Re: Context Path for a subdirectory

[André Warnier]

Leo Donahue - RDSA IT wrote:



-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Thursday, November 29, 2012 3:40 PM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory

Leo Donahue - RDSA IT wrote:

-Original Message-
From: Mark Eggers [mailto:its_toas...@yahoo.com]
Sent: Thursday, November 29, 2012 1:12 PM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory

On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote:

Reading the docs:
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

"..The web application used to process each HTTP request is selected
by

Catalina based on matching the longest possible prefix of the Request
URI against the context path of each defined Context."

If I have a webapp, with a www directory, and in that www directory
are

other directories, how would I restrict access to one of those
subdirectories to the localhost?

webapps
  webapp1
   -WEB-INF
 -classes
 -lib
   -www
 -directory1
 -directory2

Is the context path of directory1:  /webapp1/directory1

Would I create a context named directory1.xml such as the following?

 

   



Leo

How about:

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

In particular:


http://tomcat.apache.org/tomcat-7.0-
doc/config/filter.html#Remote_Address_Filter


Although as has been discussed previously on the mailing list, the
regular expression is a bit simplistic.

. . . . just my two cents.
/mde/


Thank you Mark.

I realized the first reply I got might be why not try it, my question, which I

did, and of course I had it wrong.

I thought of security-constraint right after I clicked send, but the filter will

also work.

http://planning.maricopa.gov/rest - needed to restrict access to one

directory of that webapp.  It's a third party app, but our data.
Of course you'll still have to map the filter to the correct context for 
directory1
in

webapps
 webapp1
  -WEB-INF
-classes
-lib
  -www
-directory1
-directory2



  Remote Address Filter
  (??)


and (??) is  ?

;-)



Sadly, it's advertised in the help section.

http://planning.maricopa.gov/sdk/rest/gettingstarted.html  scroll to bottom of 
the page.

I could surgery out bullet #7 I suppose, but I'm counting on the filter to work.

Ah well, that is what the user enters, which does not necessarily match the layout of your 
application.
But did I misunderstand, or did you want to have the IP filter apply only to the 
subdirectory in question ?  My "trick question" was about how you would specify the 
url-pattern so that it applies only to (webapps)/webapp1/www/directory1 (and not to 
(webapps)/webapp1/www/directory2 for instance).



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Veritas Clustering for Tomcat

[Sameera, Shaakunthala]

Hi,

Is there a Veritas clustering agent available for Tomcat?

As per the following page, currently there's no agent available.
https://sort.symantec.com/agents

Are there any alternatives?

Thanks in advance.


With thanks and best regards,

Sameera Shaakunthala | Systems Administrator - Management Information Systems
MillenniumIT | A member of the London Stock Exchange Group
No 1, Millennium Drive, Malabe, Sri Lanka
* Mobile: +94 77 737 4799 | +94 71 601 1924 | Work: +94 11 241 6000 ext. 26182
Email: shaakunth...@millenniumit.com| 
Web: www.millenniumit.com



This e-mail transmission (inclusive of any attachments) is strictly 
confidential and intended solely for the ordinary user of the e-mail address to 
which it was addressed. It may contain legally privileged and/or CONFIDENTIAL 
information. The unauthorized use, disclosure, distribution printing and/or 
copying of this e-mail or any information it contains is prohibited and could, 
in certain circumstances, constitute an offence. If you have received this 
e-mail in error or are not an intended recipient please inform the sender of 
the email and MillenniumIT immediately by return e-mail or telephone (+94-11) 
2416000. We advise that in keeping with good computing practice, the recipient 
of this e-mail should ensure that it is virus free. We do not accept 
responsibility for any virus that may be transferred by way of this e-mail. 
E-mail may be susceptible to data corruption, interception and unauthorized 
amendment, and we do not accept liability for any such corruption, interception 
or amendment or any consequences thereof.  www.millenniumit.com 

RE: Logfile noise, mod_jk, Apache 2.2, "Uri * is invalid. Uri must start with /"

[Martin Gainty]

assume this Apache 
URLhttp://systemname:port/server1/example/samples/ExampleServlet then to map 
ALL subdomains and pages under example to SystemWorker1 (To Tomcat) issue this 
JKMount
JkMount /example/* System1worker on ApacheServer be careful to chmod +r+x for 
ALL urls underhttp://systemname:port/server1/example/ 
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzaie/rzaiemod_jk.htm 
Cheers
Martin 
__ 
Please do not alter or disrupt this communication..Thank You
 > Date: Thu, 29 Nov 2012 15:33:59 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Logfile noise, mod_jk, Apache 2.2, "Uri * is invalid. Uri must 
> start with /"
> 
> Patrick Middleton wrote:
> > Hi folks,
> > 
> > I'm working with recent builds/installations of
> > Apache 2.2.22 with mod_jk 1.2.37 on MacOSX 10.4.11/PPC
> > Apache 2.2.22 with mod_jk 1.2.37 on MacOSX 10.8.2/x86_64
> > connecting to Tomcat 5.5.7 (from binary distribution) running on MacOSX 
> > 10.4.11.
> > 
> > What I am finding is lots of log entries such as this one in 
> > /var/log/apache2/mod_jk.log:
> > [Thu Nov 29 12:17:14.422 2012] [38496:140733193388032] [warn] 
> > map_uri_to_worker_ext::jk_uri_worker_map.c (1057): Uri * is invalid. Uri 
> > must start with /
> > 
> > corresponding to this one in /var/log/apache2/access_log:
> > ::1 - - [29/Nov/2012:12:17:14 +] - - - "OPTIONS * HTTP/1.0" 200 - 
> > "-" "Apache/2.2.22 (Unix) DAV/2 mod_jk/1.2.37 mod_ssl/2.2.22 
> > OpenSSL/0.9.8x (internal dummy connection)"
> > 
> > 
> > My understanding is that this is the Apache master instance running as 
> > root is polling its spare/worker processes to check that they're alive 
> > and I have tracked this down to server/mpm_common.c in the Apache 2.2 
> > sources.
> > 
> > I'm not an Apache internals expert.  I'm not really even that good at 
> > configuring Apache.  I have:
> > 
> > JkWorkersFile /etc/apache2/workers.properties
> > JkShmFile /private/var/run/jk-apache2.shm
> > JkLogFile /private/var/log/apache2/mod_jk.log
> > JkLogLevel info
> > JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
> > JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> > JkRequestLogFormat "%w %V %T %s %r"
> > JKMount "/TomcatApplications/*" worker1
> > JkMountCopy All
> > 
> > 
> > so I don't see how the heartbeat request is being processed by the 
> > jk_module handler.  Possibly my diligent use of Google to find how to 
> > configure apache 2.2 to stop this has not been diligent enough.  
> > Suggestions for additional Apache configuration directives are welcome.
> > 
> > Would it be reasonable to change the sources for mod_jk to not log a 
> > warning when the URI is * and the method is OPTIONS and the remote 
> > address is localhost?
> > 
> 
> Hi.
> Thanks for the detailed and complete info, it simplifies responses.
> I basically agree with you in not understanding why mod_jk, with the single 
> mapping
>  > JKMount "/TomcatApplications/*" worker1
> would believe that a request "OPTIONS *" applies to it, and would 
> consequently mumble in 
> the logfile.
> 
> I would let the resident mod_jk expert answer that one.
> 
> But to avoid the messages in the meantime, you could try the following :
> 
> 1) comment out the following JkMount and JkMountCopy lines :
>  > 
>  > JkWorkersFile /etc/apache2/workers.properties
>  > JkShmFile /private/var/run/jk-apache2.shm
>  > JkLogFile /private/var/log/apache2/mod_jk.log
>  > JkLogLevel info
>  > JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>  > JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
>  > JkRequestLogFormat "%w %V %T %s %r"
> # JKMount "/TomcatApplications/*" worker1
> # JkMountCopy All
>  > 
> 
> 2) add a section to your Apache httpd configuration :
> 
>
>  SetHandler jakarta-servlet
>  SetEnv JK_WORKER_NAME worker1
>
> 
> 
> Honestly, I have no idea if a  section would do the trick here. But 
> you can always 
> try it.
> If it works like I expect, the above means :
> - for any request URL which matches ^/TomcatApplications/
> - only if the method is GET or POST
> - set mod_jk as the Apache response handler
> - and set the mod_jk "worker" to worker1
> If the method is not GET or POST, do nothing, meaning let the request be 
> served by the 
> default Apache response handler (which would complain if this was other than 
> OPTIONS, 
> because it would not find the path on disk).
> 
> 
> 
> Reference : http://tomcat.apache.org/connectors-doc/reference/apache.html
> Section : Using SetHandler and Environment Variables
> and
> http://httpd.apache.org/docs/2.2/mod/core.html#limit
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
  

Re: Tomcat 6.0.18 Caching Question

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Vasanth,

I'm finally getting around to reading all the messages in this thread.
I have a few questions:

On 11/22/12 10:39 AM, Sekar, Vasanth wrote:
> Sorry, about that. Here is the detailed explanation.  collection="pages" property="pageNumber" styleClass="textbody"/>

So you are using Apache Struts. Good to know. Maybe next time tell us
that's what's happening.

What's in the "pages" collection? From what scope does that get loaded
(page, request, session, or application)?

If you are using , it's going to be related to a "form
bean". Does the form bean know which item should be pre-selected? How?
IIRC, Struts takes the form's "pageNumber" value and if it matches any
item in the "pages" collection, it sets that one to "selected".

> So, during first time access - html view source  class="textbody">0  class="textbody">1  class="textbody">2  class="textbody">3  class="textbody">4  class="textbody">5

> If you notice there is a selected on option value="1" and default 
> option on page load will be selected to option value 1
> 
> [...]
> 
> The selected "selected" is missing upon future requests. This is
> how it will be and since selected is not there it would default to
> first record 0.
> 
> 0  class="textbody">1  class="textbody">2  class="textbody">3  class="textbody">4  class="textbody">5

Sounds like the form bean's "pageNumber" value is probably null.
Perhaps the form bean has been lost? Or reset? Is this a single user
navigating to the page (and getting selected=1) then hitting RELOAD
and getting no pre-selected item?

This question almost certainly has nothing to do with Tomcat, and
everything to do with your own webapp/JSP and Struts.

We still may be able to help, but you are going to need to provide
more information.

As for your your ops team, you should tell them to abandon their 7.0.8
testing and piloting: it's a complete and utter waste of their time.
Tell them to start over with 7.0.33 or just give up on ever approving
another version of Tomcat again because they can't get it done in a
reasonable time.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlC36dQACgkQ9CaO5/Lv0PAafACferZTwpDozR1pkPphcNmlbHnA
y6MAoJBZACLjppp467NpO4uuNKMp7cjm
=7JA/
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Context Path for a subdirectory

[Leo Donahue - RDSA IT]

>-Original Message-
>From: André Warnier [mailto:a...@ice-sa.com]
>Sent: Thursday, November 29, 2012 3:40 PM
>To: Tomcat Users List
>Subject: Re: Context Path for a subdirectory
>
>Leo Donahue - RDSA IT wrote:
>>> -Original Message-
>>> From: Mark Eggers [mailto:its_toas...@yahoo.com]
>>> Sent: Thursday, November 29, 2012 1:12 PM
>>> To: Tomcat Users List
>>> Subject: Re: Context Path for a subdirectory
>>>
>>> On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote:
 Reading the docs:
 http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

 "..The web application used to process each HTTP request is selected
 by
>>> Catalina based on matching the longest possible prefix of the Request
>>> URI against the context path of each defined Context."
 If I have a webapp, with a www directory, and in that www directory
 are
>>> other directories, how would I restrict access to one of those
>>> subdirectories to the localhost?
 webapps
   webapp1
-WEB-INF
  -classes
  -lib
-www
  -directory1
  -directory2

 Is the context path of directory1:  /webapp1/directory1

 Would I create a context named directory1.xml such as the following?

  >>> antiResourceLocking="false" privileged="true"
 path="/webapp1/directory1">

>>>   allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
 


 Leo
>>> How about:
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
>>>
>>> In particular:
>>>
>>>
>>> http://tomcat.apache.org/tomcat-7.0-
>>> doc/config/filter.html#Remote_Address_Filter
>>>
>>>
>>> Although as has been discussed previously on the mailing list, the
>>> regular expression is a bit simplistic.
>>>
>>> . . . . just my two cents.
>>> /mde/
>>>
>>
>> Thank you Mark.
>>
>> I realized the first reply I got might be why not try it, my question, which 
>> I
>did, and of course I had it wrong.
>>
>> I thought of security-constraint right after I clicked send, but the filter 
>> will
>also work.
>>
>> http://planning.maricopa.gov/rest - needed to restrict access to one
>directory of that webapp.  It's a third party app, but our data.
>>
>
>Of course you'll still have to map the filter to the correct context for 
>directory1
>in
>
>webapps
>  webapp1
>   -WEB-INF
> -classes
> -lib
>   -www
> -directory1
> -directory2
>
>
>
>   Remote Address Filter
>   (??)
> 
>
>and (??) is  ?
>
>;-)
>

Sadly, it's advertised in the help section.

http://planning.maricopa.gov/sdk/rest/gettingstarted.html  scroll to bottom of 
the page.

I could surgery out bullet #7 I suppose, but I'm counting on the filter to work.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat with multiple domains

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Paul,

On 11/28/12 6:29 PM, Paul van Hoven wrote:
> Thanks for your quick and detailed answers. Actually I think I did
> all the things you mentioned but it still does not work. So here
> are the changes I made:
> 
> 1. I checked that the following entries are in the engine tag: 
>  ...  name="Catalina"> ...  defaultHost="localhost">  unpackWARs="true" autoDeploy="true">  name="www.my2nddomain.com" 
> appBase="/opt/apache-tomcat-7.0.32/my2nddomain" unpackWARs="true" 
> autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> 
>

This looks correct to me.

> 2. In the host file I altered the entries to 88.84.140.85
> www.my2nddomain.com 88.84.140.85  www.my1rstdomain.com

Is this on the server or the client? Or both?

Go to the machine you are using as an HTTP client (e.g. web browser)
and type this on the command line:

nslookup www.my2nddomain.com

You should get 88.84.140.85 back.

Next, you need to make sure that the client is sending a "Host" header
with the HTTP message. The Host header is required for HTTP/1.1, so if
the client is not specifying the Host, it is non-compliant.

Tomcat can't determine the virtual host to use if the Host header is
absent. If the Host header is absent or the value of Host does not
match anything Tomcat has configured, the default Host for the Engine
will be used. In your case, it's the "localhost" host.

> The current status is that when calling www.my1rstdomain.com:8080 
> points to the webapp installed for www.my2nddomain.com:8080.

That seems very odd, since you don't have any configuration for
www.my1rstdomain.com, so you should get the default. What happens when
you request www.my2nddomain.com?

Can you post an HTTP protocol trace of a request/response?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlC35rMACgkQ9CaO5/Lv0PBg7wCfbZ5FAYwfrCQfx0vb1KjB3j/2
QxwAnjFvdrNhV+XhxQ+ttDDpOiaJtp3d
=EUkh
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Context Path for a subdirectory

[André Warnier]

Leo Donahue - RDSA IT wrote:

-Original Message-
From: Mark Eggers [mailto:its_toas...@yahoo.com]
Sent: Thursday, November 29, 2012 1:12 PM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory

On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote:

Reading the docs:
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

"..The web application used to process each HTTP request is selected by

Catalina based on matching the longest possible prefix of the Request URI
against the context path of each defined Context."

If I have a webapp, with a www directory, and in that www directory are

other directories, how would I restrict access to one of those subdirectories to
the localhost?

webapps
  webapp1
   -WEB-INF
 -classes
 -lib
   -www
 -directory1
 -directory2

Is the context path of directory1:  /webapp1/directory1

Would I create a context named directory1.xml such as the following?

 




Leo

How about:

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

In particular:


http://tomcat.apache.org/tomcat-7.0-
doc/config/filter.html#Remote_Address_Filter


Although as has been discussed previously on the mailing list, the
regular expression is a bit simplistic.

. . . . just my two cents.
/mde/



Thank you Mark.

I realized the first reply I got might be why not try it, my question, which I 
did, and of course I had it wrong.

I thought of security-constraint right after I clicked send, but the filter 
will also work.

http://planning.maricopa.gov/rest - needed to restrict access to one directory 
of that webapp.  It's a third party app, but our data.



Of course you'll still have to map the filter to the correct context for 
directory1 in

webapps
 webapp1
  -WEB-INF
-classes
-lib
  -www
-directory1
-directory2



  Remote Address Filter
  (??)


and (??) is  ?

;-)

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Context Path for a subdirectory

[Konstantin Kolinko]

2012/11/29 Leo Donahue - RDSA IT :
> Reading the docs:  http://tomcat.apache.org/tomcat-7.0-doc/config/context.html
>
> "..The web application used to process each HTTP request is selected by 
> Catalina based on matching the longest possible prefix of the Request URI 
> against the context path of each defined Context."
>
> (...)
>
> Would I create a context named directory1.xml such as the following?
>
> 
>  path="/webapp1/directory1">

1. The path attribute is invalid here. The file name of the xml file
will be used as the path.

E.g. naming the file "webapp1#www#directory1.xml" and moving those
files into directory named /webapps/webapp1#www#directory1  is a way
to deploy such application.  Isn't it in the FAQ?

Anyway I think it would be easier for you to configure a
RemoteAddrFilter, as others suggested.

2. Unless you know what "privileged" is, do not use it.

> allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
> 

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Context Path for a subdirectory

[Mark Eggers]

On 11/29/2012 12:32 PM, Leo Donahue - RDSA IT wrote:

-Original Message- From: Mark Eggers
[mailto:its_toas...@yahoo.com] Sent: Thursday, November 29, 2012
1:12 PM To: Tomcat Users List Subject: Re: Context Path for a
subdirectory

On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote:

Reading the docs:
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

"..The web application used to process each HTTP request is
selected by

Catalina based on matching the longest possible prefix of the
Request URI against the context path of each defined Context."


If I have a webapp, with a www directory, and in that www
directory are

other directories, how would I restrict access to one of those
subdirectories to the localhost?


webapps webapp1 -WEB-INF -classes -lib -www -directory1
-directory2

Is the context path of directory1:  /webapp1/directory1

Would I create a context named directory1.xml such as the
following?

 

 


Leo


How about:

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

In particular:


http://tomcat.apache.org/tomcat-7.0-
doc/config/filter.html#Remote_Address_Filter


Although as has been discussed previously on the mailing list, the
regular expression is a bit simplistic.

. . . . just my two cents. /mde/



Thank you Mark.

I realized the first reply I got might be why not try it, my
question, which I did, and of course I had it wrong.

I thought of security-constraint right after I clicked send, but the
filter will also work.

http://planning.maricopa.gov/rest - needed to restrict access to one
directory of that webapp.  It's a third party app, but our data.

Leo


I guess you're referring to an ip-constraint element inside the 
security-constraint element?


Something like:

   
 
   /*
 
 127.0.0.1
 192.168.1.0/24
   

From glancing around on the web, this looks like it's Resin - specific.

I didn't see ip-constraint in the 2.5 xsd or in the 3.0 xsd. If it's not 
standard, I doubt it will make it into Tomcat. I'm sure one of the 
committers (just a happy user here) will correct me if I'm wrong.


. . . . just my two cents
/mde/


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Context Path for a subdirectory

[Leo Donahue - RDSA IT]

>-Original Message-
>From: Mark Eggers [mailto:its_toas...@yahoo.com]
>Sent: Thursday, November 29, 2012 1:12 PM
>To: Tomcat Users List
>Subject: Re: Context Path for a subdirectory
>
>On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote:
>> Reading the docs:
>> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html
>>
>> "..The web application used to process each HTTP request is selected by
>Catalina based on matching the longest possible prefix of the Request URI
>against the context path of each defined Context."
>>
>> If I have a webapp, with a www directory, and in that www directory are
>other directories, how would I restrict access to one of those subdirectories 
>to
>the localhost?
>>
>> webapps
>>   webapp1
>>-WEB-INF
>>  -classes
>>  -lib
>>-www
>>  -directory1
>>  -directory2
>>
>> Is the context path of directory1:  /webapp1/directory1
>>
>> Would I create a context named directory1.xml such as the following?
>>
>>  > antiResourceLocking="false" privileged="true"
>> path="/webapp1/directory1">
>>
>>>   allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> 
>>
>>
>> Leo
>
>How about:
>
>http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
>
>In particular:
>
>
>http://tomcat.apache.org/tomcat-7.0-
>doc/config/filter.html#Remote_Address_Filter
>
>
>Although as has been discussed previously on the mailing list, the
>regular expression is a bit simplistic.
>
>. . . . just my two cents.
>/mde/
>

Thank you Mark.

I realized the first reply I got might be why not try it, my question, which I 
did, and of course I had it wrong.

I thought of security-constraint right after I clicked send, but the filter 
will also work.

http://planning.maricopa.gov/rest - needed to restrict access to one directory 
of that webapp.  It's a third party app, but our data.

Leo

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 7 SSL Session ID

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Vincent,

On 11/28/12 3:14 AM, Vincent Goelen wrote:
> When the keepAliveTimeout is not set to "0" I can see in the SSL
> debug logs the SSL session get's invalidated after some requests
> with a Broken Pipe exception. Is this because there are too many
> open connections during the keepAliveTimeout?

It's probably because of your pathological keepAliveTimeout. 0ms
seems, er, low. Why did you choose 0ms?

I haven't looked at the code, so I'm not sure if the elapsed timer
starts when the last request is completed (which seems reasonable) or
when the last request started. I suspect the latter. 0ms is awfully
short. Are you sure that your client is capable of accepting the
response to the previous request and turn-around and make another
request across the same channel before 0ms passes?

> It also only happens when processing the requests takes some time
> (fe. storing items in database) or when I put the threat to sleep
> for testing purpose.

So if you have a trivial request (say, HEAD for a static resource),
you can never get a failure?

> When inspecting the traffic I see some tcp-rst packages (problem is
> here?) from previous connections while the current one is being
> processed.

When you say "current one" what do you mean? If you are using a single
connection with HTTP keepalive, then there is only one connection to
talk about: you can't get RSTs from "previous connections". You may be
getting TCP RST as the server closes the connection while the client
is trying to write. Is that what you are experiencing?

> My question is why these SSL Sessions get invalidated after alot of
> quick requests to the server since this gives a problem with my SSL
> Session tracking since the id changes then.

Maybe if you can explain why you want a 0ms keepalive timeout it would
be helpful. If you want to disable keep alives, set
maxKeepAliveRequests="1". If you want to allow an infinite timeout,
try using keepAliveTimeout="-1" as the documentation states.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlC3w6YACgkQ9CaO5/Lv0PDX/QCfcPmdRD/FSyDB51QdOqgqwGbI
tLwAmweVvlGCGqU2eAdYtrzezwkEPhZF
=J7dz
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Context Path for a subdirectory

[Caldarale, Charles R]

> From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] 
> Subject: Context Path for a subdirectory

> If I have a webapp, with a www directory, and in that www directory 
> are other directories, how would I restrict access to one of those 
> subdirectories to the localhost?

Probably your best bet is to use a filter for the webapp to which those 
subdirectories belong.

> Is the context path of directory1:  /webapp1/directory1

No, it's /webapp1/www/directory1.

> Would I create a context named directory1.xml such as the following?

Absolutely not.  A webapp can never be nested inside another, so what you're 
trying to do is nonsensical.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Context Path for a subdirectory

[Mark Eggers]

On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote:

Reading the docs:  http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

"..The web application used to process each HTTP request is selected by Catalina 
based on matching the longest possible prefix of the Request URI against the context path 
of each defined Context."

If I have a webapp, with a www directory, and in that www directory are other 
directories, how would I restrict access to one of those subdirectories to the 
localhost?

webapps
  webapp1
   -WEB-INF
 -classes
 -lib
   -www
 -directory1
 -directory2

Is the context path of directory1:  /webapp1/directory1

Would I create a context named directory1.xml such as the following?




   



Leo


How about:

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

In particular:


http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address_Filter


Although as has been discussed previously on the mailing list, the 
regular expression is a bit simplistic.


. . . . just my two cents.
/mde/



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Context Path for a subdirectory

[Leo Donahue - RDSA IT]

Reading the docs:  http://tomcat.apache.org/tomcat-7.0-doc/config/context.html 

"..The web application used to process each HTTP request is selected by 
Catalina based on matching the longest possible prefix of the Request URI 
against the context path of each defined Context."

If I have a webapp, with a www directory, and in that www directory are other 
directories, how would I restrict access to one of those subdirectories to the 
localhost?

webapps
 webapp1
  -WEB-INF
-classes
-lib
  -www
-directory1
-directory2

Is the context path of directory1:  /webapp1/directory1

Would I create a context named directory1.xml such as the following?




  



Leo 




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

AW: Accidentally remove catalina.out file

[Steffen Heil (Mailinglisten)]

Hi

> > > What should happen when catalina.out is deleted? Please, I need to
> > > resolve this question.
> > So far as I know it's just a logfile and all that happens is that you
> > lost the log output.  The file should be created on the next start of
> > the server.
> Even when the server is running and the file is deleted? Thank you.

If you are running on linux (which I suppose is true, if you are calling
gzip catalina.out), the file was not actually deleted.
The tomcat process opened that file and kept it open.
Gzip read the file, and *unlinked* it, which is actually a delete if and
only if there is no other link.
However, as tomcat still has an active file handle, there is.

So tomcat keeps logging into a file that is not accessible as "catalina.out"
any more.
As long as tomcat is running, you can (at least as root) access that file
anyway: 
1. Find the process id of the process writing the log (tomcat)
2. List /proc//fd to see which file handle it is (usually 1 and 2 for
catalina.out)
3. Copy the log using the file handle.

For example from my server:

root@www:~# rm /isp/logs/tomcat/catalina.out

root@www:~# pgrep java
4690

root@www:~# ls -al /proc/4690/fd | grep catalina.out
l-wx-- 1 root root 64 2012-11-29 19:17 1 ->
/isp/logs/tomcat/catalina.out (deleted)
l-wx-- 1 root root 64 2012-11-29 19:17 2 ->
/isp/logs/tomcat/catalina.out (deleted)

root@www:~# copy /proc/4690/fd/1 /root/logsaved

WARNING: As soon as you restart tomcat, the last reference to the unlinked
file will be gone and linux will remove the file for good.

Regards,
   Steffen



smime.p7s
Description: S/MIME cryptographic signature

Re: Logfile noise, mod_jk, Apache 2.2, "Uri * is invalid. Uri must start with /"

[André Warnier]

Patrick Middleton wrote:

Hi folks,

I'm working with recent builds/installations of
Apache 2.2.22 with mod_jk 1.2.37 on MacOSX 10.4.11/PPC
Apache 2.2.22 with mod_jk 1.2.37 on MacOSX 10.8.2/x86_64
connecting to Tomcat 5.5.7 (from binary distribution) running on MacOSX 
10.4.11.


What I am finding is lots of log entries such as this one in 
/var/log/apache2/mod_jk.log:
[Thu Nov 29 12:17:14.422 2012] [38496:140733193388032] [warn] 
map_uri_to_worker_ext::jk_uri_worker_map.c (1057): Uri * is invalid. Uri 
must start with /


corresponding to this one in /var/log/apache2/access_log:
::1 - - [29/Nov/2012:12:17:14 +] - - - "OPTIONS * HTTP/1.0" 200 - 
"-" "Apache/2.2.22 (Unix) DAV/2 mod_jk/1.2.37 mod_ssl/2.2.22 
OpenSSL/0.9.8x (internal dummy connection)"



My understanding is that this is the Apache master instance running as 
root is polling its spare/worker processes to check that they're alive 
and I have tracked this down to server/mpm_common.c in the Apache 2.2 
sources.


I'm not an Apache internals expert.  I'm not really even that good at 
configuring Apache.  I have:


JkWorkersFile /etc/apache2/workers.properties
JkShmFile /private/var/run/jk-apache2.shm
JkLogFile /private/var/log/apache2/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T %s %r"
JKMount "/TomcatApplications/*" worker1
JkMountCopy All


so I don't see how the heartbeat request is being processed by the 
jk_module handler.  Possibly my diligent use of Google to find how to 
configure apache 2.2 to stop this has not been diligent enough.  
Suggestions for additional Apache configuration directives are welcome.


Would it be reasonable to change the sources for mod_jk to not log a 
warning when the URI is * and the method is OPTIONS and the remote 
address is localhost?




Hi.
Thanks for the detailed and complete info, it simplifies responses.
I basically agree with you in not understanding why mod_jk, with the single 
mapping
> JKMount "/TomcatApplications/*" worker1
would believe that a request "OPTIONS *" applies to it, and would consequently mumble in 
the logfile.


I would let the resident mod_jk expert answer that one.

But to avoid the messages in the meantime, you could try the following :

1) comment out the following JkMount and JkMountCopy lines :
> 
> JkWorkersFile /etc/apache2/workers.properties
> JkShmFile /private/var/run/jk-apache2.shm
> JkLogFile /private/var/log/apache2/mod_jk.log
> JkLogLevel info
> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> JkRequestLogFormat "%w %V %T %s %r"
# JKMount "/TomcatApplications/*" worker1
# JkMountCopy All
> 

2) add a section to your Apache httpd configuration :

  
SetHandler jakarta-servlet
SetEnv JK_WORKER_NAME worker1
  


Honestly, I have no idea if a  section would do the trick here. But you can always 
try it.

If it works like I expect, the above means :
- for any request URL which matches ^/TomcatApplications/
- only if the method is GET or POST
- set mod_jk as the Apache response handler
- and set the mod_jk "worker" to worker1
If the method is not GET or POST, do nothing, meaning let the request be served by the 
default Apache response handler (which would complain if this was other than OPTIONS, 
because it would not find the path on disk).




Reference : http://tomcat.apache.org/connectors-doc/reference/apache.html
Section : Using SetHandler and Environment Variables
and
http://httpd.apache.org/docs/2.2/mod/core.html#limit


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Logfile noise, mod_jk, Apache 2.2, "Uri * is invalid. Uri must start with /"

[Patrick Middleton]

Hi folks,

I'm working with recent builds/installations of
Apache 2.2.22 with mod_jk 1.2.37 on MacOSX 10.4.11/PPC
Apache 2.2.22 with mod_jk 1.2.37 on MacOSX 10.8.2/x86_64
connecting to Tomcat 5.5.7 (from binary distribution) running on  
MacOSX 10.4.11.


What I am finding is lots of log entries such as this one in /var/log/ 
apache2/mod_jk.log:
[Thu Nov 29 12:17:14.422 2012] [38496:140733193388032] [warn]  
map_uri_to_worker_ext::jk_uri_worker_map.c (1057): Uri * is invalid.  
Uri must start with /


corresponding to this one in /var/log/apache2/access_log:
::1 - - [29/Nov/2012:12:17:14 +] - - - "OPTIONS * HTTP/1.0" 200 -  
"-" "Apache/2.2.22 (Unix) DAV/2 mod_jk/1.2.37 mod_ssl/2.2.22 OpenSSL/ 
0.9.8x (internal dummy connection)"



My understanding is that this is the Apache master instance running  
as root is polling its spare/worker processes to check that they're  
alive and I have tracked this down to server/mpm_common.c in the  
Apache 2.2 sources.


I'm not an Apache internals expert.  I'm not really even that good at  
configuring Apache.  I have:


JkWorkersFile /etc/apache2/workers.properties
JkShmFile /private/var/run/jk-apache2.shm
JkLogFile /private/var/log/apache2/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T %s %r"
JKMount "/TomcatApplications/*" worker1
JkMountCopy All


so I don't see how the heartbeat request is being processed by the  
jk_module handler.  Possibly my diligent use of Google to find how to  
configure apache 2.2 to stop this has not been diligent enough.   
Suggestions for additional Apache configuration directives are welcome.


Would it be reasonable to change the sources for mod_jk to not log a  
warning when the URI is * and the method is OPTIONS and the remote  
address is localhost?


-- Patrick

This email, including any attachments, is confidential and intended solely
for the person or organisation to whom it is addressed. If you are not the
intended recipient you must not disseminate, distribute or copy any part 
of this email nor take any action in reliance on it.


If you have received this in error please notify the sender immediately by
email or phone +44 (0)1702 426400 and delete this email and any attachments
from your system.

Email transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this
message which arise as a result of email transmission. If verification
is required please request a hard-copy version.

OneStep Solutions LLP is registered in England and Wales under registration
number OC337173 and has its registered office at 44 The Pantiles, Tunbridge
Wells, Kent, TN2 5TN.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat with multiple domains

[André Warnier]

Hi.

Here is a brief tutorial on how the "virtual host thing" works.
(I find that many times, reminding someone of these basic things helps in diagnosing 
things quickly).


1) the browser is given a URL to retrieve, say 
"http://myhost.mycompany.com:8080/home.html";

2) the browser parses this URL in :
protocol : http
hostname : myhost.mycompany.com
port : 8080
URI : /home.html
(note : if the port is not given, it becomes the default for the protocol; for example, 
for http this would be 80, and for https it would be 443)


2) the browser first asks it's local O.S. "resolver", to translate the hostname into an IP 
address.

The resolver is the part of the OS which does these translations, and usually
- it first looks at the local "hosts" file, to find a name-to-address 
translation
(under Unix/Linux, this is /etc/hosts; under Windows, it is usually 
(windows_dir)/system32/drivers/etc/hosts )
- if it is not in the local hosts file, it will contact a "DNS server" host, and ask it to 
tranalate the address.
In a LAN, the DNS host is usually a local DNS server system.  Otherwise, it is a DNS 
server on the Internet.

(Note: DNS stands for "Domain Name System" and is a standard feature on the 
Internet)

3) if the browser could not get a name-to-address translation, it will print an error 
message "host 'myhost.mycompany.com' could not be found".
If the browser received an IP address from the resolver, it "believes" it unconditionally, 
even if it happens to be false, and goes to the next step.


4) the browser establishes a TCP connection to the obtained IP address, and the port 
determined from the URL.
If the browser cannot establish this connection, it will print an error message "host 
'myhost.mycompany.com' is not responding - try again later".


(Note: if you get this far, it means at least that the hostname was translated to an IP 
address in some way. It does not mean that the IP address is correct, but it's a start.)


5) on this established TCP connection, the browser sends a HTTP request, consisting of 
several lines, as a minimum the following 2 lines :

GET /home.html HTTP/1.1
Host: myhost.mycompany.com
..

6) at the receiving end, it is assumed that a webserver has accepted the TCP connection, 
and is reading what the browser sends on it.  It thus reads the request, as a minimum the 
same 2 lines :

GET /home.html HTTP/1.1
Host: myhost.mycompany.com

7) the webserver parses the HTTP request headers, in particular the "Host:" 
header.
This tells it the name of the "virtual host" to which this request is addressed.

8) the webserver looks through it's own list of virtual hosts, to find one of which either 
the "hostname" or an "alias" matches the "Host:" header exactly.


9) If the webserver finds such a virtual host, then it sets itself up so that this request 
is handled according to the configuration of that virtual host.


10) If the webserver does not find such a virtual host (neither hostname nor alias match 
any defined virtual host), then it will direct the request to its "default virtual host".

This varies a bit from webserver to webserver, but
- for Tomcat it is the Host named in the Engine tag
- for Apache httpd, it is the first VirtualHost named in the httpd configuration

Now, I suggest that you go through the above steps, one by one, really thinking about what 
happens and if it happens, and make sure that you eliminate all the possibilities that do 
not apply.
And as Sherlock Holmes would say, once you have eliminated all the unlikely things, what 
remains, even if it is impossible, must be the truth.


In your case, according to your last post, you send a request with a URL of "http:// 
www.my1rstdomain.com:8080", and you say that the webapp which answers is started in the 
Host with hostname "www.my2nddomain.com".

That does /not/ make sense according to the above scenario.
So either you are not showing us your real configuration, or you have not restarted Tomcat 
after making configuration changes, or you are not describing accurately what you are doing.

Check again.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org