Re: Running tomcat6 under jsvc
2012/12/4 Lyallex lyal...@gmail.com:
> Hi
> I was wondering if this was the right place to ask a question about running Tomcat 6.0.36 under jsvc on Debian Linux

Yes, this can be asked here.

Generic jsvc questions will be more appropriate for the users@ list of commons.apache.org, but you may get a faster answer here, especially for a Tomcat-specific one.

Best regards,
Konstantin Kolinko
Re: How to use the usehttponly feature in application level
2012/12/4 Zhi Xie daxie...@gmail.com:
> Sorry, I don't find any doc to introduce this. There are a lot of docs to show how to implement the feature in conf/context.xml.
>
>     <Context useHttpOnly="true"> ... </Context>
>
> Who can tell me how to implement the feature in application level?

The application-level file is named META-INF/context.xml

http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Defining_a_context
Re: How to use the usehttponly feature in application level
2012/12/4 techienote@gmail.com:
> Hi Zhi,
>
> You can set following parameters in web.xml of application.
>
>     <session-config>
>       <cookie-config>
>         <http-only>true</http-only>
>         <secure>true</secure>
>       </cookie-config>
>     </session-config>

+1. This is the best way.

Note that your web application should be using Servlet 3.0 specification (as declared at the top of your web.xml file) to use this feature.

Best regards,
Konstantin Kolinko
Re: Reuse JNDI Properties
2012/12/3 Christopher Schultz ch...@christopherschultz.net:
> On 12/3/12 8:03 AM, Martin Gamper wrote:
>> Hey everybody! I am looking for a solution to reuse a JNDI Property which is set in the context.xml: in my ${catalina.home}/conf/context.xml following
>>
>>     <Environment name="nodeName" type="java.lang.String" value="superFantasticNode" override="false" />
>>
>> I use this value for several different purposes. Now I want to define (for my J2EE application) another value for special Log-Files. And therefore I use another JNDI property ... and in this Property I'd like to reuse the previously set nodeName-variable. In my Fantasy it would work like this:
>>
>>     <Environment name="loggingPath" value="${catalina.home}/logs/${nodeName}.log" type="java.lang.String" override="false" />
>>
>> But it does not.
>
> Tomcat has a very limited set of cases where ${...} will do replacements for system properties. I think it's definitely worth filing an enhancement request for this kind of thing: it's a *very* useful feature to have.

The ${...} handling can be extended by defining a class that implements PropertySource interface,
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

BTW, in your case where you are specifying a global setting, you can define nodeName property in conf/catalina.properties file.

Best regards,
Konstantin Kolinko
Re: Tomcat 7 SSL Session ID
Hey, thanks for the help!

To be clear, I do not want a 0ms timeout... I'm doing research about how usable the SSL session tracking option is for session management... With the standard settings it seems very unstable to me, when sending a lot of parallel requests I get a broken socket error invalidating the ssl session and making the session with this id disappear. In this case it would seem to me that it's easy to create Denial of Service attacks by just sending a lot of requests so the user loses his session.

By playing with the timeouts I found out this problem doesn't occur when I set the timeout to 0, just by playing with the settings. Perhaps because this disables the possibility of too many parallel connections? I can't find the reason of this in the Tomcat or SSL specs...

I've added a screenshot of a capture where things go wrong without setting a keepAlive.. So I send a lot of requests to the server, the first clientHello (pck 38943) and the following packets everything goes ok, when the application data is being sent I get a tcp rst from port 54195 (this is the connection that was used for the transactions before the current one) ... At this moment my session gets invalidated making the next SSL handshake a full one with new ID (pckt 40361, ...)

2012/11/29 Christopher Schultz ch...@christopherschultz.net
> Vincent,
>
> On 11/28/12 3:14 AM, Vincent Goelen wrote:
>> When the keepAliveTimeout is not set to 0 I can see in the SSL debug logs the SSL session gets invalidated after some requests with a Broken Pipe exception. Is this because there are too many open connections during the keepAliveTimeout?
>
> It's probably because of your pathological keepAliveTimeout. 0ms seems, er, low. Why did you choose 0ms? I haven't looked at the code, so I'm not sure if the elapsed timer starts when the last request is completed (which seems reasonable) or when the last request started. I suspect the latter. 0ms is awfully short. Are you sure that your client is capable of accepting the response to the previous request and turn-around and make another request across the same channel before 0ms passes?
>
>> It also only happens when processing the requests takes some time (fe. storing items in database) or when I put the thread to sleep for testing purpose.
>
> So if you have a trivial request (say, HEAD for a static resource), you can never get a failure?
>
>> When inspecting the traffic I see some tcp-rst packages (problem is here?) from previous connections while the current one is being processed.
>
> When you say current one what do you mean? If you are using a single connection with HTTP keepalive, then there is only one connection to talk about: you can't get RSTs from previous connections. You may be getting TCP RST as the server closes the connection while the client is trying to write. Is that what you are experiencing?
>
>> My question is why these SSL Sessions get invalidated after a lot of quick requests to the server since this gives a problem with my SSL Session tracking since the id changes then.
>
> Maybe if you can explain why you want a 0ms keepalive timeout it would be helpful. If you want to disable keep alives, set maxKeepAliveRequests=1. If you want to allow an infinite timeout, try using keepAliveTimeout=-1 as the documentation states.
>
> -chris
Re: Mod_jk - loadbalancer
Orhan,

On 12/4/12 2:12 AM, Orhan Karasakal wrote:
> lb1 and lb2 are two loadbalancer, are not they ? But I want to have only one loadbalancer.

That depends on your definition of load balancer. If you mean a single IP that routes requests to back-end servers, then this is a *single* load-balancer. You just have rules that make it act different based upon what URL you are accessing.

> This design cannot be possible, only I want to know

You're right, you can't set up a *single* logical load-balancing mod_jk worker that has different rules for different URLs.

-chris
Re: Tomcat 7 SSL Session ID
Vincent,

On 12/4/12 9:15 AM, Vincent Goelen wrote:
> To be clear, I do not want a 0ms timeout... I'm doing research about how usable the SSL session tracking option is for session management... With the standard settings it seems very unstable to me, when sending a lot of parallel requests I get a broken socket error invalidating the ssl session and making the session with this id disappear. In this case it would seem to me that it's easy to create Denial of Service attacks by just sending a lot of requests so the user loses his session.

Forgive me, but it sounded like you set timeout=0 and then started getting weird behavior. I would have totally expected weird behavior with timeout=0 so that's why I was asking.

You are going to need to provide a lot more detail about the session-invalidation (you're talking about *SSL session* invalidation, not HttpSession invalidation, right?) you are observing if you want to get any help. Lots of technical details, logs, explicit configuration (even if it is the default), specific version numbers (Tomcat 7 isn't good enough), etc.

You should also try it on a couple of different platforms. What happens on Linux? Windows? Solaris? Whatever you've got laying around.

> I've added a screenshot of a capture where things go wrong without setting a keepAlive.

Attachments get stripped from this list: please post the file somewhere else and provide a link.

> So I send a lot of requests to the server,

How many is a lot? Serial or parallel? How many parallel threads? Be specific.

-chris
Re: Tomcat 7 SSL Session ID
Thanks again for the fast response, sorry for being unclear about some parts.. First time using the mailing list

I'm using Apache Tomcat Version 7.0.32 on a mac os x 10.7.5, I've tested it on linux Virtual machine too, got same problems. I'm using JDK 1.6 (don't think it has any importance here)

A lot is kind of variable, depends on how long the processing of the request takes, for example when I put a sleep of 1 sec in my jsp code the problem occurs after about 6 requests, in another test example where I just write some things to a database it takes more requests, sometimes about 100, sometimes less it's not really a fixed number I can put on it.

To be clear, it's indeed the SSL session that gets invalidated, not the httpsession... But by the invalidation, the httpsession's identifier (which is the SSL session id) is gone so the httpsession becomes useless as well..

http://users.telenet.be/goelenv/Archief.zip

In this zip file you can find 3 files:
- a log which is the ssl debug log from tomcat, there you can find an example of the invalidation at line 2592 (log mislopen.log)
- a wireshark capture file where things go wrong are captured (Capture_TomcatSSLFout) = here things go wrong at packet 40361 you can best filter on tcp.port == 8443 to filter traffic between server and client
- a screenshot of where things go wrong in case you can't open the wireshark capture (Schermafbeelding 2012-12-04 om 15.09.56)

Again many thanks!
Vincent

2012/12/4 Christopher Schultz ch...@christopherschultz.net
> Vincent,
>
> On 12/4/12 9:15 AM, Vincent Goelen wrote:
>> To be clear, I do not want a 0ms timeout... I'm doing research about how usable the SSL session tracking option is for session management... With the standard settings it seems very unstable to me, when sending a lot of parallel requests I get a broken socket error invalidating the ssl session and making the session with this id disappear. In this case it would seem to me that it's easy to create Denial of Service attacks by just sending a lot of requests so the user loses his session.
>
> Forgive me, but it sounded like you set timeout=0 and then started getting weird behavior. I would have totally expected weird behavior with timeout=0 so that's why I was asking.
>
> You are going to need to provide a lot more detail about the session-invalidation (you're talking about *SSL session* invalidation, not HttpSession invalidation, right?) you are observing if you want to get any help. Lots of technical details, logs, explicit configuration (even if it is the default), specific version numbers (Tomcat 7 isn't good enough), etc.
>
> You should also try it on a couple of different platforms. What happens on Linux? Windows? Solaris? Whatever you've got laying around.
>
>> I've added a screenshot of a capture where things go wrong without setting a keepAlive.
>
> Attachments get stripped from this list: please post the file somewhere else and provide a link.
>
>> So I send a lot of requests to the server,
>
> How many is a lot? Serial or parallel? How many parallel threads? Be specific.
>
> -chris
Recognizing certificate removal (SmartCard)
First off, thanks to all for the assistance getting my other tomcat CRL issues working. Converted to APR and tcnative and things seem to be loading, running well now.

Now, the question has come up - what happens when a user authenticates with their Smart Card, but then pulls their card and walks away. Is there a way for Tomcat to detect such an event on the client and terminate/timeout the session?

In the googling I've done, I've seen suggestions about writing a little java app that runs within our application and periodically pulls something from the SmartCard - when the app fails to get that piece of info, it terminates the app. Is that the way to go? (and if so, is there sample code - I know this isn't a java forum, but if someone's invented this wheel before, that would be great).

--Will
Re: Context Path for a subdirectory
André,

On 12/3/12 6:50 PM, André Warnier wrote:
> P.S. If you decide to use UrlRewriteFilter, you should be looking at the documentation (http://urlrewritefilter.googlecode.com/svn/trunk/src/doc/manual/4.0/index.html),

Cool, there's a 4.0 version. And it supports mod_rewrite syntax? Very cool.

> and at a rule using this in the from part :
>
> remote-addr : The IP address of the host making the request, e.g. 123.123.123.12 i.e. request.getRemoteAddr()
>
> (you probably want to negate this, and check for not (127.0.0.1 or ::1))
>
> and probably this in the to part :
>
> forward (default) : Requests matching the conditions for this rule, and the URL in the from element will be internally forwarded to the URL specified in the to element. Note: In this case the to URL must be in the same context as UrlRewriteFilter. This is the same as doing:
>
>     RequestDispatcher rq = request.getRequestDispatcher([to value]);
>     rq.forward(request, response);
>
> (to forward the miscreants to a no-no page of your choice.)

If you haven't used url-rewrite before, it may seem a bit daunting. Here's an example to get you started:

    <rule>
      <condition type="remote-addr" operator="notequal">127.0.0.1</condition>
      <set type="status">403</set>
      <to last="true">/forbidden.html</to>
    </rule>

Hope that helps,
-chris
Re: Issue with missing files while migrating to Tomcat 7.0.32
George,

On 11/22/12 12:26 AM, George Chacko Manchimala wrote:
> Sorry, I could not locate any tweakings at our end (as you had mentioned) which. Could you / anyone provide your views?

I don't believe any version of Tomcat simply tolerates missing JSP files. If you try to include something and it's not there, you should get an error.

Perhaps you should read the JSP spec to see if there have been any changes between JSP 2.0 and JSP 2.1 that may be affecting you.

-chris
Re: Recognizing certificate removal (SmartCard)
Will,

On 12/4/12 12:08 PM, Will Nordmeyer wrote:
> First off, thanks to all for the assistance getting my other tomcat CRL issues working. Converted to APR and tcnative and things seem to be loading, running well now.
>
> Now, the question has come up - what happens when a user authenticates with their Smart Card, but then pulls their card and walks away. Is there a way for Tomcat to detect such an event on the client and terminate/timeout the session?
>
> In the googling I've done, I've seen suggestions about writing a little java app that runs within our application and periodically pulls something from the SmartCard - when the app fails to get that piece of info, it terminates the app. Is that the way to go? (and if so, is there sample code - I know this isn't a java forum, but if someone's invented this wheel before, that would be great).

I'm certainly no SSL expert (especially with SmartCards involved), but if the SmartCard is required in order to set up an SSL session, you could set the SSL session timeout to some small-ish value (say, 10 minutes -- the default is 24 hours) and then require a new SSL session to be established every 10 minutes. That would require the SmartCard to be present for that renegotiation (this is my assumption).

That way, you don't have to write any new software and maintain it on the client.

Check out the sessionTimeout attribute on the HTTP/SSL connector.

Hmm... I just re-checked and that option is currently only available for the pure-Java connectors -- and you just switched to APR to get your huge CRLs working. :(

OpenSSL does have an SSL_CTX_set_timeout method, but it doesn't have any support through tcnative. If this is something that would help you, please let me know and I'll take a stab at implementing a tcnative method for this and then expose it through the Connector configuration.

-chris
Re: Recognizing certificate removal (SmartCard)
Will,

On 12/4/12 12:46 PM, Christopher Schultz wrote:
> On 12/4/12 12:08 PM, Will Nordmeyer wrote:
>> First off, thanks to all for the assistance getting my other tomcat CRL issues working. Converted to APR and tcnative and things seem to be loading, running well now.
>>
>> Now, the question has come up - what happens when a user authenticates with their Smart Card, but then pulls their card and walks away. Is there a way for Tomcat to detect such an event on the client and terminate/timeout the session?
>>
>> In the googling I've done, I've seen suggestions about writing a little java app that runs within our application and periodically pulls something from the SmartCard - when the app fails to get that piece of info, it terminates the app. Is that the way to go? (and if so, is there sample code - I know this isn't a java forum, but if someone's invented this wheel before, that would be great).
>
> I'm certainly no SSL expert (especially with SmartCards involved), but if the SmartCard is required in order to set up an SSL session, you could set the SSL session timeout to some small-ish value (say, 10 minutes -- the default is 24 hours) and then require a new SSL session to be established every 10 minutes. That would require the SmartCard to be present for that renegotiation (this is my assumption).
>
> That way, you don't have to write any new software and maintain it on the client.
>
> Check out the sessionTimeout attribute on the HTTP/SSL connector.
>
> Hmm... I just re-checked and that option is currently only available for the pure-Java connectors -- and you just switched to APR to get your huge CRLs working. :(
>
> OpenSSL does have an SSL_CTX_set_timeout method, but it doesn't have any support through tcnative. If this is something that would help you, please let me know and I'll take a stab at implementing a tcnative method for this and then expose it through the Connector configuration.

Answering my own question somewhat: the default SSL session timeout for OpenSSL is actually 300 seconds (5 minutes) so that might work for you.

Of course, I might be wrong about the session timeout requiring the SmartCard to be present for renegotiation. Let me know what you find out.

-chris
Running Tomcat under jsvc - logging problems
Hi

apache-tomcat-6.0.36
CentOS
uname -m = i686
uname -r = 2.6.18-028stab070.14-ent
uname -s = Linux :-)
jdk1.6.0_07

I have recently upgraded my production server from apache-tomcat-6.0.18 to 6.0.36 so that my live and dev envs are as similar as possible.

6.0.18 runs fine and logs as expected, this version was already installed when I started renting the server from the hosting company, it runs as user tomcat under jsvc.

I compiled jsvc from the source included in the 6.0.36 distro following the instructions in the tomcat docs and copied /etc/init.d/tomcat6 (the old start/stop script) to /etc/init.d/tomcat. I modified the file to point to the new version and started the server.

/etc/init.d/tomcat has been pasted at http://pastebin.com/ihGDJb1C for your perusal should you wish.

Actually Tomcat runs fine, it serves my site and carries a good load (200+ sessions concurrently with no apparent degradation), there is no Apache front end, Tomcat runs standalone.

The problem is with the logging.

/etc/init.d/tomcat has the following two lines

    -outfile $CATALINA_HOME/logs/catalina.out \
    -errfile $CATALINA_HOME/logs/catalina.err \

And here's the problem. Most of the logging output ends up in catalina.err even though there are no errors in the logs; occasionally a few lines from my application loggers end up in catalina.out.

I also have logging.properties in WEB-INF/classes. This has been around ever since I deployed the first version of my app a couple of years ago and has always produced the expected output. Now I get nothing.

The hosting company's preferred solution is to recompile tomcat 'for a one off fee' (I kid you not). I'm pretty sure that Tomcat doesn't need rebuilding to run under jsvc and if it does I'm quite capable of building it myself, so no help there then ...

logging.properties reproduced below just FYI if you want it.

Any advice on how I can get the logging working will be much appreciated

Lyallex

    handlers = org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

    # Handler specific properties.
    # Describes specific configuration info for Handlers.

    org.apache.juli.FileHandler.level = ALL
    org.apache.juli.FileHandler.directory = ${catalina.base}/logs
    org.apache.juli.FileHandler.prefix = MyApp.

    java.util.logging.ConsoleHandler.level = ALL
    java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
Re: Running Tomcat under jsvc - logging problems
2012/12/4 Lyallex lyal...@gmail.com:
> Hi
>
> apache-tomcat-6.0.36
> CentOS
> uname -m = i686
> uname -r = 2.6.18-028stab070.14-ent
> uname -s = Linux :-)
> jdk1.6.0_07
>
> I have recently upgraded my production server from apache-tomcat-6.0.18 to 6.0.36 so that my live and dev envs are as similar as possible.
>
> 6.0.18 runs fine and logs as expected, this version was already installed when I started renting the server from the hosting company, it runs as user tomcat under jsvc.
>
> I compiled jsvc from the source included in the 6.0.36 distro following the instructions in the tomcat docs and copied /etc/init.d/tomcat6 (the old start/stop script) to /etc/init.d/tomcat. I modified the file to point to the new version and started the server.
>
> /etc/init.d/tomcat has been pasted at http://pastebin.com/ihGDJb1C for your perusal should you wish.
>
> Actually Tomcat runs fine, it serves my site and carries a good load (200+ sessions concurrently with no apparent degradation), there is no Apache front end, Tomcat runs standalone.
>
> The problem is with the logging.
>
> /etc/init.d/tomcat has the following two lines
>
>     -outfile $CATALINA_HOME/logs/catalina.out \
>     -errfile $CATALINA_HOME/logs/catalina.err \
>
> And here's the problem. Most of the logging output ends up in catalina.err even though there are no errors in the logs; occasionally a few lines from my application loggers end up in catalina.out.
>
> I also have logging.properties in WEB-INF/classes. This has been around ever since I deployed the first version of my app a couple of years ago and has always produced the expected output. Now I get nothing.
>
> The hosting company's preferred solution is to recompile tomcat 'for a one off fee' (I kid you not). I'm pretty sure that Tomcat doesn't need rebuilding to run under jsvc and if it does I'm quite capable of building it myself, so no help there then ...
>
> logging.properties reproduced below just FYI if you want it.
>
> Any advice on how I can get the logging working will be much appreciated
>
> Lyallex
>
>     handlers = org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
>
>     # Handler specific properties.
>     # Describes specific configuration info for Handlers.
>
>     org.apache.juli.FileHandler.level = ALL
>     org.apache.juli.FileHandler.directory = ${catalina.base}/logs
>     org.apache.juli.FileHandler.prefix = MyApp.
>
>     java.util.logging.ConsoleHandler.level = ALL
>     java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

1. java.util.logging.ConsoleHandler prints to System.err. Some other console logging implementations log to System.out.

Do you need a ConsoleHandler at all? (You are effectively printing the same log messages into two places a) ConsoleHandler, b) FileHandler ).

2. To initialize logging properly you need to configure system properties java.util.logging.config.file and java.util.logging.manager the same way as they are set by catalina.sh file.

Have you specified the java.util.logging.manager property in your arguments to jsvc?

Best regards,
Konstantin Kolinko
Re: Running Tomcat under jsvc - logging problems
On 4 December 2012 18:50, Konstantin Kolinko knst.koli...@gmail.com wrote:

[snip]

>> Any advice on how I can get the logging working will be much appreciated
>>
>> Lyallex
>>
>>     handlers = org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
>>
>>     # Handler specific properties.
>>     # Describes specific configuration info for Handlers.
>>
>>     org.apache.juli.FileHandler.level = ALL
>>     org.apache.juli.FileHandler.directory = ${catalina.base}/logs
>>     org.apache.juli.FileHandler.prefix = MyApp.
>>
>>     java.util.logging.ConsoleHandler.level = ALL
>>     java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
>
> 1. java.util.logging.ConsoleHandler prints to System.err. Some other console logging implementations log to System.out.
>
> Do you need a ConsoleHandler at all? (You are effectively printing the same log messages into two places a) ConsoleHandler, b) FileHandler ).

Well possibly not but it's irrelevant as logging.properties is being ignored so I don't get the output anyway, particularly I get no log file named MyApp ...

> 2. To initialize logging properly you need to configure system properties java.util.logging.config.file and java.util.logging.manager the same way as they are set by catalina.sh file.
>
> Have you specified the java.util.logging.manager property in your arguments to jsvc?

Well no but then I never had it with 6.0.18 and that logged perfectly, also catalina.sh is not executed when running under jsvc but I think you may just be using that as an example ... I hope

sigh

I'll look into it

Thanks
Lyallex

> Best regards,
> Konstantin Kolinko
Re: Running Tomcat under jsvc - logging problems
2012/12/4 Lyallex lyal...@gmail.com:
> On 4 December 2012 18:50, Konstantin Kolinko knst.koli...@gmail.com wrote:
>> 1. java.util.logging.ConsoleHandler prints to System.err. Some other console logging implementations log to System.out.
>>
>> Do you need a ConsoleHandler at all? (You are effectively printing the same log messages into two places a) ConsoleHandler, b) FileHandler ).
>
> Well possibly not but it's irrelevant as logging.properties is being ignored so I don't get the output anyway, particularly I get no log file named MyApp ...
>
>> 2. To initialize logging properly you need to configure system properties java.util.logging.config.file and java.util.logging.manager the same way as they are set by catalina.sh file.
>>
>> Have you specified the java.util.logging.manager property in your arguments to jsvc?
>
> Well no but then I never had it with 6.0.18 and that logged perfectly, also catalina.sh is not executed when running under jsvc but I think you may just be using that as an example ... I hope

Yes, as an example. I'd also recommend to use daemon.sh that is included with Tomcat 7.

I do not know why it worked in 6.0.18. Have you checked with what arguments it runs (e.g. via /proc/) ?

You say that it wasn't you who installed 6.0.18. There is usually a wrapper script, like that daemon.sh.

Best regards,
Konstantin Kolinko
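[Added example, not part of the thread.] The check suggested above, looking at the arguments of the running process via /proc, can be scripted as follows. The function names, the sample command line and its /opt/tomcat paths are constructed for illustration; org.apache.juli.ClassLoaderLogManager is the manager class that catalina.sh passes to the JVM.

```shell
#!/bin/sh
# Added example: inspect a JVM command line (the format of /proc/<pid>/cmdline)
# for the two java.util.logging system properties discussed in this thread.
# Without -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager the
# JVM's default LogManager is used and a per-application
# WEB-INF/classes/logging.properties is not read.

EXPECTED_MANAGER="org.apache.juli.ClassLoaderLogManager"

# write_sample_cmdline FILE yes|no
# Writes a constructed, NUL-separated jsvc command line; "yes" includes the
# two logging properties. All paths are made up for the example.
write_sample_cmdline() {
    {
        printf '%s\0' jsvc -user tomcat -cp /opt/tomcat/bin/bootstrap.jar
        if [ "$2" = yes ]; then
            printf '%s\0' "-Djava.util.logging.manager=$EXPECTED_MANAGER" \
                "-Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties"
        fi
        printf '%s\0' -outfile /opt/tomcat/logs/catalina.out \
            -errfile /opt/tomcat/logs/catalina.err \
            org.apache.catalina.startup.Bootstrap
    } > "$1"
}

# check_juli_args FILE
# Prints one finding per property. Returns 0 when both properties are set and
# the manager is the JULI one, 1 otherwise.
check_juli_args() {
    juli_manager=""
    juli_config=""
    # Arguments in /proc/<pid>/cmdline are NUL-terminated; one per line here.
    juli_args=$(tr '\0' '\n' < "$1")
    while IFS= read -r juli_arg; do
        case $juli_arg in
            -Djava.util.logging.manager=*)     juli_manager=${juli_arg#*=} ;;
            -Djava.util.logging.config.file=*) juli_config=${juli_arg#*=} ;;
        esac
    done <<EOF
$juli_args
EOF
    juli_status=0
    if [ -z "$juli_manager" ]; then
        echo "MISSING java.util.logging.manager (JVM default LogManager in use)"
        juli_status=1
    elif [ "$juli_manager" != "$EXPECTED_MANAGER" ]; then
        echo "UNEXPECTED java.util.logging.manager=$juli_manager"
        juli_status=1
    else
        echo "OK java.util.logging.manager=$juli_manager"
    fi
    if [ -z "$juli_config" ]; then
        echo "MISSING java.util.logging.config.file"
        juli_status=1
    else
        echo "OK java.util.logging.config.file=$juli_config"
    fi
    return $juli_status
}

# Demo on the constructed command line that lacks both properties.
demo_dir=$(mktemp -d)
write_sample_cmdline "$demo_dir/cmdline" no
if check_juli_args "$demo_dir/cmdline"; then
    echo "logging properties are set"
else
    echo "add the two -D options to the jsvc arguments in the init script"
fi
rm -rf "$demo_dir"
```

On a live host the same function can be pointed at /proc/<pid>/cmdline of the jsvc-launched process, for both the old 6.0.18 instance and the new one, to compare what each was started with.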
CVE-2012-4534 Apache Tomcat denial of service
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35

Description:
When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response an infinite loop is entered leading to a denial of service. This was originally reported as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
The security implications of this bug were identified by Arun Neelicattu of the Red Hat Security Response Team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
CVE-2012-3546 Apache Tomcat Bypass of security constraints
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
Earlier unsupported versions may also be affected
Description:
When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending /j_security_check to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
Credit:
This issue was identified by The Tomcat security team
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
Re: Recognizing certificate removal (SmartCard)
On Tue, Dec 4, 2012 at 12:48 PM, Christopher Schultz ch...@christopherschultz.net wrote:
Will,
On 12/4/12 12:46 PM, Christopher Schultz wrote:
On 12/4/12 12:08 PM, Will Nordmeyer wrote:
First off, thanks to all for the assistance getting my other tomcat CRL issues working. Converted to APR and tcnative and things seem to be loading, running well now.
Now, the question has come up - what happens when a user authenticates with their Smart Card, but then pulls their card and walks away. Is there a way for Tomcat to detect such an event on the client and terminate/timeout the session?
In the googling I've done, I've seen suggestions about writing a little java app that runs within our application and periodically pulls something from the SmartCard - when the app fails to get that piece of info, it terminates the app. Is that the way to go? (and if so, is there sample code - I know this isn't a java forum, but if someone's invented this wheel before, that would be great).
I'm certainly no SSL expert (especially with SmartCards involved), but if the SmartCard is required in order to set up an SSL session, you could set the SSL session timeout to some small-ish value (say, 10 minutes -- the default is 24 hours) and then require a new SSL session to be established every 10 minutes. That would require the SmartCard to be present for that renegotiation (this is my assumption). That way, you don't have to write any new software and maintain it on the client. Check out the sessionTimeout attribute on the HTTP/SSL connector.
Hmm... I just re-checked and that option is currently only available for the pure-Java connectors -- and you just switched to APR to get your huge CRLs working. :( OpenSSL does have an SSL_CTX_set_timeout method, but it doesn't have any support through tcnative.
If this is something that would help you, please let me know and I'll take a stab at implementing a tcnative method for this and then expose it through the Connector configuration.
Answering my own question somewhat: the default SSL session timeout for OpenSSL is actually 300 seconds (5 minutes) so that might work for you.
Of course, I might be wrong about the session timeout requiring the SmartCard to be present for renegotiation. Let me know what you find out.
-chris
Chris,
Thanks for the quick response and the thoughts. A 5 minute timeout wouldn't be acceptable in our environment - theory being, if user A pulls his smart card out (but didn't log out of the app), and user B goes up to the machine within 5 minutes, he may have access to someone else's account in the application. So I was really hoping there was some way to trigger the session to expire.
I'll keep looking, or suggest to my dev team that they write a little app that queries the card regularly and as soon as the card can't be found, logs out.
CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.31
- Tomcat 6.0.0 to 6.0.35
Description:
The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.32 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
Credit:
This issue was identified by The Tomcat security team
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
Re: Recognizing certificate removal (SmartCard)
Will,
On 12/4/12 2:47 PM, Will Nordmeyer wrote:
Thanks for the quick response and the thoughts. A 5 minute timeout wouldn't be acceptable in our environment - theory being, if user A pulls his smart card out (but didn't log out of the app), and user B goes up to the machine within 5 minutes, he may have access to someone else's account in the application. So I was really hoping there was some way to trigger the session to expire.
The only thing I can think of would be to have the web browser complicit in the deal: if the browser can be configured to expire the SSL session when the card is removed, then that is really the only solution that will be truly secure.
I'll keep looking, or suggest to my dev team that they write a little app that queries the card regularly and as soon as the card can't be found, logs out.
Is it a valid use case to have the computer itself logged-in when the card is removed? For instance, if you configured the machine to auto-lock when the card was removed, then you might be able to do other things, too (like kill the browser, which should kill the SSL session).
-chris
Re: Data sources definitions are lost in memory
2012/11/28 Robert Anderson ranom...@gmail.com:
Hi,
We've some data sources defined in server.xml as following:
...
GlobalNamingResources
...
Resource name=jdbc/proddb1 auth=Container type=javax.sql.DataSource removeAbandoned=true removeAbandonedTimeout=300 maxActive=400 maxIdle=30 maxWait=1 validationQuery=select 1 from dual testOnBorrow=true username= password= driverClassName=com.intersys.jdbc.CacheDriver url=jdbc:Cache://server:1972/DB/
...
/GlobalNamingResources
...
conf/context.xml
Context ... ResourceLink name=jdbc/proddb1 global=jdbc/proddb1/ ... /Context
Everything has worked normal during many months...until now. At least once a day, since 11/21, webapplications throw NullPointerException because they cannot find jndi data sources. The Data sources tab in psi-probe (http://code.google.com/p/psi-probe/) says that there aren't jndi data sources in server. We are thinking that some application may have added some jar or class in classpath that is causing the problem. After restart, without changes in conf files, everything backs to normal. Any idea?
Environment:
java version 1.6.0_35
Java(TM) SE Runtime Environment (build 1.6.0_35-b10)
Java HotSpot(TM) 64-Bit Server VM (build 20.10-b01, mixed mode)
Server version: Apache Tomcat/6.0.32
Server built: February 2 2011 2003
Server number: 6.0.32.0
OS Name: Linux
OS Version: 2.6.18-194.17.1.el5
Architecture: amd64
JVM Version: 1.6.0_35-b10
JVM Vendor: Sun Microsystems Inc.
1. This NullPointerException happens when an application starts up? (Do the apps perform the lookup once and cache the result, or they perform multiple lookups?)
2. What is seen in JNDI context depends on the current classloader (Thread.getContextClassLoader()). Does the issue happen in a request processing thread, or somewhere else?
3. Does it affect specific web applications, or it is more random?
4. Anything interesting in the logs and in catalina.out? E.g. OutOfMemoryError.
5. What connector implementations are you using? Bio, Nio, APR?
Best regards, Konstantin Kolinko
Re: Running Tomcat under jsvc - logging problems
On 4 December 2012 19:41, Konstantin Kolinko knst.koli...@gmail.com wrote:
2012/12/4 Lyallex lyal...@gmail.com:
On 4 December 2012 18:50, Konstantin Kolinko knst.koli...@gmail.com wrote:
[snip]
I do not know why it worked in 6.0.18.
No, nor do I but I've (apparently) reproduced the 0.18 config for the 0.36 instance and the logging works in the former and not in the latter
I just need to get something straight, maybe you can help me. I say that Tomcat 6.0.36 binary distribution should run under jsvc without needing a recompile. Is this correct (I hope it is because it's running fine right now out of the box except for the logging)
Thanks for taking the time to reply
Lyallex
Best regards, Konstantin Kolinko
Re: Running Tomcat under jsvc - logging problems
2012/12/5 Lyallex lyal...@gmail.com:
On 4 December 2012 19:41, Konstantin Kolinko knst.koli...@gmail.com wrote:
2012/12/4 Lyallex lyal...@gmail.com:
On 4 December 2012 18:50, Konstantin Kolinko knst.koli...@gmail.com wrote:
[snip]
I do not know why it worked in 6.0.18.
No, nor do I but I've (apparently) reproduced the 0.18 config for the 0.36 instance and the logging works in the former and not in the latter
I just need to get something straight, maybe you can help me. I say that Tomcat 6.0.36 binary distribution should run under jsvc without needing a recompile.
Yes. You do not need to recompile Tomcat itself to run it on Linux (with or without jsvc). It is a java application and its binaries (jars) are platform-independent. Moreover, I think it should run just fine with an older jsvc.
Is this correct (I hope it is because it's running fine right now out of the box except for the logging)
Best regards, Konstantin Kolinko
Re: Suggestion for improving Tomcat startup performance...
2012/12/5 Tony Anecito adanec...@yahoo.com:
Hi Tomcat Developers,
I am using Tomcat 7.0.33 and notice on Tomcat startup my web services startup in series rather than parallel. If you do not have it you might want to have an option to startup apps in parallel or assign number of threads that can startup in parallel.
;) Jump to http://tomcat.apache.org/oldnews.html and look for 7.0.23
RE: Suggestion for improving Tomcat startup performance...
From: Tony Anecito [mailto:adanec...@yahoo.com]
Subject: Suggestion for improving Tomcat startup performance...
I am using Tomcat 7.0.33 and notice on Tomcat startup my web services startup in series rather than parallel. If you do not have it you might want to have an option to startup apps in parallel or assign number of threads that can startup in parallel.
Do you mean the startStopThreads attribute documented for Engine and Host?
http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html
http://tomcat.apache.org/tomcat-7.0-doc/config/host.html
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Suggestion for improving Tomcat startup performance...
Thanks. I can not find any examples or reference to what config file this goes into. I looked at server.xml and web.xml and did not find it in there. I did find something called the Engine Container but again no examples or where it can be found if already existing. I will keep looking.
-Tony
--- On Tue, 12/4/12, Konstantin Kolinko knst.koli...@gmail.com wrote:
From: Konstantin Kolinko knst.koli...@gmail.com
Subject: Re: Suggestion for improving Tomcat startup performance...
To: Tomcat Users List users@tomcat.apache.org
Date: Tuesday, December 4, 2012, 3:41 PM
2012/12/5 Tony Anecito adanec...@yahoo.com:
Hi Tomcat Developers,
I am using Tomcat 7.0.33 and notice on Tomcat startup my web services startup in series rather than parallel. If you do not have it you might want to have an option to startup apps in parallel or assign number of threads that can startup in parallel.
;) Jump to http://tomcat.apache.org/oldnews.html and look for 7.0.23
RE: Suggestion for improving Tomcat startup performance...
Hi Chuck,
According to someone else that is the attribute to use. But as in my last message I could not find where it is or if not by default in some config file which config file to use.
Thanks, -Tony
--- On Tue, 12/4/12, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
From: Caldarale, Charles R chuck.caldar...@unisys.com
Subject: RE: Suggestion for improving Tomcat startup performance...
To: Tomcat Users List users@tomcat.apache.org
Date: Tuesday, December 4, 2012, 3:45 PM
From: Tony Anecito [mailto:adanec...@yahoo.com]
Subject: Suggestion for improving Tomcat startup performance...
I am using Tomcat 7.0.33 and notice on Tomcat startup my web services startup in series rather than parallel. If you do not have it you might want to have an option to startup apps in parallel or assign number of threads that can startup in parallel.
Do you mean the startStopThreads attribute documented for Engine and Host?
http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html
http://tomcat.apache.org/tomcat-7.0-doc/config/host.html
- Chuck
RE: Tomcat 7 SSL Session ID
Broken pipes don't invalidate the SSL session. They just break the TCP connection. The SSL session persists, across multiple TCP connections, until it is specifically invalidated by someone: for example, timed out by the SSLSessionContext.
EJP
From: Vincent Goelen [mailto:goel...@gmail.com]
Sent: Wednesday, 5 December 2012 1:15 AM
To: Tomcat Users List
Subject: Re: Tomcat 7 SSL Session ID
Hey, thanks for the help! To be clear, I do not want a 0ms timeout... I'm doing research about how usable the SSL session tracking option is for session management... With the standard settings it seems very unstable to me, when sending a lot of parallel requests I get a broken socket error invalidating the ssl session and making the session with this id disappear. In this case it would seem to me that it's easy to create Denial of Service attacks by just sending a lot of requests so the user loses his session.
By playing with the timeouts I found out this problem doesn't occur when I set the timeout to 0, just by playing with the settings. Perhaps because this disables the possibility of too many parallel connections? I can't find the reason of this in the Tomcat or SSL specs...
I've added a screenshot of a capture where things go wrong without setting a keepAlive.. So I send a lot of requests to the server, the first clientHello (pck 38943) and the following packets everything goes ok, when the application data is being sent I get a tcp rst from port 54195 (this is the connection that was used for the transactions before the current one) ... At this moment my session gets invalidated making the next SSL handshake a full one with new ID (pckt 40361, ...)
2012/11/29 Christopher Schultz ch...@christopherschultz.net
Vincent,
On 11/28/12 3:14 AM, Vincent Goelen wrote:
When the keepAliveTimeout is not set to 0 I can see in the SSL debug logs the SSL session gets invalidated after some requests with a Broken Pipe exception. Is this because there are too many open connections during the keepAliveTimeout?
It's probably because of your pathological keepAliveTimeout. 0ms seems, er, low. Why did you choose 0ms? I haven't looked at the code, so I'm not sure if the elapsed timer starts when the last request is completed (which seems reasonable) or when the last request started. I suspect the latter. 0ms is awfully short. Are you sure that your client is capable of accepting the response to the previous request and turn-around and make another request across the same channel before 0ms passes?
It also only happens when processing the requests takes some time (fe. storing items in database) or when I put the thread to sleep for testing purpose.
So if you have a trivial request (say, HEAD for a static resource), you can never get a failure?
When inspecting the traffic I see some tcp-rst packages (problem is here?) from previous connections while the current one is being processed.
When you say current one what do you mean? If you are using a single connection with HTTP keepalive, then there is only one connection to talk about: you can't get RSTs from previous connections. You may be getting TCP RST as the server closes the connection while the client is trying to write. Is that what you are experiencing?
My question is why these SSL Sessions get invalidated after a lot of quick requests to the server since this gives a problem with my SSL Session tracking since the id changes then.
Maybe if you can explain why you want a 0ms keepalive timeout it would be helpful. If you want to disable keep alives, set maxKeepAliveRequests=1. If you want to allow an infinite timeout, try using keepAliveTimeout=-1 as the documentation states.
-chris
Re: Suggestion for improving Tomcat startup performance...
2012/12/5 Tony Anecito adanec...@yahoo.com:
Thanks. I can not find any examples or reference to what config file this goes into. I looked at server.xml and web.xml and did not find it in there. I did find something called the Engine Container but again no examples or where it can be found if already existing.
http://tomcat.apache.org/tomcat-7.0-doc/config/index.html
The first sentence.
RE: Suggestion for improving Tomcat startup performance...
Ok I found a Engine reference in the server.xml for the catalina service. I am guessing that the attribute should go in there somewhere. I will look at the engine documentation to see how to add it.
Thanks, -Tony
--- On Tue, 12/4/12, Tony Anecito adanec...@yahoo.com wrote:
From: Tony Anecito adanec...@yahoo.com
Subject: RE: Suggestion for improving Tomcat startup performance...
To: Tomcat Users List users@tomcat.apache.org
Date: Tuesday, December 4, 2012, 3:55 PM
Hi Chuck,
According to someone else that is the attribute to use. But as in my last message I could not find where it is or if not by default in some config file which config file to use.
Thanks, -Tony
--- On Tue, 12/4/12, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
From: Caldarale, Charles R chuck.caldar...@unisys.com
Subject: RE: Suggestion for improving Tomcat startup performance...
To: Tomcat Users List users@tomcat.apache.org
Date: Tuesday, December 4, 2012, 3:45 PM
From: Tony Anecito [mailto:adanec...@yahoo.com]
Subject: Suggestion for improving Tomcat startup performance...
I am using Tomcat 7.0.33 and notice on Tomcat startup my web services startup in series rather than parallel. If you do not have it you might want to have an option to startup apps in parallel or assign number of threads that can startup in parallel.
Do you mean the startStopThreads attribute documented for Engine and Host?
http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html
http://tomcat.apache.org/tomcat-7.0-doc/config/host.html
- Chuck
RE: Suggestion for improving Tomcat startup performance...
From: Tony Anecito [mailto:adanec...@yahoo.com]
Subject: RE: Suggestion for improving Tomcat startup performance...
Don't top-post.
Ok I found a Engine reference in the server.xml for the catalina service. I am guessing that the attribute should go in there somewhere. I will look at the engine documentation to see how to add it.
I gave you the direct links to the documentation... And it's unlikely you want the Engine one, unless you have multiple Host elements. Even then, if you have multiple webapps for a Host, you want to set it there.
- Chuck
RE: Suggestion for improving Tomcat startup performance...
From: Tony Anecito [mailto:adanec...@yahoo.com]
Subject: RE: Suggestion for improving Tomcat startup performance...
Reply to the list, not to individuals.
Not sure what you mean by Top Post.
http://ck.wikia.com/wiki/TopPosting
http://mailformat.dan.info/quoting/top-posting.html
I only have one host. So someone pointed me to that sorry if I mentioned it.
You only mentioned Engine, not Host, previously.
- Chuck
Re: Page not redirected after waitFor() call on Process object.
2012/11/23 Christopher Schultz ch...@christopherschultz.net:
On 11/21/12 4:42 AM, Andrei Petru Mura wrote:
TheProcessing.logoutSubscriberByMac(mac) has that code on it:
public static void logoutSubscriberByMac(String mac) {
  try {
    Process proc = Runtime.getRuntime().exec(logout subscriber command);
    proc.waitFor(); //here is the problem
You almost certainly have a problem with stream management: if you don't drain both the output stream and error stream of the process, then your code can hang. Likewise, if you don't close the standard input stream to the process, the child process may block waiting for input.
It sounds silly, even if you use little or no standard input or output from your child process, but failure to manage these streams can and will hang up your Java code.
You can either write multi-threaded code to handle all these streams, or you can use one of the several high-quality utility libraries out there that can wrap Runtime.exec for you and take care of this kind of stuff.
+1.
There was also such thread in June as Issue with keep-alive connections, when using APR Connector on Windows and starting Processes from Servlets where some JRE bugs were mentioned. http://markmail.org/thread/hsime5ayjdrg4fwm
I do not know much about your configuration to tell whether this is affecting you or not.
Best regards, Konstantin Kolinko
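The stream handling described in the message above, as an added example that is not part of the original thread: stdin is closed, stdout and stderr are drained on two worker threads, and waitFor is bounded by a timeout (Java 8 or later). The class name, the placeholder command path /usr/local/bin/logout-subscriber, the MAC address format check and the timeout values are assumptions of this example; the thread never shows the real command.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

public class DrainedProcess {

    static final class Result {
        final int exitCode;
        final String stdout;
        final String stderr;

        Result(int exitCode, String stdout, String stderr) {
            this.exitCode = exitCode;
            this.stdout = stdout;
            this.stderr = stderr;
        }
    }

    // Assumed input format: six colon-separated hex octets.
    private static final Pattern MAC = Pattern.compile("^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$");

    /** Reads a child stream to EOF so the child can never block on a full pipe. */
    private static Callable<String> drain(final InputStream in) {
        return () -> {
            StringBuilder sb = new StringBuilder();
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(in, StandardCharsets.UTF_8))) {
                char[] buf = new char[4096];
                int n;
                while ((n = r.read(buf)) != -1) {
                    sb.append(buf, 0, n);
                }
            }
            return sb.toString();
        };
    }

    static Result run(List<String> command, long timeoutSeconds) throws Exception {
        Process proc = new ProcessBuilder(command).start();
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            proc.getOutputStream().close();             // child sees EOF on its stdin
            Future<String> out = pool.submit(drain(proc.getInputStream()));
            Future<String> err = pool.submit(drain(proc.getErrorStream()));
            if (!proc.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
                proc.destroyForcibly();                 // do not leave a stuck child behind
                throw new IOException("command timed out after " + timeoutSeconds + "s");
            }
            return new Result(proc.exitValue(),
                    out.get(5, TimeUnit.SECONDS), err.get(5, TimeUnit.SECONDS));
        } finally {
            pool.shutdownNow();
        }
    }

    static Result logoutSubscriberByMac(String mac) throws Exception {
        // The value ends up on a command line, so reject anything that is not a MAC address
        // and pass it as its own argv element instead of building one command string.
        if (mac == null || !MAC.matcher(mac).matches()) {
            throw new IllegalArgumentException("not a MAC address");
        }
        // Placeholder path: the real "logout subscriber command" is not shown in the thread.
        return run(Arrays.asList("/usr/local/bin/logout-subscriber", mac), 30);
    }

    public static void main(String[] args) throws Exception {
        // Demo child: "java -version" writes its banner to stderr, the stream most often left unread.
        String java = System.getProperty("java.home") + "/bin/java";
        Result r = run(Arrays.asList(java, "-version"), 30);
        System.out.println("exit=" + r.exitCode + ", stderr chars=" + r.stderr.length());

        try {
            logoutSubscriberByMac("00:11:22:33:44");    // constructed invalid input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```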
RE: Tomcat 7 SSL Session ID
yes but he needs to achieve a reliable connection between himself and the SSLServer (at least until key negotiation has completed)
broken pipe(s) are a bear to debug but you have a few tools available to you:
netstat SSLServerIP -- if you see ANY intervening nodes hanging more than 4 sec drop from arp cache generally by arp -d ServerIP
assuming your ServerIP is 157.55.85.212 and the physical address of the network you want to connect to is 00-aa-00-62-c6-09 (check with net-admin for the physical-address or eth-addr to use)
arp -s 157.55.85.212 00-aa-00-62-c6-09 Adds a static entry.
arp -a Displays the arp table.
route print will display the routes between you and the SSLServer
if you don't see a route referencing the server you may want to add in your own route with
route add DESTINATION MASK Mask METRIC NoOfHops Interface InterfaceNumber
check with net-admin
DESTINATION is generally the dotted.quad.of.SSLServer
check with net-admin
generally Mask =255.255.255.0 will do
check with net admin about which Interface to use..avoid 127.0.0.1 (unless testing locally)
check with net admin on NoOfHops param ..generally the lower the better
use curl (command line url) to check the validity of the certificate, keys and passwords
curl -1 --cacert [file] --key PrivateKey.jks --pass PrivateKeyPass --key-type PEM --pubkey PublicKey.jks
-1 says use TLSv1
check the type of key most keys start out as PEM
PEM key ends with .PEM extension ...DER key with .DER... ENG key ends with .ENG
http://curl.haxx.se/docs/sslcerts.html
once you've been able to achieve a Key Exchange you will have a valid SSL Connection..remember binaries have lower CPU so test with a reliable binary first then start debugging your code (i assume you added your CA cert into your local truststore)
enough pollution?
Martin
__
Disclaimer and confidentiality notice
This message is confidential. If you are not the intended recipient, we kindly ask that you notify us. Any unauthorized forwarding or making of a copy is not permitted. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.
From: esmond.p...@bigpond.com
To: goel...@gmail.com; users@tomcat.apache.org
Subject: RE: Tomcat 7 SSL Session ID
Date: Wed, 5 Dec 2012 09:57:38 +1100
Broken pipes don't invalidate the SSL session. They just break the TCP connection. The SSL session persists, across multiple TCP connections, until it is specifically invalidated by someone: for example, timed out by the SSLSessionContext.
EJP
From: Vincent Goelen [mailto:goel...@gmail.com]
Sent: Wednesday, 5 December 2012 1:15 AM
To: Tomcat Users List
Subject: Re: Tomcat 7 SSL Session ID
Hey, thanks for the help! To be clear, I do not want a 0ms timeout... I'm doing research about how usable the SSL session tracking option is for session management... With the standard settings it seems very unstable to me, when sending a lot of parallel requests I get a broken socket error invalidating the ssl session and making the session with this id disappear. In this case it would seem to me that it's easy to create Denial of Service attacks by just sending a lot of requests so the user loses his session.
By playing with the timeouts I found out this problem doesn't occur when I set the timeout to 0, just by playing with the settings. Perhaps because this disables the possibility of too many parallel connections? I can't find the reason of this in the Tomcat or SSL specs...
I've added a screenshot of a capture where things go wrong without setting a keepAlive.. So I send a lot of requests to the server, the first clientHello (pck 38943) and the following packets everything goes ok, when the application data is being sent I get a tcp rst from port 54195 (this is the connection that was used for the transactions before the current one) ... At this moment my session gets invalidated making the next SSL handshake a full one with new ID (pckt 40361, ...)
2012/11/29 Christopher Schultz ch...@christopherschultz.net
Vincent,
On 11/28/12 3:14 AM, Vincent Goelen wrote:
When the keepAliveTimeout is not set to 0 I can see in the SSL debug logs the SSL session gets invalidated after some requests with a Broken Pipe exception. Is this because there are too many open connections during the keepAliveTimeout?
It's probably because of your pathological keepAliveTimeout. 0ms seems, er, low. Why did you choose 0ms? I haven't looked at the code, so I'm not sure if the elapsed timer starts when the last request is completed (which seems reasonable) or when the last request started. I suspect
RE: Suggestion for improving Tomcat startup performance...
Ok it is working startup time went from 18 seconds down to a little over 8 seconds. Also, if there is some other email group I should be using for technical questions about use of Tomcat please let me know. Regards, -Tony --- On Tue, 12/4/12, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Caldarale, Charles R chuck.caldar...@unisys.com Subject: RE: Suggestion for improving Tomcat startup performance... To: Tomcat Users List (users@tomcat.apache.org) users@tomcat.apache.org Date: Tuesday, December 4, 2012, 4:32 PM From: Tony Anecito [mailto:adanec...@yahoo.com] Subject: RE: Suggestion for improving Tomcat startup performance... Reply to the list, not to individuals. Not sure what you mean by Top Post. http://ck.wikia.com/wiki/TopPosting http://mailformat.dan.info/quoting/top-posting.html I only have one host. So someone pointed me to that sorry if I mentioned it. You only mentioned Engine, not Host, previously. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: CVE-2012-4534 Apache Tomcat denial of service
Jim, Check your Tomcat version. http://localhost:8080/ Stephen

On Dec 4, 2012, at 2:47 PM, Mark Thomas ma...@apache.org wrote:

CVE-2012-4534 Apache Tomcat denial of service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35

Description: When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response an infinite loop is entered leading to a denial of service. This was originally reported as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858.

Mitigation: Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit: The security implications of this bug were identified by Arun Neelicattu of the Red Hat Security Response Team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
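Added example, not part of the thread or of Tomcat: a small check that combines the advisory's affected version ranges with its stated preconditions (NIO connector, HTTPS, sendfile) for a given server.xml. The sample server.xml is constructed, the function names are hypothetical, and treating a missing useSendfile attribute as enabled is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Affected patch levels per branch, copied from the advisory text above.
AFFECTED = {(7, 0): (0, 27), (6, 0): (0, 35)}

# Constructed sample server.xml (not from the thread).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               useSendfile="false"/>
  </Service>
</Server>
"""

def version_affected(banner):
    """True if a banner such as 'Apache Tomcat/7.0.27' is in an affected range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no x.y.z version found in %r" % banner)
    major, minor, patch = (int(g) for g in m.groups())
    bounds = AFFECTED.get((major, minor))  # branches the advisory does not list -> None
    return bounds is not None and bounds[0] <= patch <= bounds[1]

def exposed_connectors(server_xml):
    """Ports of Connectors that combine NIO, HTTPS and sendfile."""
    ports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        nio = "Http11NioProtocol" in conn.get("protocol", "")
        https = conn.get("SSLEnabled", "false").lower() == "true"
        # Assumption: sendfile is on for the NIO connector unless useSendfile="false".
        sendfile = conn.get("useSendfile", "true").lower() != "false"
        if nio and https and sendfile:
            ports.append(conn.get("port"))
    return ports

def assess(banner, server_xml):
    """Combine the version range with the connector preconditions."""
    affected = version_affected(banner)
    ports = exposed_connectors(server_xml)
    return {"version_affected": affected, "connectors": ports,
            "at_risk": affected and bool(ports)}

if __name__ == "__main__":
    for banner in ("Apache Tomcat/7.0.27", "Apache Tomcat/7.0.33"):
        print(banner, assess(banner, SAMPLE_SERVER_XML))
```

A version inside the range with no matching connector is still due for the upgrade the advisory recommends; the connector list only shows where the condition described can currently be reached.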
Re: How to use the usehttponly feature in application level
Got it. Thanks, guys.

2012/12/4 Konstantin Kolinko knst.koli...@gmail.com

2012/12/4 techienote@gmail.com: Hi Zhi, You can set following parameters in web.xml of application.

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

+1. This is the best way. Note, that your web application should be using Servlet 3.0 specification (as declared at the top of your web.xml file) to use this feature. Best regards, Konstantin Kolinko

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org

-- Best Regards Gary
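Added example, not part of the thread: a check that a web.xml both declares Servlet 3.0 and sets the two cookie flags discussed above, since the cookie-config element only takes effect under the condition Konstantin notes. The sample descriptors are constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = 'xmlns="http://java.sun.com/xml/ns/javaee"'
COOKIE_CFG = ("<session-config><cookie-config><http-only>true</http-only>"
              "%s</cookie-config></session-config>")
SECURE = "<secure>true</secure>"

# Constructed web.xml samples (not from the thread).
GOOD = '<web-app %s version="3.0">%s</web-app>' % (NS, COOKIE_CFG % SECURE)
OLD = '<web-app %s version="2.5">%s</web-app>' % (NS, COOKIE_CFG % SECURE)
NO_SECURE = '<web-app %s version="3.0">%s</web-app>' % (NS, COOKIE_CFG % "")

def _child(elem, name):
    """First child with this local name, ignoring the XML namespace prefix."""
    if elem is None:
        return None
    return next((c for c in elem if c.tag.rsplit("}", 1)[-1] == name), None)

def audit_cookie_config(web_xml):
    """Return a list of findings; an empty list means both flags are effective."""
    root = ET.fromstring(web_xml)
    findings = []

    # The descriptor version is declared on the root <web-app> element.
    version = root.get("version", "")
    try:
        supported = float(version) >= 3.0
    except ValueError:
        supported = False
    if not supported:
        findings.append("web-app version %r: cookie-config needs Servlet 3.0" % version)

    # Both flags must be present and set to "true".
    cfg = _child(_child(root, "session-config"), "cookie-config")
    for flag in ("http-only", "secure"):
        node = _child(cfg, flag)
        value = (node.text or "").strip().lower() if node is not None else "missing"
        if value != "true":
            findings.append("<%s> is %s, expected true" % (flag, value))
    return findings

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("OLD", OLD), ("NO_SECURE", NO_SECURE)):
        print(name, audit_cookie_config(doc))
```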
Re: Tomcat7.0-Setting property 'threadPriority' did not find a matching property
2012/12/3 Caldarale, Charles R chuck.caldar...@unisys.com: From: Weixiang [mailto:kurt.weixi...@huawei.com] Subject: Tomcat7.0-Setting property 'threadPriority' did not find a matching property I config in my server.xml for a HTTP Connector named MGMT: threadPriority=java.lang.Thread#Thread.MAX_PRIORITY The documentation may give the impression that you can set the value of the threadPriority attribute to a string referring to some static field, but that is not actually the case. You must supply a numeric value here, which will normally be 10 for the maximum. You can write a simple Java program to display the values of Thread.MIN_PRIORITY and Thread.MAX_PRIORITY, and choose a number within that range.

class ThreadPriority {
    public static void main(String[] args) throws Exception {
        // Print the three priority constants defined by java.lang.Thread
        System.out.format("thread priorities: MIN %d, NORM %d, MAX %d%n",
            Thread.MIN_PRIORITY, Thread.NORM_PRIORITY, Thread.MAX_PRIORITY);
    }
}

The JDK 7 Javadoc includes a description for the priority values, but it doesn't appear to be completely accurate: http://docs.oracle.com/javase/7/docs/api/constant-values.html#java.lang.Thread.MAX_PRIORITY

The MIN/NORM/MAX_PRIORITY constants in the Thread class are final static and thus they are evaluated and inlined at compile time and cannot differ between systems. I'll clarify the docs. Best regards, Konstantin Kolinko

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 is not working on windows 7....
I am Getting Errors while Starting Tomcat And I dont Know What to DO. I am Sending Error Logs which is as Follwos. Dec 05, 2012 11:09:42 AM org.apache.catalina.core.AprLifecycleListener init INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Java\jre7\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:/Program Files/Java/jre7/bin/client;C:/Program Files/Java/jre7/bin;C:/Program Files/Java/jre7/lib/i386;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Calibre2\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;D:\Eclipse\JEE;;. Dec 05, 2012 11:09:43 AM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler [http-bio-8012] Dec 05, 2012 11:09:43 AM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler [ajp-bio-8009] Dec 05, 2012 11:09:43 AM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 1079 ms Dec 05, 2012 11:09:43 AM org.apache.catalina.core.StandardService startInternal INFO: Starting service Catalina Dec 05, 2012 11:09:43 AM org.apache.catalina.core.StandardEngine startInternal INFO: Starting Servlet Engine: Apache Tomcat/7.0.33 Dec 05, 2012 11:09:43 AM org.apache.catalina.valves.AccessLogValve open SEVERE: Failed to open access log file [C:\Program Files\Apache Software Foundation\Tomcat 7.0\logs\localhost_access_log.2012-12-05.txt] java.io.FileNotFoundException: C:\Program Files\Apache Software Foundation\Tomcat 7.0\logs\localhost_access_log.2012-12-05.txt (Access is denied) at java.io.FileOutputStream.open(Native Method) at java.io.FileOutputStream.init(Unknown Source) at org.apache.catalina.valves.AccessLogValve.open(AccessLogValve.java:1119) at org.apache.catalina.valves.AccessLogValve.startInternal(AccessLogValve.java:1223) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at 
org.apache.catalina.core.StandardPipeline.startInternal(StandardPipeline.java:185) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1137) at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:800) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549) at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Dec 05, 2012 11:09:43 AM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\docs Dec 05, 2012 11:09:44 AM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\manager Dec 05, 2012 11:09:44 AM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\ROOT Dec 05, 2012 11:09:44 AM org.apache.coyote.AbstractProtocol start INFO: Starting ProtocolHandler [http-bio-8012] Dec 05, 2012 11:09:44 AM org.apache.coyote.AbstractProtocol start INFO: Starting ProtocolHandler [ajp-bio-8009] Dec 05, 2012 11:09:44 AM org.apache.catalina.startup.Catalina start INFO: Server startup in 814 ms Please Help Me Regarding This Thanks... 
Jugal On Mon, Dec 3, 2012 at 9:21 PM, Mark Eggers its_toas...@yahoo.com wrote: On 12/3/2012 2:28 AM, Konstantin Kolinko wrote: 2012/12/3 Mark Thomas ma...@apache.org: On 03/12/2012 09:15, Jugal Thakkar wrote: Hello Sir, I am Java Developer. I develop web application using servlet and JSP. My problem is that I am not able to get server started in Eclipse Juno using Tomcat 7 with Windows 7. Please Guide me for the same Installation Process of tomcat 7 on windows 7 I was previously using Windows XP and everything was fine But with Windows 7 I am Having the problem Please guide me regarding this Two options: 1. Read this: http://www.catb.org/esr/faqs/smart-questions.html and follow the excellent advice it offers. +1 +1 2. Apply the following logic: - It worked on Windows XP - It doesn't work on Windows 7 - Therefore a bug in Windows 7 is the root cause - Either: a) Report the problem to Microsoft and get them to fix it b) Uninstall Windows 7 and re-install Windows
Re: Tomcat 7 is not working on windows 7....
See below, and please do not top post. On 12/4/2012 10:17 PM, Jugal Thakkar wrote: I am Getting Errors while Starting Tomcat And I dont Know What to DO. I am Sending Error Logs which is as Follwos. Dec 05, 2012 11:09:42 AM org.apache.catalina.core.AprLifecycleListener init INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Java\jre7\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:/Program Files/Java/jre7/bin/client;C:/Program Files/Java/jre7/bin;C:/Program Files/Java/jre7/lib/i386;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Calibre2\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;D:\Eclipse\JEE;;. Dec 05, 2012 11:09:43 AM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler [http-bio-8012] Dec 05, 2012 11:09:43 AM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler [ajp-bio-8009] Dec 05, 2012 11:09:43 AM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 1079 ms Dec 05, 2012 11:09:43 AM org.apache.catalina.core.StandardService startInternal INFO: Starting service Catalina Dec 05, 2012 11:09:43 AM org.apache.catalina.core.StandardEngine startInternal INFO: Starting Servlet Engine: Apache Tomcat/7.0.33 Dec 05, 2012 11:09:43 AM org.apache.catalina.valves.AccessLogValve open SEVERE: Failed to open access log file [C:\Program Files\Apache Software Foundation\Tomcat 7.0\logs\localhost_access_log.2012-12-05.txt] java.io.FileNotFoundException: C:\Program Files\Apache Software Foundation\Tomcat 7.0\logs\localhost_access_log.2012-12-05.txt (Access is denied) at java.io.FileOutputStream.open(Native Method) at java.io.FileOutputStream.init(Unknown Source) at org.apache.catalina.valves.AccessLogValve.open(AccessLogValve.java:1119) at 
org.apache.catalina.valves.AccessLogValve.startInternal(AccessLogValve.java:1223) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.StandardPipeline.startInternal(StandardPipeline.java:185) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1137) at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:800) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549) at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Dec 05, 2012 11:09:43 AM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\docs Dec 05, 2012 11:09:44 AM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\manager Dec 05, 2012 11:09:44 AM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\ROOT Dec 05, 2012 11:09:44 AM org.apache.coyote.AbstractProtocol start INFO: Starting ProtocolHandler [http-bio-8012] Dec 05, 2012 11:09:44 AM org.apache.coyote.AbstractProtocol start INFO: Starting ProtocolHandler [ajp-bio-8009] Dec 05, 2012 11:09:44 AM org.apache.catalina.startup.Catalina start INFO: Server startup in 814 ms Please Help Me Regarding This Thanks... 
Jugal On Mon, Dec 3, 2012 at 9:21 PM, Mark Eggers its_toas...@yahoo.com wrote: On 12/3/2012 2:28 AM, Konstantin Kolinko wrote: 2012/12/3 Mark Thomas ma...@apache.org: On 03/12/2012 09:15, Jugal Thakkar wrote: Hello Sir, I am Java Developer. I develop web application using servlet and JSP. My problem is that I am not able to get server started in Eclipse Juno using Tomcat 7 with Windows 7. Please Guide me for the same Installation Process of tomcat 7 on windows 7 I was previously using Windows XP and everything was fine But with Windows 7 I am Having the problem Please guide me regarding this Two options: 1. Read this: http://www.catb.org/esr/faqs/smart-questions.html and follow the excellent advice it offers. +1 +1 2. Apply the following logic: - It worked on Windows XP - It doesn't work on Windows 7 - Therefore a bug in Windows 7 is the root cause - Either: a) Report the
Re: [OT] Tomcat 7 SSL Session ID
Esmond Pitt wrote: Broken pipes don't invalidate the SSL session. They just break the TCP connection. The SSL session persists, across multiple TCP connections, until it is specifically invalidated by someone: for example, timed out by the SSLSessionContext. Ah. That would explain some other (totally unrelated) phenomenon which I had noticed and which puzzled me. I didn't know that. Thanks for the info. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org