date:20130611

 From: ruxing bao [mailto:brxonl...@hotmail.com] 
 Subject: RE: Illegal access: this web application instance has been stopped 
 already and NoClassDefFoundError

 Zookeeper jar had been under  CLASSPATH.

Do not ever use the CLASSPATH environment variable.  In a Tomcat environment, 
it is properly ignored; in other environments, it can only create confusion.

Read the Tomcat doc on classloading and decide in which of the standard 
locations you should put the Zookeper jar.  It would normally be placed in the 
webapp's WEB-INF/lib directory.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: SSL Issue- Support required.

 From: B S, Veena [mailto:veena@hp.com] 
 Subject: SSL Issue- Support required.

 Tomcat version: 6.0

 The SSL configuration is done as per the standard SSL set up link 
 http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html . 

If you're using Tomcat 6, you have no reason to look at Tomcat 5.5 
documentation.  Use the proper doc for the level you're running on, and make 
sure you follow either the APR or JSSE versions, depending on whether or not 
you're using APR.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Illegal access: this web application instance has been stopped already and NoClassDefFoundError

2013-06-11 Thread ruxing bao

Yes,   my reply caused some confusion.
I mean that currently zookeeper jar is palced in the my web appllication's 
WEB-INF/lib directory.
thanks,
Bob

 From: chuck.caldar...@unisys.com
 To: users@tomcat.apache.org
 Date: Tue, 11 Jun 2013 07:15:20 -0500
 Subject: RE: Illegal access: this web application instance has been stopped 
 already and NoClassDefFoundError

  From: ruxing bao [mailto:brxonl...@hotmail.com] 
  Subject: RE: Illegal access: this web application instance has been stopped 
  already and NoClassDefFoundError

  Zookeeper jar had been under  CLASSPATH.

 Do not ever use the CLASSPATH environment variable.  In a Tomcat environment, 
 it is properly ignored; in other environments, it can only create confusion.

 Read the Tomcat doc on classloading and decide in which of the standard 
 locations you should put the Zookeper jar.  It would normally be placed in 
 the webapp's WEB-INF/lib directory.

  - Chuck

 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
 MATERIAL and is thus for use only by the intended recipient. If you received 
 this in error, please contact the sender and delete the e-mail and its 
 attachments from all computers.

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: undefined reference to `TLSv1_1_client_method

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

To whom it may concern,

On 6/11/13 7:58 AM, de...@cines.fr wrote:
 With apache 2.4.4, i tried , without success, to build binaries. 
 I've got this error each time :
 
 
 ab.o: In function `main': /opt/httpd-2.4.4/support/ab.c:2271:
 undefined reference to `TLSv1_1_client_method' 
 /opt/httpd-2.4.4/support/ab.c:2273: undefined reference to
 `TLSv1_2_client_method' collect2: ld returned 1 exit status 
 make[2]: *** [ab] Erreur 1 make[2]: quittant le rÃ©pertoire Â«
 /opt/httpd-2.4.4/support Â» make[1]: *** [all-recursive] Erreur 1 
 make[1]: quittant le rÃ©pertoire Â« /opt/httpd-2.4.4/support Â» 
 make: *** [all-recursive] Erreur 1
 
 by launching this command: ./configure --prefix=/usr/local/apache2
 --enable-so --enable-mods-shared=all --with-included-apr
 --with-ssl=/opt/apache-tomcat-7.0.40/bin/tomcat-native-1.1.27-src/jni/native/srclib/openssl-1.0.1e
 --enable-ssl --enable-v4-mapped
 
 Have you got a workaround to fix this problem?

I think you've got the wrong mailing list: this list is for Apache
Tomcat, a Java web application server. You appear to be building the
Apache web server (a different product). The list you want can be
found here: https://httpd.apache.org/lists.html#http-users

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRtykYAAoJEBzwKT+lPKRYQAYP/3cgecKKPg9hB5LUmi900ojF
vYRZ2zxUGI3pLhuPgQlh4HMqzeTQxbi4oMwWws6e9yBANiXYi2L7c1lW1idE44la
Y9axt9H1zZ4VTfyLWGPmkO/ZU8iMRl36FhQQNf2EMTt+yWFOZc92NT5592pczmy2
t3TTij3hPmrZZGEZsVJ+j/Q7dkF7MYdqefQQ9myc6tnlEL2KupLQBUKu/GZMa88y
3JJ6htITaLYFZvZAkaZqz/IagsSEKKhOH+rtOgZ2IHQn8fe13N3VJRTLkb2UVN9o
Qg0bRaPHH3D/EWm1p7gbSZ7wAPh+yIubf+zoY4qk6J8UBEyO/xgciLSi3smal86U
ES4H5e7ER6qAu4BnAWRByXtgZhL6lrjy/qraEKmZcTcniK+vMz0h5ealgrK7Wt2j
wNA/m9FnGm9jejGhZSCSz8BgokpNgfRV/2TkwzXHYxc4dhw3sCcg24oPOZVQ3Ozf
e1Jp5W0UX5fIKji3V+O8xQ/BYMtakraMjVuvpUs+eljKFZ7k+mQoF9U9343PiOSy
Xs08igh5NVjAL8mUCBS42Sfvp2uxVb3B6/WVJfvo16m4f54tS+cWq0m9pxMXdo0D
NdhEdaZkKxPaJkV0W22oZtRH4Co5NVMnHriW/LoHtsH71jxpwlvj9qd+WlNkEukr
RMMayCzWDDmebr6hcxsz
=qk7s
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: undefined reference to `TLSv1_1_client_method

 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Subject: Re: undefined reference to `TLSv1_1_client_method

  by launching this command: ./configure --prefix=/usr/local/apache2
  --enable-so --enable-mods-shared=all --with-included-apr
  --with-ssl=/opt/apache-tomcat-7.0.40/bin/tomcat-native-1.1.27-src/jni/native/srclib/openssl-1.0.1e
  --enable-ssl --enable-v4-mapped

 I think you've got the wrong mailing list: this list is for Apache
 Tomcat, a Java web application server. You appear to be building the
 Apache web server (a different product). The list you want can be
 found here: https://httpd.apache.org/lists.html#http-users

I think the confusion is that the OP is trying to build httpd using the version 
of OpenSSL that comes with Tomcat - which seems a bit backwards, at the very 
least.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

http request (no only session) replication in cluster

2013-06-11 Thread Ja kub

What can be done to guarantee failover in below scenario:

2 tomcats behind cisco loadbalancer
1 http request can last very long about 50 seconds - response from
webservice can take so long
load is 200 requests per second
I must response in max 4 seconds more than backing webservice

is there something like http request replication ?

50 s * 200 req/s = 10.000 pending requests

if one tomcat is eg killed, can in any way other tomcat serve his requests ?

is there any out of the box solution, eg similar to session replication ?


regards

ps
is it possible to save socket to database, or send it via network?

Re: Illegal access: this web application instance has been stopped already and NoClassDefFoundError

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Bob,

On 6/11/13 1:05 AM, ruxing bao wrote:
 Sorry,I can't get any more of the stack trace.
 
 We wrapped zookeepr client as a spring bean and invoked method 
 close of zookeeper in destory-method of bean,in that method 
 close,zookeeper Send Thread was closed. When tomcat was shut
 down, Spring closed it's container and bean was destroyed, then 
 destroy-method of bean was invoked. I'am confusing why is Send 
 Thread of Zookeeper seemed to exit slower than the
 WebappClassLoader shedding its loaded classes.


Threads don't always shut down immediately... let's see how you are
telling the thread to shut down:

 ps: details of zookeeper closing

(Thanks!)

 org.apache.zookeeper.Zookeeper public synchronized void close()
 throws InterruptedException { if (!cnxn.getState().isAlive()) { if
 (LOG.isDebugEnabled()) { LOG.debug(Close called on already closed
 client); } return; } if (LOG.isDebugEnabled()) { 
 LOG.debug(Closing session: 0x +
 Long.toHexString(getSessionId())); } try { cnxn.close(); } catch
 (IOException e) { if (LOG.isDebugEnabled()) { LOG.debug(Ignoring
 unexpected exception during close, e); } } LOG.info(Session: 0x
 + Long.toHexString(getSessionId()) +  closed); }

So, during webapp shutdown you should be getting the message Closing
session 0x[...], right? No errors?

Is cnxn of type org.apache.zookeeped.ClientCnxn? That seems to be
the case, but it's worth checking.

 --

 
org.apache.zookeeper.ClientCnxn
 public void close() throws IOException { if (LOG.isDebugEnabled())
 { LOG.debug(Closing client for session: 0x +
 Long.toHexString(getSessionId())); } try { RequestHeader h = new
 RequestHeader(); h.setType(ZooDefs.OpCode.closeSession); 
 submitRequest(h, null, null, null); } catch (InterruptedException
 e) { // ignore, close the send/event threads } finally { 
 disconnect(); } }
 
 public void disconnect() { if (LOG.isDebugEnabled()) { 
 LOG.debug(Disconnecting client for session: 0x +
 Long.toHexString(getSessionId())); } sendThread.close(); 
 eventThread.queueEventOfDeath(); }

Okay, so calling close asks the thread to stop (somewhat indirectly).

 org.apache.zookeeper.ClientCnxn.SendThread void close() { state =
 States.CLOSED; clientCnxnSocket.wakeupCnxn(); }
 
 
 @Override public void run() { 
 clientCnxnSocket.introduce(this,sessionId); 
 clientCnxnSocket.updateNow(); 
 clientCnxnSocket.updateLastSendAndHeard(); int to; long
 lastPingRwServer = System.currentTimeMillis(); while
 (state.isAlive()) { try { if (!clientCnxnSocket.isConnected()) { 
 if(!isFirstConnect){ try { Thread.sleep(r.nextInt(1000)); } catch
 (InterruptedException e) { LOG.warn(Unexpected exception, e); } 
 } // don't re-establish connection if we are closing if (closing ||
 !state.isAlive()) { break; } startConnect(); 
 clientCnxnSocket.updateLastSendAndHeard(); } if
 (state.isConnected()) { // determine whether we need to send an
 AuthFailed event. if (zooKeeperSaslClient != null) { boolean
 sendAuthEvent = false; if (zooKeeperSaslClient.getSaslState() ==
 ZooKeeperSaslClient.SaslState.INITIAL) { try { 
 zooKeeperSaslClient.initialize(ClientCnxn.this); } catch
 (SaslException e) { LOG.error(SASL authentication with Zookeeper
 Quorum member failed:  + e); state = States.AUTH_FAILED; 
 sendAuthEvent = true; } } KeeperState authState =
 zooKeeperSaslClient.getKeeperState(); if (authState != null) { if
 (authState == KeeperState.AuthFailed) { // An authentication error
 occurred during authentication with the Zookeeper Server. state =
 States.AUTH_FAILED; sendAuthEvent = true; } else { if (authState ==
 KeeperState.SaslAuthenticated) { sendAuthEvent = true; } } } if
 (sendAuthEvent == true) { eventThread.queueEvent(new WatchedEvent( 
 Watcher.Event.EventType.None, authState,null)); } } to =
 readTimeout - clientCnxnSocket.getIdleRecv(); } else { to =
 connectTimeout - clientCnxnSocket.getIdleRecv(); }
 
 if (to = 0) { throw new SessionTimeoutException( Client session
 timed out, have not heard from server in  +
 clientCnxnSocket.getIdleRecv() + ms +  for sessionid 0x +
 Long.toHexString(sessionId)); } if (state.isConnected()) { int
 timeToNextPing = readTimeout / 2 - clientCnxnSocket.getIdleSend(); 
 if (timeToNextPing = 0) { sendPing(); 
 clientCnxnSocket.updateLastSend(); } else { if (timeToNextPing 
 to) { to = timeToNextPing; } } } // If we are in read-only mode,
 seek for read/write server if (state == States.CONNECTEDREADONLY)
 { long now = System.currentTimeMillis(); int idlePingRwServer =
 (int) (now - lastPingRwServer); if (idlePingRwServer =
 pingRwTimeout) { lastPingRwServer = now; idlePingRwServer = 0; 
 pingRwTimeout = Math.min(2*pingRwTimeout, maxPingRwTimeout); 
 pingRwServer(); } to = Math.min(to, pingRwTimeout -
 idlePingRwServer); } clientCnxnSocket.doTransport(to, pendingQueue,
 outgoingQueue, ClientCnxn.this); } catch (Throwable e) { if

Re: undefined reference to `TLSv1_1_client_method

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chuck,

On 6/11/13 9:46 AM, Caldarale, Charles R wrote:
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Subject: Re: undefined reference to `TLSv1_1_client_method

 by launching this command: ./configure
 --prefix=/usr/local/apache2 --enable-so
 --enable-mods-shared=all --with-included-apr 
 --with-ssl=/opt/apache-tomcat-7.0.40/bin/tomcat-native-1.1.27-src/jni/native/srclib/openssl-1.0.1e

- --enable-ssl --enable-v4-mapped

 I think you've got the wrong mailing list: this list is for
 Apache Tomcat, a Java web application server. You appear to be
 building the Apache web server (a different product). The list
 you want can be found here:
 https://httpd.apache.org/lists.html#http-users

 I think the confusion is that the OP is trying to build httpd
 using the version of OpenSSL that comes with Tomcat - which seems a
 bit backwards, at the very least.

Tomcat doesn't distribute OpenSSL, so the OP probably just happened to
have it in that directory.

I'm a bit confused as to why configure would have failed with a
make error which is obviously trying to link something. configure
should not be attempting to compile/link anything (except trivial
programs to probe the environment).

I suspect the problem is a broken environment where one OpenSSL
(1.0.1e) is being used for part of the process and a different one
(0.9.8? 1.0.0?) is being used for compilation (or linking).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRty6vAAoJEBzwKT+lPKRYGfsQAJLCu0rR93jjrEgodz+UkgfJ
DArd+azI1oX5VMlh8YxVMsn3FfWQdMpXGKpTw2buvaJoCVumg4vkImw6e77AUzsA
f3x9043DayCkRy9kyDSIl92lJVaohhPegl8buJFnLciiGnD5vin6rHS0/al6j3KU
V2+GARxcigggR2vZwRic61TLJl3uizIBMsRGE4wJlpdI9v+Cy5e/TJr7p67U92g/
wYBIB4dL7gqIPlYEENDy6TligMAjjUXTKtakLBcKAq+vOTgaOzRjbgNlz7uJhlPq
C3jTV2/iQO/MZVz7dqHsT1baduW2It6H95JyMuWg1Z2JSds3ITZWWFnjF6m5g6No
OuqFutP92pJ/ZxdiuWcr0crnnIVHDBRN3FA1JyiBJPbse60uZ1xjJ0HWc0jlLsGK
qtnVr2lELF51skERU7csFL5wf0c09PA3zRNHogMoVNtCKDQYXzT9u7nDW/FypplN
7DdFG7YD/vprWBOUnfkVVUsIjIZ+ZXPgCjeRrOuvbmFxHII4y+Tb49pUSARp5bFr
9/kBNNtQl9JKAUsi+7knGS3RVDbPXGUige4rKwSIervh69R2SKOnOXcggkZ/XlVU
KWFsOX4nHEyO8Q15pUyfMsM8WiNnHCdSaPCf9NW0auzLsoYLztbPerV/af/ha8/r
Aha1L6wwBHEpQ3DOtr4d
=L8u3
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: http request (no only session) replication in cluster

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Ja,

On 6/11/13 9:54 AM, Ja kub wrote:
 What can be done to guarantee failover in below scenario:
 
 2 tomcats behind cisco loadbalancer 1 http request can last very
 long about 50 seconds - response from webservice can take so long 
 load is 200 requests per second I must response in max 4 seconds
 more than backing webservice
 
 is there something like http request replication ?
 
 50 s * 200 req/s = 10.000 pending requests
 
 if one tomcat is eg killed, can in any way other tomcat serve his
 requests ?
 
 is there any out of the box solution, eg similar to session
 replication ?

The best way to do this is to configure your load balancer to buffer
responses and re-try another cluster node in the case of an unexpected
disconnect.

If you can't buffer the response, then it is entirely inappropriate to
re-process a request: instead, you should let the failure propagate
all the way back to the client and let them decide what to do.

 is it possible to save socket to database, or send it via network?

No. I think you are confused about what a socket is.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRtzM3AAoJEBzwKT+lPKRYPaEQAIEDPqvboqXW/X05PSmPwaCC
IC8LegK8XFSc+IZvVHurGw0cemd8VcQOLRDlfK6OQM/wGfsTfsxWelJRm7KmjeS6
kZJuIfg6AAdEibgQj/dnQ/VhLAxBh8XYnDtkNyniAIwP5iigTXKsAUVNHz/o1vCI
MFZ3ToqhtNHw7NkFXwyi6GnPuZOGXABedk1IQsD37iawYgjkPtdKteu6Y96M6L7y
hguv4cilbk4N1RrNsIR2cxDYj/BZ+qide+ZVs5EPpbvym1FGTHqu+q911Ux/YURi
wZI1ny/63AydWt9SOD3f6SOBBFHF20Nf5jKPQ+0F0zBso42Rw11kXevR93DrUCLV
rseud/2odBjtn8w3dQMD/LthqUQQPrtCarx8qfa0yQHhnHKQQ0LDJhKxLzn3VEVg
6AO0tCNMyBrV9P2RH5kNo/ebBk7+d0A2IOqDloRb4k6ySKaJzirJ5LMmIxT0bUeg
wGafZpqNJ6zcsXSPt1PLnJhx3wVya8gKF/ByFY65lz84rPV41/v1MN/iVVRltUC7
gZIa3w0MtibrG0A5DTuV31ZQSkmr6i1fwif2asktkZ08r91UO9yb8TXVfUVVBaL4
ZQenkl5thHLWf/0Np5PpTIAaNTRiKZvlJCo9/zCF8An3DeMgRbzNjnDKS02+pm9e
h4tXjEX7UL1JDjoMBgJ1
=qd37
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Customizing SSL in HttpClient

2013-06-11 Thread Konstantin Kolinko

2013/6/11 Anil Goyal -X (anigoyal - Aricent Technologies at Cisco)
anigo...@cisco.com:

 Please consider the code flow as below:

 HttpClient client = new HttpClient();
 portNumber = secure ? LocalNetworkConstants.DEFAULT_HTTPS_PORT : 
 LocalNetworkConstants.DEFAULT_HTTP_PORT; // DEFAULT_HTTPS_PORT=8444 and 
 DEFAULT_HTTP_PORT=8081 define in  LocalNetworkConstants.java  LOG.debug(the 
 value of https port is+String.valueOf(portNumber)); if (secure) {
 Protocol protocol = new 
 Protocol(LocalNetworkConstants.URISCHEME_HTTPS, new 
 ExtendedProtocolSocketFactory(address, 
 locationData.isAcceptSelfSignedCertificates(), 
 locationData.isAcceptCertificateErrors()) , portNumber);
 client.getHostConfiguration().setHost(address, portNumber, protocol);
  LOG.debug(setting the host for https+String.valueOf(portNumber));
 }
 else {
 client.getHostConfiguration().setHost(address, portNumber);
 LOG.debug(setting the host for http+String.valueOf(portNumber));
 }


 GetMethod method = new GetMethod(LocalNetworkConstants.INFO_FEEDER_PATH);
 int returnCode = client.executeMethod(method);

 This is the code at the client side.

 At the server side,

 I have 8444 and 8081 port defined in server.xml

 Connector URIEncoding=UTF-8 acceptCount=100 connectionTimeout=2 
 disableUploadTimeout=true enableLookups=false maxHttpHeaderSize=8193 
 maxSpareThreads=25 maxThreads=25 minSpareThreads=10 port=8081 
 protocol=HTTP/1.1 redirectPort=8444 server= /
 Connector SSLEnabled=true URIEncoding=UTF-8 acceptCount=100 
 ciphers=  clientAuth=false disableUploadTimeout=true 
 enableLookups=false keystoreFile= keystorePass= keystoreType= 
 maxHttpHeaderSize=8192 maxSpareThreads=25 maxThreads=25 
 minSpareThreads=10 port=8444 protocol=HTTP/1.1 scheme=https 
 secure=true server=  sslProtocol=TLS/

 Also I have these two ports entry in iptables.

 Now in the tomcat redirection valve, I have below code written

 int port = request.getServerPort();
 StringBuffer url = request.getRequestURL();


 So now the problem are is, when from client I disable ssl and send the 
 request at port 8081 then in tomcat valve, port -8081 and url also contains 
 port 8081.

 But when from client , I enable ssl and send the request at port 8444, then 
 here in valve the request.getServerPort returns 443 and even in url also port 
 is 443.

 So I am not able to understand why the https port is converting into 443 from 
 8444 while http port 8081 is working fine.

 Even in tomcat access valve, the request is coming at port 8444 as shown below
 [11/Jun/2013:11:16:58 +0530] 10.93.230.203 10.93.230.203 admin - 8444 GET 
 /feeder/info HTTP/1.1 500 2581 123

 For http port also the request is coming at port 8081 of tomcat
 [11/Jun/2013:11:18:29 +0530] 10.93.230.203 10.93.230.203 admin - 8081 GET 
 /feeder/info HTTP/1.1 200 4377 286

 But I am totally confused why request.getServerPort is giving 443 for https 
 ???


AccessLogValve uses the same getServerPort() call, though directly on
a tomcat-internal request object.

So maybe your request is wrapped by some HttpServletRequestWrapper
(which overrides getServerPort() method and provides a different
value)?

Try to connect a debugger and step into that getServerPort() call.
https://wiki.apache.org/tomcat/FAQ/Developing#Debugging

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Customizing SSL in HttpClient

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Anil,

On 6/11/13 1:53 AM, Anil Goyal -X (anigoyal - Aricent Technologies at
Cisco) wrote:
 
 
 -Original Message- From: Christopher Schultz
 [mailto:ch...@christopherschultz.net] Sent: Monday, June 10, 2013
 7:51 PM To: Tomcat Users List Subject: Re: Customizing SSL in
 HttpClient
 
 Anil,
 
 On 6/10/13 8:42 AM, Anil Goyal -X (anigoyal - Aricent Technologies
 at Cisco) wrote:
 I am trying to create a http client and send a request to certain
 port of a server using below code:
 
 HttpClient client = new HttpClient(); 
 client.getHostConfiguration().setHost(address, portNumber,
 protocol);
 
 Here portNumber that I am setting is 8444(https port of tomcat)
 
 When I execute client.executemethod() and at the server side when
 I tried to retrieve request.getRequestURL(), I am getting the url
 with port 443 not 8444 which I set in client. Even
 request.getServerPort is giving 443 not 8444.
 
 Is there any kind of port-forwarding or anything else going on?
 
 The things are working fine for 8081(http port of tomcat) i..e 
 HttpClient client = new HttpClient(); 
 client.getHostConfiguration().setHost(address, portNumber,
 protocol);
 
 Here portNumber that I am setting is 8081(https port of tomcat)
 
 When I execute client.executemethod() and at the server side when
 I tried to retrieve request.getRequestURL(), I am getting the url
 with port 8081 which I set in client. Even request.getServerPort
 is giving 8081.
 
 Can you show us a bit more of the code? It's not clear from you
 client code that the port number is set correctly, and you only
 mentioned the server. Can you give us some of that, too? Also, what
 do your Connector elements look like in server.xml?
 
 -chris
 
 -

 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 Please consider the code flow as below:
 
 HttpClient client = new HttpClient(); portNumber = secure ?
 LocalNetworkConstants.DEFAULT_HTTPS_PORT :
 LocalNetworkConstants.DEFAULT_HTTP_PORT; // DEFAULT_HTTPS_PORT=8444
 and DEFAULT_HTTP_PORT=8081 define in  LocalNetworkConstants.java 
 LOG.debug(the value of https port
 is+String.valueOf(portNumber)); if (secure) { Protocol protocol =
 new Protocol(LocalNetworkConstants.URISCHEME_HTTPS, new
 ExtendedProtocolSocketFactory(address,
 locationData.isAcceptSelfSignedCertificates(),
 locationData.isAcceptCertificateErrors()) , portNumber); 
 client.getHostConfiguration().setHost(address, portNumber,
 protocol); LOG.debug(setting the host for
 https+String.valueOf(portNumber)); } else { 
 client.getHostConfiguration().setHost(address, portNumber); 
 LOG.debug(setting the host for http+String.valueOf(portNumber)); 
 }
 
 
 GetMethod method = new
 GetMethod(LocalNetworkConstants.INFO_FEEDER_PATH); int returnCode =
 client.executeMethod(method);
 
 This is the code at the client side.
 
 At the server side,
 
 I have 8444 and 8081 port defined in server.xml
 
 Connector URIEncoding=UTF-8 acceptCount=100
 connectionTimeout=2 disableUploadTimeout=true
 enableLookups=false maxHttpHeaderSize=8193 maxSpareThreads=25
 maxThreads=25 minSpareThreads=10 port=8081
 protocol=HTTP/1.1 redirectPort=8444 server= / Connector
 SSLEnabled=true URIEncoding=UTF-8 acceptCount=100 ciphers= 
 clientAuth=false disableUploadTimeout=true
 enableLookups=false keystoreFile= keystorePass=
 keystoreType= maxHttpHeaderSize=8192 maxSpareThreads=25
 maxThreads=25 minSpareThreads=10 port=8444
 protocol=HTTP/1.1 scheme=https secure=true server= 
 sslProtocol=TLS/
 
 Also I have these two ports entry in iptables.

Which two ports? What have you done with them in iptables?

 Now in the tomcat redirection valve, I have below code written
 
 int port = request.getServerPort(); StringBuffer url =
 request.getRequestURL();

What is the Tomcat redirection valve?

 So now the problem are is, when from client I disable ssl and send 
 the request at port 8081 then in tomcat valve, port -8081 and url 
 also contains port 8081.
 
 But when from client , I enable ssl and send the request at port 
 8444, then here in valve the request.getServerPort returns 443 and
 even in url also port is 443.

If the URL contains port 443, then your client connection is not
actually contacting port 8444. Can you confirm with a packet-sniffer
or something else that you are connecting to 8444 and not 443?

It's possible that there is a bug in HttpClient that makes it connect
to whatever port you requested (8444) but then also sends
hostname:443 as the Host header. If that happens, Tomcat will use
that :443 as the return value for getServerPort (note that this is
specified in the Servlet Javadocs).

If you want the real port Tomcat answered on, use
HttpServletRequest.getLocalPort.

 So I am not able to understand why the https port is converting
 into 443 from 8444 while http port 8081 is working fine.
 
 Even

Re: Customizing SSL in HttpClient

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Martin,

On 6/11/13 6:12 AM, Martin Gainty wrote:
 if you want JSSE Handshaking to be enabled on server enable
 AprLifecycle Listener on server.xml e.g. Listener
 className=org.apache.catalina.core.AprLifecycleListener
 SSLEngine=on /

This is absolutely false. If you want JSSE, you must not configure
SSLEngine=on in the AprLifecycleListener unless you also specify in
your Connector that you don't want to use APR.

Stop confusing everyone.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRtzUhAAoJEBzwKT+lPKRY+eUQAKnHzh4Wvq6FNq7omu/AulKW
Z2f5STRH0J0Pm4Oqih46+ugPuh7ryI3W8JNgGyQIx9el9d+17YP0gejB9lYrCx2L
LkcbunLbJXlpELlmyXvEOJzbdey0PL2mrJoNboGURJiU1YZ6qxw3t2ViaSUSiql8
VzEcaj+3zsuof7PccQPR4l8s8VkrB3n9LG/CNpK44GQ57fqDO8UuFWsd2yu8A2OQ
RPtjrzNs4ef7gmcXXLdnjcS/CK4gPNk3DSl+Umra+hzWJahB347LQPst+eGU7PD2
Se473kxJ7tsZuox9M9Ue1N7x3aG8LdBMt/Z5zOrKB6h9CG9jE1O3EwJpi1qS04ZO
aCkN39BWOeTYeZR1YT1JbXH3jG7DSpz+0dO9uuM9yxxJLOA5JnbhdZuYdu4NQRpt
6UvgAyLNtcrcfN5PM+HHUEHJs4ZUJ8HhHr3kc64cnisrqWEzOmBn+nMMeKYuKs5s
bqhi3g466OPL1D0Y6CeD77lmR8BETRtdrUmK6Ck36NFAcvJifmqIic9tT0iIdjhx
KumjWX7g7nzlE7Gx0GpZnJhTfy/IgOFVvOwVD/qttH5ti1OM1xAGu6IT5Kea6ZC0
sdyKO3YoV/vxnzo55/ApNRAlIwPDKE0F39sQOs0GSClQl0ETs73AFa1CwNMLAPZM
bKDCE6EfytjuZjRUqP/C
=XroP
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Possible to expose a Tomcat Realm instance through JNDI ?

2013-06-11 Thread Tobias Gierke


Hi,

In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is 
already being used for HTTP Basic authentication but couldn't find a way 
how to get hold of the actual Realm instance.


I spent quite some time looking for a solution (complicated by the fact 
that most Google hits actually referred to the LDAP authentication 
realm) but found none. Is  there a config-file-only solution or do I 
need to dig into the Tomcat source code and come up with my own JNDI 
ObjectFactory to achieve this ?


Cheers,
Tobias



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: http request (no only session) replication in cluster

2013-06-11 Thread André Warnier


Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Ja,

On 6/11/13 9:54 AM, Ja kub wrote:

What can be done to guarantee failover in below scenario:

2 tomcats behind cisco loadbalancer 1 http request can last very
long about 50 seconds - response from webservice can take so long 
load is 200 requests per second I must response in max 4 seconds

more than backing webservice

is there something like http request replication ?

50 s * 200 req/s = 10.000 pending requests

if one tomcat is eg killed, can in any way other tomcat serve his
requests ?

is there any out of the box solution, eg similar to session
replication ?


The best way to do this is to configure your load balancer to buffer
responses and re-try another cluster node in the case of an unexpected
disconnect.

If you can't buffer the response, then it is entirely inappropriate to
re-process a request: instead, you should let the failure propagate
all the way back to the client and let them decide what to do.


is it possible to save socket to database, or send it via network?


No. I think you are confused about what a socket is.



Is that just me, or does this look like a *massive* imbalance between the load, and the 
resources dedicated to serve that load ?
I somehow have trouble to envision any system working in any stable way, when right from 
the start it is assumed to have 10,000 requests simultaneously being in various stages of 
processing. Unless one would have some Google-like server farms behind the thing anyway.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Possible to expose a Tomcat Realm instance through JNDI ?

2013-06-11 Thread Tanglin, Oliver

I don't think there is a HTTP Basic authentication realm. The authentication 
type is declared in the auth-method of your web.xml and can be used in 
conjunction with a number of different realm implementations.

Exactly what do you mean by re-use? Does this mean you are doing authentication 
from within your web app?

Oliver



-Original Message-
From: users-return-242237-OLIVER.TANGLIN=saic@tomcat.apache.org on behalf 
of Tobias Gierke
Sent: Tue 6/11/2013 11:20 AM
To: users@tomcat.apache.org
Subject: Possible to expose a Tomcat Realm instance through JNDI ?
 
Hi,

In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is 
already being used for HTTP Basic authentication but couldn't find a way 
how to get hold of the actual Realm instance.

I spent quite some time looking for a solution (complicated by the fact 
that most Google hits actually referred to the LDAP authentication 
realm) but found none. Is  there a config-file-only solution or do I 
need to dig into the Tomcat source code and come up with my own JNDI 
ObjectFactory to achieve this ?

Cheers,
Tobias



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat7 and SPNEGO configuration questions

2013-06-11 Thread Edward Siewick

James,

Regarding your question a), HTTP 401 is a tangle of both not authenticated 
and not authorized.  You're at least getting through authentication of the 
end user. At least that's my interpretation of Krb5Context logging of 
KrbApReq: authenticate succeed. and logged values for mySeqNumber and 
peerSeqNumber. (In my case I'm not getting even this far.)

On your b), Felix's example for debugging a jmeter issue uses an LDAP call to 
check for group membership. This is configured within a realm / in 
server.xml, leveraging the the user's delegated credentials via a request 
attribute so applications can make use of them [presumably for more 
fine-grained authorization control]. Anyway, this seems to be an application 
level augmentation of SPNEGO vice a contradiction of the patch comment for the 
initial SPNEGO support in Tomcat-7.0.12.  (48685: Add initial support for 
SPNEGO/Kerberos authentication also referred to as integrated Windows 
authentication. This includes user authentication, authorisation via the 
directory using the user's delegated credentials and exposing the user's 
delegated credentials via a request attribute so applications can make use of 
them to impersonate the current user when accessing third-party systems that 
use a compatible authentication mechanism. Based on a patch provided by Michael 
Osipov. (markt).) There doesn't seem to be documentation that expands 
authorisation via the directory using the user's delegated credentials into a 
configuration option. As written the comment for 48685 says SPNEGO support 
doesn't stop at authentication; it [somehow] handles authorization, too.

On c), absent documentation, the details in 
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685
might help explain the developers' sense of the intended working order, provide 
some clues on the JAAS and SPNEGO configuration requirements. At least that's 
what I'm reading through.

On d), you might already know this, but KDCRep: init() encoding tag is 126 req 
type is 11 translates to exception: Asn1Exception - if an error occurs while 
decoding an ASN1 encoded data. The actual text is from 
sun.security.krb5.internal.KDCRep:

 116 /**
 117  * Initializes an KDCRep object.
 118  *
 119  * @param encoding a single DER-encoded value.
 120  * @param req_type reply message type.
 121  * @exception Asn1Exception if an error occurs while decoding an ASN1 
encoded data.
 122  * @exception IOException if an I/O error occurs while reading encoded 
data.
 123  * @exception RealmException if an error occurs while constructing
 124  * a Realm object from DER-encoded data.
 125  * @exception KrbApErrException if the value read from the DER-encoded
 126  * data stream does not match the pre-defined value.
 127  *
 128  */
129 protected void init(DerValue encoding, int req_type)
 130 throws Asn1Exception, RealmException, IOException,
 131 KrbApErrException {
 132 DerValue der, subDer;
 133 if ((encoding.getTag()  0x1F) != req_type) {
 134 if (DEBUG) {
 135 System.out.println( KDCRep: init()  +
 136 encoding tag is  +
 137 encoding.getTag() +
 138  req type is  + req_type);
 139 }
 140 throw new Asn1Exception(Krb5.ASN1_BAD_ID);
 141 }

This snippet is from openjdk; 
http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html.
There's also Oracle's 
http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html. It 
doesn't have the actual logging line, though.

Edward


From: james.henderson [james.hender...@rbc.com]
Sent: Monday, June 10, 2013 5:35 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat7 and SPNEGO configuration questions

I am in a similar situation to Edward.

My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq calling createMessage
 KrbAsReq in createMessage
 KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3,
 #bytes=166
 KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=166
 KrbKdcReq send: #bytes read=152
 KrbKdcReq send: #bytes read=152
 KDCRep: init() encoding tag is 126 req type is 11
KRBError:
 sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
 suSec is 764076
 error code is 25
 error Message is Additional pre-authentication required
 realm is DEV
 sname is krbtgt/DEV
 eData provided.
 msgType is 30
Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23
Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
Pre-Authentication Data:
 PA-DATA type = 15
AcquireTGT: PREAUTH

Re: Possible to expose a Tomcat Realm instance through JNDI ?

2013-06-11 Thread Tobias Gierke


Hi Oliver,

I don't think there is a HTTP Basic authentication realm. The authentication type is 
declared in the auth-method of your web.xml and can be used in conjunction 
with a number of different realm implementations.

Exactly what do you mean by re-use? Does this mean you are doing authentication 
from within your web app?
My application is exposing a SOAP service (through Spring-WS servlet) 
for which I want to do method-level access control. Since the service 
endpoint already uses container-based HTTP Basic authentication, I'd 
like to reuse the realm implementation (and configuration, obviously) in 
my own code to get hold of the user's roles.


I just found HttpServletRequest#getUserPrincipal() , maybe I can just 
downcast the result to org.apache.catalina.realm.GenericPrincipal and 
invoke getRoles() on this... ugly, but well... ;)


Cheers,
Tobi



Oliver



-Original Message-
From: users-return-242237-OLIVER.TANGLIN=saic@tomcat.apache.org on behalf 
of Tobias Gierke
Sent: Tue 6/11/2013 11:20 AM
To: users@tomcat.apache.org
Subject: Possible to expose a Tomcat Realm instance through JNDI ?
  
Hi,


In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is
already being used for HTTP Basic authentication but couldn't find a way
how to get hold of the actual Realm instance.

I spent quite some time looking for a solution (complicated by the fact
that most Google hits actually referred to the LDAP authentication
realm) but found none. Is  there a config-file-only solution or do I
need to dig into the Tomcat source code and come up with my own JNDI
ObjectFactory to achieve this ?

Cheers,
Tobias



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



--
Tobias Gierke
Development

VOIPFUTURE GmbH   Wendenstraße 4   20097 Hamburg,  Germany
Phone +49 40 688 900 111 Mobile +49 172 323 06 11 Fax +49 40 688 900 199
Email jan.bast...@voipfuture.com   Web http://www.voipfuture.com
 
CEO Jan Bastian


Commercial Court AG Hamburg   HRB 109896, VAT ID DE263738086

RE: Possible to expose a Tomcat Realm instance through JNDI ?

2013-06-11 Thread Tanglin, Oliver

I think I now understand your issue. I was faced with a similar problem and 
could not figure out how to get the roles of an authenticated user through the 
servlet API.

It seems to only allow the question 'request.isUserInRole(role)'. But does not 
seem to provide a way to get a list of roles that the user is in.

I used a kludge whereby I defined the valid roles in a context init parameter 
(bad duplication of effort). Then used 'request.isUserInRole(role)'. I did not 
think to cast the 'request.getUserPrincipal()' return value.

Please post if your methodology works.

Oliver



-Original Message-
From: users-return-242241-OLIVER.TANGLIN=saic@tomcat.apache.org on behalf 
of Tobias Gierke
Sent: Tue 6/11/2013 12:07 PM
To: users@tomcat.apache.org
Subject: Re: Possible to expose a Tomcat Realm instance through JNDI ?
 
Hi Oliver,
 I don't think there is a HTTP Basic authentication realm. The authentication 
 type is declared in the auth-method of your web.xml and can be used in 
 conjunction with a number of different realm implementations.

 Exactly what do you mean by re-use? Does this mean you are doing 
 authentication from within your web app?
My application is exposing a SOAP service (through Spring-WS servlet) 
for which I want to do method-level access control. Since the service 
endpoint already uses container-based HTTP Basic authentication, I'd 
like to reuse the realm implementation (and configuration, obviously) in 
my own code to get hold of the user's roles.

I just found HttpServletRequest#getUserPrincipal() , maybe I can just 
downcast the result to org.apache.catalina.realm.GenericPrincipal and 
invoke getRoles() on this... ugly, but well... ;)

Cheers,
Tobi


 Oliver



 -Original Message-
 From: users-return-242237-OLIVER.TANGLIN=saic@tomcat.apache.org on behalf 
 of Tobias Gierke
 Sent: Tue 6/11/2013 11:20 AM
 To: users@tomcat.apache.org
 Subject: Possible to expose a Tomcat Realm instance through JNDI ?
   
 Hi,

 In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is
 already being used for HTTP Basic authentication but couldn't find a way
 how to get hold of the actual Realm instance.

 I spent quite some time looking for a solution (complicated by the fact
 that most Google hits actually referred to the LDAP authentication
 realm) but found none. Is  there a config-file-only solution or do I
 need to dig into the Tomcat source code and come up with my own JNDI
 ObjectFactory to achieve this ?

 Cheers,
 Tobias



 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org





 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org


-- 
Tobias Gierke
Development

VOIPFUTURE GmbH   Wendenstraße 4   20097 Hamburg,  Germany
Phone +49 40 688 900 111 Mobile +49 172 323 06 11 Fax +49 40 688 900 199
Email jan.bast...@voipfuture.com   Web http://www.voipfuture.com
  
CEO Jan Bastian

Commercial Court AG Hamburg   HRB 109896, VAT ID DE263738086




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat7 and SPNEGO configuration questions

2013-06-11 Thread Edward Siewick

Pardon my apparent dislexia:

 This snippet is from openjdk; 
 http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html.
 There's also Oracle's 
 http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html. 
 It doesn't have the actual logging line, though.

http://www.docjar.com/html/api/sun/security/krb5/internal/KDCRep.java.html does 
contain this.


From: james.henderson [james.hender...@rbc.com]
Sent: Monday, June 10, 2013 5:35 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat7 and SPNEGO configuration questions

I am in a similar situation to Edward.

My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq calling createMessage
 KrbAsReq in createMessage
 KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3,
 #bytes=166
 KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=166
 KrbKdcReq send: #bytes read=152
 KrbKdcReq send: #bytes read=152
 KDCRep: init() encoding tag is 126 req type is 11
KRBError:
 sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
 suSec is 764076
 error code is 25
 error Message is Additional pre-authentication required
 realm is DEV
 sname is krbtgt/DEV
 eData provided.
 msgType is 30
Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23
Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
Pre-Authentication Data:
 PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
KrbAsReq salt is DEVserver.dev
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsReq calling createMessage
 KrbAsReq in createMessage
 KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3,
 #bytes=249
 KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=249
 KrbKdcReq send: #bytes read=1384
 KrbKdcReq send: #bytes read=1384
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
[Krb5LoginModule] added Krb5Principal  HTTP/server.dev@DEV
to Subject
Commit Succeeded


Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 Config reset default kdc DEV
object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.
 KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1400102526
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 909711492
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] GET /webeditors/hello
HTTP/1.1 401 951

We have another page that uses spring SPNEGO and it works fine with exactly
the same user.

My security constraint/login config looks like this:

security-constraint
web-resource-collection
web-resource-nameWildcard means whole app requires
authentication/web-resource-name
url-pattern/hello/url-pattern
http-methodGET/http-method
http-methodPOST/http-method
/web-resource-collection

auth-constraint
role-name*/role-name
/auth-constraint

user-data-constraint

transport-guaranteeNONE/transport-guarantee
/user-data-constraint
/security-constraint

login-config
auth-methodSPNEGO/auth-method
/login-config

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my
webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work.
Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11
error.

Thanks,

James Henderson




--
View this message in context: 
http://tomcat.10.x6.nabble.com/Tomcat7-and-SPNEGO-configuration-questions-tp4999666p477.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

Re: Mapping security role outside of servlet specification


Am 05.06.2013 13:42, schrieb Ilya Kazakevich:

Hello,

I use probe app for several tomcats.
It's security model is based on servlet API security: security roles and
constraints are provided in web.xml and mapped for each servlet it has.
I use JNDIRealm to authenticate users via LDAP (actually AD is used).
I want to grant access to Probe on Tomcat1' installation for people from
Group1  and to Tomcat2 to people from Group2.
But manager group is hard-coded in web.xml inside of probe!

I want to map group Group1 from LDAP realm to role manager in tomcat.
How can I do that?
I can't use security-role-ref because I should put in servlet tag, so I
can't
do that on tomcat level.
There is  security-role-mapping tag in some servers but  it is proprietary
and not supported by tomcat.

So the only way for me to extract .war file and patch web.xml.

That is the way, we do it at work. For probe, that is.

For other applications we are using different Attributes in the ldap 
group objects to map to different names for the role.


Greetings
 Felix


What is the best way to solve it?

Ilya.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat7 and SPNEGO configuration questions

Hi Edward,

Am 10.06.2013 21:31, schrieb Edward Siewick:

Felix,

Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an
authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two
possibilities seem worth digging at. First, there's likely a gap in my understanding of the
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying to
use the most simple authentication / authorization example available in the default Tomcat7
kit, the manager-gui auth-constraint / role-name and an ordinary
conf/tomcat-users.xml. Regarding the web.xml, the HowTo only mentions that SPNEGO is to be
used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of
guesses on that point in the instruction. Is there something more needed in the web.xml?
No, there is nothing else needed in web.xml. Authentication will be done
by using SPNego and authorization by whatever realm you have configured
for the context.

Second, I'm restricting my configuration to only AES256
(aes256-cts-hmac-sha1-96) and a keytab created only for AES256. Is the default
pre-built Tomcat7 kit known to work with that, by just adding Oracle's
jce_policy-6.zip?
In my example I used tomcat 7.0.40 with openjdk 7u21 without any
modifications. My server keytab held an aes256-cts-hmac-sha1-96 encoded
key. So tomcat has no problems per se with that encoding-combination.

I'm picking at this because, where my log trace seems OK with the AD MSA's
keytab, for a user authentication it jumps straight to a logout:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

It's at this point that your trace goes on to Using builtin default etypes for
permitted_enctypes, authenticates an end user, and seems to be waiting for further
end users. It does pick up both type 18 (AES256) and 17 (AES128), but only reports using
the AES128:
My old trace was produced with an aes128 encrypted key, so that may
explain that. I had to enable aes256 explicitly for apacheds, which I
hadn't bothered first.

With aes256 the trace looks like this:

... KrbAsRep cons in KrbAsReq.getReply HTTP/www.example.com
Added key: 18version: 1
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Found KeyTab
Found KerberosKey for HTTP/www.example@example.com
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 18version: 1
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
replay cache for user0...@example.com is null.
object 0: 1370973475196/196436
KrbApReq: authenticate succeed.
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Delegated Creds have pname=user0...@example.com
sname=krbtgt/example@example.com authtime=20130611175709Z
starttime=20130611175755Z endtime=20130612175704ZrenewTill=null

...

Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.

EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType

Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.

EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType

replay cache for user00...@example.com is null.
object 0: 1370027872357/357663

KrbApReq: authenticate succeed.

Krb5Context setting peerSeqNumber to: 758340766
Krb5Context setting mySeqNumber to: 758340766

Edward

P.S.: The example server.xml bit from your bugzilla test kit provides for role
based authorization. If I can get my very simple example to work, I'll try to
use it. On that point, the bit:

Realm className=org.apache.catalina.realm.JNDIRealm
connectionURL=ldap://localhost:10389;
userBase=ou=users,ou=security,dc=example,dc=com
userSearch=(uid={0})
roleBase=ou=groups,dc=example,dc=com
roleName=cn
roleSearch=(uniqueMember={0})
useDelegatedCredential=false
/

or a similar tidy might be added to the HowTo, right after:

The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm,
by default the JNDI Realm will use the user's delegated credentials to connect to the
Active Directory.
That would be a bad example, since I explicitly disabled the delegation
of the credentials in my case :)

Re: Tomcat7 and SPNEGO configuration questions


Am 10.06.2013 22:06, schrieb Edward Siewick:

I've tried an AES128 keytab and matching krb5.conf; this didn't get any further.

Could you try an arc4 one?

Felix


Edward



From: Edward Siewick [esiew...@ementum.com]
Sent: Monday, June 10, 2013 3:31 PM
To: Tomcat Users List
Subject: RE: Tomcat7 and SPNEGO configuration questions

Felix,

Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an 
authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two 
possibilities seem worth digging at. First, there's likely a gap in my understanding of the 
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying to 
use the most simple authentication / authorization example available in the default Tomcat7 
kit, the manager-gui auth-constraint / role-name and an ordinary 
conf/tomcat-users.xml. Regarding  the web.xml, the HowTo only mentions that SPNEGO is to be 
used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of 
guesses on that point in the instruction. Is there something more needed in the web.xml?

Second, I'm restricting my configuration to only AES256 
(aes256-cts-hmac-sha1-96) and a keytab created only for AES256. Is the default 
pre-built Tomcat7 kit known to work with that, by just adding Oracle's 
jce_policy-6.zip? I'm picking at this because, where my log trace seems OK with 
the AD MSA's keytab, for a user authentication it jumps straight to a logout:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
   [Krb5LoginModule]: Entering logout
   [Krb5LoginModule]: logged out Subject

It's at this point that your trace goes on to Using builtin default etypes for 
permitted_enctypes, authenticates an end user, and seems to be waiting for further 
end users. It does pick up both type 18 (AES256) and 17 (AES128), but only reports using 
the AES128:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.

EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType

Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.

EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType

replay cache for user00...@example.com is null.
object 0: 1370027872357/357663

KrbApReq: authenticate succeed.

Krb5Context setting peerSeqNumber to: 758340766
Krb5Context setting mySeqNumber to: 758340766

Edward

P.S.: The example server.xml bit from your bugzilla test kit provides for role 
based authorization. If I can get my very simple example to work, I'll try to 
use it. On that point, the bit:

  Realm className=org.apache.catalina.realm.JNDIRealm
 connectionURL=ldap://localhost:10389;
 userBase=ou=users,ou=security,dc=example,dc=com
 userSearch=(uid={0})
 roleBase=ou=groups,dc=example,dc=com
 roleName=cn
 roleSearch=(uniqueMember={0})
 useDelegatedCredential=false
  /

or a similar tidy might be added to the HowTo, right after:

The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, 
by default the JNDI Realm will use the user's delegated credentials to connect to the 
Active Directory.





From: Felix Schumacher [felix.schumac...@internetallee.de]
Sent: Wednesday, June 05, 2013 4:12 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat7 and SPNEGO configuration questions

Am 03.06.2013 20:48, schrieb Edward Siewick:

Felix  Friends,

I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID 
doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the 
syntax of: server.xml for JAAS; the webapp's realm bits in web.xml for SPNEGO, or;  tomcat-users.xml. I have 
tried changing tomcat-users.xml to OPENIDMDEV/esiewick, COM.OPENIDMDEV/esiewick and just 
esiewick. And, I've adjusted the Account ID in the Windows Security prompt to match each of these.

If I read your logs at the end of your mail correctly, I think you
haven't gotten that far as to have authenticated an user. In my logs you
could see an user1 being authenticated. But I can't really tell you,
why your user was not authenticated.

At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have
described how I setup a tomcat with apacheds as a kerberos server. You
might want to try that setup.

Regards
   Felix
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat7 and SPNEGO configuration questions


Am 10.06.2013 23:35, schrieb james.henderson:

I am in a similar situation to Edward.

My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.

KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3,
#bytes=166
KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=166
KrbKdcReq send: #bytes read=152
KrbKdcReq send: #bytes read=152
KDCRep: init() encoding tag is 126 req type is 11
KRBError:

  sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
  suSec is 764076
  error code is 25
  error Message is Additional pre-authentication required
  realm is DEV
  sname is krbtgt/DEV
  eData provided.
  msgType is 30

Pre-Authentication Data:

  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23

Pre-Authentication Data:

  PA-DATA type = 2
  PA-ENC-TIMESTAMP

Pre-Authentication Data:

  PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ

KrbAsReq salt is DEVserver.dev

Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3,
#bytes=249
KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=249
KrbKdcReq send: #bytes read=1384
KrbKdcReq send: #bytes read=1384
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev

principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
 [Krb5LoginModule] added Krb5Principal  HTTP/server.dev@DEV
to Subject
Commit Succeeded


Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Config reset default kdc DEV

object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.

KrbApReq: authenticate succeed.

Krb5Context setting peerSeqNumber to: 1400102526

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

Krb5Context setting mySeqNumber to: 909711492
 [Krb5LoginModule]: Entering logout
 [Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] GET /webeditors/hello
HTTP/1.1 401 951

We have another page that uses spring SPNEGO and it works fine with exactly
the same user.

My security constraint/login config looks like this:

 security-constraint
 web-resource-collection
 web-resource-nameWildcard means whole app requires
authentication/web-resource-name
 url-pattern/hello/url-pattern
 http-methodGET/http-method
 http-methodPOST/http-method
 /web-resource-collection

 auth-constraint
 role-name*/role-name
 /auth-constraint

 user-data-constraint
 
 transport-guaranteeNONE/transport-guarantee

 /user-data-constraint
 /security-constraint

 login-config
 auth-methodSPNEGO/auth-method
 /login-config

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
You can enable more logging of the realm code by adding 
org.apache.catalina.realm.level=FINE to your conf/logging.properties file.

b) Understand how the windows users/roles are going to map to any used in my
webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?
SPNego will only do authentication. Authorization is done via the 
configured realm. If your users and roles are stored in an LDAP 
directory (as I suspect it is), you can use the JNDIRealm to configure 
where tomcat will look for your users and their roles. For more info 
look at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm

c) get more documentation on how these things are actually supposed to work.
Most of the information I find is examples, not proper documentation.
If your are not happy with the examples, you can look at the 
configuration docs cunningly hidden 
athttp://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm


Regards,
 Felix

d) Understand why I get this: init() encoding tag is 126 req type is 11
error.

Thanks,

James Henderson




--
View this message in context:

Re: Possible to expose a Tomcat Realm instance through JNDI ?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Tobias,

On 6/11/13 11:20 AM, Tobias Gierke wrote:
 In my web app, I'd like to re-use the (server-wide) Tomcat Realm
 that is already being used for HTTP Basic authentication but
 couldn't find a way how to get hold of the actual Realm instance.
 
 I spent quite some time looking for a solution (complicated by the
 fact that most Google hits actually referred to the LDAP
 authentication realm) but found none. Is  there a
 config-file-only solution or do I need to dig into the Tomcat
 source code and come up with my own JNDI ObjectFactory to achieve
 this ?

What are you actually trying to accomplish? Do you want to
authenticate a user, or get information about an authenticated user?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRt4B8AAoJEBzwKT+lPKRYYMsP/0mmfpuoeHfhyBtk4r/FhNj+
ujAyd7Ah4lXSPGwZP+9oSLkQFNyn+KzXv0Mw7QpdbGVw1J0mQ/umwxikMriXEKmH
rmXquK060IfAubj7ptvQBu6zgFis/6A1N8r51RmrbUej4bIWGrujB0nRAcpWhT3x
Ynt+0sQ+jeNcPhL5QBwzttdBMJf6hRsmNdjMlnwk/zV/E0qaQTpX0NeUuAkgSFuF
ThpkE92rla8S+NL0mS4knj54MVMs3/NRXtm3g+WMxAjPxbKEbNRWaWziK9Pt7N3H
OWVOGJGvQ2x4XMtb3AULgnVNgWxtc7C6WLOTIVqHeqEDKuk+4UOyPB/o9C5Tyrz/
rChGpEMfhLstRDjOvF40oGewXJ+0vC6oaYa9VogMbf+NDtwnyDmX8sXPmROFChj6
9dP47LtJC+IOkMRwkiaRGbrQwzyWtDBdOMueYz2bdpAlbaCtUnb2IGOPddCSmIuX
tNgqn084ZnmuzmgJE8x1QKkhBiZwrc2N5tcvP4JqujukM27mx5W+r31iTFXPUObQ
5ggpSdUB2ijy5+YOsKa6aYcMMSE+mjENTg/CqnHPPWm7czDYhxFUwokvT7ndXCsq
/ZfxcGiccmYPkfpQJ5iQ6m9vtKmMtofr6/jMatv2sQjN17phc/Fb3fjDD5+pnYEG
214EIEkBhZ76WvOTUQ0X
=gC6q
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: http request (no only session) replication in cluster

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

André,

On 6/11/13 11:32 AM, André Warnier wrote:
 Christopher Schultz wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
 
 Ja,
 
 On 6/11/13 9:54 AM, Ja kub wrote:
 What can be done to guarantee failover in below scenario:
 
 2 tomcats behind cisco loadbalancer 1 http request can last
 very long about 50 seconds - response from webservice can take
 so long load is 200 requests per second I must response in max
 4 seconds more than backing webservice
 
 is there something like http request replication ?
 
 50 s * 200 req/s = 10.000 pending requests
 
 if one tomcat is eg killed, can in any way other tomcat serve
 his requests ?
 
 is there any out of the box solution, eg similar to session 
 replication ?
 
 The best way to do this is to configure your load balancer to
 buffer responses and re-try another cluster node in the case of
 an unexpected disconnect.
 
 If you can't buffer the response, then it is entirely
 inappropriate to re-process a request: instead, you should let
 the failure propagate all the way back to the client and let them
 decide what to do.
 
 is it possible to save socket to database, or send it via
 network?
 
 No. I think you are confused about what a socket is.
 
 
 Is that just me, or does this look like a *massive* imbalance
 between the load, and the resources dedicated to serve that load ?

+1

200 req/sec * 50 seconds per request?

I get some folks do high-volume, high-response-time transactions.
Thankfully, not I ;)

 I somehow have trouble to envision any system working in any stable
 way, when right from the start it is assumed to have 10,000
 requests simultaneously being in various stages of processing.
 Unless one would have some Google-like server farms behind the
 thing anyway.

10k concurrent requests isn't really that insane. It's just having
them for nearly a minute each that's quite extraordinary.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRt4EhAAoJEBzwKT+lPKRY/+oQAI+BlbCJ7i7DzRYD2PnQfGYH
KXPTcXg7iYaiQtzP+jZBtKa9+EAkS2Kad+5fUyY8/rd81yxgRNVJ7N2EbNlOAJNM
9zbeAszl5+3tEUOuqktcibtuwdMjC4U0XcmyThBjFy1LAvggvoGOaZvVyLQleyps
Lw6fdUh0gy4fvkfSCEwZb1BQRbF8qO8bpqfaR7WorOgAcXEQMp5d0iiUwBydJLYQ
hFraOXvmDfNl6lbODoW0Wtd9YQKmj/sMCG86Tm9BVVUmOgL5df9Pbgac1FzDAMpP
/llROIH+T/8aT4u+iSByKcqmpAB6qI/csRk09vn3O6ZfffrmPGTKT1XfcN8iU6bn
b9nRTVah+pES6eHlOVMgFJ2hZ8uYSTETteZZAMUr24oH6TTvHDj7CYXfFioLQjI9
elvKvMpgU+JDpOfEX8ly/+u0GmMJH4WXT1EjL9l4JEMZuQyvWCgzwfC0JyqS0vVq
hGCOZlLWhwDyEZ9atESKasuRamexYUMqgMQimXhWNzI+ruP4NU050M3n1bM+vl7J
r1qzMCgcxD3jOvhoACQmfJ3APeoEfVKn2vc5ypzjGkS2fCK3rTmCnsEAl4R0JzBu
zYVWTCqFPZlgKaqEb+xlzdoi7CwEDRHc12CblYAQBIXkEW4c9fI929wuQPsuI3yp
bVZBgYBAeckMEr03ay+Y
=30OJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat + mysql xa setup

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

이재만,

Full disclosure: I've never done XA with any RDBMS.

On 6/10/13 7:15 PM, 이재만 wrote:
 how do i setup xa(2pc) on the tomcat with mysql ??? please anybody
 tell me setup process..

1. Make sure you are using Connector/J 5.0 or later [1]

2. Make sure you are using InnoDB storage engine for all involved
tables [2]

3. Use com.mysql.jdbc.jdbc2.optional.MysqlXADataSource as your driver

4. Declare your TransactionManager in context.xml [3]

Note that Tomcat does not provide its own TransactionManager: you have
to use a 3rd party one (Hibernate, Atomikos, OpenJPA, Bitronix, etc.).

You might want to check out this blog posting where someone has set
everything up from scratch, albeit with their own personal
preferences. Perhaps you can make some progress using it as a guide:

http://codepitbull.wordpress.com/2011/07/08/tomcat-7-with-full-jta/


[1] http://dev.mysql.com/doc/refman/5.0/en/connector-j-versions.html
[2] http://dev.mysql.com/doc/refman/5.0/en/xa-restrictions.html
[3]
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Transaction
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRt445AAoJEBzwKT+lPKRYxDIQAK4+RiIuGFsBqoO4NyXieJ2R
0tjq78uUnJdcpPv2gi7C+gszt2KDYBLn1teSAi2+Fc7clqtIIEXWO6ryi361bOpX
iPm0+ajqNYQfbO8cOo7OMog2hVtZTurVMBTePRATvdPIJw6lqhscesdN23AYCLqE
u9ahgYFNY5yXJjyen2KEiMWFLs78UFchBycaE2yfhmsBxl5VxGuTb44uTSUQaFNT
R7LXfZpLXK3KUkECtVqU2PzJ3ElQXM7nBOCUHqhDoKdIBOuD0m0OZbcc60yIizFq
bo+Ow5Wnl/o2Ekzpzu1XD9MsZOLn34AXfgYJZ/h+WMD+yzsWgxp4lSS73gsOG2Vm
CEYj6yweLO0Eg4CVigckVMwvvnWOqUT8jr3RBTwH9pAI5rTM/NyquU9awR623MJe
gXqmEIX+liL6UqbM7/kwjxxk+HnXi8lGx/tUkwtKUImCrvfHaJ+piM+Y85Ao4qao
vGPJps6Oyzd9rifwe36oDu9MCJ+2X8Wkph8yNoZ3ePl16tivSaggsbpxPH9UuSpj
v9oAHiIYsniPI6IBWvrTwvPm3F4seXyUPw0IdSr59+IM/ENddoQ4KoOYpFCgF5nA
+Ww7quoMDbKm2ljMpnOLgVjpzs2icLB3Vh0ZhUuuTlobNNEq9kG+iPvrD1zsi+ZC
LqN/JOXQF4o8JAwdCKFE
=tkk6
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: http request (no only session) replication in cluster

2013-06-11 Thread Ja kub

Andre, Christopher
thx for response,
requirement is system should be possible to process 160 req/sec (200 is
better to multiply)
and system is kind of failover proxy itself

there are 2 backing webservices, each can answer max 20s, it there is
timeout on first, I must call the second, if there is timeout on second I
send soap fault to client,
so usually it shouldn't be more than 20s per req, guys say that normally it
is 7-10 seconds/request,
but in worst case it is 2*20s*160 requests/s ~= 6400 pending requests (and
according to deal we must fulfill worst case)

even if there are so many requests they are pending on sockets,
I try to do it with NIO, asynchronous servlets and async cxf - both async
cxf webservice is exposed by me, and I also call backing ws with async cxf
I think even one tomcat on one server should be able to serve such 6400
pending requests with 160req/s,
apart from proxy there are also 4-6 inserts into database (cli req, resp;
1st ws call, resp; 2nd ws call, resp

how do You assess such architecture/attitude ?
do You expect problems with async exposed webservice based on async servlet
and NIO, and async cxf ws client ?
afaik cxf use thread locals, are they all right with tomcat async servlets
? (I don't define threadlocals by myself, only cxf possibly does)

Regards
Jakub

ps
I didn't really expect to be able to serialize tcp socket to db, but if it
where possible, than I would have request replication


On Tue, Jun 11, 2013 at 9:57 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 André,

 On 6/11/13 11:32 AM, André Warnier wrote:
  Christopher Schultz wrote:
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
 
  Ja,
 
  On 6/11/13 9:54 AM, Ja kub wrote:
  What can be done to guarantee failover in below scenario:
 
  2 tomcats behind cisco loadbalancer 1 http request can last
  very long about 50 seconds - response from webservice can take
  so long load is 200 requests per second I must response in max
  4 seconds more than backing webservice
 
  is there something like http request replication ?
 
  50 s * 200 req/s = 10.000 pending requests
 
  if one tomcat is eg killed, can in any way other tomcat serve
  his requests ?
 
  is there any out of the box solution, eg similar to session
  replication ?
 
  The best way to do this is to configure your load balancer to
  buffer responses and re-try another cluster node in the case of
  an unexpected disconnect.
 
  If you can't buffer the response, then it is entirely
  inappropriate to re-process a request: instead, you should let
  the failure propagate all the way back to the client and let them
  decide what to do.
 
  is it possible to save socket to database, or send it via
  network?
 
  No. I think you are confused about what a socket is.
 
 
  Is that just me, or does this look like a *massive* imbalance
  between the load, and the resources dedicated to serve that load ?

 +1

 200 req/sec * 50 seconds per request?

 I get some folks do high-volume, high-response-time transactions.
 Thankfully, not I ;)

  I somehow have trouble to envision any system working in any stable
  way, when right from the start it is assumed to have 10,000
  requests simultaneously being in various stages of processing.
  Unless one would have some Google-like server farms behind the
  thing anyway.

 10k concurrent requests isn't really that insane. It's just having
 them for nearly a minute each that's quite extraordinary.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iQIcBAEBCAAGBQJRt4EhAAoJEBzwKT+lPKRY/+oQAI+BlbCJ7i7DzRYD2PnQfGYH
 KXPTcXg7iYaiQtzP+jZBtKa9+EAkS2Kad+5fUyY8/rd81yxgRNVJ7N2EbNlOAJNM
 9zbeAszl5+3tEUOuqktcibtuwdMjC4U0XcmyThBjFy1LAvggvoGOaZvVyLQleyps
 Lw6fdUh0gy4fvkfSCEwZb1BQRbF8qO8bpqfaR7WorOgAcXEQMp5d0iiUwBydJLYQ
 hFraOXvmDfNl6lbODoW0Wtd9YQKmj/sMCG86Tm9BVVUmOgL5df9Pbgac1FzDAMpP
 /llROIH+T/8aT4u+iSByKcqmpAB6qI/csRk09vn3O6ZfffrmPGTKT1XfcN8iU6bn
 b9nRTVah+pES6eHlOVMgFJ2hZ8uYSTETteZZAMUr24oH6TTvHDj7CYXfFioLQjI9
 elvKvMpgU+JDpOfEX8ly/+u0GmMJH4WXT1EjL9l4JEMZuQyvWCgzwfC0JyqS0vVq
 hGCOZlLWhwDyEZ9atESKasuRamexYUMqgMQimXhWNzI+ruP4NU050M3n1bM+vl7J
 r1qzMCgcxD3jOvhoACQmfJ3APeoEfVKn2vc5ypzjGkS2fCK3rTmCnsEAl4R0JzBu
 zYVWTCqFPZlgKaqEb+xlzdoi7CwEDRHc12CblYAQBIXkEW4c9fI929wuQPsuI3yp
 bVZBgYBAeckMEr03ay+Y
 =30OJ
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Windows service for tomcat7

2013-06-11 Thread akshata chas

Hi,

I'm trying to install tomcat service for Windows 7 manually on my system
through command prompt.

I tried withservice.bat install MyProject but it looks like service
doesn't get installed properly because I can see the service in the list
but when I start it, it throws error.

Any idea on what could be the issue?

I'm not using tomcat's installer for windows as I would like to bundle it
along with my project installer with bundled Java as well. I could use
other Windows batch scripts of starting and shutting down tomcat which work
well.

Thanks

Re: Windows service for tomcat7

2013-06-11 Thread David kerber


On 6/11/2013 5:06 PM, akshata chas wrote:

Hi,

I'm trying to install tomcat service for Windows 7 manually on my system
through command prompt.

I tried withservice.bat install MyProject but it looks like service
doesn't get installed properly because I can see the service in the list
but when I start it, it throws error.

Any idea on what could be the issue?


Did you check the startup parameters for the service?  The easiest way 
to check them is with tomcat7w.





I'm not using tomcat's installer for windows as I would like to bundle it
along with my project installer with bundled Java as well. I could use
other Windows batch scripts of starting and shutting down tomcat which work
well.


net start MyProject

net stop MyProject




Thanks




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode

2013-06-11 Thread Steve Nickels

Hi all,

I've been trying to compile tcnative on Windows with a FIPS-compatible build of 
OpenSSL. I've been successful building and running tcnative this way, at least 
until I turn on FIPS mode on the AprLifecycleListener config in Tomcat.

When FIPSMode is set to off, Tomcat works fine, and SSL services operate 
correctly. When it is set to on, however, Tomcat refuses to start, and I get 
the following error in the catalina log file:

SEVERE: Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06B06F:FIPS 
routines:FIPS_check_incore_fingerprint:fingerprint does not match

I'm fairly confident that the OpenSSL library I'm using is valid and 
uncorrupted (I've used a couple different copies: an existing set of binaries 
being used successfully in another product internally, and a newly built 
version which I have successfully used the openssl utility against, without 
error). My assumption is that I'm not building/linking OpenSSL correctly into 
tcnative.

So far I've tried building both the tcnative and libtcnative projects via the 
supplied Visual Studio workspace. In the former case, the APR library appears 
to statically linked into tcnative-1.dll, so I don't have to provide 
libapr-1.dll, however I do still need to provide libeay.dll and ssleay.dll. In 
the latter case, I provide libtcnative-1.dll, libapr-1.dll, and the two OpenSSL 
libraries. In both cases, it works when FIPS mode is off, but not when it is on.

Is there anything special I need to do to correctly build tcnative to support a 
FIPS-compatible OpenSSL build with FIPSMode turned on in Tomcat?

All this is using Tomcat 7.0.32, tcnative 1.1.27, APR 1.4.6, and OpenSSL both 
1.0.1c and 1.0.1e, on 32-bit Windows Server 2008.

Thanks!

--Steve Nickels
Ipswitch, Inc.

Re: Windows service for tomcat7

2013-06-11 Thread André Warnier


akshata chas wrote:

Hi,

I'm trying to install tomcat service for Windows 7 manually on my system
through command prompt.

I tried withservice.bat install MyProject but it looks like service
doesn't get installed properly because I can see the service in the list
but when I start it, it throws error.


What error and where ?  Can you copy and paste the original error message here ?
Check the Windows error logs. A service start error should be in the System 
part.




Any idea on what could be the issue?

I'm not using tomcat's installer for windows as I would like to bundle it
along with my project installer with bundled Java as well. I could use
other Windows batch scripts of starting and shutting down tomcat which work
well.

Thanks




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Class cast exception when starting tomcat 7.0.1

2013-06-11 Thread Jane Muse

I'm getting a class cast exception when starting up tomcat 7.0.1. I've migrated 
from 6.0.18 to 7.0.1. I got the same error when migrating directly to 7.0.4. 
The error is:

SEVERE: Begin event threw exception
Throwable occurred: java.lang.ClassCastException: 
org.apache.catalina.deploy.SecurityConstraint incompatible with 
org.apache.catalina.deploy.SecurityConstraint
at org.apache.catalina.startup.SetAuthConstraintRule.begin(WebRuleSet.java:745)
 at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1282)
 at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
 at org.apache.xerces.impl.dtd.XMLDTDValidator.startElement(Unknown Source)
 at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown 
Source)
 at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
 Source)
 at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown 
Source)
 at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
 at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
 at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
 at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
 at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
 at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1543)
 at 
org.apache.catalina.startup.ContextConfig.parseWebXml(ContextConfig.java:1686)
 at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1201)
 at 
org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:874)
 at 
org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:317)
.
.
.

Jun 11, 2013 2:17:07 PM org.apache.catalina.startup.ContextConfig parseWebXml
SEVERE: Parse error in application web.xml file at 
jndi:/localhost/aldonsecurityservice/WEB-INF/web.xml
Throwable occurred: java.lang.ClassCastException: 
org.apache.catalina.deploy.SecurityConstraint incompatible with 
org.apache.catalina.deploy.SecurityConstraint
at 
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:2687)
 at 
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:2713)
 at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1285)
 at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
 at org.apache.xerces.impl.dtd.XMLDTDValidator.startElement(Unknown Source)
 at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown 
Source)
 at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
 Source)
 at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown 
Source)
 at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
 at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)

.
.
.
.
at java.lang.reflect.Method.invoke(Method.java:611)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:303)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
Jun 11, 2013 2:17:07 PM org.apache.catalina.startup.ContextConfig parseWebXml
SEVERE: Occurred at line 147 column 20
class load: java/util/LinkedHashMap$2
class load: java/util/LinkedHashMap$ValueIterator
class load: org.apache.catalina.core.StandardWrapperFacade from: 
file:/ALDON/ALDONLS/tomcat_alcsq/lib/catalina.jar
class load: org.apache.catalina.util.InstanceSupport from: 
file:/ALDON/ALDONLS/tomcat_alcsq/lib/catalina.jar
class load: org.apache.catalina.InstanceListener from: 
file:/ALDON/ALDONLS/tomcat_alcsq/lib/catalina.jar
class load: org.apache.catalina.core.StandardWrapperValve from: 
file:/ALDON/ALDONLS/tomcat_alcsq/lib/catalina.jar
class load: javax.servlet.descriptor.TaglibDescriptor from: 
file:/ALDON/ALDONLS/tomcat_alcsq/lib/servlet-api.jar

Is it possible my XML parsers need updating. I'm still using the same ones in 
my WEB-INF/lib of the webapp:

  xalan.jar
  xerces.jar
  xerces-2.6.2.jar
  xml-apis.jar
  xmlrpc-1.2-b1.jar

Thanks,

JMuse

RE: Class cast exception when starting tomcat 7.0.1

 From: Jane Muse [mailto:jm...@rocketsoftware.com] 
 Subject: Class cast exception when starting tomcat 7.0.1

 I'm getting a class cast exception when starting up tomcat 7.0.1

You can't be serious.  That version was never released, and would be almost 
three years old if it had been.  Use the current version: 7.0.41.

Do a fresh download and clean install, verify that Tomcat is working, then add 
your webapps one by one, insuring that each one operates properly before trying 
the next.  Do not directly copy any configuration from previous versions of 
Tomcat to the new one; modify the conf/*.xml files with whatever you need for 
your installation.  Also make sure you do not have the same classes in tomcat's 
lib directory and the webapp's WEB-INF/lib or WEB-INF/classes directories.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

OOME issue in Tomcat 6.0.18(with SSL)

2013-06-11 Thread Chirag Dewan

Hi All,

I am facing an Out of Memory Issue with my application. I am using Embedded 
Tomcat 6.0.18. I have a simple servlet deployed which does nothing but set the 
HTTPResponse and return it.

Now I have 2 testing clients

Client 1:

HTTPClient 3.1 with MultiThreadedHttpConnectionManager with SSL 
maxConnections = 200
maxConnectionsPerHost=200

Client 2:

HTTPClient 4.1 in which I configured multiple threads  

                for (int i = 0; i  noofConnections; i++) { 
                Thread t = new Thread(my); 
                t.start(); 
            }


With every thread executing HTTPGet on the servlet. This too with SSL.


Now with client 1,my JVM crashes after just a few minutes. Running with 8gb 
heap space. 


I took a heap dump for 2gb heap space using Jmap and analyzed it with MAT. It 
seems that there were many instances of 
org.apache.catalina.session.StandardManager consuming almost 95% of heap space.

CPU utilization is only 13 -14% and I can see only 65 threads active with 
netstat.


With Client 2,everything looks fine. Though JVM crashes at 2gb,but at 8gb it 
works fine. Though CPU utilization is almost 90% and 100 simultaneous threads 
created for 100 simultaneous threads. 

Both my server and clients are on Linux 64 bit machines.

I believe that this is something related to the client 1 i.e. either the 
HTTPClient 3.1 or the MultiThreadedConnectionManager,but posting here if 
someone can assist me in what might be the root cause.


Chirag

RE: OOME issue in Tomcat 6.0.18(with SSL)