RE: Customizing SSL in HttpClient
-----Original Message-----
From: Anil Goyal -X (anigoyal - Aricent Technologies at Cisco)
Sent: Tuesday, June 11, 2013 11:23 AM
To: Tomcat Users List
Subject: RE: Customizing SSL in HttpClient

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, June 10, 2013 7:51 PM
To: Tomcat Users List
Subject: Re: Customizing SSL in HttpClient

Anil,

On 6/10/13 8:42 AM, Anil Goyal -X (anigoyal - Aricent Technologies at Cisco) wrote:

I am trying to create a http client and send a request to certain port of a server using below code:

    HttpClient client = new HttpClient();
    client.getHostConfiguration().setHost(address, portNumber, protocol);

Here portNumber that I am setting is 8444(https port of tomcat)

When I execute client.executemethod() and at the server side when I tried to retrieve request.getRequestURL(), I am getting the url with port 443 not 8444 which I set in client. Even request.getServerPort is giving 443 not 8444.

Is there any kind of port-forwarding or anything else going on?

The things are working fine for 8081(http port of tomcat) i.e.

    HttpClient client = new HttpClient();
    client.getHostConfiguration().setHost(address, portNumber, protocol);

Here portNumber that I am setting is 8081(https port of tomcat)

When I execute client.executemethod() and at the server side when I tried to retrieve request.getRequestURL(), I am getting the url with port 8081 which I set in client. Even request.getServerPort is giving 8081.

Can you show us a bit more of the code? It's not clear from your client code that the port number is set correctly, and you only mentioned the server. Can you give us some of that, too? Also, what do your Connector elements look like in server.xml?

-chris

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org

Please consider the code flow as below:

    HttpClient client = new HttpClient();
    portNumber = secure ? LocalNetworkConstants.DEFAULT_HTTPS_PORT : LocalNetworkConstants.DEFAULT_HTTP_PORT;
    // DEFAULT_HTTPS_PORT=8444 and DEFAULT_HTTP_PORT=8081 define in LocalNetworkConstants.java
    LOG.debug("the value of https port is" + String.valueOf(portNumber));
    if (secure) {
        Protocol protocol = new Protocol(LocalNetworkConstants.URISCHEME_HTTPS,
                new ExtendedProtocolSocketFactory(address,
                        locationData.isAcceptSelfSignedCertificates(),
                        locationData.isAcceptCertificateErrors()),
                portNumber);
        client.getHostConfiguration().setHost(address, portNumber, protocol);
        LOG.debug("setting the host for https" + String.valueOf(portNumber));
    } else {
        client.getHostConfiguration().setHost(address, portNumber);
        LOG.debug("setting the host for http" + String.valueOf(portNumber));
    }
    GetMethod method = new GetMethod(LocalNetworkConstants.INFO_FEEDER_PATH);
    int returnCode = client.executeMethod(method);

This is the code at the client side. At the server side, I have 8444 and 8081 port defined in server.xml

    <Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="2"
               disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8193"
               maxSpareThreads="25" maxThreads="25" minSpareThreads="10" port="8081"
               protocol="HTTP/1.1" redirectPort="8444" server="" />

    <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers=""
               clientAuth="false" disableUploadTimeout="true" enableLookups="false"
               keystoreFile="" keystorePass="" keystoreType="" maxHttpHeaderSize="8192"
               maxSpareThreads="25" maxThreads="25" minSpareThreads="10" port="8444"
               protocol="HTTP/1.1" scheme="https" secure="true" server="" sslProtocol="TLS" />

Also I have these two ports entry in iptables. Now in the tomcat redirection valve, I have below code written

    int port = request.getServerPort();
    StringBuffer url = request.getRequestURL();

So now the problem is, when from client I disable ssl and send the request at port
Re: mod_jk worker activation not working anymore in 1.2.37?
On 10.06.2013 22:20, Rainer Jung wrote:

Looking at the current changelog,

    <section name="Changes between 1.2.37 and 1.2.38">
    ...
    <fix>
    Fix status worker not updating parameters for all members. (mturk)
    </fix>

That is http://svn.apache.org/viewvc?view=revision&revision=1354021

Yes that should be it. If the OP compiles himself, just add the tiny patch

http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_status.c?r1=1354021&r2=1354020&pathrev=1354021

to your mod_jk source before compiling.

Regards,
Rainer

Works like a charm, thanks to you two! In case there are other Debian Wheezy users reading this, here's what I did:

    apt-get build-dep libapache-mod-jk
    apt-get source libapache-mod-jk
    cd libapache-mod-jk-1.2.37
    vim native/common/jk_status.c
    # patch line 3650 to: wr->sequence = -1;
    dpkg-source --commit
    dpkg-buildpackage
    cd ..
    dpkg -i libapache2-mod-jk_1.2.37-1_amd64.deb

Thanks again

best regards,
David Gubler
RE: Customizing SSL in HttpClient
Anil,

if you want JSSE Handshaking to be enabled on server enable AprLifecycle Listener on server.xml e.g.

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Any WebServer (including Tomcat) has no knowledge of external HTML Servers around it. You should use netstat

    netstat -ab | grep 443

Tell us what you see

Martin
RE: Customizing SSL in HttpClient
Hi,

Netstat -an | grep 443 gives below output

    tcp   0   0   :::8443   :::*   LISTEN
    tcp   0   0   :::443    :::*   LISTEN
    unix  2   [ ]   DGRAM   662443
[ANN] Apache Tomcat 7.0.41 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.41.

Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages and Java Expression Language technologies.

This release contains a number of bug fixes and improvements compared to version 7.0.40. The notable changes include:

- Add a Servlet Filter that implements CORS. Patch provided by Mohit Soni.
- Ensure that when Tomcat's anti-resource locking features are used that the temporary copy of the web application and not the original is removed when the web application stops.
- Add support for the version attribute to the deploy command of the Ant tasks for interfacing with the text based Manager application. Patch provided by Sergey Tcherednichenko.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note: This version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Note: If you use the APR/native AJP or HTTP connector you *must* upgrade to version 1.1.24 or later of the AJP/native library and it is recommended that you upgrade to 1.1.27

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guides from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html
RE: Illegal access: this web application instance has been stopped already and NoClassDefFoundError
    I org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1115)
    Caused by: java.lang.ClassNotFoundException: org.apache.zookeeper.server.ZooTrace

MG> put zookeeper*.jar on CLASSPATH

        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1711)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
        ... 1 more

at the same time, the following is also in catalina.out:

    INFO: Illegal access: this web application instance has been stopped already. Could not load org.apache.zookeeper.server.ZooTrace. The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.
    java.lang.IllegalStateException
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1597)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
        at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1115)

I searched google and mail list, couldn't find any solution, please help me.

Environment info:
JDK: 1.6.0_45
Tomcat: 7.0.40
Zookeeper: 3.4.5

Can you give us any more of the stack trace? It looks like this is happening during shutdown, but all the ServletContextListeners should complete before the WebappClassLoader starts shedding its loaded classes. Are you explicitly shutting-down the ClientCnxn thread in a SCL's destroy() method? If not, you need to do that.

Sorry, I can't get any more of the stack trace. We wrapped zookeeper client as a spring bean and invoked method close of zookeeper in destroy-method of bean, in that method close, zookeeper Send Thread was closed. When tomcat was shut down, Spring closed its container and bean was destroyed, then destroy-method of bean was invoked. I am confused why Send Thread of Zookeeper seemed to exit slower than the WebappClassLoader shedding its loaded classes.

ps: details of zookeeper closing

org.apache.zookeeper.Zookeeper

    public synchronized void close() throws InterruptedException {
        if (!cnxn.getState().isAlive()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Close called on already closed client");
            }
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Closing session: 0x" + Long.toHexString(getSessionId()));
        }
        try {
            cnxn.close();
        } catch (IOException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Ignoring unexpected exception during close", e);
            }
        }
        LOG.info("Session: 0x" + Long.toHexString(getSessionId()) + " closed");
    }

org.apache.zookeeper.ClientCnxn

    public void close() throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Closing client for session: 0x" + Long.toHexString(getSessionId()));
        }
        try {
            RequestHeader h = new RequestHeader();
            h.setType(ZooDefs.OpCode.closeSession);
            submitRequest(h, null, null, null);
        } catch (InterruptedException e) {
            // ignore, close the send/event threads
        } finally {
            disconnect();
        }
    }

    public void disconnect() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Disconnecting client for session: 0x" + Long.toHexString(getSessionId()));
        }
        sendThread.close();
        eventThread.queueEventOfDeath();
    }

org.apache.zookeeper.ClientCnxn.SendThread

    void close() {
        state = States.CLOSED;
        clientCnxnSocket.wakeupCnxn();
    }

    @Override
    public void run() {
        clientCnxnSocket.introduce(this,sessionId);
        clientCnxnSocket.updateNow();
        clientCnxnSocket.updateLastSendAndHeard();
        int to;
        long lastPingRwServer = System.currentTimeMillis();
        while (state.isAlive()) {
            try {
                if (!clientCnxnSocket.isConnected()) {
                    if(!isFirstConnect){
                        try {
                            Thread.sleep(r.nextInt(1000));
                        } catch (InterruptedException e) {
                            LOG.warn("Unexpected exception", e);
                        }
                    }
                    // don't re-establish connection if we are closing
SSL Issue- Support required.
Hello Team,

Objective: Help and Support required to troubleshoot SSL issue on Tomcat. This Web application server would be used to Launch SAP Business Object's Login Page.

Tomcat version: 6.0
Operating System: [image]

As of Now status: http://localhost/ and http://localhost:8080/
These two above links works displaying the Tomcat Homepage. [image]

The SSL configuration is done as per the standard SSL set up link http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html . Unfortunately after the SSL set up the link https://localhost:8443/BOE/BI is not displaying the Login page. Instead we get a Certification error as displayed below. [image]

Please help to troubleshoot this issue. More information on this would be provided as per the request.

Thanks
Regards
Veena B S
RE: Illegal access: this web application instance has been stopped already and NoClassDefFoundError
Hi,

Zookeeper jar had been under CLASSPATH.

thanks,
bob

From: mgai...@hotmail.com
To: users@tomcat.apache.org
Subject: RE: Illegal access: this web application instance has been stopped already and NoClassDefFoundError
Date: Tue, 11 Jun 2013 06:37:52 -0400

    I org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1115)
    Caused by: java.lang.ClassNotFoundException: org.apache.zookeeper.server.ZooTrace

MG> put zookeeper*.jar on CLASSPATH

        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1711)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
        ... 1 more

at the same time, the following is also in catalina.out:

    INFO: Illegal access: this web application instance has been stopped already. Could not load org.apache.zookeeper.server.ZooTrace. The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.
    java.lang.IllegalStateException
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1597)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
        at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1115)

I searched google and mail list, couldn't find any solution, please help me.

Environment info:
JDK: 1.6.0_45
Tomcat: 7.0.40
Zookeeper: 3.4.5

Can you give us any more of the stack trace? It looks like this is happening during shutdown, but all the ServletContextListeners should complete before the WebappClassLoader starts shedding its loaded classes. Are you explicitly shutting-down the ClientCnxn thread in a SCL's destroy() method? If not, you need to do that.

Sorry, I can't get any more of the stack trace. We wrapped zookeeper client as a spring bean and invoked method close of zookeeper in destroy-method of bean, in that method close, zookeeper Send Thread was closed. When tomcat was shut down, Spring closed its container and bean was destroyed, then destroy-method of bean was invoked. I am confused why Send Thread of Zookeeper seemed to exit slower than the WebappClassLoader shedding its loaded classes.

ps: details of zookeeper closing

org.apache.zookeeper.Zookeeper

    public synchronized void close() throws InterruptedException {
        if (!cnxn.getState().isAlive()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Close called on already closed client");
            }
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Closing session: 0x" + Long.toHexString(getSessionId()));
        }
        try {
            cnxn.close();
        } catch (IOException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Ignoring unexpected exception during close", e);
            }
        }
        LOG.info("Session: 0x" + Long.toHexString(getSessionId()) + " closed");
    }

org.apache.zookeeper.ClientCnxn

    public void close() throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Closing client for session: 0x" + Long.toHexString(getSessionId()));
        }
        try {
            RequestHeader h = new RequestHeader();
            h.setType(ZooDefs.OpCode.closeSession);
            submitRequest(h, null, null, null);
        } catch (InterruptedException e) {
            // ignore, close the send/event threads
        } finally {
            disconnect();
        }
    }

    public void disconnect() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Disconnecting client for session: 0x" + Long.toHexString(getSessionId()));
        }
        sendThread.close();
        eventThread.queueEventOfDeath();
    }

org.apache.zookeeper.ClientCnxn.SendThread

    void close() {
        state = States.CLOSED;
        clientCnxnSocket.wakeupCnxn();
    }

    @Override
    public void run() {
        clientCnxnSocket.introduce(this,sessionId);
        clientCnxnSocket.updateNow();
        clientCnxnSocket.updateLastSendAndHeard();
        int to;
        long lastPingRwServer = System.currentTimeMillis();
        while (state.isAlive()) {
            try {
                if (!clientCnxnSocket.isConnected()) {
                    if(!isFirstConnect){
                        try {
                            Thread.sleep(r.nextInt(1000));
                        } catch (InterruptedException e) {
                            LOG.warn("Unexpected exception", e);
                        }
                    }
                    // don't re-establish connection if we are closing
                    if (closing || !state.isAlive()) {
                        break;
                    }
                    startConnect();
                    clientCnxnSocket.updateLastSendAndHeard();
                }
                if (state.isConnected()) {
                    // determine whether we need to send an AuthFailed event.
                    if (zooKeeperSaslClient != null) {
                        boolean sendAuthEvent = false;
                        if (zooKeeperSaslClient.getSaslState() == ZooKeeperSaslClient.SaslState.INITIAL) {
                            try {
undefined reference to `TLSv1_1_client_method
Hi everybody,

With apache 2.4.4, I tried, without success, to build binaries. I've got this error each time:

    ab.o: In function `main':
    /opt/httpd-2.4.4/support/ab.c:2271: undefined reference to `TLSv1_1_client_method'
    /opt/httpd-2.4.4/support/ab.c:2273: undefined reference to `TLSv1_2_client_method'
    collect2: ld returned 1 exit status
    make[2]: *** [ab] Erreur 1
    make[2]: quittant le répertoire « /opt/httpd-2.4.4/support »
    make[1]: *** [all-recursive] Erreur 1
    make[1]: quittant le répertoire « /opt/httpd-2.4.4/support »
    make: *** [all-recursive] Erreur 1

by launching this command:

    ./configure --prefix=/usr/local/apache2 --enable-so --enable-mods-shared=all --with-included-apr --with-ssl=/opt/apache-tomcat-7.0.40/bin/tomcat-native-1.1.27-src/jni/native/srclib/openssl-1.0.1e --enable-ssl --enable-v4-mapped

Have you got a workaround to fix this problem?

Thx.
Re: SSL Issue- Support required.
Please help to troubleshoot this issue. More information on this would be provided as per the request.

Thanks
Regards
Veena B S

The mailing list strips attachments. Please try again, sending a plain text email without any attachments

Thanks

Chris
RE: Illegal access: this web application instance has been stopped already and NoClassDefFoundError
From: ruxing bao [mailto:brxonl...@hotmail.com]
Subject: RE: Illegal access: this web application instance has been stopped already and NoClassDefFoundError

Zookeeper jar had been under CLASSPATH.

Do not ever use the CLASSPATH environment variable. In a Tomcat environment, it is properly ignored; in other environments, it can only create confusion. Read the Tomcat doc on classloading and decide in which of the standard locations you should put the Zookeeper jar. It would normally be placed in the webapp's WEB-INF/lib directory.

- Chuck
RE: SSL Issue- Support required.
From: B S, Veena [mailto:veena@hp.com]
Subject: SSL Issue- Support required.

Tomcat version: 6.0

The SSL configuration is done as per the standard SSL set up link http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html .

If you're using Tomcat 6, you have no reason to look at Tomcat 5.5 documentation. Use the proper doc for the level you're running on, and make sure you follow either the APR or JSSE versions, depending on whether or not you're using APR.

- Chuck
RE: Illegal access: this web application instance has been stopped already and NoClassDefFoundError
Yes, my reply caused some confusion. I mean that currently zookeeper jar is placed in my web application's WEB-INF/lib directory.

thanks,
Bob
Re: undefined reference to `TLSv1_1_client_method
To whom it may concern,

On 6/11/13 7:58 AM, de...@cines.fr wrote:

With apache 2.4.4, I tried, without success, to build binaries. I've got this error each time:

    ab.o: In function `main':
    /opt/httpd-2.4.4/support/ab.c:2271: undefined reference to `TLSv1_1_client_method'
    /opt/httpd-2.4.4/support/ab.c:2273: undefined reference to `TLSv1_2_client_method'
    collect2: ld returned 1 exit status
    make[2]: *** [ab] Erreur 1
    make[2]: quittant le répertoire « /opt/httpd-2.4.4/support »
    make[1]: *** [all-recursive] Erreur 1
    make[1]: quittant le répertoire « /opt/httpd-2.4.4/support »
    make: *** [all-recursive] Erreur 1

by launching this command:

    ./configure --prefix=/usr/local/apache2 --enable-so --enable-mods-shared=all --with-included-apr --with-ssl=/opt/apache-tomcat-7.0.40/bin/tomcat-native-1.1.27-src/jni/native/srclib/openssl-1.0.1e --enable-ssl --enable-v4-mapped

Have you got a workaround to fix this problem?

I think you've got the wrong mailing list: this list is for Apache Tomcat, a Java web application server. You appear to be building the Apache web server (a different product).

The list you want can be found here: https://httpd.apache.org/lists.html#http-users

-chris
RE: undefined reference to `TLSv1_1_client_method
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: undefined reference to `TLSv1_1_client_method

> > by launching this command:
> > ./configure --prefix=/usr/local/apache2 --enable-so --enable-mods-shared=all --with-included-apr --with-ssl=/opt/apache-tomcat-7.0.40/bin/tomcat-native-1.1.27-src/jni/native/srclib/openssl-1.0.1e --enable-ssl --enable-v4-mapped

> I think you've got the wrong mailing list: this list is for Apache Tomcat, a Java web application server. You appear to be building the Apache web server (a different product). The list you want can be found here: https://httpd.apache.org/lists.html#http-users

I think the confusion is that the OP is trying to build httpd using the version of OpenSSL that comes with Tomcat - which seems a bit backwards, at the very least.

- Chuck
http request (no only session) replication in cluster
What can be done to guarantee failover in below scenario:

2 tomcats behind cisco loadbalancer
1 http request can last very long about 50 seconds - response from webservice can take so long
load is 200 requests per second
I must respond in max 4 seconds more than backing webservice

is there something like http request replication ?

50 s * 200 req/s = 10.000 pending requests

if one tomcat is eg killed, can in any way other tomcat serve his requests ?

is there any out of the box solution, eg similar to session replication ?

regards

ps is it possible to save socket to database, or send it via network?
Re: Illegal access: this web application instance has been stopped already and NoClassDefFoundError
Bob,

On 6/11/13 1:05 AM, ruxing bao wrote:
> Sorry, I can't get any more of the stack trace. We wrapped zookeeper client as a spring bean and invoked method close of zookeeper in destroy-method of bean, in that method close, zookeeper Send Thread was closed. When tomcat was shut down, Spring closed its container and bean was destroyed, then destroy-method of bean was invoked. I'm confused why Send Thread of Zookeeper seemed to exit slower than the WebappClassLoader shedding its loaded classes.

Threads don't always shut down immediately... let's see how you are telling the thread to shut down:

> ps: details of zookeeper closing

(Thanks!)

> org.apache.zookeeper.Zookeeper
>
> public synchronized void close() throws InterruptedException {
>     if (!cnxn.getState().isAlive()) {
>         if (LOG.isDebugEnabled()) {
>             LOG.debug("Close called on already closed client");
>         }
>         return;
>     }
>     if (LOG.isDebugEnabled()) {
>         LOG.debug("Closing session: 0x" + Long.toHexString(getSessionId()));
>     }
>     try {
>         cnxn.close();
>     } catch (IOException e) {
>         if (LOG.isDebugEnabled()) {
>             LOG.debug("Ignoring unexpected exception during close", e);
>         }
>     }
>     LOG.info("Session: 0x" + Long.toHexString(getSessionId()) + " closed");
> }

So, during webapp shutdown you should be getting the message Closing session 0x[...], right? No errors?

Is cnxn of type org.apache.zookeeper.ClientCnxn? That seems to be the case, but it's worth checking.

> -- org.apache.zookeeper.ClientCnxn
>
> public void close() throws IOException {
>     if (LOG.isDebugEnabled()) {
>         LOG.debug("Closing client for session: 0x" + Long.toHexString(getSessionId()));
>     }
>     try {
>         RequestHeader h = new RequestHeader();
>         h.setType(ZooDefs.OpCode.closeSession);
>         submitRequest(h, null, null, null);
>     } catch (InterruptedException e) {
>         // ignore, close the send/event threads
>     } finally {
>         disconnect();
>     }
> }
>
> public void disconnect() {
>     if (LOG.isDebugEnabled()) {
>         LOG.debug("Disconnecting client for session: 0x" + Long.toHexString(getSessionId()));
>     }
>     sendThread.close();
>     eventThread.queueEventOfDeath();
> }

Okay, so calling close asks the thread to stop (somewhat indirectly).

> org.apache.zookeeper.ClientCnxn.SendThread
>
> void close() {
>     state = States.CLOSED;
>     clientCnxnSocket.wakeupCnxn();
> }
>
> @Override
> public void run() {
>     clientCnxnSocket.introduce(this,sessionId);
>     clientCnxnSocket.updateNow();
>     clientCnxnSocket.updateLastSendAndHeard();
>     int to;
>     long lastPingRwServer = System.currentTimeMillis();
>     while (state.isAlive()) {
>         try {
>             if (!clientCnxnSocket.isConnected()) {
>                 if(!isFirstConnect){
>                     try {
>                         Thread.sleep(r.nextInt(1000));
>                     } catch (InterruptedException e) {
>                         LOG.warn("Unexpected exception", e);
>                     }
>                 }
>                 // don't re-establish connection if we are closing
>                 if (closing || !state.isAlive()) {
>                     break;
>                 }
>                 startConnect();
>                 clientCnxnSocket.updateLastSendAndHeard();
>             }
>             if (state.isConnected()) {
>                 // determine whether we need to send an AuthFailed event.
>                 if (zooKeeperSaslClient != null) {
>                     boolean sendAuthEvent = false;
>                     if (zooKeeperSaslClient.getSaslState() == ZooKeeperSaslClient.SaslState.INITIAL) {
>                         try {
>                             zooKeeperSaslClient.initialize(ClientCnxn.this);
>                         } catch (SaslException e) {
>                             LOG.error("SASL authentication with Zookeeper Quorum member failed: " + e);
>                             state = States.AUTH_FAILED;
>                             sendAuthEvent = true;
>                         }
>                     }
>                     KeeperState authState = zooKeeperSaslClient.getKeeperState();
>                     if (authState != null) {
>                         if (authState == KeeperState.AuthFailed) {
>                             // An authentication error occurred during authentication with the Zookeeper Server.
>                             state = States.AUTH_FAILED;
>                             sendAuthEvent = true;
>                         } else {
>                             if (authState == KeeperState.SaslAuthenticated) {
>                                 sendAuthEvent = true;
>                             }
>                         }
>                     }
>                     if (sendAuthEvent == true) {
>                         eventThread.queueEvent(new WatchedEvent(
>                             Watcher.Event.EventType.None, authState,null));
>                     }
>                 }
>                 to = readTimeout - clientCnxnSocket.getIdleRecv();
>             } else {
>                 to = connectTimeout - clientCnxnSocket.getIdleRecv();
>             }
>             if (to <= 0) {
>                 throw new SessionTimeoutException(
>                     "Client session timed out, have not heard from server in "
>                     + clientCnxnSocket.getIdleRecv() + "ms"
>                     + " for sessionid 0x" + Long.toHexString(sessionId));
>             }
>             if (state.isConnected()) {
>                 int timeToNextPing = readTimeout / 2 - clientCnxnSocket.getIdleSend();
>                 if (timeToNextPing <= 0) {
>                     sendPing();
>                     clientCnxnSocket.updateLastSend();
>                 } else {
>                     if (timeToNextPing < to) {
>                         to = timeToNextPing;
>                     }
>                 }
>             }
>             // If we are in read-only mode, seek for read/write server
>             if (state == States.CONNECTEDREADONLY) {
>                 long now = System.currentTimeMillis();
>                 int idlePingRwServer = (int) (now - lastPingRwServer);
>                 if (idlePingRwServer >= pingRwTimeout) {
>                     lastPingRwServer = now;
>                     idlePingRwServer = 0;
>                     pingRwTimeout = Math.min(2*pingRwTimeout, maxPingRwTimeout);
>                     pingRwServer();
>                 }
>                 to = Math.min(to, pingRwTimeout - idlePingRwServer);
>             }
>             clientCnxnSocket.doTransport(to, pendingQueue, outgoingQueue, ClientCnxn.this);
>         } catch (Throwable e) {
>             if
Re: undefined reference to `TLSv1_1_client_method
Chuck,

On 6/11/13 9:46 AM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Subject: Re: undefined reference to `TLSv1_1_client_method
>
>>> by launching this command:
>>> ./configure --prefix=/usr/local/apache2 --enable-so --enable-mods-shared=all --with-included-apr --with-ssl=/opt/apache-tomcat-7.0.40/bin/tomcat-native-1.1.27-src/jni/native/srclib/openssl-1.0.1e --enable-ssl --enable-v4-mapped
>
>> I think you've got the wrong mailing list: this list is for Apache Tomcat, a Java web application server. You appear to be building the Apache web server (a different product). The list you want can be found here: https://httpd.apache.org/lists.html#http-users
>
> I think the confusion is that the OP is trying to build httpd using the version of OpenSSL that comes with Tomcat - which seems a bit backwards, at the very least.

Tomcat doesn't distribute OpenSSL, so the OP probably just happened to have it in that directory.

I'm a bit confused as to why configure would have failed with a make error which is obviously trying to link something. configure should not be attempting to compile/link anything (except trivial programs to probe the environment).

I suspect the problem is a broken environment where one OpenSSL (1.0.1e) is being used for part of the process and a different one (0.9.8? 1.0.0?) is being used for compilation (or linking).
-chris
Re: http request (no only session) replication in cluster
Ja,

On 6/11/13 9:54 AM, Ja kub wrote:
> What can be done to guarantee failover in below scenario:
>
> 2 tomcats behind cisco loadbalancer
> 1 http request can last very long about 50 seconds - response from webservice can take so long
> load is 200 requests per second
> I must respond in max 4 seconds more than backing webservice
>
> is there something like http request replication ?
>
> 50 s * 200 req/s = 10.000 pending requests
>
> if one tomcat is eg killed, can in any way other tomcat serve his requests ?
>
> is there any out of the box solution, eg similar to session replication ?

The best way to do this is to configure your load balancer to buffer responses and re-try another cluster node in the case of an unexpected disconnect. If you can't buffer the response, then it is entirely inappropriate to re-process a request: instead, you should let the failure propagate all the way back to the client and let them decide what to do.

> is it possible to save socket to database, or send it via network?

No. I think you are confused about what a socket is.
-chris
Re: Customizing SSL in HttpClient
2013/6/11 Anil Goyal -X (anigoyal - Aricent Technologies at Cisco) anigo...@cisco.com: Please consider the code flow as below: HttpClient client = new HttpClient(); portNumber = secure ? LocalNetworkConstants.DEFAULT_HTTPS_PORT : LocalNetworkConstants.DEFAULT_HTTP_PORT; // DEFAULT_HTTPS_PORT=8444 and DEFAULT_HTTP_PORT=8081 define in LocalNetworkConstants.java LOG.debug(the value of https port is+String.valueOf(portNumber)); if (secure) { Protocol protocol = new Protocol(LocalNetworkConstants.URISCHEME_HTTPS, new ExtendedProtocolSocketFactory(address, locationData.isAcceptSelfSignedCertificates(), locationData.isAcceptCertificateErrors()) , portNumber); client.getHostConfiguration().setHost(address, portNumber, protocol); LOG.debug(setting the host for https+String.valueOf(portNumber)); } else { client.getHostConfiguration().setHost(address, portNumber); LOG.debug(setting the host for http+String.valueOf(portNumber)); } GetMethod method = new GetMethod(LocalNetworkConstants.INFO_FEEDER_PATH); int returnCode = client.executeMethod(method); This is the code at the client side. At the server side, I have 8444 and 8081 port defined in server.xml Connector URIEncoding=UTF-8 acceptCount=100 connectionTimeout=2 disableUploadTimeout=true enableLookups=false maxHttpHeaderSize=8193 maxSpareThreads=25 maxThreads=25 minSpareThreads=10 port=8081 protocol=HTTP/1.1 redirectPort=8444 server= / Connector SSLEnabled=true URIEncoding=UTF-8 acceptCount=100 ciphers= clientAuth=false disableUploadTimeout=true enableLookups=false keystoreFile= keystorePass= keystoreType= maxHttpHeaderSize=8192 maxSpareThreads=25 maxThreads=25 minSpareThreads=10 port=8444 protocol=HTTP/1.1 scheme=https secure=true server= sslProtocol=TLS/ Also I have these two ports entry in iptables. 
Now in the tomcat redirection valve, I have below code written int port = request.getServerPort(); StringBuffer url = request.getRequestURL(); So now the problem are is, when from client I disable ssl and send the request at port 8081 then in tomcat valve, port -8081 and url also contains port 8081. But when from client , I enable ssl and send the request at port 8444, then here in valve the request.getServerPort returns 443 and even in url also port is 443. So I am not able to understand why the https port is converting into 443 from 8444 while http port 8081 is working fine. Even in tomcat access valve, the request is coming at port 8444 as shown below [11/Jun/2013:11:16:58 +0530] 10.93.230.203 10.93.230.203 admin - 8444 GET /feeder/info HTTP/1.1 500 2581 123 For http port also the request is coming at port 8081 of tomcat [11/Jun/2013:11:18:29 +0530] 10.93.230.203 10.93.230.203 admin - 8081 GET /feeder/info HTTP/1.1 200 4377 286 But I am totally confused why request.getServerPort is giving 443 for https ??? AccessLogValve uses the same getServerPort() call, though directly on a tomcat-internal request object. So maybe your request is wrapped by some HttpServletRequestWrapper (which overrides getServerPort() method and provides a different value)? Try to connect a debugger and step into that getServerPort() call. https://wiki.apache.org/tomcat/FAQ/Developing#Debugging - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Customizing SSL in HttpClient
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Anil, On 6/11/13 1:53 AM, Anil Goyal -X (anigoyal - Aricent Technologies at Cisco) wrote: -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Monday, June 10, 2013 7:51 PM To: Tomcat Users List Subject: Re: Customizing SSL in HttpClient Anil, On 6/10/13 8:42 AM, Anil Goyal -X (anigoyal - Aricent Technologies at Cisco) wrote: I am trying to create a http client and send a request to certain port of a server using below code: HttpClient client = new HttpClient(); client.getHostConfiguration().setHost(address, portNumber, protocol); Here portNumber that I am setting is 8444(https port of tomcat) When I execute client.executemethod() and at the server side when I tried to retrieve request.getRequestURL(), I am getting the url with port 443 not 8444 which I set in client. Even request.getServerPort is giving 443 not 8444. Is there any kind of port-forwarding or anything else going on? The things are working fine for 8081(http port of tomcat) i..e HttpClient client = new HttpClient(); client.getHostConfiguration().setHost(address, portNumber, protocol); Here portNumber that I am setting is 8081(https port of tomcat) When I execute client.executemethod() and at the server side when I tried to retrieve request.getRequestURL(), I am getting the url with port 8081 which I set in client. Even request.getServerPort is giving 8081. Can you show us a bit more of the code? It's not clear from you client code that the port number is set correctly, and you only mentioned the server. Can you give us some of that, too? Also, what do your Connector elements look like in server.xml? -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Please consider the code flow as below: HttpClient client = new HttpClient(); portNumber = secure ? 
LocalNetworkConstants.DEFAULT_HTTPS_PORT : LocalNetworkConstants.DEFAULT_HTTP_PORT; // DEFAULT_HTTPS_PORT=8444 and DEFAULT_HTTP_PORT=8081 define in LocalNetworkConstants.java LOG.debug(the value of https port is+String.valueOf(portNumber)); if (secure) { Protocol protocol = new Protocol(LocalNetworkConstants.URISCHEME_HTTPS, new ExtendedProtocolSocketFactory(address, locationData.isAcceptSelfSignedCertificates(), locationData.isAcceptCertificateErrors()) , portNumber); client.getHostConfiguration().setHost(address, portNumber, protocol); LOG.debug(setting the host for https+String.valueOf(portNumber)); } else { client.getHostConfiguration().setHost(address, portNumber); LOG.debug(setting the host for http+String.valueOf(portNumber)); } GetMethod method = new GetMethod(LocalNetworkConstants.INFO_FEEDER_PATH); int returnCode = client.executeMethod(method); This is the code at the client side. At the server side, I have 8444 and 8081 port defined in server.xml Connector URIEncoding=UTF-8 acceptCount=100 connectionTimeout=2 disableUploadTimeout=true enableLookups=false maxHttpHeaderSize=8193 maxSpareThreads=25 maxThreads=25 minSpareThreads=10 port=8081 protocol=HTTP/1.1 redirectPort=8444 server= / Connector SSLEnabled=true URIEncoding=UTF-8 acceptCount=100 ciphers= clientAuth=false disableUploadTimeout=true enableLookups=false keystoreFile= keystorePass= keystoreType= maxHttpHeaderSize=8192 maxSpareThreads=25 maxThreads=25 minSpareThreads=10 port=8444 protocol=HTTP/1.1 scheme=https secure=true server= sslProtocol=TLS/ Also I have these two ports entry in iptables. Which two ports? What have you done with them in iptables? Now in the tomcat redirection valve, I have below code written int port = request.getServerPort(); StringBuffer url = request.getRequestURL(); What is the Tomcat redirection valve? So now the problem are is, when from client I disable ssl and send the request at port 8081 then in tomcat valve, port -8081 and url also contains port 8081. 
But when from client , I enable ssl and send the request at port 8444, then here in valve the request.getServerPort returns 443 and even in url also port is 443. If the URL contains port 443, then your client connection is not actually contacting port 8444. Can you confirm with a packet-sniffer or something else that you are connecting to 8444 and not 443? It's possible that there is a bug in HttpClient that makes it connect to whatever port you requested (8444) but then also sends hostname:443 as the Host header. If that happens, Tomcat will use that :443 as the return value for getServerPort (note that this is specified in the Servlet Javadocs). If you want the real port Tomcat answered on, use HttpServletRequest.getLocalPort. So I am not able to understand why the https port is converting into 443 from 8444 while http port 8081 is working fine. Even
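The distinction drawn in the reply above (getServerPort() follows the Host header, getLocalPort() is the port the connection was accepted on), as an added example that is not code from the thread or from Tomcat. The class and method names are hypothetical, the Host values are constructed around the address in the access log, and the fallback to the scheme default when the Host header names no port is an assumption about the container:

```java
import java.util.OptionalInt;

/** Added illustration; hypothetical names, not Tomcat's implementation. */
public class ServerPortCheck {

    /** Returns the port written in a Host header value, or empty if it names none. */
    static OptionalInt portFromHostHeader(String host) {
        if (host == null || host.isEmpty()) {
            return OptionalInt.empty();
        }
        int colon;
        if (host.startsWith("[")) {
            // IPv6 literal such as [::1]:8444: only a colon after ']' separates the port.
            int close = host.indexOf(']');
            if (close < 0 || close == host.length() - 1 || host.charAt(close + 1) != ':') {
                return OptionalInt.empty();
            }
            colon = close + 1;
        } else {
            colon = host.lastIndexOf(':');
            if (colon < 0) {
                return OptionalInt.empty();
            }
        }
        String digits = host.substring(colon + 1);
        if (digits.isEmpty() || digits.length() > 5) {
            return OptionalInt.empty();
        }
        for (int i = 0; i < digits.length(); i++) {
            char c = digits.charAt(i);
            if (c < '0' || c > '9') {
                return OptionalInt.empty();
            }
        }
        int port = Integer.parseInt(digits);
        return (port >= 1 && port <= 65535) ? OptionalInt.of(port) : OptionalInt.empty();
    }

    /**
     * Models what a servlet would see from getServerPort().
     * Assumption: with no Host header the accepting port is used, and with a
     * Host header that names no port the scheme default (443 or 80) is used.
     */
    static int reportedServerPort(String hostHeader, String scheme, int localPort) {
        if (hostHeader == null || hostHeader.isEmpty()) {
            return localPort;
        }
        OptionalInt fromHeader = portFromHostHeader(hostHeader);
        if (fromHeader.isPresent()) {
            return fromHeader.getAsInt();
        }
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    /** One diagnostic line; in a servlet the inputs come from getHeader("Host"), getScheme(), getLocalPort(). */
    static String diagnose(String hostHeader, String scheme, int localPort) {
        int reported = reportedServerPort(hostHeader, scheme, localPort);
        String verdict = (reported == localPort)
                ? "consistent"
                : "MISMATCH: Host header is client-supplied, use the local port for redirects";
        return String.format("Host=%-20s scheme=%-5s local=%-5d server=%-5d %s",
                hostHeader, scheme, localPort, reported, verdict);
    }

    public static void main(String[] args) {
        // Constructed Host header values; ports 8081 and 8444 are the connectors from the thread.
        System.out.println(diagnose("10.93.230.203:8081", "http", 8081));
        System.out.println(diagnose("10.93.230.203:8444", "https", 8444));
        System.out.println(diagnose("10.93.230.203:443", "https", 8444));
        System.out.println(diagnose("10.93.230.203", "https", 8444));
        System.out.println(diagnose(null, "https", 8444));
    }
}
```

The third and fourth cases both report 443 while the connection was accepted on 8444, which is the symptom described in the thread; a packet capture of the Host header tells the two apart.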
Re: Customizing SSL in HttpClient
Martin,

On 6/11/13 6:12 AM, Martin Gainty wrote:
> if you want JSSE Handshaking to be enabled on server enable AprLifecycle Listener on server.xml e.g.
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

This is absolutely false. If you want JSSE, you must not configure SSLEngine="on" in the AprLifecycleListener unless you also specify in your Connector that you don't want to use APR.

Stop confusing everyone.

-chris
Possible to expose a Tomcat Realm instance through JNDI ?
Hi, In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is already being used for HTTP Basic authentication but couldn't find a way how to get hold of the actual Realm instance. I spent quite some time looking for a solution (complicated by the fact that most Google hits actually referred to the LDAP authentication realm) but found none. Is there a config-file-only solution or do I need to dig into the Tomcat source code and come up with my own JNDI ObjectFactory to achieve this ? Cheers, Tobias
Re: http request (no only session) replication in cluster
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Ja, On 6/11/13 9:54 AM, Ja kub wrote: What can be done to guarantee failover in below scenario: 2 tomcats behind cisco loadbalancer 1 http request can last very long about 50 seconds - response from webservice can take so long load is 200 requests per second I must response in max 4 seconds more than backing webservice is there something like http request replication ? 50 s * 200 req/s = 10.000 pending requests if one tomcat is eg killed, can in any way other tomcat serve his requests ? is there any out of the box solution, eg similar to session replication ? The best way to do this is to configure your load balancer to buffer responses and re-try another cluster node in the case of an unexpected disconnect. If you can't buffer the response, then it is entirely inappropriate to re-process a request: instead, you should let the failure propagate all the way back to the client and let them decide what to do. is it possible to save socket to database, or send it via network? No. I think you are confused about what a socket is. Is that just me, or does this look like a *massive* imbalance between the load, and the resources dedicated to serve that load ? I somehow have trouble to envision any system working in any stable way, when right from the start it is assumed to have 10,000 requests simultaneously being in various stages of processing. Unless one would have some Google-like server farms behind the thing anyway. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Possible to expose a Tomcat Realm instance through JNDI ?
I don't think there is a HTTP Basic authentication realm. The authentication type is declared in the auth-method of your web.xml and can be used in conjunction with a number of different realm implementations. Exactly what do you mean by re-use? Does this mean you are doing authentication from within your web app? Oliver -Original Message- From: users-return-242237-OLIVER.TANGLIN=saic@tomcat.apache.org on behalf of Tobias Gierke Sent: Tue 6/11/2013 11:20 AM To: users@tomcat.apache.org Subject: Possible to expose a Tomcat Realm instance through JNDI ? Hi, In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is already being used for HTTP Basic authentication but couldn't find a way how to get hold of the actual Realm instance. I spent quite some time looking for a solution (complicated by the fact that most Google hits actually referred to the LDAP authentication realm) but found none. Is there a config-file-only solution or do I need to dig into the Tomcat source code and come up with my own JNDI ObjectFactory to achieve this ? Cheers, Tobias - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat7 and SPNEGO configuration questions
James, Regarding your question a), HTTP 401 is a tangle of both not authenticated and not authorized. You're at least getting through authentication of the end user. At least that's my interpretation of Krb5Context logging of KrbApReq: authenticate succeed. and logged values for mySeqNumber and peerSeqNumber. (In my case I'm not getting even this far.) On your b), Felix's example for debugging a jmeter issue uses an LDAP call to check for group membership. This is configured within a realm / in server.xml, leveraging the the user's delegated credentials via a request attribute so applications can make use of them [presumably for more fine-grained authorization control]. Anyway, this seems to be an application level augmentation of SPNEGO vice a contradiction of the patch comment for the initial SPNEGO support in Tomcat-7.0.12. (48685: Add initial support for SPNEGO/Kerberos authentication also referred to as integrated Windows authentication. This includes user authentication, authorisation via the directory using the user's delegated credentials and exposing the user's delegated credentials via a request attribute so applications can make use of them to impersonate the current user when accessing third-party systems that use a compatible authentication mechanism. Based on a patch provided by Michael Osipov. (markt).) There doesn't seem to be documentation that expands authorisation via the directory using the user's delegated credentials into a configuration option. As written the comment for 48685 says SPNEGO support doesn't stop at authentication; it [somehow] handles authorization, too. On c), absent documentation, the details in https://issues.apache.org/bugzilla/show_bug.cgi?id=48685 might help explain the developers' sense of the intended working order, provide some clues on the JAAS and SPNEGO configuration requirements. At least that's what I'm reading through. 
On d), you might already know this, but KDCRep: init() encoding tag is 126 req type is 11 translates to exception: Asn1Exception - if an error occurs while decoding an ASN1 encoded data. The actual text is from sun.security.krb5.internal.KDCRep:

    /**
     * Initializes an KDCRep object.
     *
     * @param encoding a single DER-encoded value.
     * @param req_type reply message type.
     * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
     * @exception IOException if an I/O error occurs while reading encoded data.
     * @exception RealmException if an error occurs while constructing
     * a Realm object from DER-encoded data.
     * @exception KrbApErrException if the value read from the DER-encoded
     * data stream does not match the pre-defined value.
     *
     */
    protected void init(DerValue encoding, int req_type)
            throws Asn1Exception, RealmException, IOException,
                   KrbApErrException {
        DerValue der, subDer;
        if ((encoding.getTag() & 0x1F) != req_type) {
            if (DEBUG) {
                System.out.println("KDCRep: init() " +
                                   "encoding tag is " +
                                   encoding.getTag() +
                                   " req type is " + req_type);
            }
            throw new Asn1Exception(Krb5.ASN1_BAD_ID);
        }

This snippet is from openjdk; http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html. There's also Oracle's http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html. It doesn't have the actual logging line, though.

Edward

From: james.henderson [james.hender...@rbc.com]
Sent: Monday, June 10, 2013 5:35 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat7 and SPNEGO configuration questions

I am in a similar situation to Edward. My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3, #bytes=166
KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=166
KrbKdcReq send: #bytes read=152
KrbKdcReq send: #bytes read=152
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
  sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
  suSec is 764076
  error code is 25
  error Message is Additional pre-authentication required
  realm is DEV
  sname is krbtgt/DEV
  eData provided.
  msgType is 30
Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23
Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
Pre-Authentication Data: PA-DATA type = 15
AcquireTGT: PREAUTH
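How the "encoding tag is 126 req type is 11" line in the message above decodes, as an added example that is not part of the thread or of the JDK: it applies the same `& 0x1F` test as the quoted KDCRep.init() and names the Kerberos message types from RFC 4120. The class name is hypothetical; the first sample line is the one from the log above and the second is constructed to show the matching case.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration; hypothetical class, not JDK code. */
public class KdcRepTagDecoder {

    // Kerberos message types (RFC 4120); each is carried in an APPLICATION-class tag.
    private static final Map<Integer, String> MSG_TYPES = new HashMap<>();
    static {
        MSG_TYPES.put(10, "AS-REQ");
        MSG_TYPES.put(11, "AS-REP");
        MSG_TYPES.put(12, "TGS-REQ");
        MSG_TYPES.put(13, "TGS-REP");
        MSG_TYPES.put(14, "AP-REQ");
        MSG_TYPES.put(15, "AP-REP");
        MSG_TYPES.put(20, "KRB-SAFE");
        MSG_TYPES.put(21, "KRB-PRIV");
        MSG_TYPES.put(22, "KRB-CRED");
        MSG_TYPES.put(30, "KRB-ERROR");
    }

    private static final String[] TAG_CLASSES =
            {"UNIVERSAL", "APPLICATION", "CONTEXT-SPECIFIC", "PRIVATE"};

    private static final Pattern DEBUG_LINE =
            Pattern.compile("KDCRep: init\\(\\) encoding tag is (\\d+) req type is (\\d+)");

    static String messageName(int type) {
        String name = MSG_TYPES.get(type);
        return name != null ? name : "unknown";
    }

    /** Splits a single DER identifier octet into class, form and tag number. */
    static String describeTag(int octet) {
        if (octet < 0 || octet > 0xFF) {
            throw new IllegalArgumentException("not a single octet: " + octet);
        }
        int number = octet & 0x1F;              // low five bits: tag number
        if (number == 0x1F) {
            throw new IllegalArgumentException("multi-octet tag form is not handled here");
        }
        int tagClass = (octet >> 6) & 0x03;     // top two bits: tag class
        String form = (octet & 0x20) != 0 ? "constructed" : "primitive";
        String meaning = tagClass == 1 ? messageName(number) : "not a Kerberos message tag";
        return TAG_CLASSES[tagClass] + " " + number + ", " + form + " (" + meaning + ")";
    }

    /** Explains one KDCRep debug line using the same comparison as KDCRep.init(). */
    static String explain(String logLine) {
        Matcher m = DEBUG_LINE.matcher(logLine);
        if (!m.find()) {
            return "not a KDCRep.init() debug line";
        }
        int tag = Integer.parseInt(m.group(1));
        int reqType = Integer.parseInt(m.group(2));
        boolean mismatch = (tag & 0x1F) != reqType;
        return "tag " + tag + " = " + describeTag(tag)
                + "; expected " + reqType + " (" + messageName(reqType) + "): "
                + (mismatch ? "mismatch, init() throws Asn1Exception" : "match, decoding continues");
    }

    public static void main(String[] args) {
        // Line taken from the log quoted in the thread.
        System.out.println(explain("KDCRep: init() encoding tag is 126 req type is 11"));
        // Constructed line: 107 is APPLICATION 11, the tag of an AS-REP.
        System.out.println(explain("KDCRep: init() encoding tag is 107 req type is 11"));
    }
}
```

For the logged line this reports tag number 30 (KRB-ERROR) where an AS-REP was expected, which agrees with "msgType is 30" in the KRBError dump that follows it.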
Re: Possible to expose a Tomcat Realm instance through JNDI ?
Hi Oliver, I don't think there is a HTTP Basic authentication realm. The authentication type is declared in the auth-method of your web.xml and can be used in conjunction with a number of different realm implementations. Exactly what do you mean by re-use? Does this mean you are doing authentication from within your web app? My application is exposing a SOAP service (through Spring-WS servlet) for which I want to do method-level access control. Since the service endpoint already uses container-based HTTP Basic authentication, I'd like to reuse the realm implementation (and configuration, obviously) in my own code to get hold of the user's roles. I just found HttpServletRequest#getUserPrincipal() , maybe I can just downcast the result to org.apache.catalina.realm.GenericPrincipal and invoke getRoles() on this... ugly, but well... ;) Cheers, Tobi Oliver -Original Message- From: users-return-242237-OLIVER.TANGLIN=saic@tomcat.apache.org on behalf of Tobias Gierke Sent: Tue 6/11/2013 11:20 AM To: users@tomcat.apache.org Subject: Possible to expose a Tomcat Realm instance through JNDI ? Hi, In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is already being used for HTTP Basic authentication but couldn't find a way how to get hold of the actual Realm instance. I spent quite some time looking for a solution (complicated by the fact that most Google hits actually referred to the LDAP authentication realm) but found none. Is there a config-file-only solution or do I need to dig into the Tomcat source code and come up with my own JNDI ObjectFactory to achieve this ? 
Cheers, Tobias - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Tobias Gierke Development VOIPFUTURE GmbH Wendenstraße 4 20097 Hamburg, Germany Phone +49 40 688 900 111 Mobile +49 172 323 06 11 Fax +49 40 688 900 199 Email jan.bast...@voipfuture.com Web http://www.voipfuture.com CEO Jan Bastian Commercial Court AG Hamburg HRB 109896, VAT ID DE263738086
RE: Possible to expose a Tomcat Realm instance through JNDI ?
I think I now understand your issue. I was faced with a similar problem and could not figure out how to get the roles of an authenticated user through the servlet API. It seems to only allow the question 'request.isUserInRole(role)'. But does not seem to provide a way to get a list of roles that the user is in. I used a kludge whereby I defined the valid roles in a context init parameter (bad duplication of effort). Then used 'request.isUserInRole(role)'. I did not think to cast the 'request.getUserPrincipal()' return value. Please post if your methodology works.

Oliver

-Original Message-
From: users-return-242241-OLIVER.TANGLIN=saic@tomcat.apache.org on behalf of Tobias Gierke
Sent: Tue 6/11/2013 12:07 PM
To: users@tomcat.apache.org
Subject: Re: Possible to expose a Tomcat Realm instance through JNDI ?

Hi Oliver,

> I don't think there is a HTTP Basic authentication realm. The authentication type is declared in the auth-method of your web.xml and can be used in conjunction with a number of different realm implementations. Exactly what do you mean by re-use? Does this mean you are doing authentication from within your web app?

My application is exposing a SOAP service (through Spring-WS servlet) for which I want to do method-level access control. Since the service endpoint already uses container-based HTTP Basic authentication, I'd like to reuse the realm implementation (and configuration, obviously) in my own code to get hold of the user's roles. I just found HttpServletRequest#getUserPrincipal() , maybe I can just downcast the result to org.apache.catalina.realm.GenericPrincipal and invoke getRoles() on this... ugly, but well... ;)

Cheers, Tobi

> Oliver
>
> -Original Message-
> From: users-return-242237-OLIVER.TANGLIN=saic@tomcat.apache.org on behalf of Tobias Gierke
> Sent: Tue 6/11/2013 11:20 AM
> To: users@tomcat.apache.org
> Subject: Possible to expose a Tomcat Realm instance through JNDI ?
>
>> Hi, In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is already being used for HTTP Basic authentication but couldn't find a way how to get hold of the actual Realm instance. I spent quite some time looking for a solution (complicated by the fact that most Google hits actually referred to the LDAP authentication realm) but found none. Is there a config-file-only solution or do I need to dig into the Tomcat source code and come up with my own JNDI ObjectFactory to achieve this ?
>>
>> Cheers, Tobias
RE: Tomcat7 and SPNEGO configuration questions
Pardon my apparent dyslexia: This snippet is from openjdk; http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html. There's also Oracle's http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html. It doesn't have the actual logging line, though. http://www.docjar.com/html/api/sun/security/krb5/internal/KDCRep.java.html does contain this.

From: james.henderson [james.hender...@rbc.com]
Sent: Monday, June 10, 2013 5:35 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat7 and SPNEGO configuration questions

I am in a similar situation to Edward. My authentication says something like:

principal's key obtained from the keytab Acquire TGT using AS Exchange default etypes for default_tkt_enctypes: 23 18 17. KrbAsReq calling createMessage KrbAsReq in createMessage KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3, #bytes=166 KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=166 KrbKdcReq send: #bytes read=152 KrbKdcReq send: #bytes read=152 KDCRep: init() encoding tag is 126 req type is 11 KRBError: sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000 suSec is 764076 error code is 25 error Message is Additional pre-authentication required realm is DEV sname is krbtgt/DEV eData provided.
msgType is 30 Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23 Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP Pre-Authentication Data: PA-DATA type = 15 AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ KrbAsReq salt is DEVserver.dev Pre-Authenticaton: find key for etype = 23 AS-REQ: Add PA_ENC_TIMESTAMP now EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbAsReq calling createMessage KrbAsReq in createMessage KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3, #bytes=249 KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=249 KrbKdcReq send: #bytes read=1384 KrbKdcReq send: #bytes read=1384 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev principal is HTTP/guedlvwcfv001.dev@DEV EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted) Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted) [Krb5LoginModule] added Krb5Principal HTTP/server.dev@DEV to Subject Commit Succeeded Found key for HTTP/server.dev@DEV(23) Entered Krb5Context.acceptSecContext with state=STATE_NEW EType: sun.security.krb5.internal.crypto.ArcFourHmacEType Using builtin default etypes for permitted_enctypes default etypes for permitted_enctypes: 3 1 23 16 17 18. EType: sun.security.krb5.internal.crypto.ArcFourHmacEType Config reset default kdc DEV object 0: 1370899284091/91026 object 0: 1370899284091/91026 replay cache found. KrbApReq: authenticate succeed. 
Krb5Context setting peerSeqNumber to: 1400102526 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType Krb5Context setting mySeqNumber to: 909711492 [Krb5LoginModule]: Entering logout [Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] GET /webeditors/hello HTTP/1.1 401 951

We have another page that uses spring SPNEGO and it works fine with exactly the same user. My security constraint/login config looks like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
    <url-pattern>/hello</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my webapp. Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work. Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11 error.

Thanks,
James Henderson
Re: Mapping security role outside of servlet specification
On 05.06.2013 13:42, Ilya Kazakevich wrote:
> Hello, I use probe app for several tomcats. Its security model is based on servlet API security: security roles and constraints are provided in web.xml and mapped for each servlet it has. I use JNDIRealm to authenticate users via LDAP (actually AD is used). I want to grant access to Probe on Tomcat1' installation for people from Group1 and to Tomcat2 to people from Group2. But manager group is hard-coded in web.xml inside of probe! I want to map group Group1 from LDAP realm to role manager in tomcat. How can I do that? I can't use security-role-ref because I should put in servlet tag, so I can't do that on tomcat level. There is security-role-mapping tag in some servers but it is proprietary and not supported by tomcat. So the only way for me is to extract .war file and patch web.xml.

That is the way, we do it at work. For probe, that is. For other applications we are using different Attributes in the ldap group objects to map to different names for the role.

Greetings
Felix

> What is the best way to solve it?
> Ilya.
Re: Tomcat7 and SPNEGO configuration questions
Hi Edward,

On 10.06.2013 21:31, Edward Siewick wrote:
> Felix, Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two possibilities seem worth digging at. First, there's likely a gap in my understanding of the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying to use the most simple authentication / authorization example available in the default Tomcat7 kit, the manager-gui auth-constraint / role-name and an ordinary conf/tomcat-users.xml. Regarding the web.xml, the HowTo only mentions that SPNEGO is to be used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of guesses on that point in the instruction. Is there something more needed in the web.xml?

No, there is nothing else needed in web.xml. Authentication will be done by using SPNego and authorization by whatever realm you have configured for the context.

> Second, I'm restricting my configuration to only AES256 (aes256-cts-hmac-sha1-96) and a keytab created only for AES256. Is the default pre-built Tomcat7 kit known to work with that, by just adding Oracle's jce_policy-6.zip?

In my example I used tomcat 7.0.40 with openjdk 7u21 without any modifications. My server keytab held an aes256-cts-hmac-sha1-96 encoded key. So tomcat has no problems per se with that encoding-combination.

> I'm picking at this because, where my log trace seems OK with the AD MSA's keytab, for a user authentication it jumps straight to a logout:
>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW [Krb5LoginModule]: Entering logout [Krb5LoginModule]: logged out Subject
>
> It's at this point that your trace goes on to Using builtin default etypes for permitted_enctypes, authenticates an end user, and seems to be waiting for further end users. It does pick up both type 18 (AES256) and 17 (AES128), but only reports using the AES128:

My old trace was produced with an aes128 encrypted key, so that may explain that. I had to enable aes256 explicitly for apacheds, which I hadn't bothered first. With aes256 the trace looks like this:

... KrbAsRep cons in KrbAsReq.getReply HTTP/www.example.com Added key: 18version: 1 Ordering keys wrt default_tkt_enctypes list Using builtin default etypes for default_tkt_enctypes default etypes for default_tkt_enctypes: 18 17 16 23 1 3. Found KeyTab Found KerberosKey for HTTP/www.example@example.com Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key: 18version: 1 Ordering keys wrt default_tkt_enctypes list Using builtin default etypes for default_tkt_enctypes default etypes for default_tkt_enctypes: 18 17 16 23 1 3. EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType Using builtin default etypes for permitted_enctypes default etypes for permitted_enctypes: 18 17 16 23 1 3. EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType replay cache for user0...@example.com is null. object 0: 1370973475196/196436 KrbApReq: authenticate succeed. EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType Delegated Creds have pname=user0...@example.com sname=krbtgt/example@example.com authtime=20130611175709Z starttime=20130611175755Z endtime=20130612175704ZrenewTill=null ...

> Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key: 17version: 1 Added key: 18version: 1 Added key: 3version: 1 Added key: 23version: 1 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 18 17. EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType Using builtin default etypes for permitted_enctypes default etypes for permitted_enctypes: 18 17 16 23 1 3. EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType replay cache for user00...@example.com is null. object 0: 1370027872357/357663 KrbApReq: authenticate succeed. Krb5Context setting peerSeqNumber to: 758340766 Krb5Context setting mySeqNumber to: 758340766
>
> Edward
>
> P.S.: The example server.xml bit from your bugzilla test kit provides for role based authorization. If I can get my very simple example to work, I'll try to use it. On that point, the bit:
>
> Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldap://localhost:10389; userBase=ou=users,ou=security,dc=example,dc=com userSearch=(uid={0}) roleBase=ou=groups,dc=example,dc=com roleName=cn roleSearch=(uniqueMember={0}) useDelegatedCredential=false /
>
> or a similar tidy might be added to the HowTo, right after: The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, by default the JNDI Realm will use the user's delegated credentials to connect to the Active Directory.

That would be a bad example, since I explicitly disabled the delegation of the credentials in my case :)
Re: Tomcat7 and SPNEGO configuration questions
On 10.06.2013 22:06, Edward Siewick wrote:
> I've tried an AES128 keytab and matching krb5.conf; this didn't get any further.

Could you try an arc4 one?

Felix

> Edward
>
> From: Edward Siewick [esiew...@ementum.com]
> Sent: Monday, June 10, 2013 3:31 PM
> To: Tomcat Users List
> Subject: RE: Tomcat7 and SPNEGO configuration questions
>
> Felix, Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two possibilities seem worth digging at. First, there's likely a gap in my understanding of the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying to use the most simple authentication / authorization example available in the default Tomcat7 kit, the manager-gui auth-constraint / role-name and an ordinary conf/tomcat-users.xml. Regarding the web.xml, the HowTo only mentions that SPNEGO is to be used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of guesses on that point in the instruction. Is there something more needed in the web.xml?
>
> Second, I'm restricting my configuration to only AES256 (aes256-cts-hmac-sha1-96) and a keytab created only for AES256. Is the default pre-built Tomcat7 kit known to work with that, by just adding Oracle's jce_policy-6.zip?
>
> I'm picking at this because, where my log trace seems OK with the AD MSA's keytab, for a user authentication it jumps straight to a logout:
>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW [Krb5LoginModule]: Entering logout [Krb5LoginModule]: logged out Subject
>
> It's at this point that your trace goes on to Using builtin default etypes for permitted_enctypes, authenticates an end user, and seems to be waiting for further end users. It does pick up both type 18 (AES256) and 17 (AES128), but only reports using the AES128:
>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key: 17version: 1 Added key: 18version: 1 Added key: 3version: 1 Added key: 23version: 1 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 18 17. EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType Using builtin default etypes for permitted_enctypes default etypes for permitted_enctypes: 18 17 16 23 1 3. EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType replay cache for user00...@example.com is null. object 0: 1370027872357/357663 KrbApReq: authenticate succeed. Krb5Context setting peerSeqNumber to: 758340766 Krb5Context setting mySeqNumber to: 758340766
>
> Edward
>
> P.S.: The example server.xml bit from your bugzilla test kit provides for role based authorization. If I can get my very simple example to work, I'll try to use it. On that point, the bit:
>
> Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldap://localhost:10389; userBase=ou=users,ou=security,dc=example,dc=com userSearch=(uid={0}) roleBase=ou=groups,dc=example,dc=com roleName=cn roleSearch=(uniqueMember={0}) useDelegatedCredential=false /
>
> or a similar tidy might be added to the HowTo, right after: The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, by default the JNDI Realm will use the user's delegated credentials to connect to the Active Directory.
>
> From: Felix Schumacher [felix.schumac...@internetallee.de]
> Sent: Wednesday, June 05, 2013 4:12 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat7 and SPNEGO configuration questions
>
> On 03.06.2013 20:48, Edward Siewick wrote:
>> Felix Friends, I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the syntax of: server.xml for JAAS; the webapp's realm bits in web.xml for SPNEGO, or; tomcat-users.xml. I have tried changing tomcat-users.xml to OPENIDMDEV/esiewick, COM.OPENIDMDEV/esiewick and just esiewick. And, I've adjusted the Account ID in the Windows Security prompt to match each of these.
>
> If I read your logs at the end of your mail correctly, I think you haven't gotten that far as to have authenticated an user. In my logs you could see an user1 being authenticated. But I can't really tell you, why your user was not authenticated. At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have described how I setup a tomcat with apacheds as a kerberos server. You might want to try that setup.
>
> Regards
> Felix
Re: Tomcat7 and SPNEGO configuration questions
On 10.06.2013 23:35, james.henderson wrote:
> I am in a similar situation to Edward. My authentication says something like:
>
> principal's key obtained from the keytab Acquire TGT using AS Exchange default etypes for default_tkt_enctypes: 23 18 17. KrbAsReq calling createMessage KrbAsReq in createMessage KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3, #bytes=166 KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=166 KrbKdcReq send: #bytes read=152 KrbKdcReq send: #bytes read=152 KDCRep: init() encoding tag is 126 req type is 11 KRBError: sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000 suSec is 764076 error code is 25 error Message is Additional pre-authentication required realm is DEV sname is krbtgt/DEV eData provided. msgType is 30 Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23 Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP Pre-Authentication Data: PA-DATA type = 15 AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ KrbAsReq salt is DEVserver.dev Pre-Authenticaton: find key for etype = 23 AS-REQ: Add PA_ENC_TIMESTAMP now EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbAsReq calling createMessage KrbAsReq in createMessage KrbKdcReq send: kdc=dev UDP:88, timeout=3, number of retries =3, #bytes=249 KDCCommunication: kdc=dev UDP:88, timeout=3,Attempt =1, #bytes=249 KrbKdcReq send: #bytes read=1384 KrbKdcReq send: #bytes read=1384 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev principal is HTTP/guedlvwcfv001.dev@DEV EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted) Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted) [Krb5LoginModule] added Krb5Principal HTTP/server.dev@DEV to Subject Commit Succeeded Found key for HTTP/server.dev@DEV(23) Entered Krb5Context.acceptSecContext with state=STATE_NEW EType: sun.security.krb5.internal.crypto.ArcFourHmacEType Using builtin default etypes for permitted_enctypes default etypes for permitted_enctypes: 3 1 23 16 17 18. EType: sun.security.krb5.internal.crypto.ArcFourHmacEType Config reset default kdc DEV object 0: 1370899284091/91026 object 0: 1370899284091/91026 replay cache found. KrbApReq: authenticate succeed. Krb5Context setting peerSeqNumber to: 1400102526 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType Krb5Context setting mySeqNumber to: 909711492 [Krb5LoginModule]: Entering logout [Krb5LoginModule]: logged out Subject
>
> But the page always returns 401 if I try to use it:
>
> 10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] GET /webeditors/hello HTTP/1.1 401 951
>
> We have another page that uses spring SPNEGO and it works fine with exactly the same user. My security constraint/login config looks like this:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
>     <url-pattern>/hello</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>*</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>SPNEGO</auth-method>
> </login-config>
>
> I would like some idea how to:
> a) get tomcat to tell me why it is returning 401 in this case (debug logs?)

You can enable more logging of the realm code by adding org.apache.catalina.realm.level=FINE to your conf/logging.properties file.

> b) Understand how the windows users/roles are going to map to any used in my webapp. Is it a 1:1 mapping, or does it need some sort of configuration?

SPNego will only do authentication. Authorization is done via the configured realm. If your users and roles are stored in an LDAP directory (as I suspect it is), you can use the JNDIRealm to configure where tomcat will look for your users and their roles. For more info look at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm

> c) get more documentation on how these things are actually supposed to work. Most of the information I find is examples, not proper documentation.

If you are not happy with the examples, you can look at the configuration docs cunningly hidden at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm

Regards,
Felix

> d) Understand why I get this: init() encoding tag is 126 req type is 11 error.
>
> Thanks,
> James Henderson
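The traces quoted by Edward and James in this thread differ in two ways that can be read off mechanically: whether an acceptSecContext attempt ever reaches "KrbApReq: authenticate succeed", and which etype the accepted ticket used. The script below is an added example, not code from the thread or from Tomcat; the sample trace is constructed from the line shapes quoted above, and the function names and verdict labels are assumptions.

```python
import re

# Kerberos etype numbers that occur in the traces (RFC 3961/3962/4757).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {1, 3, 16, 23}
# JDK EType class names as they appear in the thread's traces.
CLASS_TO_ETYPE = {
    "ArcFourHmacEType": 23,
    "Aes128CtsHmacSha1EType": 17,
    "Aes256CtsHmacSha1EType": 18,
}

ACCEPT = "Entered Krb5Context.acceptSecContext"
AP_REQ_OK = "KrbApReq: authenticate succeed"
LOGOUT = "[Krb5LoginModule]: Entering logout"
ETYPE_RE = re.compile(r"EType: sun\.security\.krb5\.internal\.crypto\.(\w+)")
PERMITTED_RE = re.compile(r"default etypes for permitted_enctypes: ([\d ]+)\.")

# Constructed sample, one message per line: three acceptor attempts shaped like
# the ones in the thread (straight to logout; RC4 accepted; AES256 accepted).
SAMPLE_TRACE = """\
Found key for HTTP/www.example.com@EXAMPLE.COM(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbApReq: authenticate succeed.
[Krb5LoginModule]: Entering logout
Entered Krb5Context.acceptSecContext with state=STATE_NEW
default etypes for permitted_enctypes: 18 17 16 23 1 3.
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbApReq: authenticate succeed.
"""


def triage(trace):
    """Split a trace into acceptSecContext attempts and classify each one."""
    attempts, current = [], None
    for line in trace.splitlines():
        if ACCEPT in line:
            current = {"etypes": [], "permitted": [], "authenticated": False}
            attempts.append(current)
            continue
        if current is None:
            continue  # keytab login / AS exchange lines outside any attempt
        match = ETYPE_RE.search(line)
        if match:
            etype = CLASS_TO_ETYPE.get(match.group(1))
            if etype is not None and etype not in current["etypes"]:
                current["etypes"].append(etype)
        match = PERMITTED_RE.search(line)
        if match:
            current["permitted"] = [int(n) for n in match.group(1).split()]
        if AP_REQ_OK in line:
            current["authenticated"] = True
        if LOGOUT in line:
            current = None  # the attempt is over once the login module logs out
    for a in attempts:
        a["deprecated_in_use"] = [e for e in a["etypes"] if e in DEPRECATED]
        a["deprecated_permitted"] = [e for e in a["permitted"] if e in DEPRECATED]
        if not a["authenticated"]:
            # Never reached "authenticate succeed" (the shape Edward describes).
            a["verdict"] = "ticket-not-accepted"
        elif a["deprecated_in_use"]:
            # Ticket accepted, but with an etype such as RC4 (James's trace).
            a["verdict"] = "accepted-with-deprecated-etype"
        else:
            # Ticket accepted; for a 401 after this point the thread's advice
            # is realm logging (org.apache.catalina.realm.level=FINE).
            a["verdict"] = "accepted"
    return attempts


def summarize(attempts):
    """One readable line per attempt."""
    lines = []
    for number, a in enumerate(attempts, 1):
        used = ", ".join(ETYPE_NAMES[e] for e in a["etypes"]) or "none seen"
        lines.append(f"attempt {number}: {a['verdict']} (etype: {used})")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_TRACE))))
```

The patterns use substring and `search` matching, so any prefix the JVM prints in front of a message does not matter, but the input must have one message per line, unlike the flattened traces in this archive.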
Re: Possible to expose a Tomcat Realm instance through JNDI ?
Tobias,

On 6/11/13 11:20 AM, Tobias Gierke wrote:
> In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is already being used for HTTP Basic authentication but couldn't find a way how to get hold of the actual Realm instance. I spent quite some time looking for a solution (complicated by the fact that most Google hits actually referred to the LDAP authentication realm) but found none. Is there a config-file-only solution or do I need to dig into the Tomcat source code and come up with my own JNDI ObjectFactory to achieve this ?

What are you actually trying to accomplish? Do you want to authenticate a user, or get information about an authenticated user?

-chris
Re: http request (no only session) replication in cluster
André,

On 6/11/13 11:32 AM, André Warnier wrote:
> Christopher Schultz wrote:
>> Ja,
>>
>> On 6/11/13 9:54 AM, Ja kub wrote:
>>> What can be done to guarantee failover in below scenario:
>>> 2 tomcats behind cisco loadbalancer
>>> 1 http request can last very long about 50 seconds - response from webservice can take so long
>>> load is 200 requests per second
>>> I must response in max 4 seconds more than backing webservice
>>> is there something like http request replication ?
>>> 50 s * 200 req/s = 10.000 pending requests
>>> if one tomcat is eg killed, can in any way other tomcat serve his requests ?
>>> is there any out of the box solution, eg similar to session replication ?
>>
>> The best way to do this is to configure your load balancer to buffer responses and re-try another cluster node in the case of an unexpected disconnect. If you can't buffer the response, then it is entirely inappropriate to re-process a request: instead, you should let the failure propagate all the way back to the client and let them decide what to do.
>>
>>> is it possible to save socket to database, or send it via network?
>>
>> No. I think you are confused about what a socket is.
>
> Is that just me, or does this look like a *massive* imbalance between the load, and the resources dedicated to serve that load ?

+1

200 req/sec * 50 seconds per request? I get some folks do high-volume, high-response-time transactions. Thankfully, not I ;)

> I somehow have trouble to envision any system working in any stable way, when right from the start it is assumed to have 10,000 requests simultaneously being in various stages of processing. Unless one would have some Google-like server farms behind the thing anyway.

10k concurrent requests isn't really that insane. It's just having them for nearly a minute each that's quite extraordinary.

-chris
Re: tomcat + mysql xa setup
이재만,

Full disclosure: I've never done XA with any RDBMS.

On 6/10/13 7:15 PM, 이재만 wrote:
> how do i setup xa(2pc) on the tomcat with mysql ??? please anybody tell me setup process..

1. Make sure you are using Connector/J 5.0 or later [1]
2. Make sure you are using InnoDB storage engine for all involved tables [2]
3. Use com.mysql.jdbc.jdbc2.optional.MysqlXADataSource as your driver
4. Declare your TransactionManager in context.xml [3]

Note that Tomcat does not provide its own TransactionManager: you have to use a 3rd party one (Hibernate, Atomikos, OpenJPA, Bitronix, etc.).

You might want to check out this blog posting where someone has set everything up from scratch, albeit with their own personal preferences. Perhaps you can make some progress using it as a guide:

http://codepitbull.wordpress.com/2011/07/08/tomcat-7-with-full-jta/

[1] http://dev.mysql.com/doc/refman/5.0/en/connector-j-versions.html
[2] http://dev.mysql.com/doc/refman/5.0/en/xa-restrictions.html
[3] http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Transaction
Re: http request (no only session) replication in cluster
Andre, Christopher

thx for response,

requirement is system should be possible to process 160 req/sec (200 is better to multiply) and system is kind of failover proxy itself

there are 2 backing webservices, each can answer max 20s, if there is timeout on first, I must call the second, if there is timeout on second I send soap fault to client, so usually it shouldn't be more than 20s per req, guys say that normally it is 7-10 seconds/request, but in worst case it is 2*20s*160 requests/s ~= 6400 pending requests (and according to deal we must fulfill worst case)

even if there are so many requests they are pending on sockets, I try to do it with NIO, asynchronous servlets and async cxf - both async cxf webservice is exposed by me, and I also call backing ws with async cxf

I think even one tomcat on one server should be able to serve such 6400 pending requests with 160req/s, apart from proxy there are also 4-6 inserts into database (cli req, resp; 1st ws call, resp; 2nd ws call, resp

how do You assess such architecture/attitude ?
do You expect problems with async exposed webservice based on async servlet and NIO, and async cxf ws client ?
afaik cxf use thread locals, are they all right with tomcat async servlets ? (I don't define threadlocals by myself, only cxf possibly does)

Regards
Jakub

ps I didn't really expect to be able to serialize tcp socket to db, but if it where possible, than I would have request replication

On Tue, Jun 11, 2013 at 9:57 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> André,
>
> On 6/11/13 11:32 AM, André Warnier wrote:
>> Christopher Schultz wrote:
>>> Ja,
>>>
>>> On 6/11/13 9:54 AM, Ja kub wrote:
>>>> What can be done to guarantee failover in below scenario:
>>>> 2 tomcats behind cisco loadbalancer
>>>> 1 http request can last very long about 50 seconds - response from webservice can take so long
>>>> load is 200 requests per second
>>>> I must response in max 4 seconds more than backing webservice
>>>> is there something like http request replication ?
>>>> 50 s * 200 req/s = 10.000 pending requests
>>>> if one tomcat is eg killed, can in any way other tomcat serve his requests ?
>>>> is there any out of the box solution, eg similar to session replication ?
>>>
>>> The best way to do this is to configure your load balancer to buffer responses and re-try another cluster node in the case of an unexpected disconnect. If you can't buffer the response, then it is entirely inappropriate to re-process a request: instead, you should let the failure propagate all the way back to the client and let them decide what to do.
>>>
>>>> is it possible to save socket to database, or send it via network?
>>>
>>> No. I think you are confused about what a socket is.
>>
>> Is that just me, or does this look like a *massive* imbalance between the load, and the resources dedicated to serve that load ?
>
> +1
>
> 200 req/sec * 50 seconds per request? I get some folks do high-volume, high-response-time transactions. Thankfully, not I ;)
>
>> I somehow have trouble to envision any system working in any stable way, when right from the start it is assumed to have 10,000 requests simultaneously being in various stages of processing. Unless one would have some Google-like server farms behind the thing anyway.
>
> 10k concurrent requests isn't really that insane. It's just having them for nearly a minute each that's quite extraordinary.
>
> -chris
Windows service for tomcat7
Hi, I'm trying to install tomcat service for Windows 7 manually on my system through command prompt. I tried with service.bat install MyProject but it looks like service doesn't get installed properly because I can see the service in the list but when I start it, it throws error. Any idea on what could be the issue? I'm not using tomcat's installer for windows as I would like to bundle it along with my project installer with bundled Java as well. I could use other Windows batch scripts of starting and shutting down tomcat which work well. Thanks
Re: Windows service for tomcat7
On 6/11/2013 5:06 PM, akshata chas wrote:
> Hi, I'm trying to install tomcat service for Windows 7 manually on my system through command prompt. I tried with service.bat install MyProject but it looks like service doesn't get installed properly because I can see the service in the list but when I start it, it throws error. Any idea on what could be the issue?
Did you check the startup parameters for the service? The easiest way to check them is with tomcat7w.
> I'm not using tomcat's installer for windows as I would like to bundle it along with my project installer with bundled Java as well. I could use other Windows batch scripts of starting and shutting down tomcat which work well.
net start MyProject
net stop MyProject
> Thanks
TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Hi all,
I've been trying to compile tcnative on Windows with a FIPS-compatible build of OpenSSL. I've been successful building and running tcnative this way, at least until I turn on FIPS mode on the AprLifecycleListener config in Tomcat. When FIPSMode is set to off, Tomcat works fine, and SSL services operate correctly. When it is set to on, however, Tomcat refuses to start, and I get the following error in the catalina log file:
SEVERE: Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
I'm fairly confident that the OpenSSL library I'm using is valid and uncorrupted (I've used a couple different copies: an existing set of binaries being used successfully in another product internally, and a newly built version which I have successfully used the openssl utility against, without error). My assumption is that I'm not building/linking OpenSSL correctly into tcnative.
So far I've tried building both the tcnative and libtcnative projects via the supplied Visual Studio workspace. In the former case, the APR library appears to be statically linked into tcnative-1.dll, so I don't have to provide libapr-1.dll, however I do still need to provide libeay.dll and ssleay.dll. In the latter case, I provide libtcnative-1.dll, libapr-1.dll, and the two OpenSSL libraries. In both cases, it works when FIPS mode is off, but not when it is on.
Is there anything special I need to do to correctly build tcnative to support a FIPS-compatible OpenSSL build with FIPSMode turned on in Tomcat?
All this is using Tomcat 7.0.32, tcnative 1.1.27, APR 1.4.6, and OpenSSL both 1.0.1c and 1.0.1e, on 32-bit Windows Server 2008.
Thanks!
--Steve Nickels
Ipswitch, Inc.
Re: Windows service for tomcat7
akshata chas wrote:
> Hi, I'm trying to install tomcat service for Windows 7 manually on my system through command prompt. I tried with service.bat install MyProject but it looks like service doesn't get installed properly because I can see the service in the list but when I start it, it throws error.
What error and where ? Can you copy and paste the original error message here ? Check the Windows error logs. A service start error should be in the System part.
> Any idea on what could be the issue? I'm not using tomcat's installer for windows as I would like to bundle it along with my project installer with bundled Java as well. I could use other Windows batch scripts of starting and shutting down tomcat which work well. Thanks
Class cast exception when starting tomcat 7.0.1
I'm getting a class cast exception when starting up tomcat 7.0.1. I've migrated from 6.0.18 to 7.0.1. I got the same error when migrating directly to 7.0.4. The error is:
SEVERE: Begin event threw exception
Throwable occurred: java.lang.ClassCastException: org.apache.catalina.deploy.SecurityConstraint incompatible with org.apache.catalina.deploy.SecurityConstraint
    at org.apache.catalina.startup.SetAuthConstraintRule.begin(WebRuleSet.java:745)
    at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1282)
    at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
    at org.apache.xerces.impl.dtd.XMLDTDValidator.startElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
    at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1543)
    at org.apache.catalina.startup.ContextConfig.parseWebXml(ContextConfig.java:1686)
    at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1201)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:874)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:317)
    . . .
Jun 11, 2013 2:17:07 PM org.apache.catalina.startup.ContextConfig parseWebXml
SEVERE: Parse error in application web.xml file at jndi:/localhost/aldonsecurityservice/WEB-INF/web.xml
Throwable occurred: java.lang.ClassCastException: org.apache.catalina.deploy.SecurityConstraint incompatible with org.apache.catalina.deploy.SecurityConstraint
    at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:2687)
    at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:2713)
    at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1285)
    at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
    at org.apache.xerces.impl.dtd.XMLDTDValidator.startElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    . . . .
    at java.lang.reflect.Method.invoke(Method.java:611)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:303)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
Jun 11, 2013 2:17:07 PM org.apache.catalina.startup.ContextConfig parseWebXml
SEVERE: Occurred at line 147 column 20
class load: java/util/LinkedHashMap$2
class load: java/util/LinkedHashMap$ValueIterator
class load: org.apache.catalina.core.StandardWrapperFacade from: file:/ALDON/ALDONLS/tomcat_alcsq/lib/catalina.jar
class load: org.apache.catalina.util.InstanceSupport from: file:/ALDON/ALDONLS/tomcat_alcsq/lib/catalina.jar
class load: org.apache.catalina.InstanceListener from: file:/ALDON/ALDONLS/tomcat_alcsq/lib/catalina.jar
class load: org.apache.catalina.core.StandardWrapperValve from: file:/ALDON/ALDONLS/tomcat_alcsq/lib/catalina.jar
class load: javax.servlet.descriptor.TaglibDescriptor from: file:/ALDON/ALDONLS/tomcat_alcsq/lib/servlet-api.jar
Is it possible my XML parsers need updating? I'm still using the same ones in my WEB-INF/lib of the webapp:
xalan.jar
xerces.jar
xerces-2.6.2.jar
xml-apis.jar
xmlrpc-1.2-b1.jar
Thanks,
JMuse
RE: Class cast exception when starting tomcat 7.0.1
From: Jane Muse [mailto:jm...@rocketsoftware.com]
Subject: Class cast exception when starting tomcat 7.0.1
> I'm getting a class cast exception when starting up tomcat 7.0.1
You can't be serious. That version was never released, and would be almost three years old if it had been. Use the current version: 7.0.41. Do a fresh download and clean install, verify that Tomcat is working, then add your webapps one by one, insuring that each one operates properly before trying the next. Do not directly copy any configuration from previous versions of Tomcat to the new one; modify the conf/*.xml files with whatever you need for your installation. Also make sure you do not have the same classes in tomcat's lib directory and the webapp's WEB-INF/lib or WEB-INF/classes directories.
- Chuck
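The last check in the reply above, as an added example that is not part of the original thread: a Python script that lists the classes present both in Tomcat's lib directory and in a webapp's WEB-INF/lib jars or WEB-INF/classes. The function names, directory layout and jar contents in demo() are constructed for illustration.

```python
import glob
import os
import tempfile
import zipfile


def index_classes(lib_dir, classes_dir=None):
    """Map each class entry (a/b/C.class) to the files that provide it."""
    index = {}
    for path in sorted(glob.glob(os.path.join(lib_dir, "*.jar"))):
        with zipfile.ZipFile(path) as jar:
            for entry in jar.namelist():
                if entry.endswith(".class"):
                    index.setdefault(entry, []).append(path)
    if classes_dir and os.path.isdir(classes_dir):
        for dirpath, _dirs, files in os.walk(classes_dir):
            for name in files:
                if name.endswith(".class"):
                    full = os.path.join(dirpath, name)
                    entry = os.path.relpath(full, classes_dir).replace(os.sep, "/")
                    index.setdefault(entry, []).append(full)
    return index


def shared_classes(tomcat_lib, webapp_root):
    """Classes provided both by Tomcat's lib and by the webapp's WEB-INF."""
    container = index_classes(tomcat_lib)
    webinf = os.path.join(webapp_root, "WEB-INF")
    webapp = index_classes(os.path.join(webinf, "lib"), os.path.join(webinf, "classes"))
    return {c: (container[c], webapp[c]) for c in sorted(container.keys() & webapp.keys())}


def _make_jar(path, entries):
    """Write a jar of empty placeholder entries (constructed sample data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")


def demo():
    """Constructed layout: one class shipped in both places, one webapp-only jar."""
    dup = "org/apache/catalina/deploy/SecurityConstraint.class"
    with tempfile.TemporaryDirectory() as tmp:
        lib, app = os.path.join(tmp, "tomcat", "lib"), os.path.join(tmp, "app")
        _make_jar(os.path.join(lib, "catalina.jar"), [dup, "org/apache/catalina/Context.class"])
        _make_jar(os.path.join(app, "WEB-INF", "lib", "bundled.jar"), [dup])
        _make_jar(os.path.join(app, "WEB-INF", "lib", "xerces.jar"), ["org/apache/xerces/parsers/XMLParser.class"])
        return sorted(shared_classes(lib, app))
```

Pointing shared_classes() at a real Tomcat lib directory and an unpacked webapp returns, for each shared class, the files on both sides that ship it.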
OOME issue in Tomcat 6.0.18(with SSL)
Hi All,
I am facing an Out of Memory Issue with my application. I am using Embedded Tomcat 6.0.18. I have a simple servlet deployed which does nothing but set the HTTPResponse and return it.
Now I have 2 testing clients
Client 1: HTTPClient 3.1 with MultiThreadedHttpConnectionManager with SSL maxConnections = 200 maxConnectionsPerHost=200
Client 2: HTTPClient 4.1 in which I configured multiple threads
for (int i = 0; i < noofConnections; i++) { Thread t = new Thread(my); t.start(); }
With every thread executing HTTPGet on the servlet. This too with SSL.
Now with client 1, my JVM crashes after just a few minutes. Running with 8gb heap space. I took a heap dump for 2gb heap space using Jmap and analyzed it with MAT. It seems that there were many instances of org.apache.catalina.session.StandardManager consuming almost 95% of heap space. CPU utilization is only 13 -14% and I can see only 65 threads active with netstat.
With Client 2, everything looks fine. Though JVM crashes at 2gb, but at 8gb it works fine. Though CPU utilization is almost 90% and 100 simultaneous threads created for 100 simultaneous threads.
Both my server and clients are on Linux 64 bit machines.
I believe that this is something related to the client 1 i.e. either the HTTPClient 3.1 or the MultiThreadedConnectionManager, but posting here if someone can assist me in what might be the root cause.
Chirag
RE: OOME issue in Tomcat 6.0.18(with SSL)
From: Chirag Dewan [mailto:chirag.dewa...@yahoo.in]
Subject: OOME issue in Tomcat 6.0.18(with SSL)
> I am using Embedded Tomcat 6.0.18.
Which is nearly five years old. Many, many fixes (including serious security-related ones) have gone in since that version was released; you should see if the problem still exists on the current version of Tomcat 6 or 7. What JVM version are you using, and what platform are you running on? (Be precise.)
- Chuck