Re: Error 404 - The requested resource is not available

2017-01-13 Thread Christoph Nenning
> From: Torsten Krah 
> To: users@tomcat.apache.org, 
> Date: 13.01.2017 08:56
> Subject: Re: Error 404 - The requested resource is not available
> 
> Am Donnerstag, den 12.01.2017, 13:38 -0600 schrieb fonsin2008 .:
> > Here are the  log files.
> 
> What about fixing those NPE and enable debug/trace logs of struts2 to
> get more information about how struts is going to map the request and
> where the 404 is written to the response.
> 
> 

Yes, the NPE happens in application code so you have to ask developers of 
that app.


Regards,
Christoph

This Email was scanned by Sophos Anti Virus


Re: Error 404 - The requested resource is not available

2017-01-11 Thread Christoph Nenning
> From: "fonsin2008 ." 
> To: Tomcat Users List , 
> Date: 12.01.2017 07:19
> Subject: Re: Error 404 - The requested resource is not available
> 
> Hi!
> 
> The url is: http://somehost/evaluacion/login_formaLogin.action
> 
> The problem is that it used to run without problems.
> 
> 2017-01-11 19:50 GMT-06:00 Tim Watts :
> > On Wed, 2017-01-11 at 15:49 -0600, fonsin2008 . wrote:
> >> Hi all!
> >>
> >> First, I need to say that I'm new (ignorant) with Tomcat. One of our
> >> systems is written with tomcat, but today something went wrong and the
> >> following error appears on the webpage:
> >>
> >> --Estado HTTP 404 - /evaluacion/WEB-INF/pages/login/forma_login.jsp
> >> --__
> >> --type Informe de estado
> >> --mensaje /evaluacion/WEB-INF/pages/login/forma_login.jsp
> >> --descripción El recurso requerido no está disponible.
> >> --
> >> --Apache Tomcat/6.0.37
> >>
> >> The file exists on the virtualserver, at
> >>
> >> home/desarrollo/produccioncbi/virtualhost/cbi_desarrollo/evaluacion/WEB-INF/pages/login
> >>
> >> And:
> >> ls -l
> >> -rw-r--r-- 1  desarrollo 3744 feb 11  2015 forma_login.jsp
> >>
> >> the evaluacion.war file lives at
> >> /home/desarrollo/produccioncbi/virtualhost/cbi_desarrollo
> >>
> >> And in /WEB-INF/classes/struts.xml I found:
> >> ./WEB-INF/classes/struts.xml:   >> name="forma_login">/WEB-INF/pages/login/forma_login.jsp
> >>
> >> So, I can't figure out why this error appears. Maybe I'm missing
> >> something obvious. I also googled it, but I only found permission
> >> errors and wrong paths.
> >>
> >> If you need some additional information, feel free to ask.
> >>
> >
> > What URL was used to produce the error message?
> >
> > Since you're unfamiliar with Tomcat, and presumably Servlet based web
> > applications, you need to know that /WEB-INF and anything below it is
> > inaccessible outside the web app; it's only accessible from within the
> > web app.  So if you issued a URL like:
> >
> > http://some-host/evaluacion/WEB-INF/pages/login/forma_login.jsp
> >
> > You will unsurprisingly get the 404 error.
> >
> > If this is the case then your task is to learn more about the specifics
> > of your application and what the proper login URL is.  Looks like it's
> > built with Struts so you may need to learn about that -- starting with
> > what version was used.
> >
> > -- Tim.
> >
> >
> >> Thank you guys for your time!
> >>
> >> Jesus Mager
> >> [www.h1n1-al.blogspot.com]
> >>

Hi,

what is in the logs?

Regards,
Christoph



Re: Error 500, restoring backup, GeoNode 2.4 to Geonode 2.4.1

2016-10-19 Thread Christoph Nenning
> From: "LEOPOLDO JAVIER NUNEZ DE SANTIAGO ." 
> To: users@tomcat.apache.org, 
> Date: 19.10.2016 18:35
> Subject: Error 500, restoring backup, GeoNode 2.4 to Geonode 2.4.1
> 
> Users Hello, my problem is related to an error in Tomcat 7 to update a
> GeoNode gis system.
> 
> Thanks for your support.
> 
> Restarting the service tomcat7 by ssh, the system does not indicate an
> error, but tomcat 7 does not start.
> 
> 2.4 GeoNode proceeding to backup. Next restoring in GeoNode 2.4.1
> 
> *steps for Backup files (GeoNode 2.4)*
> 
> Stop service
> 
> sudo service apache2 stop
> 
> sudo service tomcat7 stop
> 
> sudo service postgresql stop
> 
> 
> 
> sudo -u postgres -i pg_dump -c -Fc geonode > geonodedb.backup
> 
> 
> 
> tar -cvzf geonodeConfigBackup.tgz /etc/geonode
> 
> tar -zcvf geonodeVarDataBackup.tgz /var/lib/geoserver/geonode-data/
> 
> tar -zcvf geonodeUsrDataBackup.tgz /usr/share/geoserver/data/
> 
> tar -zcvf geonodeWWWDataBackup.tgz /var/www/geonode/
> 
> tar -cvzf geonodei18nBackup.tgz /usr/local/lib/python2.7/dist-
> packages/geonode/locale/
> 
> tar -cvzf geonodePyDjangoBackup.tgz /usr/local/lib/python2.7/dist-
> packages/geonode/
> 
> tar -cvzf geonodePyDjangoEggBackup.tgz /usr/local/lib/python2.7/dist-
> packages/GeoNode-2.4.1.egg-info/
> 
> 
> 
> *steps, restoring backup (GeoNode 2.4.1)*
> 
> 
> sudo service apache2 stop
> 
> sudo service tomcat7 stop
> 
> sudo service postgresql stop
> 
> 
> sudo tar -C / -xvzf geonodeConfigBackup.tgz
> 
> sudo tar -C / -xvzf geonodei18nBackup.tgz
> 
> sudo tar -C / -xvzf geonodePyDjangoEggBackup.tgz
> 
> sudo tar -C / -xvzf geonodeVarDataBackup.tgz
> 
> sudo tar -C / -xvzf geonodePyDjangoBackup.tgz
> 
> sudo tar -C / -xvzf geonodeUsrDataBackup.tgz
> 
> sudo tar -C / -xvzf geonodeWWWDataBackup.tgz
> 
> sudo service postgresql start
> 
> sudo -u postgres -i psql -c 'drop database geonode;'
> 
> sudo -u postgres -i psql -c 'create database geonode;'
> 
> sudo -u postgres -i pg_restore -Fc -d geonode /path/to/geonodedb.backup
> 
> 
> 
> sudo service apache2 stop
> 
> sudo service tomcat7 stop
> 
> 
> 
> Did not receive errors during the restore.
> 
> But I have server 500 error.
> 
> Check the access.log file, folder apache2
> 
> 
> 
> 
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:55 +] "GET / HTTP/1.1" 200 5234
> "-" "this is a test ua "
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/geonode/css/ext-compatibility.css?v=2.4.1 HTTP/1.1" 200 678 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/lib/css/assets.min.css?v=2.4.1 HTTP/1.1" 200 27247 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/geonode/css/base.css?v=2.4.1 HTTP/1.1" 200 3113 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/geonode/js/utils/utils.js?v=2.4.1 HTTP/1.1" 200 1292 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/autocomplete_light/django_admin.js HTTP/1.1" 200 832 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/autocomplete_light/autocomplete.js HTTP/1.1" 200 8094 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/autocomplete_light/addanother.js HTTP/1.1" 200 1525 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/geonode/js/base/base.js?v=2.4.1 HTTP/1.1" 200 491 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/lib/js/assets.min.js?v=2.4.1 HTTP/1.1" 200 259982 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/autocomplete_light/widget.js HTTP/1.1" 200 4674 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/autocomplete_light/remote.js HTTP/1.1" 200 983 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/geonode/fonts/lato_font.css HTTP/1.1" 200 501 "
> http://172.125.122.68/static/geonode/css/base.css?v=2.4.1; "this is a test ua "
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/autocomplete_light/style.css HTTP/1.1" 200 1610 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - [18/Oct/2016:15:19:57 +] "GET
> /static/autocomplete_light/text_widget.js HTTP/1.1" 200 2991 "
> http://172.125.122.68/; "this is a test ua  alert(99)  >"
> 
> 172.125.121.52 - - 

RE: Getting a blank page in Tomcat 6.3

2016-10-07 Thread Christoph Nenning
> From: "Nagappan , Ganesh  - IT- PLM - Bhuj" 

> To: Tomcat Users List , 
> Date: 06.10.2016 13:54
> Subject: RE: Getting a blank page in Tomcat 6.3
> 
> 
> 
> "-Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
> Sent: Thursday, October 06, 2016 4:28 PM
> To: users@tomcat.apache.org
> Subject: Re: Getting a blank page in Tomcat 6.3
> 
> On 06.10.2016 12:43, Nagappan , Ganesh  - IT- PLM - Bhuj wrote:
> >
> > "-Original Message-
> > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> > Sent: Thursday, October 06, 2016 3:47 PM
> > To: users@tomcat.apache.org
> > Subject: Re: Getting a blank page in Tomcat 6.3
> >
> > On 06.10.2016 11:00, Nagappan , Ganesh  - IT- PLM - Bhuj wrote:
> >> Hi,
> >>
> >>   Version : Apache Tomcat 6.3
> >>
> >>   OS  : Windows server 2008 R2
> >>
> >>   We are using Tomcat for our TCRA application extracting
> >> reports. When I start the Tomcat the default homepage, It is working fine.
> >>
> >> But When I go to http://teamcenter:8080/TCRA/Portal/  It displays
> >> a blank page.
> >>
> >> Please give me a suggestion.
> >>
> >
> > 1) if you are using IE, turn off the "display friendly error pages"
> > option
> > 2) turn off Tomcat
> > 3) find the Tomcat logfiles directory, and delete all the files
> > 4) turn on Tomcat
> > 5) make *one* access to http://teamcenter:8080/TCRA/Portal/ to get the
> > blank page
> > 6) turn off Tomcat again
> > 7) look at the logfiles.  Any indication of a problem there ?
> >
> > and when you have some real information that might allow us to
> > help you without having to unwrap our crystal ball, come back here.
> >
> > 8) upgrade your Tomcat. That version is 10 (?) years old.
> > (Do not know really, because Tomcat 6.3 does not exist, and
> > neither does 6.0.3) Use (tomcat-directory)/bin/version.bat to find
> > out the real version.
> > Or look in the first lines of the Tomcat logfile."
> >
> >
> > Hi Andre,
> >
> >
> > First thanks for replying.
> >
> > Sorry for wrong specification of my version
> >
> > It is Apache Tomcat 6.0.35
> >
> > I had done all the steps specified by you and attached the
> > catalina.log and local host log file.
> >
> > Awaiting for your reply.
> >
> 
> Well, the attachments did not make it to the list.
> This list software often strips attachments.
> Try again, but copy/paste the relevant log sections directly in the
> message then.
> And apologies for the tone of the previous message, but without the
> attachments, it looked really like a poor post with insufficient
> information.
> 
> 
> "
> Hi,
> 
> I found that there is problem with Ports 8005 and 8009 before 
> itself. I had also tried by changing the port, But I had got the 
> same "Blank Page " error.
> 
> I have displayed my log file below.
> 
> This is my catalina log file
> 
> 

> Oct 6, 2016 4:05:24 PM org.apache.catalina.core.AprLifecycleListener 
init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
> Oct 6, 2016 4:05:24 PM org.apache.catalina.core.AprLifecycleListener 
init
> INFO: APR capabilities: IPv6 [false], sendfile [true], accept 
> filters [false], random [true].
> Oct 6, 2016 4:05:25 PM org.apache.coyote.http11.Http11AprProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> Oct 6, 2016 4:05:25 PM org.apache.coyote.ajp.AjpAprProtocol init
> SEVERE: Error initializing endpoint
> java.lang.Exception: Socket bind failed: [730048] Only one usage of 
> each socket address (protocol/network address/port) is normally 
permitted. 
>at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:649)
>at org.apache.coyote.ajp.AjpAprProtocol.init(AjpAprProtocol.java:160)
>at 
org.apache.catalina.connector.Connector.initialize(Connector.java:1049)
>at org.apache.catalina.core.StandardService.initialize
> (StandardService.java:703)
>at org.apache.catalina.core.StandardServer.initialize
> (StandardServer.java:838)
>at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
>at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>at sun.reflect.NativeMethodAccessorImpl.invoke
> (NativeMethodAccessorImpl.java:39)
>at sun.reflect.DelegatingMethodAccessorImpl.invoke
> (DelegatingMethodAccessorImpl.java:25)
>at java.lang.reflect.Method.invoke(Method.java:597)
>at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
>at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
> Oct 6, 2016 4:05:25 PM org.apache.catalina.core.StandardService 
initialize
> SEVERE: Failed to initialize connector [Connector[AJP/1.3-8009]]
> LifecycleException:  Protocol handler initialization failed: 
> java.lang.Exception: Socket bind failed: [730048] Only one usage 

Re: Context Dependency Injection with Tomcat 7.0 x / 8.0 x

2016-10-06 Thread Christoph Nenning
> 
> Hi All,
> 
> I wanted to check if there is a way to do CDI with Tomcat for 7x and 8x
> version as per JEE spec ?
> 
> I have a project for which I wanted to use CDI the way spring does it.
> 
> Appreciate if someone can suggest something.
> 
> 
> - Kiran


Open Web Beans:

http://openwebbeans.apache.org/


Regards,
Christoph



Re: Housing and reading internal resources using Tomcat 8.5.4 and JDK 1.8

2016-08-30 Thread Christoph Nenning
> Hello everyone,
> 
> I have a file xyz.txt that is specific to my web application which needs to
> be located by my web application, and I wish to find that resource via
> getClass().ClassLoader().getResource("xyz.txt") at runtime. The xyz.txt
> file has no relation to any particular Java class in our application. This
> resource is used internally by the application and should not be served
> directly by the container to inbound HTTP requests, therefore I have it
> located in the WEB-INF/properties directory of my web app deployment.
> However, the getResource("xyz.txt") method returns null, even though my
> xyz.txt file is certainly where it is expected to be found.
> 
> Where should I place this file ideally, and given that file exists in that
> location, what is the parameter value I need to pass to getResource() so it
> returns a non-null value?
> 
> Thanks, Doug


Hi,

the file must be present in classpath. For a webapp that means 
WEB-INF/classes. When you place it not in a sub dir you must pass 
"/xyz.txt" to getResource() (note the leading slash).

If you use eclipse for development you can create a "source folder" and 
place it there. eclipse will take care of copying it to WEB-INF/classes. 
Other IDEs or build tools call that a resources dir. In maven it defaults 
to src/main/resources.


Regards,
Christoph



Re: jdbc check available database

2016-08-02 Thread Christoph Nenning
> Hello guys,
> 
> I’ve SQL Server database with Tomcat 7 and, when I restart only database,
> webapps on Tomcat didn’t work, it shows me error to connect to database ..
> In webapp context I use jdbc driver for connect, so there is a kind of
> method for retry to connect to database when it return available?
> 
> 
> 

Hi,

I suggest to use a DataSource instead of dealing with jdbc connections on 
your own.

see:
http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html


Regards,
Christoph




Re: mod-jk + ssl: requests are not forward to tomcat correctly

2016-07-12 Thread Christoph Nenning
> > Probably the quickest : download these files, install them on your
> > server, and change the above links.
> > Like : create a sub-directory "/js" of your webapp, and install them there.
> > Then change the above links to : href="js/jquery.mobile-1.4.5.min.css"
> 
> Yes. It works. Thanks.
> 
> It is okay for now. but, if I do not want host these files, what should I
> do? Can you point a direction for me please?
> 


It could be a "mixed content" issue. When html is served via https and it 
links resources served via http (not https) browsers are not happy.


> >>http://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.css"/>
> >>http://code.jquery.com/jquery-1.11.3.min.js
">
> >>http://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.js
">


Try to use https here.



Regards,
Christoph



> On Mon, Jul 11, 2016 at 12:38 PM, André Warnier (tomcat) 
> wrote:
> 
> > On 11.07.2016 19:38, Wayne Li wrote:
> >
> >> Thank you for quick reply.
> >> Thank you for suggest LiveHTTPHeaders for firefox. I just tried. Good. It
> >> says that the file was loaded. So I think the problems are in the lines
> >> of:
> >>
> >>http://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.css"/>
> >>http://code.jquery.com/jquery-1.11.3.min.js
">
> >>http://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.js
">
> >>
> >> These lines could not be forwarded under ssl? What should I do?
> >> Thanks.
> >>
> >
> > Probably the quickest : download these files, install them on your server,
> > and change the above links.
> > Like : create a sub-directory "/js" of your webapp, and install them there.
> > Then change the above links to : href="js/jquery.mobile-1.4.5.min.css"
> >
> >
> >>
> >> On Mon, Jul 11, 2016 at 9:28 AM, André Warnier (tomcat) 

> >> wrote:
> >>
> >> On 11.07.2016 15:57, Wayne Li wrote:
> >>>
> >>> Hi All,
> 
> 
>  Hi. Thanks you for communicating the versions and the configuration
> >>> below..
> >>> That helps a lot in helping you.
> >>>
> >>> Can you also provide the version of the mod_jk module ? It should be 
in
> >>> the first line of the Apache httpd error log (when it starts up).
> >>>
> >>> I have a servlet/jsp application running on tomcat 7.0.47. There are 
no
> >>>
>  static html files.
>  Now I am try to use apache 2.4.7 (Ubuntu)
>  as the front and forwad eveything to tomcat. I installed mod_jk 
using
>  Ubuntu's software
>  center.. Things are working: I type "localhost" on my brower bar, 
it
>  shows
>  my application.
> 
>  Then, I also trying to use ssl and generated self-signed 
certificate. It
>  works, because
>  the browser warns me about unknown certificate. If I type "
>  https://www.mytest.com/index.jsp;
>  on the browser's bar, it shows the page. But not correctly: the 
page
>  contains:
>    
>    
>  These extra files are not be called.
> 
> 
> >>> Sorry to ask, but *are* these files present, in the same directory 
as
> >>> your
> >>> index.jsp page ?
> >>>
> >>>
> >>> What is wrong on my side? Any information would be appreciated. 
Thank you
> >>>
>  in advance.
> 
> 
> >>> There is some configuration information missing below : in
> >>> /etc/apache2/mods-available, there should be a couple of files : 
jk.load
> >>> and jk.conf.
> >>> What is the content of these files ?
> >>>
> >>>
> >>> the /etc/apache2/conf/default-ssl.conf:
>  
>    
>  SSLEngine on
>  SSLCertificateFile /etc/apache2/ssl/server.crt
>  SSLCertificateFile /etc/apache2/ssl/server.crt
> 
> 
> >>> above, duplicate lines ?
> >>>
> >>>
> >>> JkMount /* ajp13_worker
> >>>
>    
>  
> 
>  the /etc/apache2/conf/000-default.conf:
>  
>  ServerName localhost
>  DocumentRoot /ROOT
>  JkMountCopy On
>  
>    JkMount jk-status
>    Order deny,allow
>    Allow from 127.0.0.1,localhost
>  
>  
>    JkMount jk-manager
>    Order deny,allow
>    Allow from 127.0.0.1,localhost
>   
>  
> 
>  the /etc/apache2/workers/worker.properties:
>  workers.tomcat_home=/tomcat
>  workers.java_home=/jdk8
>  ps=/
>  worker.list=ajp13_worker
>  worker.ajp13_worker.port=8009
>  worker.ajp13_worker.host=localhost
>  worker.ajp13_worker.type=ajp13
>  worker.ajp13_worker.lbfactor=1
>  worker.loadbalancer.type=lb
>  worker.loadbalancer.balance_workers=ajp13_worker
>  worker.list=jk-status
>  worker.jk-status.type=status
>  worker.jk-status.read_only=true
>  worker.list=jk-manager
>  worker.jk-manager.type=status
> 
> 
>  That workers.properties looks old, and contains some deprecated 
lines :
> >>>
>  

Re: Suggestions for deploying context.xml for different environments?

2016-07-07 Thread Christoph Nenning
> >> Hello.  I am seeking some advice for the best ways to deploy Java web
> >> applications to different Tomcat environments.
> >>
> >> In particular, my application requires that a JNDI resource be defined
> >> for a database, where the database server address and credentials will
> >> vary depending on the environment the application is deployed to.
> >>
> >> * Tomcat: 8.0.36
> >> * OS: varies depending on the environment deployed to
> >>
> >> If I include in the WAR file, a META-INF/context.xml that includes the
> >> Resource element, Tomcat will use that to create the file:
> >> $CATALINA_HOME/conf/engine/host/my-application.xml
> >>
> >> The context file my-application.xml can then be modified so that the
> >> Resource settings are appropriate for the environment.
> >>
> >> However, if, for any reason, the application is undeployed and then
> >> re-deployed, my-application.xml will be recreated with the settings as
> >> they originally appeared in the WAR file.
> >>
> >> The options that seem evident to me are:
> >>
> >> 1) Create a different WAR file for each environment.  This strikes me as
> >> a bit onerous.
> >>
> >> 2) Use environment variables in my-application.xml such as:
> >> url="${databaseurl}" and then define those environment variables using
> >> the Environment element in the GlobalNamingResources of Tomcat's
> >> server.xml.
> >>
> >> Regarding #2, would it be possible to instead use a properties file to
> >> define the variables?  I assume adding entries to catalina.properties
> >> would work, but is it possible to define a properties file separate from
> >> catalina.properties which deals more with system properties rather than
> >> application properties?
> >>
> > We set such system properties in setenv.sh, e.g.:
> >
> > JAVA_OPTS="$JAVA_OPTS -Ddatabase.password=$DATABASE_PASSWORD"
> >
> >
> > The environment variable $DATABASE_PASSWORD is used because we wrap our
> > applications along with tomcat and jvm in docker images. Operations
> > specify environment specific parameters (as database passwords) when they
> > launch the docker container with -e switch, e.g.:
> >
> > docker run -d -e DATABASE_PASSWORD=secret .
> >
> >
> > Due to docker we don't need context.xml files inside WARs. Instead we have
> > application specific tomcat config files in our source trees. Our build
> > process includes them in the docker image as top level tomcat config. As
> > we build application specific images there is just one app per image and
> > thus per tomcat instance.
> >
> >
> > Of course that is linux only.
> 
> I don't believe docker is an option for me.  At least, not at this 
> time.  I do like the idea of setting environment-specific variables as 
> system properties in the setenv.sh.  However, setting passwords there 
> gives me pause for security reasons since it would be visible to 
> anything running within the Tomcat environment, should there be some way
> to exploit a vulnerability and access Tomcat's system properties or
> environment variables remotely.
> 
> Thank you for sharing,
> Philip
> 


Well, having passwords in config files does not add much security ;)


Regards,
Christoph


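Philip's concern in the thread above can be checked on a host: a value passed as `-Ddatabase.password=...` through `JAVA_OPTS` becomes part of the JVM command line, which other local users can normally read with `ps`, and a password written into `setenv.sh` is only as private as that file's mode. The audit below is an added example, not code from the thread; the sample process list, the name patterns and the `/opt/tomcat` fallback path are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit for secrets handed to Tomcat's JVM as -D properties.

# Constructed sample in the format of `ps -eo pid=,args=` (PID, then the
# command line). Not real output; paths and values are made up.
SAMPLE_PS='4242 /usr/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Ddatabase.password=secret -Ddatabase.url=jdbc:postgresql://db/app -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
4300 /usr/sbin/sshd -D
4301 /usr/bin/java -Dapi.token= -jar worker.jar'

# Reads "PID ARGS..." lines on stdin and prints "PID PROPERTY" for every
# -Dname=value argument whose name looks like a credential and whose value
# is non-empty. The value itself is never printed.
# The name patterns are an assumption; extend them for your own naming.
# Limitation: ps does not preserve quoting, so a value containing spaces
# is seen as several arguments (the property name is still reported).
find_secret_props() {
    awk '
    {
        pid = $1
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^-D[^=]+=./) continue          # not -Dname=value
            name = substr($i, 3, index($i, "=") - 3)  # text between -D and =
            if (tolower(name) ~ /password|passwd|pwd|secret|token|apikey/)
                print pid, name
        }
    }'
}

# Succeeds if FILE is readable by its group or by others. Intended for
# setenv.sh or any properties file that holds a credential.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Demo on the constructed sample. On a live host use:
#   ps -eo pid=,args= | find_secret_props
printf '%s\n' "$SAMPLE_PS" | find_secret_props

# CATALINA_BASE is Tomcat's own variable; /opt/tomcat is an assumed fallback.
setenv="${CATALINA_BASE:-/opt/tomcat}/bin/setenv.sh"
if [ -f "$setenv" ] && readable_by_others "$setenv"; then
    echo "$setenv is readable by group or others"
fi
```

The same reasoning applies to `docker run -e`: the variable is stored in the container's configuration and shown by `docker inspect` to anyone with access to the Docker daemon.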


Re: Suggestions for deploying context.xml for different environments?

2016-07-05 Thread Christoph Nenning
> Hello.  I am seeking some advice for the best ways to deploy Java web 
> applications to different Tomcat environments.
> 
> In particular, my application requires that a JNDI resource be defined 
> for a database, where the database server address and credentials will 
> vary depending on the environment the application is deployed to.
> 
> * Tomcat: 8.0.36
> * OS: varies depending on the environment deployed to
> 
> If I include in the WAR file, a META-INF/context.xml that includes the 
> Resource element, Tomcat will use that to create the file:
> $CATALINA_HOME/conf/engine/host/my-application.xml
> 
> The context file my-application.xml can then be modified so that the 
> Resource settings are appropriate for the environment.
> 
> However, if, for any reason, the application is undeployed and then 
> re-deployed, my-application.xml will be recreated with the settings as 
> they originally appeared in the WAR file.
> 
> The options that seem evident to me are:
> 
> 1) Create a different WAR file for each environment.  This strikes me as
> a bit onerous.
> 
> 2) Use environment variables in my-application.xml such as:
> url="${databaseurl}" and then define those environment variables using
> the Environment element in the GlobalNamingResources of Tomcat's
> server.xml.
> 
> Regarding #2, would it be possible to instead use a properties file to
> define the variables?  I assume adding entries to catalina.properties
> would work, but is it possible to define a properties file separate from
> catalina.properties which deals more with system properties rather than
> application properties?
> 

We set such system properties in setenv.sh, e.g.:

JAVA_OPTS="$JAVA_OPTS -Ddatabase.password=$DATABASE_PASSWORD"


The environment variable $DATABASE_PASSWORD is used because we wrap our 
applications along with tomcat and jvm in docker images. Operations 
specify environment specific parameters (as database passwords) when they 
launch the docker container with -e switch, e.g.:

docker run -d -e DATABASE_PASSWORD=secret .


Due to docker we don't need context.xml files inside WARs. Instead we have 
application specific tomcat config files in our source trees. Our build 
process includes them in the docker image as top level tomcat config. As 
we build application specific images there is just one app per image and 
thus per tomcat instance.


Of course that is linux only.


regards,
Christoph



> I haven't been able to find a documented standard methodology for Tomcat
> deployments to different environments, but I'm certain there must be
> some common and elegant ways of doing this.  I'm interested in hearing
> what others have done.
> 
> Thank you,
> Philip
> 


Re: Remove Port from Https URL || SSL Port Issue || Important

2016-06-10 Thread Christoph Nenning
> > Hello Gurus,
> >
> > We are using Tomcat to serve our User Base (we are not using
> > Apache http Server but only Tomcat). We have recently enabled SSL in
> > our Project and everything runs just fine. We raised the CSR using
> > keytool, got the Certificates, So both of my below URLs work perfectly:
> >
> > http://hostname:8080
> > https://hostname:8443
> >
> > Framework Details:
> > OS: Red Hat Enterprise Linux Server release 5.9 (Tikanga)
> > Tomcat Version: 7.x
> >
> > Port 8443 which was not coming in the netstat o/p, now comes:
> >
> > netstat -an | grep 8443
> > tcp        0      0 0.0.0.0:8443      0.0.0.0:*      LISTEN
> >
> >
> > Here is how the server.xml looks like (excluding the ciphers list):
> >
> > 
> 
===
> >
> >   > port="8080" protocol="HTTP/1.1"
> > connectionTimeout="2"
> > redirectPort="8443" />
> >
> >  
> >
> >
> >
> >   > maxThreads="150" scheme="https" secure="true"
> > keystoreFile="/abc/xyz/
> XX.keystore" keystorePass="XX"
> > clientAuth="false" sslProtocol="TLS"
> > ciphers="X" />
> >
> > 
> 
=
> >
> > Now the requirement is that, we exclude the Port no. from the URL.
> > Believe the only way out is to use Port 443 instead of 8443, so in
> > the above configuration in the SSL section we just replace the port
> > "8443" with Port "443" and give the redirectPort as "8443".
> >
> > However, it is not working out for us. We did a lot of
> > investigation, surfing but could not find any solution.
> > Also we confirmed that Port 443 is not blocked anywhere. Also
> > "netstat -an" doesn't give any o/p for Port 443: Below is how our
> > config looks like when we tried it out enabling 443 (excluding ciphers).
> >
> > 
> 
==
> >
> >   > port="8080" protocol="HTTP/1.1"
> > connectionTimeout="2"
> > redirectPort="8443" />
> >
> >  
> >
> >
> >
> >   protocol="HTTP/1.1" SSLEnabled="true"
> > maxThreads="150" scheme="https" secure="true"
> > keystoreFile="/abc/xyz/
> XX.keystore" keystorePass="XX"
> > clientAuth="false" sslProtocol="TLS" 
redirectPort="8443"
> > ciphers="XXX" />
> >
> >
> > 
> 
==
> >
> > Really appreciate your help and guidance towards resolving the
> > issue. Many thanks in advance...
> >
> 
> Hi.
> Thanks for the info provided above.
> (Suggested improvement still : provide the exact Tomcat version, and
> the Java version.)
> 
> Others :
> - the "redirectPort" attribute above (on the SSL Connector), is not
> needed (and ignored) if the Connector is already HTTPS anyway. See :
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Attributes
> --> redirectPort
> 
> but more importantly : what does the Tomcat logfile say ?
> (It should open port 443; if it doesn't, it may be that this port is
> already in use by another program. The log would tell you that.)
> 
> netstat -pan | grep LISTEN | grep 443
> 
> (-pan will also list the program name and PID of what owns it)
> 
> 
> 
> 

Hi,

ports below 1024 are privileged ports and can be opened by root only. Of 
course you don't want to run tomcat as root. There are several ways to 
open them anyway as non-root, e.g. the capability CAP_NET_BIND_SERVICE or 
the tool authbind (not sure if available in your version of redhat).

Hope that points you in the right direction.

Regards,
Christoph

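A way to verify the outcome Christoph describes, Tomcat listening on a port below 1024 without running as root, is to read the process's `/proc/<pid>/status`. The check below is an added example and not part of the original message; the sample status excerpts and the uid 991 are constructed.

```shell
#!/bin/sh
# Added example: classify how a process is allowed to bind ports below 1024,
# from the text of /proc/<pid>/status (Linux only).

CAP_NET_BIND_SERVICE_BIT=10   # bit number of CAP_NET_BIND_SERVICE in linux/capability.h

# Constructed excerpts of /proc/<pid>/status, not captured from a real host.
SAMPLE_ROOT='Name:   java
Uid:    0       0       0       0
CapEff: 0000003fffffffff'
SAMPLE_CAP='Name:   java
Uid:    991     991     991     991
CapEff: 0000000000000400'
SAMPLE_PLAIN='Name:   java
Uid:    991     991     991     991
CapEff: 0000000000000000'

# Reads a status file on stdin and prints one of:
#   root                  effective uid is 0 (what the message advises against)
#   cap_net_bind_service  non-root, but the capability is in the effective set
#   unprivileged          non-root and no capability; a low port can then only
#                         be reached through a helper such as authbind
bind_privilege() {
    status=$(cat)
    # "Uid:" lists real, effective, saved and filesystem uid, in that order.
    euid=$(printf '%s\n' "$status" | awk '$1 == "Uid:" { print $3 }')
    # "CapEff:" is the effective capability set as a hexadecimal bitmask.
    capeff=$(printf '%s\n' "$status" | awk '$1 == "CapEff:" { print $2 }')
    if [ "$euid" = "0" ]; then
        echo root
    elif [ -n "$capeff" ] &&
         [ $(( (0x$capeff >> $CAP_NET_BIND_SERVICE_BIT) & 1 )) -eq 1 ]; then
        echo cap_net_bind_service
    else
        echo unprivileged
    fi
}

# Demo on the constructed samples. On a live host use:
#   bind_privilege < /proc/<pid of the Tomcat JVM>/status
for sample in "$SAMPLE_ROOT" "$SAMPLE_CAP" "$SAMPLE_PLAIN"; do
    printf '%s\n' "$sample" | bind_privilege
done
```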


Re: Adding Tomcat instances dynamically to Apache Load Balancer without restart

2016-04-07 Thread Christoph Nenning
> Hi All,
> 
> Good Morning.
> 
> I am working in a Cloud based project where I encounter Scale-in/ Scale out
> of Tomcat instances.
> We have Apache load balancer as well. The requirement is to dynamically add
> any new Tomcat instances during scale out to Load balancer and remove
> tomcat instances during scale-in, without restart of balancer.
> 
> I did initial analysis on this. I understand that with mod_jk or mod_proxy,
> we need to restart the balancer in the above cases.
> 
> I came across a module mod_cluster which supports to dynamically add or
> remove tomcat instances from load balancer, without restart. Here the
> tomcat automatically registers with load balancer through separate channel.
> But I have process running which gets the status of tomcat whether it is
> successfully started or not. Is there a way to register the tomcat through
> my process with the balancer instead of tomcat itself registering with
> balancer?
> 
> Could someone please suggest me any other modules if any, other than
> mod-cluster.
> Also is it possible to  handle dynamic registration of tomcat with LB in
> tomcat itself with minimal changes ?
> If anyone used mod_cluster or some other modules, can you please share some
> links for doing the setup.
> 
> Thanks in Advance.
> 
> Best Regards,
> Mohan


We do it like this:
- mod_proxy
- several small config files which can be easily overwritten (and 
generated by scripts)
- apache graceful instead of restart

So when a tomcat instance is created or stopped we re-generate the 
according httpd config file and do graceful reload.


Regards,
Christoph



Re: Symlinks to index JSP files.

2016-02-26 Thread Christoph Nenning
> > > Hi all,
> > > I'm having some trouble with tomcat and symbolic links. I am working with
> > > OSX and I use a local instance of Tomcat to do some testing before
> > > deploying my site elsewhere.
> > >
> > > What I want to do: I'd like to create a small script which will stop
> > > tomcat, clear out old deployment folders, rebuild my project, copy the
> > > resulting WAR file to the webapps folder, restart tomcat, wait for
> > > deployment to finish, and finally replace a JSP file with a symbolic link
> > > to the corresponding file that is in my workspace.
> > >
> > > Why I want to do this: I'd like to be able to quickly rebuild and redeploy
> > > my WAR and also edit my JSP files and see those changes by simply
> > > refreshing the already-open page.
> > >
> >
> >
> > e.g. eclipse provides good support for such a workflow. You would not need
> > symlinks then...
> >
> >
> > You can find out more here:
> >
> >
> > http://help.eclipse.org/juno/index.jsp?topic=%2Forg.eclipse.wst.server.ui.doc.user%2Ftopics%2Frwrcview.html
> >
> > https://www.youtube.com/results?search_query=eclipse+tomcat
> >
> >
> >
> > Regards,
> > Christoph
> 
> Christoph,
> I have a little experience with the way eclipse does this and I have gotten
> it to work nicely, but to be honest I would like to keep my solution IDE
> independent. There is little to no consensus among my peers about which IDE
> is preferable and if I can provide a solution that will work for everyone,
> that would be best.


Yes, usage of IDEs can be controversial in teams. I cannot help with the 
symlink issue, I just have the alternative approach to use an IDE to 
support that JSP editing workflow.


Regards,
Christoph



Re: Symlinks to index JSP files.

2016-02-26 Thread Christoph Nenning
> Hi all,
> I'm having some trouble with tomcat and symbolic links. I am working with
> OSX and I use a local instance of Tomcat to do some testing before
> deploying my site elsewhere.
> 
> What I want to do: I'd like to create a small script which will stop
> tomcat, clear out old deployment folders, rebuild my project, copy the
> resulting WAR file to the webapps folder, restart tomcat, wait for
> deployment to finish, and finally replace a JSP file with a symbolic link
> to the corresponding file that is in my workspace.
> 
> Why I want to do this: I'd like to be able to quickly rebuild and redeploy
> my WAR and also edit my JSP files and see those changes by simply
> refreshing the already-open page.
> 


e.g. eclipse provides good support for such a workflow. You would not need 
symlinks then...


You can find out more here:

http://help.eclipse.org/juno/index.jsp?topic=%2Forg.eclipse.wst.server.ui.doc.user%2Ftopics%2Frwrcview.html

https://www.youtube.com/results?search_query=eclipse+tomcat



Regards,
Christoph







Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Christoph Nenning
> > Perhaps I'm naïve, but I was looking for a Tomcat provided "getCurrentURL()"
> > call, and assumed that nothing else could have that. :-)
> > 
> > Thank you for the SecurityManager suggestion, I hadn't thought about that.
> > I'll look in to how much of a pain that is.
> 
> 
> You can rebuild the url with several methods of HttpServletRequest like:
> - getScheme()
> - getServerPort()
> - getContextPath()
> - getServletPath()
> - getPathInfo()
> 
> To figure out the host name you can use the Host header:
> getHeader("Host")
> 

Oh, now I see there have been many more messages on this thread. Sorry for 
not reading it first.


 
Regards,
Christoph
> > On 2/11/16, 5:33 PM, "Mark Thomas"  wrote:
> > 
> > >On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
> > >> I would like to have a jar file in tomcat/lib that can be called from
> > >>any of the running web apps.  I need for the code in the jar to behave
> > >>differently depending on which web app called it.  It is not in this
> > >>case possible for the code to "trust" the caller to tell it the URL of
> > >>the caller.
> > >> 
> > >> Is it possible for that code to independently determine the URL of the
> > >>caller?
> > >
> > >If you can't trust the caller to tell you the URL, you can't trust that
> > >the caller isn't going to tinker with whatever mechanism you do use to
> > >determine the URL.
> > >
> > >You'd have a better chance of doing this if you ran under a
> > >SecurityManager but unless you write an application from the start with
> > >the intention of running it under a SecurityManager it is usually a lot
> > >of additional effort to update the app so it runs correctly.
> > >
> > >Mark
> > >
> > >


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Christoph Nenning
> Perhaps I'm naïve, but I was looking for a Tomcat provided "getCurrentURL()"
> call, and assumed that nothing else could have that. :-)
> 
> Thank you for the SecurityManager suggestion, I hadn't thought about that.
> I'll look in to how much of a pain that is.


You can rebuild the url with several methods of HttpServletRequest like:
- getScheme()
- getServerPort()
- getContextPath()
- getServletPath()
- getPathInfo()

To figure out the host name you can use the Host header:
getHeader("Host")


Regards,
Christoph



> On 2/11/16, 5:33 PM, "Mark Thomas"  wrote:
> 
> >On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
> >> I would like to have a jar file in tomcat/lib that can be called from
> >>any of the running web apps.  I need for the code in the jar to behave
> >>differently depending on which web app called it.  It is not in this
> >>case possible for the code to "trust" the caller to tell it the URL of
> >>the caller.
> >> 
> >> Is it possible for that code to independently determine the URL of the
> >>caller?
> >
> >If you can't trust the caller to tell you the URL, you can't trust that
> >the caller isn't going to tinker with whatever mechanism you do use to
> >determine the URL.
> >
> >You'd have a better chance of doing this if you ran under a
> >SecurityManager but unless you write an application from the start with
> >the intention of running it under a SecurityManager it is usually a lot
> >of additional effort to update the app so it runs correctly.
> >
> >Mark
> >
> >
This Email was scanned by Sophos Anti Virus
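
The rebuild from `HttpServletRequest` methods listed in this reply, as an added Java example (not code from the thread): because the `Host` header is supplied by the client, the helper accepts it only when it matches an allow-list of names the application is actually served under. The class name `RequestUrl`, the allow-list and the sample host names are assumptions, and the code is written against the `javax.servlet` API.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

/** Added example: rebuild the request URL, trusting the Host header only if allow-listed. */
public final class RequestUrl {

    private static final Pattern HOSTNAME = Pattern.compile("[a-z0-9]([a-z0-9.-]*[a-z0-9])?");
    private static final Pattern IPV6 = Pattern.compile("\\[[0-9a-f:.]+\\]");
    private static final Pattern PORT = Pattern.compile(":\\d{1,5}");

    private final Set<String> allowedHosts = new HashSet<>();

    public RequestUrl(Collection<String> allowedHosts) {
        for (String h : allowedHosts) this.allowedHosts.add(h.toLowerCase(Locale.ROOT));
    }

    /** Returns scheme, host, port and path of the request, or null for an untrusted Host. */
    public String rebuild(HttpServletRequest req) {
        return build(req.getScheme(), req.getHeader("Host"), req.getServerPort(),
                req.getContextPath(), req.getServletPath(), req.getPathInfo());
    }

    // Separated from rebuild() so the logic can be exercised without a servlet container.
    String build(String scheme, String hostHeader, int port,
                 String contextPath, String servletPath, String pathInfo) {
        String host = hostOf(hostHeader);
        if (host == null || !allowedHosts.contains(host)) return null;
        StringBuilder url = new StringBuilder(scheme).append("://").append(host);
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        if (!defaultPort) url.append(':').append(port);
        url.append(contextPath).append(servletPath); // both are "" when not applicable
        if (pathInfo != null) url.append(pathInfo);  // null when there is no extra path
        return url.toString();
    }

    /** Extracts the lower-cased host from a Host header value, dropping an optional :port. */
    static String hostOf(String header) {
        if (header == null) return null;
        String h = header.trim().toLowerCase(Locale.ROOT);
        int split;
        if (h.startsWith("[")) {                 // IPv6 literal such as [::1]:8080
            split = h.indexOf(']') + 1;          // 0 when the bracket is never closed
            if (split == 0) return null;
        } else {
            split = h.indexOf(':');
            if (split < 0) split = h.length();
        }
        String host = h.substring(0, split);
        String rest = h.substring(split);
        if (!rest.isEmpty() && !PORT.matcher(rest).matches()) return null;
        boolean valid = HOSTNAME.matcher(host).matches() || IPV6.matcher(host).matches();
        return valid ? host : null;
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for a real request.
        RequestUrl urls = new RequestUrl(Arrays.asList("app.example.com"));
        System.out.println(urls.build("https", "App.Example.com:8443", 8443, "/shop", "/cart", null));
        System.out.println(urls.build("https", "other.example.net", 443, "/shop", "/cart", null));
    }
}
```

`getScheme()` and `getServerPort()` describe the connection as Tomcat sees it, so behind a reverse proxy they reflect the proxy-to-Tomcat hop unless the connector or a valve is configured to report the external values.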


Re: HTTP communication

2016-01-29 Thread Christoph Nenning
> I have a problem with my java application related to HTTP communication.
> 
> Application description:
> 
> 1.  Client – server. Server is running in servlet container. We 
> use Tomcat.
> 
> Client use java HTTP library to communicate with the server.
> 
> 2.  When client establish connection to the server it sends GET 
> request (keepalive) and server creates AsyncContext for the client 
> with 10 days timeout.
> 
> 3.  After connection established server periodically sends data 
> to the client using AsyncContext and on the client side there is 
> special thread which reads and processes the data.
> 
> Client reading thread example:
> 
> private class GetRunnable implements Runnable {
> 
>     private final HttpURLConnection httpConn;
>     private final MyConnection myConn;
> 
>     public GetRunnable(final MyConnection myConn) throws IOException, AppException {
>         this.myConn = myConn;
>         final String jSession = myConn.getJSession();
>         httpConn = openHttpUrlConnection(false, httpPostTimeout, jSession);
>         httpConn.connect();
>         final int respCode = httpConn.getResponseCode();
>         if (respCode != HttpURLConnection.HTTP_OK) {
>             String info = "Incorrect response from server, responseCode:" + respCode
>                     + ", message:" + httpConn.getResponseMessage();
>             log.error(info);
>             throw new AppException(info);
>         } else {
>             log.trace("GET connected");
>         }
>     }
> 
>     @Override
>     public void run() {
>         try (final BufferedReader reader = new BufferedReader(
>                 new InputStreamReader(httpConn.getInputStream(), "UTF-8"))) {
>             log.info("doGet STARTED");
>             final Thread t = Thread.currentThread();
>             while (!t.isInterrupted()) {
>                 log.trace("before readline");
>                 final String line = reader.readLine();
>                 log.trace("after readline: [" + line + "]");
> 
>                 //INFO: DATA PROCESSING HERE
>             }
>         } catch (IOException e) {
>             log.error("Error while doGet");
>         } catch (Throwable e) {
>             log.debug("doGet STOPED...");
>             log.error("Error while read input msg, do logoff", e);
>             logoff();
>             throw e;
>         }
>         log.debug("doGet STOPED...");
>         myCallback.onGetClose(myConn, connInfo);
>     }
> }
> 
> Server side code to push data looks like this:
> 
> protected int sendMsgs(final MyConnection myConn, final String info) {
> 
>     int res = 0; // initialised so the method compiles; the posted code never assigns it
>     try {
>         final AsyncContext lAc = _ac;
>         final ServletRequest req = lAc.getRequest();
>         if (!req.isAsyncStarted()) {
>             log.debug("AsyncStarted=false on begin, uid:" + uid + ", sid:" + sid);
>             return -1;
>         }
> 
>         // named "resp" because "res" is already the int result declared above
>         final ServletResponse resp = lAc.getResponse();
>         ServletOutputStream os = null;
>         final String text = getData(myConn);
> 
>         if (os == null)
>             os = resp.getOutputStream();
> 
>         write2stream(os, text, 0x4000);
>         os.println();
> 
>         if (os != null)
>             os.flush();
>     } catch (IOException ex) {
>         log.error("Notify failed");
>     } catch (InterruptedException e) {
>         log.error("Notify failed");
>         Thread.currentThread().interrupt();
>     } catch (Throwable e) {
>         log.error("Notify failed");
>         logoff(true);
>     }
> 
>     return res;
> }
> 
> public static void write2stream(final OutputStream outputStream,
>         final String text, int bufferSize) throws IOException {
>     final CharsetEncoder encoder = getHttpEncodingCharset().newEncoder();
> 
>     final int fullLen = text.length();
>     final int byteBufferSize = Math.min(bufferSize, fullLen);
> 
>     final int en = (int) (byteBufferSize * (double) encoder.maxBytesPerChar());
>     final byte[] byteArray = new byte[en];
> 
>     final ByteBuffer byteBuffer = ByteBuffer.wrap(byteArray);
>     final CharBuffer charBuffer = CharBuffer.wrap(text);
>     for (int pos = 0, len = byteBufferSize;
>             pos < fullLen;
>             pos = len, len = Math.min(pos + byteBufferSize, fullLen)) {
> 
>         try {
>             final CharBuffer window = charBuffer.subSequence(pos, len);
> 
>             CoderResult res = encoder.encode(window, byteBuffer, true);
> 
>             if (!res.isUnderflow())
>   

Re: Installing APR based Apache Tomcat Native Library

2016-01-28 Thread Christoph Nenning
> Hello,
> 
> tomcat version: 8.0.22
> java: jdk1.8.0_05
> server: Amazon Linux AMI
> 
> When deploying my web application to my production environment (detailed
> above), I get a message:
> 
> 
> 
> *The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path*
> So I wanted to install the Apache Tomcat Native library (does this improve
> performance even for a web app that doesn't use SSL?)
> According to the documentation: http://tomcat.apache.org/native-doc/
> I installed the apr-devel and openssl-devel packages with the command:
> 
> yum install apr-devel openssl-devel
> 
> However, I don't understand the next part of the instructions which
> discusses the "make && make install" command.
> From where do I run this command? I searched and I could not find a
> "jni/native" directory.
> From where do I run the "./configure --help" command and the other
> "./configure" commands?
> 
> Thank you.


Those commands mean you compile source code of those libraries. So you 
have to either download source code as zip archives and extract them or 
check it out from version control. You probably need more C development 
tools like a compiler.


Instead of compiling it yourself you can try to install a precompiled 
version from your linux distro's repositories:

yum install apr tomcat-native

If you use a recent version of tomcat it might happen that precompiled 
libraries are outdated.

If you just want to avoid that log message you can disable apr connector 
AprLifecycleListener in server.xml.



Regards,
Christoph



Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-26 Thread Christoph Nenning
> All,
> 
> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
> now available on the Apache Tomcat YouTube channel:
> 
> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
> 
> Mark
> 


We run all our tomcats behind reverse proxies. Would be interesting how 
server push could work in such an environment.


Regards,
Christoph



Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-26 Thread Christoph Nenning
> >> All,
> >>
> >> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
> >> now available on the Apache Tomcat YouTube channel:
> >>
> >> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
> >>
> >> Mark
> >>
> > 
> > 
> > We run all our tomcats behind reverse proxies. Would be interesting how
> > server push could work in such an environment.
> 
> You'd need an HTTP/2 compliant reverse proxy. The proxy would then
> decide whether to push the resource to the client, cache it on the proxy
> or just drop it on the floor. How the proxy decides what to do is TBD.
> 
> Mark
> 
> 

Well, in our case the proxy does not have all the resources to be pushed 
and not the knowledge which resources should be pushed. For us it would be 
great if the application could push through the proxy to the client.


Regards,
Christoph



Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-26 Thread Christoph Nenning
> >>>> All,
> >>>>
> >>>> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
> >>>> now available on the Apache Tomcat YouTube channel:
> >>>>
> >>>> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
> >>>>
> >>>> Mark
> >>>>
> >>>
> >>>
> >>> We run all our tomcats behind reverse proxies. Would be interesting how
> >>> server push could work in such an environment.
> >>
> >> You'd need an HTTP/2 compliant reverse proxy. The proxy would then
> >> decide whether to push the resource to the client, cache it on the proxy
> >> or just drop it on the floor. How the proxy decides what to do is TBD.
> >>
> >> Mark
> >>
> >>
> > 
> > Well, in our case the proxy does not have all the resources to be pushed
> > and not the knowledge which resources should be pushed. For us it would be
> > great if the application could push through the proxy to the client.
> 
> Sorry if I wasn't clear. The app would push to the proxy and then the
> proxy decides whether to push to client, cache or drop the request.
> 
> Mark
> 

Alright, we just need to patch mod_proxy :)



Regards,
Christoph



Re: Tomcat clustering for simplified config

2015-10-12 Thread Christoph Nenning
Christopher,

> >> Hi list,
> >> 
> >> I just signed up to the list - please forgive any newb mistakes
> >> but hopefully I'm following the right format, style and content.
> >> 
> >> I currently work in a production environment with eight app
> >> servers, all running the same version of Tomcat (currently
> >> 7.0.62).  Four servers support version 1 of our app, the other
> >> four servers support version 2.  Within each group of four, two
> >> serve completely open content via 80, the other two support
> >> queries of sensitive data via 443.  Servers are named with a
> >> number system where all odd-named servers are for the secure
> >> content, all evens are open.
> >> 
> >> So here's the setup in a hopefully clearer portrayal:
> >> 
> >> App Version 1: Server 01: secure queries via 443 Server 02: open
> >> content via 80 Server 03: secure queries via 443 Server 04: open
> >> content via 80
> >> 
> >> App Version 2: Server 05: secure queries via 443 Server 06: open
> >> content via 80 Server 07: secure queries via 443 Server 08: open
> >> content via 80
> >> 
> >> Each pair of even and odd named servers are *conceptually*
> >> linked, but physically stand on their own.  All http traffic and
> >> https traffic for each version is directed to a particular server
> >> by a load balancer.  No Apache Web Server is in the mix and we
> >> would like to keep it that way for simplicity.  Load-wise, our
> >> eight Tomcats are not taxed.
> >> 
> >> I'm responsible for upkeep of these servers, which requires
> >> regular version upgrades and configuration changes when any
> >> vulnerability is found by regular, periodic Nessus scans
> >> (http://www.tenable.com/ products/nessus-vulnerability-scanner).
> >> Sometimes the changes are related to ciphers, sometimes other
> >> things, but I'd say 90% of the time, I just need to upgrade to a
> >> newer version.
> >> 
> >> So no big deal conceptually, I fully admit, but doing this across
> >>  eight servers is TEDIOUS.  And more importantly, it's a ripe 
> >> opportunity for introducing user error.  On three occasions I
> >> have brought our production systems by stupid mistakes in
> >> server.xml or other config files, or most recently, accidentally
> >> copying the wrong ROOT from a version 2 (05) box into the version
> >> one boxes (01 and 03). I got things up and running fine with no
> >> serious consequences but this being the third time, I thought
> >> "there has to be a better way" right after I talked myself off
> >> the "you're a complete idiot" ledge.
> >> 
> >> I'm starting to research Tomcat clustering but everything I see
> >> just talks about load balancing and failover.  **What about ease
> >> of configuration??** I'd like to be able to set up Tomcat
> >>  (clusters?) to help automate what I've described
> >> above to make it less tedious and reduce the chances of making
> >> stupid mistakes when I'm on the 6th, 7th, 8th server.  I'm not
> >> sure if Tomcat clustering is what I need, or if I should look at
> >> something else.
> >> 
> >> Can you nice folks help direct me to where I should look for 
> >> starters?  Will Tomcat clustering get me what I want?  or
> >> something else, like Zookeeper?
> >> 
> >> Thanks, Mark Bramer
> >> 
> > 
> > 
> > We do something similar by utilizing docker containers.
> > 
> > At first we create a base-image consisting of: - minified linux
> > distro - jvm - tomcat
> > 
> > Then we have application images based on that which add: - app
> > specific tomcat config - the app itself
> > 
> > These images can be run as multiple instances and thus becoming 
> > containers.
> > 
> > When we update tomcat it is done in the base-image and all
> > app-images are rebuilt and containers restarted. So it is just one
> > place where the change has to be done.
> > 
> > On config updates the according app-image is changed, rebuilt and 
> > restarted.
> 
> I would love to invite you to ApacheCon and have you give a
> presentation on how you do this because it's something I've been
> wanting to do for a while, now.
> 

Happy to hear that :)



> Would your employer send you to ApacheCon?
> 

Looks bad. ApacheCon Europe *might* be possible.


Regards,
Christoph



Re: Tomcat clustering for simplified config

2015-10-12 Thread Christoph Nenning
> I don't have a solution or advice to contribute, but I hope I can 
> spur along some more discussion on the issue.
> 
> We struggle with the problem of pets versus cattle also. 
> 
> We have a farm of pets right now. 
> 
> Our team is still evaluating at what level in our infrastructure our
> tomcat servers will live. 
> 


Here are some notes how *we* do it:


> Tomcat is its own container server, able to deploy and undeploy 
> multiple apps all by itself. Making docker containers of tomcats 
> which will then run multiple webapps-- would we deploy a whole 
> container, pre-loaded with war files? That gives us the power of 
> docker but eliminates the power of tomcat's own deployment. 

We think of it as "application containers", not "tomcat containers". So 
yes, we don't use tomcat's deployment powers anymore.



> Do we 
> create empty tomcat docker containers and fill them with warfiles 
> once they are running? 

We package tomcat, app and app-specific-tomcat-config in one image. 
Deploying a new version of an app means we deploy the whole image. 
Warfiles are not deployed anymore.



> That gives us long-running docker containers 
> which, from what I understand, misses the point of docker. 

We do use long-running docker containers.



> Or do we 
> go old school and use chef/puppet/ansible to create cattle servers 
> in our private cloud without docker altogether. They will be long-
> running, but we will likely pay a price at server creation time. 

We were thinking about that, too. But we concluded that maintaining our 
tomcats and apps with those tools is too hard for us. But actually we use 
puppet to run containers.



Regards,
Christoph



Re: Tomcat clustering for simplified config

2015-10-07 Thread Christoph Nenning
> Hi list,
> 
> I just signed up to the list - please forgive any newb mistakes but 
> hopefully I'm following the right format, style and content.
> 
> I currently work in a production environment with eight app servers,
> all running the same version of Tomcat (currently 7.0.62).  Four 
> servers support version 1 of our app, the other four servers support
> version 2.  Within each group of four, two serve completely open 
> content via 80, the other two support queries of sensitive data via 
> 443.  Servers are named with a number system where all odd-named 
> servers are for the secure content, all evens are open. 
> 
> So here's the setup in a hopefully clearer portrayal:
> 
> App Version 1:
> Server 01: secure queries via 443
> Server 02: open content via 80
> Server 03: secure queries via 443
> Server 04: open content via 80
> 
> App Version 2:
> Server 05: secure queries via 443
> Server 06: open content via 80
> Server 07: secure queries via 443
> Server 08: open content via 80
> 
> Each pair of even and odd named servers are *conceptually* linked, 
> but physically stand on their own.  All http traffic and https 
> traffic for each version is directed to a particular server by a 
> load balancer.  No Apache Web Server is in the mix and we would like
> to keep it that way for simplicity.  Load-wise, our eight Tomcats 
> are not taxed.
> 
> I'm responsible for upkeep of these servers, which requires regular 
> version upgrades and configuration changes when any vulnerability is
> found by regular, periodic Nessus scans (http://www.tenable.com/
> products/nessus-vulnerability-scanner).  Sometimes the changes are 
> related to ciphers, sometimes other things, but I'd say 90% of the 
> time, I just need to upgrade to a newer version.
> 
> So no big deal conceptually, I fully admit, but doing this across 
> eight servers is TEDIOUS.  And more importantly, it's a ripe 
> opportunity for introducing user error.  On three occasions I have 
> brought our production systems by stupid mistakes in server.xml or 
> other config files, or most recently, accidentally copying the wrong
> ROOT from a version 2 (05) box into the version one boxes (01 and 
> 03). I got things up and running fine with no serious consequences 
> but this being the third time, I thought "there has to be a better 
> way" right after I talked myself off the "you're a complete idiot" ledge.
> 
> I'm starting to research Tomcat clustering but everything I see just
> talks about load balancing and failover.  **What about ease of 
> configuration??** I'd like to be able to set up Tomcat  
> (clusters?) to help automate what I've described above to make it 
> less tedious and reduce the chances of making stupid mistakes when 
> I'm on the 6th, 7th, 8th server.  I'm not sure if Tomcat clustering 
> is what I need, or if I should look at something else.
> 
> Can you nice folks help direct me to where I should look for 
> starters?  Will Tomcat clustering get me what I want?  or something 
> else, like Zookeeper?
> 
> Thanks,
> Mark Bramer
> 


We do something similar by utilizing docker containers.

At first we create a base-image consisting of:
- minified linux distro
- jvm
- tomcat

Then we have application images based on that which add:
- app specific tomcat config
- the app itself

These images can be run as multiple instances and thus becoming 
containers.

When we update tomcat it is done in the base-image and all app-images are 
rebuilt and containers restarted. So it is just one place where the change 
has to be done.

On config updates the corresponding app-image is changed, rebuilt and 
restarted.



Regards,
Christoph



Re: what's the Bootstrap? why when I stop it, and tomcat stop running too?

2015-09-24 Thread Christoph Nenning
> > I tried to generate dynamic check code by struts2.  so, I used
> > buffered image class  and javax.imageio for a ByteInputstream  in
> > my Action.
> > 
> > look like the function work fine. but strange thing is:  every time
> > when I access that dynamic check code action. system will be start
> > a java application “Bootstrap”
> 
> What?
> 
> > please check the picture.
> 
> Attachments, including images, are stripped from this mailing list.
> 

hmm, i can see the picture.



> > also, when I  quit this Bootstrap java application, and my tomcat
> > is stop running too.
> 
> How do you "quit" the "Bootstrap application"?
> 


At first sight it looks like the browser downloads an image from the 
tomcat app and opens a local app called bootstrap to show the image. But 
of course that would not explain why tomcat is terminated.


Regards,
Christoph




Re: CsrfPreventionFilter for REST

2015-09-17 Thread Christoph Nenning
Violeta,



> > > Hello,
> > >
> > > *Background information:*
> > >
> > > We are trying to protect our RESTful APIs from CSRF attack.
> > >
> > > The current Tomcat’s CSRF protection filter provides proper protection for
> > > web resources that are supposed to be accessed via some sort of navigation
> > > i.e. there’s an entry point which points to them (for example include
> > > links/post forms to them). With REST APIs you do not have such entry
> > > points as the requests are done independently from each other. We are
> > > interested do you consider supporting CSRF protection for RESTful APIs?
> > >
> > > *Example attack:*
> > >
> > > Here is an example how to reproduce CSRF attack of RESTful APIs using the
> > > attached apps:
> > >
> > >    1. Check customers initial state:
> > >       http://localhost:8080/restDemo/services/customers/ + login with
> > >       tomcat/tomcat
> > >    2. In the same browser open attacker’s app:
> > >       http://localhost:8080/XSRFAttackerApp/
> > >
> > > Behind the scenes request 2. takes advantage of your credentials stored in
> > > the browser and makes attacking POST request to a state changing operation
> > > http://localhost:8080/restDemo/services/customers/removeFirst on your
> > > behalf. After that the customer list is empty.
> > >
> > > The problem is that if we use the CSRF filter to protect this API
> > > /services/customers/removeFirst, this URL is then always served with *403
> > > Forbidden* (due to the missing csrf token). In fact the REST API becomes
> > > unusable.
> > >
> > > *Research:*
> > >
> > > We’ve made some research on the topic and it seems that there is no
> > > absolutely secure and at the same time clear stateless solution. Since it
> > > is possible for an attacker to insert custom headers in the attacking
> > > requests, the validation over header presence is not secure enough.
> > >
> >
> > The ability to insert headers (or tokens in the request string as
> > Tomcat's CSRF filter requires) is irrelevant, because  the attacker
> > has to know the exact token value and the value is random.
> >
> > If you are constantly receiving 403 on your POST requests it means
> > that you are requesting wrong URL (one that does not contain the CSRF
> > token) or your requests are not a part of the session.
> >
> >
> > > The only stable solution is again based on Synchronizer Token
> > > Pattern<https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet>
> > > but instead of encoded in URLs, the csrf token value can be transferred from
> > > and to the client through a custom csrf token header. The rest csrf token
> > > value needs to be stored in some sort of state on client and server side.
> > > In addition REST clients need to adopt this csrf token transfer mechanism.
> > >
> > > *Proposal:*
> > >
> > > You can find on the link
> > > https://docs.google.com/open?id=0B-HUwAvkRIKJTVViWUFkNFl6alU , the
> > > CsrfPreventionFilter extended so that it is able to successfully protect
> > > state changing REST requests. They are validated based on the
> > > “X-CSRF-Token” header (the header name is configurable).
> > >
> > > (...)
> > >
> >
> > The main task of Tomcat's CSRFProtectionFilter is to protect the
> > Manager application. The application does not use XMLHttpRequest so it
> > cannot set the headers.
> > So I see no point in implementing support for passing the token value
> > in a header, as there is no use for it. Is there enough API available
> > to extend the filter in a subclass to cover your specific use case?
> 
> I would like to know whether there is an interest for such filter as part
> of the filters that Tomcat provides by default to its users.
> 


Yes, it would be very interesting if tomcat would provide such a filter!


Regards,
Christoph







> Thanks and Regards,
> Violeta
> 
> > Note that CSRF protection has some specific task. It would not protect
> > you if an attacker is able to request the "welcome" page and parse it
> > to extract the token. It would not protect you if you are using
> > non-secured HTTP and an attacker is able to sniff network traffic.
> >
> > Best regards,
> > Konstantin Kolinko
> >


This Email was scanned by Sophos Anti Virus
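
The header-based synchronizer token discussed in this thread, as an added Java example (it is not the filter linked in the quoted proposal and not Tomcat's own code): a servlet filter that stores a random token in the session, hands it to the client in a response header on request, and rejects state-changing requests whose header value does not match. The `Fetch` request value, the session attribute name, the `headerName` init parameter and the class name are assumptions of this example; it is written against the `javax.servlet` API.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: synchronizer token carried in a request header instead of the URL. */
public class HeaderCsrfFilter implements Filter {

    private static final String SESSION_ATTR = "example.csrf.token"; // hypothetical name
    private static final String FETCH = "Fetch";                      // example convention
    private static final Set<String> READ_ONLY =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));

    private final SecureRandom random = new SecureRandom();
    private final Object lock = new Object();
    private String headerName = "X-CSRF-Token";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("headerName"); // hypothetical init-param
        if (configured != null && !configured.isEmpty()) headerName = configured;
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String sent = req.getHeader(headerName);

        if (READ_ONLY.contains(req.getMethod())) {
            // Read-only requests pass. A client asking with "Fetch" gets the session's
            // token in a response header, which a page from another origin cannot read.
            if (FETCH.equalsIgnoreCase(sent)) {
                res.setHeader(headerName, tokenFor(req.getSession(true)));
            }
            chain.doFilter(rq, rs);
            return;
        }

        // State-changing request: the header must carry the exact session token.
        // Checking the value, not just the header's presence, is what the thread asks for.
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_ATTR);
        if (expected == null || sent == null || !sameValue(expected, sent)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Returns the session's token, creating a 256-bit random one on first use. */
    private String tokenFor(HttpSession session) {
        synchronized (lock) {
            String token = (String) session.getAttribute(SESSION_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];
                random.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(SESSION_ATTR, token);
            }
            return token;
        }
    }

    /** Compares without leaking the position of the first mismatch through timing. */
    private static boolean sameValue(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The scheme holds only if GET, HEAD and OPTIONS handlers never change state; with this filter mapped over the REST paths, the POST to `/services/customers/removeFirst` from the thread's example is answered with 403 unless it carries the session's token.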