Re: Any tutorials or hints about JSP using javax.script engines instead of Java?
I'm a little confused. What would one hope to gain by doing this? On 10/8/2019 9:11 AM, Rony G. Flatscher (Apache) wrote: Does anyone know of any tutorials that would demonstrate how to use any javax.script language in JSPs instead of Java (e.g. using Jython or JavaScript instead)? If not, any advice/hint how to realize/create such a functionality (for then creating such a tutorial instead) would be highly appreciated! ---rony - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Re: Running sudo from a servlet
A better way to do this would be to setup something like xinetd listening on a socket and use a connection to the socket to trigger the execution. You can write a configuration/parameters file in a location. Just a point: when you use runtime.exec on Linux, it does a fork of the process. That DOUBLES your process space memory. IOW, if tomcat's running with 4GB of memory, when you do a runtime.exec, that's going to double your memory usage to 8GB while the process runs. If you're not planning for this, it can be a nasty shock. On 5/21/2019 11:52 AM, Claude Brisson wrote: Hi all. I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu 19.04). Tomcat was installed by apt-get and runs as a service. If I open a shell as the tomcat8 user, I can launch a Java program which successfully executes a sudo command in a sub-process. But from a Java servlet, the code fails with this error from the sudo executable: sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? which means that somehow, the tomcat process was unable or unwilling to honor the setuid flag of the sudo command. Is it a special security measure ? If yes, is it set in tomcat ? in the JVM ? In Ubuntu's tomcat8 service packaging? In systemd config? And is there any configuration option to relax it? Thanks, Claude -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Re: IIS Connector Not Working
One more bit of information: if I go to : http://hostname/jakarta/ on the working machine, I get a 403-Forbidden. If I go to the same url on the non-working machine, I get a directory listing of the files in the directory that the "jakarta" application points to. On 8/6/2018 7:38 PM, George S. wrote: I'm having a rough time getting the IIS Connector working on a specific machine. I'm getting a 404 error when I request a file in my Tomcat application. I'm using version 1.2.43 of the ISAPI Redirector on Windows Server 2016 with IIS 10.0. I've carefully checked, and re-checked, and followed the directions. I can get it to work on a machine with a scratch install of Microsoft Windows Server 2016, but I can't get it to work on another machine. I'm not getting an isapi_redirect.log file in the ${catalina.base}\logs directory. I've checked and re-checked the permissions. I've tried running the "jakarta" application under an App pool that runs as "Network Service" and under "DefaultAppPool". For DefaultAppPool, I set permissions on the directory for "IIS AppPool\DefaultAppPool". In neither case do I get an ISAPI Redirect log. I know from experience that not getting an isapi_redirect.log file usually indicates a permission problem but I've beaten that silly. I've verified my URIWorkerMap.properties and Workers.properties files exist as expected. I tried enabling Windows Tracing for 404 requests, and the log files aren't getting created by IIS for the failed request. Does anyone have any ideas? Is there another way to integrate with IIS via reverse proxy? I would REALLY appreciate any ideas. -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
IIS Connector Not Working
I'm having a rough time getting the IIS Connector working on a specific machine. I'm getting a 404 error when I request a file in my Tomcat application. I'm using version 1.2.43 of the ISAPI Redirector on Windows Server 2016 with IIS 10.0. I've carefully checked, and re-checked, and followed the directions. I can get it to work on a machine with a scratch install of Microsoft Windows Server 2016, but I can't get it to work on another machine. I'm not getting an isapi_redirect.log file in the ${catalina.base}\logs directory. I've checked and re-checked the permissions. I've tried running the "jakarta" application under an App pool that runs as "Network Service" and under "DefaultAppPool". For DefaultAppPool, I set permissions on the directory for "IIS AppPool\DefaultAppPool". In neither case do I get an ISAPI Redirect log. I know from experience that not getting an isapi_redirect.log file usually indicates a permission problem but I've beaten that silly. I've verified my URIWorkerMap.properties and Workers.properties files exist as expected. I tried enabling Windows Tracing for 404 requests, and the log files aren't getting created by IIS for the failed request. Does anyone have any ideas? Is there another way to integrate with IIS via reverse proxy? I would REALLY appreciate any ideas. -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Re: User session validation
On 3/28/2018 5:20 PM, Alex O'Ree wrote: Does tomcat do any validation on session id's based on IP addresses? I'm thinking that if someone intercepts the session token and tries to use it from another ip address, then it's feasible to detect this and invalidate the session. If you're using SSL, I don't think intercepting the session ID would be possible. -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
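The check asked about in the message above, written as an application-level servlet filter. This is an added example, not code from the thread or from Tomcat; the class name and session attribute name are hypothetical, and it assumes the javax.servlet API used by Tomcat 8.5. Clients whose address legitimately changes mid-session (mobile networks, NAT pools) will be logged out by it.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds each HttpSession to the client address that created it and
 * invalidates the session when it is presented from a different address.
 * Map it to /* in web.xml. Names are hypothetical.
 */
public class SessionAddressFilter implements Filter {

    // Hypothetical attribute name holding the address the session is bound to.
    private static final String BOUND_ADDR = "example.session.boundAddr";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Behind a reverse proxy this is the proxy's address unless something
        // like Tomcat's RemoteIpValve has restored the client address first.
        String addr = request.getRemoteAddr();

        HttpSession session = request.getSession(false);
        if (session != null) {
            Object bound = session.getAttribute(BOUND_ADDR);
            if (bound != null && !bound.equals(addr)) {
                // Log the addresses only, never the session ID itself.
                request.getServletContext().log("Session presented from " + addr
                        + " but bound to " + bound + "; invalidating");
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        chain.doFilter(req, res);

        // Bind sessions that were created while this request was handled
        // (getSession(false) returns null if the session was invalidated).
        session = request.getSession(false);
        if (session != null && session.getAttribute(BOUND_ADDR) == null) {
            session.setAttribute(BOUND_ADDR, addr);
        }
    }
}
```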
Re: Granting permission to a single application-supplied JAR
Chris, One thing that has bitten me is that the entire stack/call chain is examined, not just permissions on a specific piece of code as you would expect. This comes into play when you're trying to make calls into trusted code from a JSP. My experience has been that JSPs are not trusted. So, even if you grant some code permissions to a specific codebase, the JSP making the call is untrusted and things fail. I ran into this recently using the Apache LDAP library with a JSP. A bunch of reads would fail. I see the tomcat security manager howto makes a reference to "pre-compiled jsp" but it's pretty vague (to my simple mind anyhow). I think the intention was to have pre-compiled JSPs live in a trusted codebase path. There's probably a way that you can mark all JSPs as trusted (I'm thinking a grant to $CATALINA_BASE/work/Catalina), but that kind of defeats the point. If you mark standard JSPs as trusted, then anyone that can get a file in the context path can bypass your security model. What I ended up doing on the last project was putting all of the code that made the calls into the Apache LDAP directory into a specific jar, and signing that jar with a certificate. Then I have a grant that trusts anything signed with that certificate. The security manager can be maddening to work with. Just as a tip for my specific usage, I have a skeleton policy file and the tomcat startup script merges my policy file into Tomcat's policy file. I just found there's another way of doing that, but it doesn't look any better since it requires modifying a file in $JDK/JRE_HOME. On 3/22/2018 3:39 PM, Christopher Schultz wrote: All, I'm working on getting my application working under a SecurityManager. It's actually been a little less painful than I thought it would be. I'm using Solr for some index searching. I'm using SolrJ for the library to communicate via HTTP to a localhost Solr server. 
When using this grant: grant { permission "java.util.PropertyPermission" "solr.httpclient.builder.factory", "read"; permission "java.net.SocketPermission", "localhost:8983", "resolve,connect"; } My application can contact Solr without any errors. If I change the "grant" to include a codeBase to restrict those connections to the Solr library, I get an AccessControlException: access denied to the system property. Here is the modified grant: grant codeBase "file:${catalina.base}${file.separator}webapps${file.separator}myapp${file.separator}WEB-INF${file.separator}lib${file.separator}solr-solrj-7.2.1.jar" { permission "java.util.PropertyPermission" "solr.httpclient.builder.factory", "read"; permission "java.net.SocketPermission" "localhost:8983", "resolve,connect"; }; I have verified that the file exists under the path specified above. I tried both ${file.separator} and '/' as the file separator. I also tried "jar:/path/to/jar!/-" as the codeBase. No luck. These grants are added to the end of the stock catalina.policy file that ships with Tomcat. What am I missing, here? 
-chris -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Re: HOME user folder change & tomcat HOME
Did you edit /etc/passwd and change the home directory for your user xnat? On 3/27/2018 9:27 AM, Jérôme Redouté wrote: Hello, I've installed tomcat8 on Debian 9, to run a web App (XNAT) I've a problem concerning the HOME directory of my user "xnat". Before the HOME was, as expected, in /home/xnat but now (after deploying XNAT app), it moved to /var/lib/tomcat8 and I can't reverse back the original HOME. I suspect it is related to misconfiguration of tomcat, but I can't find where. Can you help me? few infos concerning my tomcat install: Using CATALINA_BASE: /usr/share/tomcat8 Using CATALINA_HOME: /usr/share/tomcat8 Using CATALINA_TMPDIR: /usr/share/tomcat8/temp Using JRE_HOME: /usr Using CLASSPATH: /usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar Server version: Apache Tomcat/8.5.14 (Debian) Server built: Sep 3 2017 17:51:58 UTC Server number: 8.5.14.0 OS Name: Linux OS Version: 4.9.0-6-amd64 Architecture: amd64 JVM Version: 1.8.0_162-8u162-b12-1~deb9u1-b12 JVM Vendor: Oracle Corporation Thanks -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Tomcat 8.5.28 SSL - Cannot store non-PrivateKeys
I'm hitting the error: SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]] org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]] Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys The connector is configured as: I've verified the tomcat user can read the two files, and I've su'd to user tomcat and used: openssl rsa -in key.pem -text and the private key was dumped as expected. The key is not encrypted. The cert is self-signed and was generated by OpenSSL using CA.sh. I'm kind of at a loss here. The example server.xml entries show naming PEM files directly, and the connector docs seem to imply that pem files are supported. Can anyone give me a pointer on what to do here? -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Re: Apache Tomcat 8.5.24 SSL Configuration
On 12/21/2017 3:24 PM, Thomas Delaney wrote: Thank you for the input so far! I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still receive the same result when running the openssl s_client command I received this as the Cipher and SSL version Protocol : TLSv1.2 Cipher: DHE-RSA-AES256-GCM-SHA384 I also get a message saying "verify error:num=20:unable to get local issuer certificate" "Verify return code: 20 (unable to get local issuer certificate)" This may not be a meaningful error. Are you specifying the CAPath or CAFile arguments on the command line? See this page: https://stackoverflow.com/questions/11548336/openssl-verify-return-code-20-unable-to-get-local-issuer-certificate. You did double-check the path and permissions on your various certificate files right? Also, did you inspect your files using openssl? E.G.: openssl x509 -in conf/CA_server_bundle.crt -text You might try running Tomcat with: -Djavax.net.debug=ssl to enable SSL Debugging. I'm not going to lie though, it can be pretty difficult to weed through the tons of content generated. On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: Peter, On 12/21/17 2:38 AM, l...@kreuser.name wrote: Hi Thomas, On 21.12.2017 at 00:56, Thomas Delaney <tdelaney@gmail.com> wrote: Greetings, I am having trouble regarding google chrome's behavior to Apache Tomcat's SSL setup. I have been successful getting an ssl website to work with Apache HTTP web server, but not Apache Tomcat 8.5.24 on google chrome. Mozilla Firefox brings me to my site with no problem. When going to https://mydomain.com:8443 I receive a message from Google Chrome. Google Chrome Error - This site can’t provide a secure connection mydomain.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH Unsupported protocol The client and server don't support a common SSL protocol version or cipher suite. 
When checking Google Chrome's Browser console in the security tab I receive: Page is not secure Valid certificate secure resources Here is the following background info I have for the configuration I gave Apache Tomcat when setting up the 8443 connector Chrome Version 63.0.3239.108 (Official Build) (64-bit) Linux OS: SUSE Enterprise 12 sp1 Packages installed: - OpenSSL 1.0.2n 7 Dec 2017 - jdk version 1.7.0_79 That may be the culprit. Apparently this (old) version of Java7 will not provide in the default modern ciphers that Chrome requires. And the config is using the JSSE SSL implementation. But as you have TC Native and openssl 1.0.2 you should switch to openssl. This probably isn't the problem since Thomas is using the APR connector. TLS cipher suite support (or lack thereof) from Java 1.7 is not relevant. - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 - tomcat-native-1.2.16-src Server.xml apr connector (Certificates are signed from GoDaddy and are placed in the conf directory of Apache Tomcat): This looks okay to me. If you start Tomcat and then use "openssl s_client -connect :", does openssl connect? It should report the protocol and cipher suite being used to connect. 
If your server is externally-accessible, consider using an external TLS capabilities scanner such as that from Qualys, https://www.ssllabs.com/ssltest/ -chris -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Re: Apache Tomcat 8.5.24 SSL Configuration
On 12/21/2017 3:24 PM, Thomas Delaney wrote: Thank you for the input so far! I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still receive the same result when running the openssl s_client command I received this as the Cipher and SSL version Protocol : TLSv1.2 Cipher: DHE-RSA-AES256-GCM-SHA384 I also get a message saying "verify error:num=20:unable to get local issuer certificate" "Verify return code: 20 (unable to get local issuer certificate)" I second Chris Schultz's recommendation that you run the site through the SSL Labs testing site and see what it points out. It's going to check a lot more things right off the bat and display them in an easier format: https://www.ssllabs.com/ssltest/ On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: Peter, On 12/21/17 2:38 AM, l...@kreuser.name wrote: Hi Thomas, On 21.12.2017 at 00:56, Thomas Delaney <tdelaney@gmail.com> wrote: Greetings, I am having trouble regarding google chrome's behavior to Apache Tomcat's SSL setup. I have been successful getting an ssl website to work with Apache HTTP web server, but not Apache Tomcat 8.5.24 on google chrome. Mozilla Firefox brings me to my site with no problem. When going to https://mydomain.com:8443 I receive a message from Google Chrome. Google Chrome Error - This site can’t provide a secure connection mydomain.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH Unsupported protocol The client and server don't support a common SSL protocol version or cipher suite. 
When checking Google Chrome's Browser console in the security tab I receive: Page is not secure Valid certificate secure resources Here is the following background info I have for the configuration I gave Apache Tomcat when setting up the 8443 connector Chrome Version 63.0.3239.108 (Official Build) (64-bit) Linux OS: SUSE Enterprise 12 sp1 Packages installed: - OpenSSL 1.0.2n 7 Dec 2017 - jdk version 1.7.0_79 That may be the culprit. Apparently this (old) version of Java7 will not provide in the default modern ciphers that Chrome requires. And the config is using the JSSE SSL implementation. But as you have TC Native and openssl 1.0.2 you should switch to openssl. This probably isn't the problem since Thomas is using the APR connector. TLS cipher suite support (or lack thereof) from Java 1.7 is not relevant. - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 - tomcat-native-1.2.16-src Server.xml apr connector (Certificates are signed from GoDaddy and are placed in the conf directory of Apache Tomcat): This looks okay to me. If you start Tomcat and then use "openssl s_client -connect :", does openssl connect? It should report the protocol and cipher suite being used to connect. 
If your server is externally-accessible, consider using an external TLS capabilities scanner such as that from Qualys, https://www.ssllabs.com/ssltest/ -chris -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Re: daemon.sh and multiple tomcat instances
My technique is something like this on OpenSUSE: in $CATALINA_BASE, I put bin/catalina.sh It sources the file: /etc/sysconfig/tomcat In /etc/sysconfig/tomcat I define: CATALINA_BASE CATALINA_HOME JAVA_OPTS and a few others. $CATALINA_BASE/bin/catalina.sh starts tomcat via JSVC. in my particular case, auto-startup isn't important, so I just run it by hand after a reboot. This is pretty much following OpenSUSE's configuration/methodology. Admittedly, separating out the defines from the script doesn't get me a great deal other than it makes it easier to maintain. Also, I'm unlikely to accidentally break the script. There's no "clean" way to do this. If you were running on Windows, you'd have two service entries, and the relevant information (CATALINA_BASE, etc) would be in the registry. If I liked systemd more, I'd probably try to figure it out, but it can be kind of tricky. On 12/7/2017 1:47 PM, Chris Cheshire wrote: Apologies in advance for semi-OT sysadmin question. Tomcat 8.5.24, running on Centos 6. I have built jsvc according to instructions in distribution. I have two tomcat instances under different users (sandbox1, sandbox2) that have their own CATALINA_BASE. I can start these manually from the command line without a problem. How do I set up daemon.sh to run on boot for multiple users? Do I need to (as root), make a copy of daemon.sh under /etc/init.d for each user (tc_sandbox1, tc_sandbox2) and edit those to set the environment variables in it (CATALINA_HOME, CATALINA_BASE, JAVA_HOME, TOMCAT_USER), then use chkconfig to install the scripts? This seems kind of clunky to set up. Is this the right way to go about it or am I making it more complicated than it needs to be? -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Contributor on Wiki
Could someone please add me (George Sexton) to the contributor group on the Tomcat Wiki? Thanks. -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Re: SSL connectors
On 12/1/2017 8:44 AM, Mark Thomas wrote: On 01/12/17 14:57, Chris Cheshire wrote: I see in the changelog for 8.5.24 60762: Add the ability to make changes to the TLS configuration of a connector at runtime without having to restart the Connector. (markt) What strikes me as odd is that SSL Certificates are still coupled to connectors. It seems like certificates should be coupled to Hosts since that's what SNI does. SNI removes the coupling between an IP and a virtual host name. Pre-SNI, there was a logical reason to associate a certificate with a connector. The fact that you could only have one certificate on one IP, made the one-to-one correlation obvious. Now, with SNI, you can have many SSL Certificates with one IP. However, Tomcat's continuation of associating the SSL Certificate with the Connector, rather than the virtual host it's associated with is cumbersome because now when I configure a virtual host with an SSL certificate, I not only have to configure the host, but also the connector. As a database person, I try to follow the rule that the attributes should follow the entity. In this case, the attributes (SSLHostConfig) are facts about the virtual host, and not about the Connector (entity). I'd like to see the Connector iterate over the virtual hosts and pick up the SSLHostConfig from there. Perhaps the SSLHostConfig should have an optional attribute "ConnectorName" to identify which Connector (assuming there are multiple) the SSLHostConfig should bind to for the case of multi-homed machines. The "ConnectorName" attribute would be used in multi-homed hosts to specify which (of several) connectors the SSLHostConfig should bind to. Since I'm on wish lists, I wish that the Host XML snippet could be specified via a file in $CATALINA_BASE/conf/EngineName/Virtual.Host.Name via a magic name like _HOST.xml, or the like. 
I run anywhere from 600-2000 virtual hosts on a machine, and my current "work-around" is to use the inclusion hack to bring in an external file with the defined virtual hosts. Does this mean we can now update SSL certificates without bouncing the connector? Yes, via one of the following methods on the endpoint: reloadSslHostConfig(String hostName) reloadSslHostConfigs() If accessing this via JMX, they appear as operations on the ThreadPool objects. Mark -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
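The two reload operations named above, invoked through JMX after a certificate file has been replaced on disk. This is an added example, not code from the thread or from Tomcat; it assumes it runs inside the Tomcat JVM, that the ThreadPool MBean carries the connector name in a quoted `name` key, and the class name and sample connector name are hypothetical.

```java
import java.lang.management.ManagementFactory;
import java.util.Set;
import javax.management.JMException;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/**
 * Reloads the TLS configuration of one connector without restarting it.
 * Keep this out of reach of untrusted web applications, and require
 * authentication if the same MBeans are exposed over remote JMX.
 */
public final class TlsConfigReloader {

    private TlsConfigReloader() { }

    /** Finds the ThreadPool MBean(s) for a connector, whatever the JMX domain is. */
    private static Set<ObjectName> threadPools(MBeanServer server, String connectorName)
            throws JMException {
        // Assumed name layout: <domain>:type=ThreadPool,name="<connector name>"
        ObjectName pattern = new ObjectName(
                "*:type=ThreadPool,name=" + ObjectName.quote(connectorName));
        return server.queryNames(pattern, null);
    }

    /**
     * Invokes reloadSslHostConfigs() for every TLS host of the connector.
     *
     * @param connectorName protocol handler name as written in the startup log,
     *                      for example https-jsse-nio-443 (sample value)
     * @return number of MBeans the operation was invoked on; 0 means the
     *         connector name did not match anything
     */
    public static int reloadAll(String connectorName) throws JMException {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        int invoked = 0;
        for (ObjectName name : threadPools(server, connectorName)) {
            server.invoke(name, "reloadSslHostConfigs", new Object[0], new String[0]);
            invoked++;
        }
        return invoked;
    }

    /** Invokes reloadSslHostConfig(String hostName) for a single TLS virtual host. */
    public static int reloadHost(String connectorName, String hostName) throws JMException {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        int invoked = 0;
        for (ObjectName name : threadPools(server, connectorName)) {
            server.invoke(name, "reloadSslHostConfig",
                    new Object[] { hostName },
                    new String[] { String.class.getName() });
            invoked++;
        }
        return invoked;
    }
}
```

A return value of 0 from either method is worth alerting on in a certificate renewal job, since it means the old certificate is still being served.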
Tomcat 8.5.23 Initialization PRNG/SSL
I'm seeing some strange ssl errors. They're not reproducible consistently, and I think they're because the PRNG is initializing after the Connector. Here's some log output:
26-Oct-2017 17:04:08.380 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
26-Oct-2017 17:04:08.429 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-443"]
26-Oct-2017 17:04:08.459 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
26-Oct-2017 17:04:08.492 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 56903 ms
26-Oct-2017 17:05:16.364 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [118,978] milliseconds.
The exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
Has anyone else seen something like this? The app is making an internal SSL connection to another servlet. 
I don't know why they didn't use a RequestDispatcher and do .include(), but it's not my code. Anyhow, am I right that the exception is probably related to the connectors coming up before the PRNG? -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.connectdaily.com
Security Policy
I have a question about security policies. I have a jar file that I'm putting in my WEB-INF/lib directory. The jar is signed with a certificate. I've inspected the jar file using jarsigner and it is signed. There is a policy entry that basically says if a jar is signed with that key, grant all permissions. When I call a method that opens a file, I'm getting access control exception. Another jar, signed with the same certificate does work. The one huge difference is that the working example is a servlet inside the signed jar. The non-working example is a JSP that's in the application's top-level directory. IOW JSP -> calls instance method of class in signed jar. I expected that by having the JSP call into a signed jar, I would be able to open the file under the security manager. Is that wrong? -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.connectdaily.com
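The call-chain behaviour described in this message and in the "Granting permission to a single application-supplied JAR" reply above, with one way to handle it. This is an added example, not code from the thread: the SecurityManager checks every protection domain on the stack, so a signed jar called from a JSP is still denied unless the signed class wraps the sensitive call in AccessController.doPrivileged. The package, class name, signer alias, keystore path and data directory are hypothetical, and the grant is deliberately narrower than "all permissions".

```java
// Policy fragment this class assumes (alias and paths are hypothetical):
//
//   keystore "file:${catalina.base}/conf/signers.jks", "JKS";
//   grant signedBy "appsigner" {
//       permission java.util.PropertyPermission "catalina.base", "read";
//       permission java.io.FilePermission "${catalina.base}/data/-", "read";
//   };
package com.example.secure;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
 * Lives in the signed jar. A JSP, which has no FilePermission of its own,
 * calls it like this:
 *
 *   <%= com.example.secure.TrustedFileReader.read("motd.txt") %>
 */
public final class TrustedFileReader {

    private TrustedFileReader() { }

    /** Reads one file from ${catalina.base}/data on behalf of an untrusted caller. */
    public static String read(final String name) throws IOException {
        // Validate BEFORE elevating. Inside doPrivileged only this jar's grant
        // is consulted, so a caller-supplied path must not be able to widen
        // what gets read (no separators, no "..", no leading dot).
        if (name == null || name.startsWith(".") || !name.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("illegal file name");
        }
        try {
            // The cast selects the PrivilegedExceptionAction overload; without
            // it the lambda is ambiguous between the two doPrivileged methods.
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<String>) () -> {
                        // The permission check stops at this frame: the JSP's
                        // protection domain further down the stack is ignored.
                        Path base = Paths.get(System.getProperty("catalina.base"), "data");
                        Path file = base.resolve(name);
                        return new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
                    });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IllegalStateException(cause);
        }
    }
}
```

Keep the privileged block as small as shown: anything executed inside it runs with the jar's full grant no matter who called, so every argument that reaches it has to be checked first.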
Re: Registering Plugins, e.g. javax.imageio...
Christopher, Thanks so much for your help. I've been digging into this and with your help, I've made some real progress. I've made additional comments below. On 9/11/13 9:36 AM, Christopher Schultz wrote: George, On 9/10/13 6:34 PM, George S. wrote: On 9/10/13 3:14 PM, Christopher Schultz wrote: - Is there a way that I can specify something in the server.xml code that would register them? The only thing I can see is to create a org.apache.catalina.LifecycleListener and put the code to register the plugins in there. Is there some other way of doing it? How would you do it if you weren't running under Tomcat? I only ever run Java with tomcat (or maybe ant), so I wouldn't know. Okay. I had never heard of an imageio plugin before. Are you basically registering file-type handlers? I'm just guessing at all of this, since I've never done anything besides use ImageIO for mundane operations like loading, saving, and re-sizing images. I'm doing an auto-thumbnailer which resizes images. I've run into problems with some files. For example, some Adobe JPGs are stored with a color space of CMYK, or YCCK, which the default Java ImageIO code does not handle correctly. The TwelveMonkeys plugin registers a handler that is more complete and overrides the default behavior. Similarly, I'm using PDFBox to thumbnail PDF images. It's been having problems if the PDFs have JBIG2 encoded images in there since the Java ImageIO stuff doesn't handle JBIG2. The Levigo JBIG2 library is for that. Have you called ImageIO.scanForPlugins()? The documentation gives light details on how the plug-ins are found: http://docs.oracle.com/javase/7/docs/api/javax/imageio/ImageIO.html#scanForPlugins%28%29 No, I wasn't calling that. I just tested it, and that does work. I'll make suggestions to the library providers that reference that. I honestly did search around a lot and found posts that referenced manually registering them which is the direction I went. 
I've got more comments below about why I think this works when from reading the doc strictly, it should not be necessary. What version of Java are you using? I've tried with Oracle 1.7.0 U 25 on x64 Linux. I was also using 1.6.0 U 29 on x64 Linux Perhaps you have to place your plugins under an endorsed directory (i.e. one specified via JAVA_ENDORSED_DIRS environment variable when using Tomcat startup scripts). -chris Well, I think this is how it's supposed to be done. However, the jar's internal getResourceAsStream() function is failing when it's trying to load properties that are built into the jar. This is being tested without a security manager. It looks like being run in java.endorsed.dirs is breaking the classloader. I did some research, and it looks like java.endorsed.dirs runs in Tomcat's Bootstrap classloader. The comments in the class loader howto don't make me optimistic that I could make this work. I think I'm just going to follow through on my original idea of using a PluginLoader as a LifecycleListener You probably don't have to do this. Just make sure that your JAR file has all the resources in the right place(s) and it should work. Testing outside of Tomcat should be easy: just write a small harness that tries to e.g. load an image of one of those exotic types that the JVM doesn't already recognize, and make sure that CLASSPATH is correct when running it. If that works, it should work in Tomcat, too, since the ClassLoader should always be the WebappClassLoader, whose resource list includes all JAR files in WEB-INF/lib and all files rooted in WEB-INF/classes I had the libraries in the $CATALINA_BASE/lib directory, and I would have expected them to work. I think in a more regular environment (only one classloader) everything would work seamlessly. WEB-INF/lib is a problem because I run hundreds of contexts all referencing the same code. From looking at the tomcat classloader howto doc, here's what I think was happening. 
My understanding may be wrong, but again it's based on reading the classloader howto. I'm thinking that ImageIO is scanning for plugins when the System classloader is initialized. The plugin jar files that I was attempting to use were in $CATALINA_BASE/lib, which is the common classloader. Essentially, when I make the call to scanForPlugins(), a whole new classpath (common) is online, and that's why it works. This means my whole plugin-loader strategy is not really necessary. I just have to get scanForPlugins() called once. In a way, this kind of raises a question. I've read the docs on ServiceLoader here: http://docs.oracle.com/javase/7/docs/api/java/util/ServiceLoader.html The imageio plugins are exactly a case and I'm thinking that scanForPlugins() does a ServiceLoader.reload(). I guess the question in my mind is there a way that tomcat could generically note any META-INF/services entries and ensure the proper thing is done to get those
Re: (ATTN: ELI) How tomcat is handling bandwidth sharing across all request
On 9/11/13 12:17 PM, Eli wrote: Can I ask a tomcat question here. I'm trying to use Tickets.com and get error message and it says tomcat with numbers after Sure, but this is a list for people who are using Tomcat to write software and deploy it. The best thing to do would be to take a screen shot of your browser with the error and send it to tickets.com support email. It would also be helpful to them if you could include in as much detail as possible the steps you followed to make the error happen. Sent from my iPhone On Sep 11, 2013, at 2:16 PM, George S. geor...@mhsoftware.com wrote: Really, Eli, if you hadn't noticed, there are unsubscribe instructions at the bottom of the message: On 9/11/13 12:01 PM, Eli wrote: Too complicated Sent from my iPhone - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/
Re: (ATTN: ELI) How tomcat is handling bandwidth sharing across all request
Really, Eli, if you hadn't noticed, there are unsubscribe instructions at the bottom of the message: On 9/11/13 12:01 PM, Eli wrote: Too complicated Sent from my iPhone - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/
Registering Plugins, e.g. javax.imageio...
I've got an app that I'd like to register some plugins for. Some examples of the things I'd like to register are the levigo JBIG2 decoder (for PDFBOX), and the TwelveMonkeys JPEG plugin (for CMYK/YCCK) image thumbnailing. I've tried just putting the jars in the $CATALINA_BASE/lib (6.0.37) directory but it looks like that is not enough to register them. Just out of curiosity, is that right? Should tomcat be registering them? I've looked, and there are META-INF/services entries. FWIW, I am also running under a security manager. I'd like to use the plugins if they're available, but not put a dependency in my code for them. I'm running several hundred contexts per instance, so it would be nice to move it to the container. Is there a way that I can specify something in the server.xml code that would register them? The only thing I can see is to create an org.apache.catalina.LifecycleListener and put the code to register the plugins in there. Is there some other way of doing it? Any ideas would be appreciated. -- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/
Re: Registering Plugins, e.g. javax.imageio...
On 9/10/13 3:14 PM, Christopher Schultz wrote: - Is there a way that I can specify something in the server.xml code that would register them? The only thing I can see is to create an org.apache.catalina.LifecycleListener and put the code to register the plugins in there. Is there some other way of doing it? How would you do it if you weren't running under Tomcat? I only ever run Java with tomcat (or maybe ant), so I wouldn't know. Perhaps you have to place your plugins under an endorsed directory (i.e. one specified via JAVA_ENDORSED_DIRS environment variable when using Tomcat startup scripts). - -chris Well, I think this is how it's supposed to be done. However, the jar's internal getResourceAsStream() function is failing when it's trying to load properties that are built into the jar. This is being tested without a security manager. It looks like being run in java.endorsed.dirs is breaking the classloader. I did some research, and it looks like java.endorsed.dirs runs in Tomcat's Bootstrap classloader. The comments in the class loader howto don't make me optimistic that I could make this work. I think I'm just going to follow through on my original idea of using a PluginLoader as a LifecycleListener -- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/
Re: Accessing HREF Target from Servlet
Yes, I put some code in the page to detect the HREF anchor in the window location, and then I pass it back to the server. Nothing's ever as easy as you would like... On 6/28/13 7:55 AM, Christopher Schultz wrote: George, On 6/27/13 8:56 PM, George S. wrote: OK, I'm thinking that was a dumb question. If I'm understanding things, the browser is making the request for the page, and then looking for the HREF target in the generated page. So, the reality is that tomcat never sees the part after the # sign. Rats. Correct. I suppose there's nothing stopping a browser from sending you the anchor part of the URL, but it's not really supposed to be part of the resource identifier (the resource is the page, not the particular place on the page where the user is scrolled-to) so it's pretty much never sent to the server. Javascript, on the other hand, will likely have access to this information, so you could always make an AJAX request to the server to provide/get more information. 
- -chris -- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/
Re: [OT] Accessing HREF Target from Servlet
On 6/29/13 9:29 AM, André Warnier wrote: George S. wrote: I have a question. I'm doing some oAuth stuff, and the remote site is redirecting me to: my_url.html#something=blahother_thing=blah-blah I can see this is the url in the redirect of my browser bar. What I can't figure out is how to access the part of the URL after the pound sign. I've tried getRequestURI(), getPathInfo(), getServletPath(), getPathTranslated(), and nothing is working. Also, the elements are (correctly) not showing up in the parameters collection. How can I get that part of the URL from inside a servlet? Hi. Apart from the answers you already got, and because I am curious : You seem to say above that this is part of some Auth stuff, so I have 2 questions about that : 1) Why would you need to access that part after the # for Auth stuff ? Intuitively, the part after the # is inside of a page. So if access to the page is already granted/forbidden by the Auth stuff, the part inside of the page should not matter. I'm doing facebook graph api authentication. In the login cycle, you send the user to a facebook page, and you provide that page with a redirect_url. After the user does their login through facebook, they get redirected back to the url you supplied. In a case of freakish bizarre (for a server-side developer), the access token you get is not a parameter on the request. IOW, the redirect is to your_redirect_url.html#access_token=blah, not your_redirect_url.html?access_token=blah. The whole mess is documented here: https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/ The part about the token being in the URL but not in the query string isn't documented there, but it's documented on another page. I'm guessing the reason they did this is so that the access_token would not show up in the log files of the destination server. 2) you also mention (later) that you will be using Javascript to solve the issue. 
That means that by the time the Javascript is executed, the page is already in the browser. From a security point of view, anything that is already in the browser can be saved by the user, modified, loaded again and submitted to the server. The token is an opaque value, that's authorized by the user, so I'm not concerned about what the user sees. In short, it's their token and they can't do anything with it that they can't do while logged into facebook. When my page loads in the redirect, I look for the anchor href and if I see it, then I set a form field, and submit the form. Tomcat doesn't log form fields for POSTS, so I don't have the log security issue to worry about. So is there not a risk here in doing something with Javascript ? Security is something I'm trying to really wrap my head around. I've been given these tokens, which may be long-lived, and the question I'm trying to come to grips with is how I can prevent them from being exposed in the event of a server compromise. Also, part of the facebook app api is an app secret that is essentially a key. I also want to figure out how to keep that from being exposed if the server were compromised. It's not that I'm paranoid, it's just I know people are out to get me :) If you've got any really great solutions, I'd be interested. My current thinking is to create an encryption/decryption service as a bean, and provide access to it through JNDI. After a server re-start, I would call a page that would decrypt the private key for the encryption bean. The next part I need to understand is how to limit access to the bean. IOW, if joe user pops a JSP page into the server, he should not be able to gain access to the bean. I'm running Tomcat in a security manager, so I think I can use that as part of the solution. Again, any insights are appreciated. I'm really not an expert on the security manager, or jndi. Just being curious, and I can live without the answers. 
-- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/
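The hand-off described in the messages above (the fragment never reaches Tomcat, so script in the page reads it and submits it in a POST body), as an added example that is not code from the thread. The form id `tokenForm`, the hidden field name, the accepted token character set and the sample URL are assumptions; clearing the fragment with `history.replaceState` is an addition the thread does not mention.

```javascript
// Added example, not from the thread. "tokenForm", the "access_token" field
// and the token character set are assumptions; sample values are constructed.

// Split a redirect URL into the request target the server receives (and can
// log) and the fragment, which the browser keeps to itself.
function splitRedirect(url) {
  const u = new URL(url);
  return {
    sentToServer: u.pathname + u.search,
    fragment: u.hash.replace(/^#/, ''),
  };
}

// Pull access_token out of a location.hash value; null if absent or malformed.
function tokenFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const token = params.get('access_token');
  // Conservative shape check (assumed) before the value goes into a form field.
  return token && /^[A-Za-z0-9._~-]{1,4096}$/.test(token) ? token : null;
}

// Browser side: move the token from the address bar into a POST body.
function handOffToken(win) {
  const token = tokenFromHash(win.location.hash);
  if (!token) return false;
  // Remove the fragment from the address bar and the current history entry so
  // the token is not bookmarked or shown again on back navigation.
  win.history.replaceState(null, '', win.location.pathname + win.location.search);
  const form = win.document.getElementById('tokenForm'); // assumed <form method="post">
  form.elements['access_token'].value = token;           // assumed hidden input
  form.submit(); // POST body: not part of the URL written to the access log
  return true;
}

// Only wire up the handler when running in a page.
if (typeof window !== 'undefined') {
  window.addEventListener('DOMContentLoaded', () => handOffToken(window));
}
```

The POST endpoint still has to treat the submitted value as untrusted input, since anything in the browser can be changed by the user before it is sent.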
Accessing HREF Target from Servlet
I have a question. I'm doing some oAuth stuff, and the remote site is redirecting me to: my_url.html#something=blahother_thing=blah-blah I can see this is the url in the redirect of my browser bar. What I can't figure out is how to access the part of the URL after the pound sign. I've tried getRequestURI(), getPathInfo(), getServletPath(), getPathTranslated(), and nothing is working. Also, the elements are (correctly) not showing up in the parameters collection. How can I get that part of the URL from inside a servlet? -- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/
Re: Accessing HREF Target from Servlet
OK, I'm thinking that was a dumb question. If I'm understanding things, the browser is making the request for the page, and then looking for the HREF target in the generated page. So, the reality is that tomcat never sees the part after the # sign. Rats. On 6/27/13 6:51 PM, George S. wrote: I have a question. I'm doing some oAuth stuff, and the remote site is redirecting me to: my_url.html#something=blahother_thing=blah-blah I can see this is the url in the redirect of my browser bar. What I can't figure out is how to access the part of the URL after the pound sign. I've tried getRequestURI(), getPathInfo(), getServletPath(), getPathTranslated(), and nothing is working. Also, the elements are (correctly) not showing up in the parameters collection. How can I get that part of the URL from inside a servlet? -- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/
IIS 8/Windows Server 2012
I tried setting up the ISAPI redirector on Windows Server 2012. I was doing pretty good, but the Windows event log says that loading the module failed because the RegisterModule entry point was not defined. I did a quick search, and it looks like modules must define this entry point for initialization. I'm guessing there's more to making it work than just adding the entry points :) Anyhow, is there any support for IIS 8 on the horizon? Am I going about it the wrong way? -- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/
Re: IIS 8/Windows Server 2012
On 11/30/12 12:45 PM, Konstantin Preißer wrote: Hi George, -Original Message- From: George S. [mailto:geor...@mhsoftware.com] Sent: Friday, November 30, 2012 6:39 PM I tried setting up the ISAPI redirector on Windows Server 2012. I was doing pretty good, but the Windows event log says that loading the module failed because the RegisterModule entry point was not defined. I did a quick search, and it looks like modules must define this entry point for initialization. I'm guessing there's more to making it work than just adding the entry points :) It would have surprised me if the ISAPI redirector was working with IIS 5, 6, 7, and 7.5, but not 8. So, I tried to install it on a Windows Server 2012 Datacenter (180 days evaluation version) machine with IIS 8. I downloaded the ISAPI redirector 1.2.37 (tomcat-connectors-1.2.37-windows-x86_64-iis.zip) and installed it on the machine with the default settings and redirecting everything to Tomcat. I also installed a local Tomcat 7.0.33 with AJP. Thanks for your response. I figured out that the issue was that when I installed IIS, I did not explicitly install support for ISAPI modules. So, when I looked at the Feature Pane in IIS Manager, ISAPI Filters wasn't showing up. I installed the ISAPI module support and it works now. Then, when testing the ISAPI redirector by visiting http://localhost/ (served by IIS), it worked perfectly fine: The default Tomcat welcome page was displayed (If you're seeing this, you've successfully installed Tomcat.), and there were no errors in the event log. The ISAPI logs show: [Fri Nov 30 20:18:07.791 2012] [3404:3400] [info] init_jk::jk_isapi_plugin.c (2690): Starting Jakarta/ISAPI/isapi_redirector/1.2.37 [Fri Nov 30 20:18:07.791 2012] [3404:3400] [info] init_jk::jk_isapi_plugin.c (2887): Jakarta/ISAPI/isapi_redirector/1.2.37 initialized Are you sure you set up the ISAPI redirector correctly? 
I just googled for the RegisterModule function, but it seems that this is used for native IIS modules (for IIS 7 and above). Maybe you tried to set it up as a Native Module in IIS? However, the ISAPI redirector is an ISAPI filter + ISAPI extension. It should be set up by adding it in the ISAPI filters section of IIS, and by adding the virtual Jakarta directory that has the right to execute ISAPI extensions. Anyhow, is there any support for IIS 8 on the horizon? Am I going about it the wrong way? I can't say anything about the official ISAPI redirector from Apache, but if you're interested, I am currently developing an alternative IIS-Tomcat Connector that is based on the new IIS7 API for .Net applications (written in C#) and uses SPDY v3 to redirect requests to a backend server like Tomcat [1]. Costin Manolache is currently working on integrating SPDY v3 into Tomcat. That connector is, of course, in a very early stage of development, but I hope to be able to eventually support things like redirecting WebSocket connections (that are supported by IIS 8+) to Tomcat. :) Regards, Konstantin Preißer [1] http://markmail.org/message/q335rbpoylymr77q -- George Sexton MH Software, Inc. 303 438-9585 http://www.mhsoftware.com/