and thus non-functional.
 the general set up is apache and tomcat, with mod_proxy_ajp as the
connector (specific details and configs below).

during these events, the primary apache error log shows the following:
1. (104)Connection reset by peer: ajp_ilink_receive() can't receive header
2. (70007)The timeout specified has expired: ajp_ilink_receive() can't
receive header

it looks like error #1 repeats for a while and then error #2 repeats for a
while.

at the same time in the application specific apache error log (as specified
in the vhost set up for app) we see the following errors repeated (though
in mixed order from below):
3. [error] ajp_read_header: ajp_ilink_receive failed
4. [error] (120006)APR does not understand this error code: proxy: read
response failed from (null) (localhost)
5. [error] (120006)APR does not understand this error code: proxy: read
response failed from 127.0.0.1:8009 (localhost)
6. [error] [client X.X.X.X] proxy: error processing end

and occasionally:
7. [error] proxy: read zero bytes, expecting 464 bytes

the catalina.out log registers nothing during the time period the
application is unresponsive.

a couple of other things to note:
- these events are coming under light to no load as far as i can tell.
- these events last from about 5 to 30 minutes and then everything works
again as expected with no manual intervention.
- the time of day for the events is not consistent.
- these events initially occurred rarely, but over the last month have
ramped up to daily.

any suggestions on how to fix or further troubleshoot this problem? and
thanks in advance for the help.

below please find more information on versions and configs... let me know
if more info is needed.

OS Name:Linux (ubuntu 10.04.4)
OS Version: 2.6.32-31-server
Architecture:   amd64
JVM Version:1.6.0_32-b05
JVM Vendor: Sun Microsystems Inc.
Server version: Apache Tomcat/6.0.24
apache: Apache/2.2.14

MPM configs
START--
<IfModule mpm_prefork_module>
   StartServers  5
   MinSpareServers   5
   MaxSpareServers  10
   MaxClients   26
   MaxRequestsPerChild  1000
</IfModule>
END

balancer conf
START--
<Proxy balancer://mysite_balancer*>
Order deny,allow
Allow from all
</Proxy>

ProxyPassMatch ^/(.+.cf[cm])(.*)?$ balancer://mysite_balancer/irised/client stickysession=JSESSIONID|jsessionid

ProxyPassReverseCookiePath /irised /

<Proxy balancer://mysite_balancer>
BalancerMember ajp://localhost:8009 route=www1 retry=5
</Proxy>
END

connector xml
START--
<Connector URIEncoding="UTF-8"
   port="8009"
   protocol="AJP/1.3"
   connectionTimeout="2"
   redirectPort="8443" />
END


Re: very basic question about apache and tomcat

2012-09-19 Thread David A. Rush


On 2012-09-19 17:31, Mead, Jen L wrote:

My basic question is: do I need to install apache as well as tomcat to have an 
httpd.conf file?  I have tomcat running on several AIX servers, 6.1 and 5.3, 
with tomcat 7.0.27 installed.  I was doing a simple search to find the 
httpd.conf file when I realized none of my servers have it installed.  When I 
try to find out which app creates it I get the answer apache (from google 
searches).  So I guess that tomcat is a subset of apache?  A virtual java app I 
suppose?  See I told you the questions were basic.  Yikes it is hard to 
understand as a newbie, especially when I can load tomcat and get web pages 
working in a few minutes.  LOL

Tomcat and HTTPD (Apache web server) are two different things, though 
often used together.  Both are projects of the Apache Software Foundation.


Tomcat is capable of running standalone.  It is not a subset of the 
Apache HTTPD.  For various reasons many folks run Tomcat behind Apache 
HTTPD, but that isn't necessary.


There's overlap between the functionality of Tomcat and HTTPD. Whether 
you need just Tomcat, just HTTPD, or both, depends on what you want to do.


httpd.conf is the typical name of the primary HTTPD configuration file 
(although that may be different depending on who built the distribution 
you're using and on what kind of OS).


Tomcat uses server.xml as its primary configuration file.

David




RE: very basic question about apache and tomcat

2012-09-19 Thread Mead, Jen L
That was very insightful.  All the documentation that I am looking into 
specifies apache as the application.  Maybe, just maybe the server.xml file 
will contain what I need to move forward.  The lack of documentation for what I 
am trying to do is frustrating.  I am not even sure I can do it without loading 
apache with or instead of tomcat.  Thanks for the info.
J

-Original Message-
From: David A. Rush [mailto:da...@rushtone.com] 
Sent: Wednesday, September 19, 2012 2:45 PM
To: users@tomcat.apache.org
Subject: Re: very basic question about apache and tomcat


On 2012-09-19 17:31, Mead, Jen L wrote:
 My basic question is: do I need to install apache as well as tomcat to 
 have an httpd.conf file?  I have tomcat running on several AIX 
 servers, 6.1 and 5.3, with tomcat 7.0.27 installed.  I was doing a 
 simple search to find the httpd.conf file when I realized none of my 
 servers have it installed.  When I try to find out which app creates 
 it I get the answer apache (from google searches).  So I guess that 
 tomcat is a subset of apache?  A virtual java app I suppose?  See I 
 told you the questions were basic.  Yikes it is hard to understand as 
 a newbie, especially when I can load tomcat and get web pages working 
 in a few minutes.  LOL

Tomcat and HTTPD (Apache web server) are two different things, though often 
used together.  Both are projects of the Apache Software Foundation.

Tomcat is capable of running standalone.  It is not a subset of the Apache 
HTTPD.  For various reasons many folks run Tomcat behind Apache HTTPD, but 
that isn't necessary.

There's overlap between the functionality of Tomcat and HTTPD. Whether you need 
just Tomcat, just HTTPD, or both, depends on what you want to do.

httpd.conf is the typical name of the primary HTTPD configuration file 
(although that may be different depending on who built the distribution you're 
using and on what kind of OS).

Tomcat uses server.xml as its primary configuration file.

David




Re: Best practices for upgrading Tomcat on Windows?

2012-09-19 Thread Christopher Schultz

David,

On 9/19/12 4:32 PM, David A. Rush wrote:
 Is there a set of best practices documented anywhere for upgrading 
 Tomcat on Windows? I run Tomcat as a Windows service on several
 machines.  I can, and have many times, completely removed Tomcat
 and reinstalled a new version, but there's probably a better way,
 particularly for minor version updates (such as 7.0.x to 7.0.x+n).
 I've developed a standard way of setting up Tomcat that's used
 across multiple machines, but it doesn't lend itself well to
 upgrades.
 
 I don't use the Windows installer, but rather make bulk copies of
 the Tomcat code and use the service installer script, somewhat
 modified for our peculiarities.
 
 For minor version updates, should I be able to stop the Tomcat
 windows service, copy any customized files such as server.xml and 
 catalina.properties and setenv.bat, copy new code over old code,
 copy the customized files back, and start the service again?

There are no hard-and-fast rules for what will and won't change with a
Tomcat release, even at the minor-revision level. Tomcat itself
doesn't offer any upgrade options -- just separate installs.

Honestly, I think that works out quite well, since it encourages you
to install multiple versions side-by-side which makes roll-backs quite
easy: if the latest version has some bug that scuttles your project,
you can just uninstall the upgrade and go back to business as usual.

IMO, the best way to upgrade Tomcat is to use a catalina.base
which is distinct from catalina.home. Read the README.txt file that
comes with Tomcat to see how that's done. Once you are comfortable
with that, upgrading to a new version of Tomcat is as simple as doing
a diff between your customized server.xml (and catalina.properties, if
you end up customizing that for whatever reason) and the new stock
server.xml from the latest Tomcat and merging-in whatever is new,
switching the catalina.base parameter to your service and restarting
Tomcat. Switching back is the opposite procedure.

I would recommend this technique to anyone using Tomcat, whether they
are running on Microsoft Windows or not.

-chris



Re: ajp_ilink_receive error - please advise

2012-09-19 Thread Christopher Schultz

Django,

On 9/19/12 5:38 PM, Django Radonich-Camp wrote:
 apache: Apache/2.2.14

That's 9 revisions out of date. Any chance you can upgrade to 2.2.23
and re-test? Is it reliably reproducible?

-chris



Re: very basic question about apache and tomcat

2012-09-19 Thread Christopher Schultz

David,

On 9/19/12 5:45 PM, David A. Rush wrote:
 
 On 2012-09-19 17:31, Mead, Jen L wrote:
 My basic question is: do I need to install apache as well as
 tomcat to have an httpd.conf file?  I have tomcat running on
 several AIX servers, 6.1 and 5.3, with tomcat 7.0.27 installed.
 I was doing a simple search to find the httpd.conf file when I
 realized none of my servers have it installed.  When I try to
 find out which app creates it I get the answer apache (from
 google searches).  So I guess that tomcat is a subset of apache?
 A virtual java app I suppose?  See I told you the questions were
 basic.  Yikes it is hard to understand as a newbie, especially
 when I can load tomcat and get web pages working in a few
 minutes.  LOL
 
 Tomcat and HTTPD (Apache web server) are two different things,
 though often used together.  Both are projects of the Apache
 Software Foundation.
 
 Tomcat is capable of running standalone.  It is not a subset of
 the Apache HTTPD.  For various reasons many folks run Tomcat
 behind Apache HTTPD, but that isn't necessary.
 
 There's overlap between the functionality of Tomcat and HTTPD.
 Whether you need just Tomcat, just HTTPD, or both, depends on what
 you want to do.
 
 httpd.conf is the typical name of the primary HTTPD configuration
 file (although that may be different depending on who built the
 distribution you're using and on what kind of OS).
 
 Tomcat uses server.xml as its primary configuration file.

+1

David, great reply.

-chris



Re: very basic question about apache and tomcat

2012-09-19 Thread Christopher Schultz

Jen,

On 9/19/12 5:52 PM, Mead, Jen L wrote:
 That was very insightful.  All the documentation that I am looking
 into specifies apache as the application.  Maybe, just maybe the
 server.xml file will contain what I need to move forward.  The lack
 of documentation for what I am trying to do is frustrating.  I am
 not even sure I can do it without loading apache with or instead of
 tomcat.  Thanks for the info.

Can you describe what you need to accomplish without specifically
referring to Apache httpd or Apache Tomcat?

Something like:

We have a Java web application that needs to authenticate against
Microsoft AD server, and there are no other moving parts required
unless we need them to support this configuration.

The reason that I ask is that Tomcat (with some special support
libraries and configuration) can authenticate directly against
Microsoft AD and Apache httpd isn't necessary at all. If you /require/
Apache httpd to perform the authentication, then we can tell you how
to do that, too.

-chris



Re: very basic question about apache and tomcat

2012-09-19 Thread Jeff
I have a related question since we recently implemented authentication to
AD via LDAP in our Tomcat WebApp but it currently prompts the user for
every new session, even if they are hitting the site from their windows
workstation that is already authenticated to the domain.

Is there a way to do it that detects the user's current AD session and
eliminates the need to prompt them, preferably browser (Chrome/FF/IE)
independent?  If so, it would be great!

On Wed, Sep 19, 2012 at 5:06 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 Jen,

 On 9/19/12 5:52 PM, Mead, Jen L wrote:
  That was very insightful.  All the documentation that I am looking
  into specifies apache as the application.  Maybe, just maybe the
  server.xml file will contain what I need to move forward.  The lack
  of documentation for what I am trying to do is frustrating.  I am
  not even sure I can do it without loading apache with or instead of
  tomcat.  Thanks for the info.

 Can you describe what you need to accomplish without specifically
 referring to Apache httpd or Apache Tomcat?

 Something like:

 We have a Java web application that needs to authenticate against
 Microsoft AD server, and there are no other moving parts required
 unless we need them to support this configuration.

 The reason that I ask is that Tomcat (with some special support
 libraries and configuration) can authenticate directly against
 Microsoft AD and Apache httpd isn't necessary at all. If you /require/
 Apache httpd to perform the authentication, then we can tell you how
 to do that, too.

 -chris




-- 
Jeff Vincent
predato...@gmail.com


Proxy Support in tomcat 7

2012-09-19 Thread Vijay Kumar
Hi all,

I have a scenario where I don't want to contact from my application to a
web-service using https.
I don't want to change firewall details and want to enable 443 port.

Is there any way that can configure a proxy and can handle this scenario.

My application is deployed at tomcat 7

Thanks,
Vijay G