Re: Cannot start apache tomcat 7.0 if server path contains two consecutive spaces.
On 2013-07-31 07:11, TRAN Trung Thanh wrote:

Hi all, I am a newbie here. Today, I tried to start apache tomcat 7.0.42 in Linux environment. Server path contains two consecutive spaces. When I run ./catalina.sh run, server cannot start and there is the following exception in console

./catalina.sh run
Using CATALINA_BASE: /home/example/twoconsecutive spaces
Using CATALINA_HOME: /home/example/twoconsecutive spaces
Using CATALINA_TMPDIR: /home/example/twoconsecutive spaces/temp
Using JRE_HOME:/home/example/java/jdk1.6
Using CLASSPATH: /home/example/twoconsecutive spaces/bin/bootstrap.jar:/home/example/twoconsecutive spaces/bin/tomcat-juli.jar
Exception in thread main java.lang.NoClassDefFoundError: org/apache/catalina/startup/Bootstrap
Caused by: java.lang.ClassNotFoundException: org.apache.catalina.startup.Bootstrap
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
Could not find the main class: org.apache.catalina.startup.Bootstrap. Program will exit.

Tomcat server can start if server path does not contain consecutive spaces. Does anyone face the same issue in this case? Have you any suggestion to fix this issue? It is quite important for my deployment.

Did you try to quote or use backslash escapes?

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: secure cookies
On Tue, Jul 30, 2013 at 9:39 PM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, July 29, 2013 8:21 PM
To: Tomcat Users List
Subject: Re: secure cookies

Jeffrey,

On 7/29/13 4:09 PM, Jeffrey Janner wrote:

Thanks for the verification, Mark. I was under the impression you'd only want to [set secure=true] if you were already front-ending the site with something that was doing the SSL for you (e.g. httpd or a proxy), and the server spoke HTTP between each other.

We use secure=true for loopback-only connectors to avoid the overhead of SSL when we know the requests are going to come from localhost (we have Apache Cocoon running in a separate JVM calling-back to our main webapp for some XML). So there are some non-fronting use cases, too. (Note that mod_jk already sets the secure flag with each request if the original request to httpd came over HTTPS.)

Our app accepts an initial request to the login page on HTTP, but should be automatically routed to the HTTPS connector due to transport-guarantee before the page is actually sent back. Then we actually invalidate the session and create a new one on successful login, and that session/cookie is used for the rest of the user's time on the site. So all I really need to do to implement at 6.x is the context change.

Tomcat changes the session id (without actually destroying the session) after authentication, so if you are using Tomcat's authentication, then there is no need for the invalidation you describe above.

We don't use Tomcat Auth, though I'm arguing for changing to Tomcat w/Form Auth so it's easier to support 2-factor auth for those customers who insist on it. I'm not sure of the exact methodology employed, but I'm sure it's similar.

Thanks Christopher for the clarification and the link

-- BR, Prafull
Re: Cannot start apache tomcat 7.0 if server path contains two consecutive spaces.
Hi Michael-O,

I do not understand your suggestion well. Which file should be improved, catalina.sh, right? Anyway, I tried to deploy tomcat default package. AFAIK, quote and slash is used to fix problem if there is a space in path. According to my test result, in Tomcat 7, in case of having no consecutive spaces, there is no problem.

BR,

On 07/31/2013 01:22 PM, Michael-O wrote:

On 2013-07-31 07:11, TRAN Trung Thanh wrote:

Hi all, I am a newbie here. Today, I tried to start apache tomcat 7.0.42 in Linux environment. Server path contains two consecutive spaces. When I run ./catalina.sh run, server cannot start and there is the following exception in console

./catalina.sh run
Using CATALINA_BASE: /home/example/twoconsecutive spaces
Using CATALINA_HOME: /home/example/twoconsecutive spaces
Using CATALINA_TMPDIR: /home/example/twoconsecutive spaces/temp
Using JRE_HOME:/home/example/java/jdk1.6
Using CLASSPATH: /home/example/twoconsecutive spaces/bin/bootstrap.jar:/home/example/twoconsecutive spaces/bin/tomcat-juli.jar
Exception in thread main java.lang.NoClassDefFoundError: org/apache/catalina/startup/Bootstrap
Caused by: java.lang.ClassNotFoundException: org.apache.catalina.startup.Bootstrap
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
Could not find the main class: org.apache.catalina.startup.Bootstrap. Program will exit.

Tomcat server can start if server path does not contain consecutive spaces. Does anyone face the same issue in this case? Have you any suggestion to fix this issue? It is quite important for my deployment.

Did you try to quote or use backslash escapes?

-- TRAN Trung-Thanh
Re: Cannot start apache tomcat 7.0 if server path contains two consecutive spaces.
Tran,

On 31.7.2013 7:11, TRAN Trung Thanh wrote:

Today, I tried to start apache tomcat 7.0.42 in Linux environment. Server path contains two consecutive spaces. When I run ./catalina.sh run, server cannot start and there is the following exception in console

I am able to reproduce the same problem. It seems that the problem is in catalina.sh. In several places in catalina.sh, there is an eval command which seems to be improperly escaped. E.g., if I want to pass a parameter with two consecutive spaces using eval, this is the wrong way to do it:

eval echo \"foo  bar\"
(prints: foo bar)

This is the right way to do it:

eval echo "\"foo  bar\""
(prints: foo  bar)

I believe that catalina.sh should quote every parameter passed to eval in order to prevent whitespace collapse. Please file a bug report in Bugzilla: https://issues.apache.org/bugzilla/

-Ognjen
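
The whitespace collapse described in the message above, reproduced as an added example; it is not code from catalina.sh or from the thread. The temporary directory, the empty bootstrap.jar and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration; not taken from catalina.sh.
# Constructed layout standing in for CATALINA_HOME: a directory whose name
# contains two consecutive spaces, holding an empty bin/bootstrap.jar.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
BASE="$ROOT/two  spaces"
mkdir -p "$BASE/bin"
: > "$BASE/bin/bootstrap.jar"

# probe PATH: report whether PATH names an existing file, echoing the exact
# string received in brackets so that collapsed whitespace is visible.
probe() {
    if [ -f "$1" ]; then
        printf 'found [%s]\n' "$1"
    else
        printf 'missing [%s]\n' "$1"
    fi
}

# Escaped quotes only. $BASE is expanded unquoted, so the shell splits it at
# the run of spaces into two words. eval then joins its arguments with ONE
# space and parses the result again; the quotes take effect only in that
# second parse, after the second space is already gone.
escaped_only() {
    eval probe \"$BASE/bin/bootstrap.jar\"
}

# Outer quotes keep the value in one word during the first expansion; the
# escaped inner quotes survive into the string eval parses and keep it in
# one word there too.
fully_quoted() {
    eval probe "\"$BASE/bin/bootstrap.jar\""
}

# No eval: one expansion, one pair of quotes. Unlike both eval forms, this
# never re-parses the value as shell syntax, so characters such as " or $
# inside the path stay literal.
without_eval() {
    probe "$BASE/bin/bootstrap.jar"
}

escaped_only
fully_quoted
without_eval
```

The first call reports the jar as missing under a path with a single space, which is the condition behind the NoClassDefFoundError in the original report.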
Re: Configuration question for 2500 simultaneous users.
Alec, On 7/30/13 3:42 PM, Tomcat Random wrote: The project I'm working on has 5000 simultaneous users average. I have two physical servers both running an instance of Tomcat 7.0. They're behind a physical load balancer with sticky, least connections balancing. Nothing in front of the Tomcats. Port 80 to is routed to them by iptables. Anyone out there willing to offer some tips (or point me to them) on configuration for this amount of traffic? Environment is: DELL PowerEdge R720 - 32 GB DELL RAM, GB Memory: 32 Single Socket Six Core Intel Xeon E5-2640 2.5GHz, #Processors: 1, #Cores per Proc: 6 RHEL 6 Are you experiencing any problems, or are you just interested in speculative performance tuning? Tomcat's default configuration is quite reasonable. How many simultaneous /connections/ do you expect? -chris
Re: Controlling permissions when creating directories
Scott,

On 7/30/13 1:51 PM, sderrick wrote:

The host we use, uses the java service wrapper to launch tomcat so I added wrapper.java.umask=0002 to the .conf file. Now I can ratchet the permissions down with PosixFilePermissions. All is well now.

So, Java won't override a process umask. Interesting.

-chris
WebappClassLoader problem
I'm losing my mind here. I finally went full standard to see if the changes in tomcat 7 would allow me to avoid custom class loaders and contexts, but ran into a catch-22 issue. I was getting:

java.lang.ClassCastException: com.sun.xml.ws.transport.http.servlet.WSServletContainerInitializer cannot be cast to javax.servlet.ServletContainerInitializer
    at org.apache.catalina.startup.ContextConfig.getServletContainerInitializer(ContextConfig.java:1654)
    at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1562)
    at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1270)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:878)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:376)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5322)

So I tracked down where the WSServletContainerInitializer was coming from and removed the jar file. Now I get:

SEVERE: Error configuring application listener of class org.apache.catalina.deploy.ApplicationListener@1b104d7
java.lang.ClassNotFoundException: com.sun.xml.ws.transport.http.servlet.WSServletContextListener
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1714)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1559)
    at org.apache.catalina.core.DefaultInstanceManager.loadClass(DefaultInstanceManager.java:527)
    at org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:509)
    at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:137)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4854)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5434)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1113)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1671)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)

and what's in the context is:

<?xml version="1.0" encoding="UTF-8"?>
<Context path="/idwm" docBase="${catalina.home}/webapps/idwm">
  <Resources className="org.apache.naming.resources.VirtualDirContext" extraResourcePaths="/idwm/*/=/usr/us/idwm/plugins/*/"/>
  <Loader className="org.apache.catalina.loader.VirtualWebappLoader" virtualClasspath="/usr/us/idwm/plugins/*/WEB-INF/classes; /usr/us/idwm/plugins/*/WEB-INF/lib/*.jar; /usr/us/idwm/plugins/*/;" />
</Context>

So now what? I'm using the classes provided by apache and I'm damned if I do and damned if I don't. Is there even a solution to this?
Re: WebappClassLoader problem
On Jul 31, 2013, at 11:40 AM, Edward W. Rouse wrote:

I'm losing my mind here. I finally went full standard to see if the changes in tomcat 7 would allow me to avoid custom class loaders and contexts, but ran into a catch-22 issue. I was getting:

java.lang.ClassCastException: com.sun.xml.ws.transport.http.servlet.WSServletContainerInitializer cannot be cast to javax.servlet.ServletContainerInitializer
    at org.apache.catalina.startup.ContextConfig.getServletContainerInitializer(ContextConfig.java:1654)
    at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1562)
    at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1270)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:878)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:376)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5322)

So I tracked down where the WSServletContainerInitializer was coming from and removed the jar file. Now I get:

SEVERE: Error configuring application listener of class org.apache.catalina.deploy.ApplicationListener@1b104d7
java.lang.ClassNotFoundException: com.sun.xml.ws.transport.http.servlet.WSServletContextListener
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1714)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1559)
    at org.apache.catalina.core.DefaultInstanceManager.loadClass(DefaultInstanceManager.java:527)
    at org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:509)
    at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:137)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4854)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5434)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1113)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1671)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)

and what's in the context is:

<?xml version="1.0" encoding="UTF-8"?>
<Context path="/idwm" docBase="${catalina.home}/webapps/idwm">
  <Resources className="org.apache.naming.resources.VirtualDirContext" extraResourcePaths="/idwm/*/=/usr/us/idwm/plugins/*/"/>
  <Loader className="org.apache.catalina.loader.VirtualWebappLoader" virtualClasspath="/usr/us/idwm/plugins/*/WEB-INF/classes; /usr/us/idwm/plugins/*/WEB-INF/lib/*.jar; /usr/us/idwm/plugins/*/;" />
</Context>

So now what? I'm using the classes provided by apache and I'm damned if I do and damned if I don't. Is there even a solution to this?

I've seen that before, with Persistence on GlassFish. Turned out I had the Persistence API JARs in /WEB-INF/lib in my web application. Since two identical classes loaded by two different class loaders are actually different classes, the cast failed. My bet is you have the javax.websocket JAR(s) in /WEB-INF/lib in your web application. You can compile against these JARs, but they MUST NOT be in /WEB-INF/lib.

Nick
Re: Cannot start apache tomcat 7.0 if server path contains two consecutive spaces.
TRAN Trung Thanh wrote:

Hi all, I am a newbie here. Today, I tried to start apache tomcat 7.0.42 in Linux environment. Server path contains two consecutive spaces. When I run ./catalina.sh run, server cannot start and there is the following exception in console

./catalina.sh run
Using CATALINA_BASE: /home/example/twoconsecutive spaces
Using CATALINA_HOME: /home/example/twoconsecutive spaces
Using CATALINA_TMPDIR: /home/example/twoconsecutive spaces/temp
Using JRE_HOME:/home/example/java/jdk1.6
Using CLASSPATH: /home/example/twoconsecutive spaces/bin/bootstrap.jar:/home/example/twoconsecutive spaces/bin/tomcat-juli.jar
Exception in thread main java.lang.NoClassDefFoundError: org/apache/catalina/startup/Bootstrap
Caused by: java.lang.ClassNotFoundException: org.apache.catalina.startup.Bootstrap
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
Could not find the main class: org.apache.catalina.startup.Bootstrap. Program will exit.

Tomcat server can start if server path does not contain consecutive spaces. Does anyone face the same issue in this case? Have you any suggestion to fix this issue?

Yes : don't do that (using spaces in paths).

It is quite important for my deployment.

That's a pity. Spaces in paths (and filenames) are evil, and should never have been allowed in the first place. A special place in hell is reserved for the genius who first allowed this stupid thing in an OS. I wish I had 0.1 cent for every programming hour lost because of this.

Technically, you can certainly find the correct way to quote them in any particular place and environment. But usually, this is merely moving the problem to some other place further down the line, where it is even less visible and harder to find the bugs. I suppose the same could be said about any non-visible character, but spaces (along with TAB) are specially evil because in most environments, they are considered either as valid separators between words/tokens or as non-significant.

My serious recommendation would be to think really hard about a way to nip this in the bud, and avoid allowing them and using them in the first place. Think that if you allow them somewhere, and even if you quote them correctly there, you will have to continue quoting them (appropriately) everywhere else that you are using the corresponding strings. It is almost guaranteed that this will bite you somewhere.
Tomcat and IP transparency
Hello,

I already asked this question to the Apache HttpClient Forum. They don't know if this is possible with java/Tomcat.

I have developed a proxy servlet with an xml cache, running in a Tomcat 6.0.37 on Linux Centos6.4. When the incoming xml request (sent from an external client) is not found in the proxy cache, I use HttpClient 4.2.5 to create a new http request and redirect it to the provider application servers to get the xml response. So far, everything worked ok with all our clients.

But now we've a provider that needs ip transparency. Then, the request created by httpclient needs to carry the origin ip address (that from the external client), not the proxy ip. My proxy gets correctly the external IP (using request.getRemoteAddr()), but when the provider application reads the IP provided by the http client using request.getRemoteAddr(), they obviously get the proxy IP. The provider software is a blackbox, then reading ips with 'request.getRemoteAddr()' is something that they cannot change now. Therefore, things like adding a 'X-Forwarded-for' header cannot be implemented in this scenario.

Is it possible to achieve this at Tomcat level? Has anyone found a scenario like this?

Thanks in advance,
Joan.
RE: Tomcat and IP transparency
Hello,

They may use RemoteIpValve to fetch real ip from x-forwarded-for and set it to remote_addr where getRemoteAddr will get it.

Ilya Kazakevich, Developer
JetBrains Inc http://www.jetbrains.com
Develop with pleasure!

-Original Message-
From: Joan Balagueró Ventus Proxy [mailto:joan.balagu...@ventusproxy.com]
Sent: Wednesday, July 31, 2013 11:05 PM
To: users@tomcat.apache.org
Subject: Tomcat and IP transparency

Hello,

I already asked this question to the Apache HttpClient Forum. They don't know if this is possible with java/Tomcat.

I have developed a proxy servlet with an xml cache, running in a Tomcat 6.0.37 on Linux Centos6.4. When the incoming xml request (sent from an external client) is not found in the proxy cache, I use HttpClient 4.2.5 to create a new http request and redirect it to the provider application servers to get the xml response. So far, everything worked ok with all our clients.

But now we've a provider that needs ip transparency. Then, the request created by httpclient needs to carry the origin ip address (that from the external client), not the proxy ip. My proxy gets correctly the external IP (using request.getRemoteAddr()), but when the provider application reads the IP provided by the http client using request.getRemoteAddr(), they obviously get the proxy IP. The provider software is a blackbox, then reading ips with 'request.getRemoteAddr()' is something that they cannot change now. Therefore, things like adding a 'X-Forwarded-for' header cannot be implemented in this scenario.

Is it possible to achieve this at Tomcat level? Has anyone found a scenario like this?

Thanks in advance,
Joan.
Re: Tomcat and IP transparency
Hello Joan,

I fear I have to disappoint you. If I understand you correctly you want to manipulate the packets on the IP level, setting the source ip address to the ip address of the originator of the packet, similar to what a loadbalancer would do. It is possible technically, but it's a very different kind of soup compared to http proxy and really hard to implement in java, just because native access to the network interface isn't something java was made for. And since it's not unfamiliar to the attack vector known as IP Spoofing, it will only work in close distance (network-wise). But last time I was programming something on ip level is about 15 years ago, so I may be wrong.

However, your other side should be able to retrieve the contents of the X-FORWARDED-FOR header and return it in the getRemoteAddress call to its application. At least tomcat would do. So the question is, how much access do you have to your blackbox? If you have access to the machine you could do it with apache httpd and mod_proxy or mod_proxy_ajp. If not I would ask the provider of the blackbox, how they handle proxies in general (and if they do it at all). If they support some kind of proxy behavior, all you need to do is mimic one, if not... well find another provider ;-) It sounds a bit like SEO, and there are a lot of SEO providers with better tech ;-)

regards
Leon

On Wed, Jul 31, 2013 at 9:04 PM, Joan Balagueró Ventus Proxy joan.balagu...@ventusproxy.com wrote:

Hello,

I already asked this question to the Apache HttpClient Forum. They don't know if this is possible with java/Tomcat.

I have developed a proxy servlet with an xml cache, running in a Tomcat 6.0.37 on Linux Centos6.4. When the incoming xml request (sent from an external client) is not found in the proxy cache, I use HttpClient 4.2.5 to create a new http request and redirect it to the provider application servers to get the xml response. So far, everything worked ok with all our clients.

But now we've a provider that needs ip transparency. Then, the request created by httpclient needs to carry the origin ip address (that from the external client), not the proxy ip. My proxy gets correctly the external IP (using request.getRemoteAddr()), but when the provider application reads the IP provided by the http client using request.getRemoteAddr(), they obviously get the proxy IP. The provider software is a blackbox, then reading ips with 'request.getRemoteAddr()' is something that they cannot change now. Therefore, things like adding a 'X-Forwarded-for' header cannot be implemented in this scenario.

Is it possible to achieve this at Tomcat level? Has anyone found a scenario like this?

Thanks in advance,
Joan.
SSL and 408 error code (incomplete request)
Hi,

Has anyone happened to stumble onto this issue, please: Our Ajax works perfectly as long as it's non-secure. However, when switching to SSL we sometimes see 408 errors (incomplete request). This only happens on ajax, and inconsistently (similar requests might succeed on one moment, but fail on the other).

Please note:
1. Our client is Chrome browser, using JQuery for ajax
2. Server is Tomcat 7
3. Network is fast and stable, and the ajax requests are small
4. Problem occurs for both our connectors: APR and Http (both with SSL enabled)
5. Our x509 certificate is valid (otherwise it would have failed on *all* ajax ssl requests, not to mention the non-ajax ssl)

Thanks :)
RE: SSL and 408 error code (incomplete request)
what happens if you increase the connectionTimeout (on your ssl connector) to a longer interval e.g.?

$CATALINA_HOME/conf/server.xml
Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true connectionTimeout=3

Martin

Date: Wed, 31 Jul 2013 14:32:39 -0700
From: solmy...@yahoo.com
Subject: SSL and 408 error code (incomplete request)
To: users@tomcat.apache.org

Hi,

Has anyone happened to stumble onto this issue, please: Our Ajax works perfectly as long as it's non-secure. However, when switching to SSL we sometimes see 408 errors (incomplete request). This only happens on ajax, and inconsistently (similar requests might succeed on one moment, but fail on the other).

Please note:
1. Our client is Chrome browser, using JQuery for ajax
2. Server is Tomcat 7
3. Network is fast and stable, and the ajax requests are small
4. Problem occurs for both our connectors: APR and Http (both with SSL enabled)
5. Our x509 certificate is valid (otherwise it would have failed on *all* ajax ssl requests, not to mention the non-ajax ssl)

Thanks :)
Re: SSL and 408 error code (incomplete request)
sol myr wrote:

Hi,

Has anyone happened to stumble onto this issue, please: Our Ajax works perfectly as long as it's non-secure. However, when switching to SSL we sometimes see 408 errors (incomplete request). This only happens on ajax, and inconsistently (similar requests might succeed on one moment, but fail on the other).

Please note:
1. Our client is Chrome browser, using JQuery for ajax
2. Server is Tomcat 7
3. Network is fast and stable, and the ajax requests are small
4. Problem occurs for both our connectors: APR and Http (both with SSL enabled)
5. Our x509 certificate is valid (otherwise it would have failed on *all* ajax ssl requests, not to mention the non-ajax ssl)

The HTTP RFC 2616 states :

10.4 Client Error 4xx
The 4xx class of status code is intended for cases in which the client seems to have erred.

and

10.4.9 408 Request Timeout
The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time.

On the face of it thus (and barring some real bug in Tomcat), this looks like a client error, scenario :
- the client opens a TCP connection to the server, with the purpose of sending a request on that connection
- but then the client fails to send a request on that connection, for a time sufficient for the server to declare a time-out (or takes an inordinate amount of time to send the request line - such as in one kind of DOS attack).

Any idea why some of your client requests may have such a behaviour ?