Re: Memory Leak
On Jun 28, 2016 4:57 PM, "Roman Gelfand" wrote: > > I am running a middleware application in .. tomcat... Ok. This is something you wrote and deployed or it is a third party war file? > > catalina.out.prob:SEVERE: The web application [] appears to have started a > thread named [cluster-ClusterId{value='5745ebcecdb2e06579174645', > description='null'}-devnymongodb01.meridiancapital.com:27017] but has > failed to stop it. This is very likely to create a memory leak. > Basically that says either you intentionally created a thread local variable that you did not close, or the third party war file did. If not you then ask your vendor to fix their app. > > -- > Thanks, > R. Gelfand
[OT] Authentication
Since the forum just had a question on custom authentication, I thought this would be a good time to ask. Does anyone use "micro-services" to perform authentication of web service A to web service B? This would be different than authenticating users to web service A or B as you would be authenticating a service user to another service. (Think of service user as the user running a tomcat instance.) Is anyone choosing to extract authentication into a wsdl service these days? Or is that old news. Leo
Re: Unable to update or delete Windows Service
Chris, On Mon, May 16, 2016 at 3:22 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Chuck, > > On 5/16/16 4:11 PM, Caldarale, Charles R wrote: > >> From: Christopher Schultz [mailto:ch...@christopherschultz.net] > >> Subject: Unable to update or delete Windows Service > > > >> I've got a Windows service called "foo" and I'm able to edit the > >> configuration successfully by running the following command: > > > >> C:\> %CATALINA_HOME%\bin\tomcat8w.exe //ES//foo > > > >> But if I try to update the service from the command-line, or > >> update the service, I get an error "Error parsing command line" > >> with no further information. > > > > Example of the command line that's failing? > > Hah, that would have been good information, eh? > > C:\> %CATALINA_HOME%\bin\tomcat8w.exe //DS/foo > The command is just: tomcat8 //DS//foo > > I get a pop-up window with the message "Error parsing command line". > Same thing when running "//US//foo" with no additional arguments. > > - -chris >
Re: Windows Service won't launch
Chris, On Mon, May 16, 2016 at 3:25 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > All, > > I'm upgrading a client's system from Tomcat 7 to Tomcat 8 as part of a > new release of our software. I've got Tomcat 8 installed using the > 32-bit ZIP file, and the Windows Services have been re-created from > scratch using tomcat8w.exe. They are running 64-bit Windows but a > 32-bit JVM. > I just tried the following. Windows 7 64 bit OS x86 jdk1.8.0.92 I ran service.bat for Tomcat 8.0.33 32 bit. (Tomcat 32 bit, jvm 32 bit) No problems starting the service. Windows 7 64 bit OS x86 jdk1.8.0.92 I ran service.bat for Tomcat 8.0.33 64 bit. (Tomcat 64 bit, jvm 32 bit) Incorrect Function in event viewer when trying to start the service. > > When I try to launch the service, I get an error "Incorrect function" > in the event log, and the service does not start. And I'm reading your statement above which says your environment is 32 bit for both Tomcat 8 and the jvm. Interesting. I've never installed windows services using the Tomcat8w.exe directly on the command line. I've always used the service.bat, but I take all the defaults in service.bat. And off-topic speaking of defaults, in service.bat, why aren't these values the same? --JvmMs 128 --JvmMx 256 > I can launch Tomcat > from the command-line successfully, so this is not a problem with > Tomcat per se, nor my application. It's got to be a problem with my > configuration of the Windows Service. > > I'm tempted to tell them "Install a 64-bit JVM" and use the 64-bit > service-runner, but I'd prefer to get it working before I tell them > they have to change everything ;) > > Any suggestions for what to look for? > > Thanks, > - -chris > >
Re: context root with relative path
On Apr 21, 2016 10:38 AM, "David kerber" <dcker...@verizon.net> wrote: > > On 4/21/2016 11:33 AM, Leo Donahue wrote: >> >> Chris, >> >> On Apr 21, 2016 9:15 AM, "Christopher Schultz" < ch...@christopherschultz.net> >> wrote: >>> >>> >>> I don't have a Windows machine handy right this minute, but from my >>> previous experience, "C:" means "the current working directory on the C >>> drive, from this process's perspective. >>> >>> For instance: >>> >>> D:\> DIR C:\ >>> ... >>> Program Files >>> Windows >>> ... >>> >>> D:\> DIR C: >>> ... >>> Program Files >>> Windows >>> ... >>> >>> D:\> CD C:\Windows >>> D:\> DIR C: >>> ... >>> System >>> System32 >>> ... >>> >>> So I would think that using "C:" (with no trailing path) from Java would >>> behave the same way: the current working directory *on that drive* would >>> be the one used. >>> >>> I would expect it to work just like "." on *NIX. >>> >>> -chris >>> >>> -- >> >> >> On Windows 7 from a command prompt: >> >>> C:\downloads dir c: >> >> Shows contents of downloads >> >>> C:\downloads dir c:\ >> >> Shows contents of c drive > > > Yes, that's all well-known on windows. The question was, how does the Java File object handle it? Does it give the correct result as above? And going back to the original question, how should these paths be normalized? Let's hope this looks right, pasting code from Android device...

import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

public class Demo {
    public static void main(String[] args) {
        // "file:/c:" has no trailing path; "file:/c:/" names the drive root
        List<String> paths = new ArrayList<>(2);
        paths.add("file:/c:");
        paths.add("file:/c:/");
        for (String x : paths) {
            try {
                URI uri = new URI(x);
                File f = new File(uri);
                // print what java.io.File resolves each form to
                System.out.println(f.getAbsolutePath());
            } catch (URISyntaxException e) {
                e.printStackTrace();
            }
        }
    }
}
Re: context root with relative path
Chris, On Apr 21, 2016 9:15 AM, "Christopher Schultz" wrote: > > I don't have a Windows machine handy right this minute, but from my > previous experience, "C:" means "the current working directory on the C > drive, from this process's perspective. > > For instance: > > D:\> DIR C:\ > ... > Program Files > Windows > ... > > D:\> DIR C: > ... > Program Files > Windows > ... > > D:\> CD C:\Windows > D:\> DIR C: > ... > System > System32 > ... > > So I would think that using "C:" (with no trailing path) from Java would > behave the same way: the current working directory *on that drive* would > be the one used. > > I would expect it to work just like "." on *NIX. > > -chris > > -- On Windows 7 from a command prompt: >C:\downloads dir c: Shows contents of downloads >C:\downloads dir c:\ Shows contents of c drive Leo
Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
On Feb 16, 2016 10:50 AM, "Dougherty, Gregory T., M.S." < dougherty.greg...@mayo.edu> wrote: > > On 2/16/16, 9:13 AM, "Christopher Schultz"> wrote: > > > >Gregory, > > > >On 2/15/16 11:18 AM, Dougherty, Gregory T., M.S. wrote: > >> How to trade information with a specified URL calling java code in > >> tomcat/lib: > >> > >> 1: Servlet calls Decryptor.start (String whoIAm, int validator, int xOr) > > > >What prevents the servlet from specifying whoIAm="someoneElse"? > > Absolutely nothing. That’s why the decrypt code does an HTTP get against > whoIAm, to validate that claim > > >> 2: Code calls Servlet http get with id=randomly generated int > > > >Which code calls Servlet HTTP? > > HttpURLConnection, called from within the decrypt code > > > > > >> 3: Servlet returns validator in response to the http get call. 0 is > >>not a > >> valid validator, it’s what the Servlet returns if it doesn’t have an > >> outstanding call to Decryptor.start > > > >But the whole point is that you don't trust the servlet, right? What is > >the servlet always returns the same value? Any servlet could impersonate > >any other one. > > I trust each servlet to act in its own best interest. > > An honest servlet will 1: Pass in real random numbers for validator and > xOr, 2: React correctly to this http get call. > An incompetently written or dishonest servlet can only give away its own > passwords by doing the wrong thing. Give them away? Are you logging the passwords used? That’s their problem, not mine. > > >> 4: Having received the random number from the http get call, Servlet > >>xors > >> it with xOr, and calls Decryptor.decrypt (String whoIAm, String > >>password, > >> int xOred) > > > >So, the servlet makes the HTTP request and manages the checking? I > >really don't get it. > > Servlet (calls Decrypt.start): Sends whoIAm, validator, xOr > Code (calls http get on whoIAm): Sends cValid > Servlet (response to HTTP get): Sends validator (same as was sent in call > to Decrypt.start). 
This validates whoIAm > Servlet (calls Decrypt.decode): Sends whoIAm, password (encrypted), xOred > (= xOr ^ cValid) > Code (return value from Decrypt.decode): password (decrypted) > > > > >> 5: Code checks xOred against whoIAm. If gets a match decrypts the > >> password and returns it from Decryptor.decrypt. > > > >After all that, it's okay for the servlet to be able to read its own > >database password? Why not just give the servlet access to a DataSource > >with the password already set inside it? > > Because it’s the Servlet’s password? How many times do I have to save > that before you’ll believe it? > > The data belongs to the servlet. The servlet is working with the > decryption code so that the data can be safely stored with the servlet. > > Every servlet trusts itself. None of them should be required to trust any > other servlet running on that instance of Tomcat. None of them should be > required to trust that data saved in the source control system won’t be > abused, if it can be abused. > > >>But so long as I can make the following two calls from my code: > >> > >> URL theURL = new URL (urlString); > >> HttpURLConnection uc = (HttpURLConnection) theURL.openConnection (); > >> > >> I think I’m good. > >> > >> Flaws? > > > >Let's see: > > > > Constructed dubious use case? CHECK > Wrong. This use case is my current work situation. > > > Rolled your own security code? CHECK > > Used highly-secure XOR algorithm? CHECK > > Complicated enough to seem plausible? CHECK > > Confused objective leads to trivial attacks? CHECK > > > >I think you've got all the bases covered, here. > > > >I still don't understand what's being protected from whom, here. It > >looks like the code is very complicated in order to keep the password > >from the code, but then the code is given the password anyway. If you > >trust the code but not the admin, then why bother with the complex code? 
> > The problem, Chris, is that you don’t understand the situation, and rather > than try to understand the situation you’re spending all your time and > effort sniping at things you don’t understand. Let’s try one more time: > > If you led with the information below in your original post, it would have helped. > My servlet is running on a Tomcat instance that is hosting 5 other Servlets > > I completely and totally trust my servlet with my data. I do not in the > least bit trust any other servlet running on that Tomcat instance > > I am willing to trust a Jar file that I’ve written / reviewed, and the > administrators have added to tomcat/lib > > I have data that my servlet needs to use. I am not going to try to go to > a page on my servlet and personally type in that data every time it runs. > Therefore I’m going to have to save that data. I’m not going to save that > data somewhere on the server hosting the Tomcat instance, because I just > don’t trust the administrators that much. > > This means I have to save the data
Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
On Feb 12, 2016 2:35 PM, "Dougherty, Gregory T., M.S." < dougherty.greg...@mayo.edu> wrote: > > You are correct, I’m trying to authorize the web app, not the user. I am going to start all the way back here and suggest that you abandon this approach of authenticating a web "app". This is unconventional by all standards and you will end up with a security hole(s). Users authenticate to web apps, nothing further. The web app itself can also authenticate to the database separate from any user BUT... the web app still has a "user name". Your problem is that someone is giving you impossible to meet security requirements, which results in you wanting to mess with application URLs and the other stuff you mentioned. Secret: even large organizations have some form of clear text passwords, but who has access to these is strictly controlled. > > Goal: I am trying to come up with a way for a Tomcat app to securely store > and retrieve the password it needs to access a DB. > We have given you some options to deal with this. It seems as though the sys admins either can't or don't want to help you establish more of an Enterprise architecture, which would solve a lot of your issues. > My definition of “secure” includes “there exist no files with an > unencrypted copy of the password”. IIUC, JNDI fails this test. > > My requirements include that all web app components are checked in to a > source control system that malicious users can have read access to. Are you in control of the source control system? You know, you can assign roles to users for certain repositories and restrict access to your code repo. If you have developers working at Mayo who are malicious, get rid of them. 
> Solution: > 1: Trusted user creates public:private key pair (1), distributes public key > 2: Web app developer creates public:private key pair (2), distributes > public key > 3: Web app developer encrypted password with private key 2, then public > key 1, stores with web app > 4: Web app calls decryption jar that’s in tomcat/lib, passing in the > encrypted password from step 3 > 5: Decryption code determines which app called it, pulls the public key > (3) saved for that app > 6: Decryption code decrypts with private key 1, public key 3, and returns > the unencrypted password. > > So long as 1: Trusted user can store private key where it’s secure, but > accessible to decryption code, and 2: Can correctly determine the calling > app, I believe this setup is secure. > > We log who uploads the web apps, so if user X uploads a bogus “User Y > App”, we can deal with that. > -- Developers should never get to deploy anything to production servers. In fact, you should have different passwords for different deployment realms. From my perspective, you (or someone else is telling you to do this) are trying to bypass as much security for the appearance of security simply because of the Tomcat environment you have to work with. I think we all want you to succeed here, but the approach you're leaning towards isn't going to work. > Gregory Dougherty > Sr. Analyst/Programmer | Information Technology > Information Technology > (507) 284-8493 | dougherty.greg...@mayo.edu > > > > > > > > On 2/12/16, 2:00 PM, "Leo Donahue" <donahu...@gmail.com> wrote: > > >On Feb 11, 2016 4:56 PM, "Dougherty, Gregory T., M.S." < > >dougherty.greg...@mayo.edu> wrote: > >> > >> I would like to have a jar file in tomcat/lib that can be called from > >>any > >of the running web apps. I need for the code in the jar to behave > >differently depending on which web app called it. > > > >I would agree with what the others are saying here. 
It seems you are > >trying to authorize an entire web app instead of authoring the user of the > >web app. > > > >If the jar simply needs to take action based on a role of some kind, then > >could you not tie in a ldap user with appropriate role? > > > >Leo
Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
On Feb 11, 2016 4:56 PM, "Dougherty, Gregory T., M.S." < dougherty.greg...@mayo.edu> wrote: > > I would like to have a jar file in tomcat/lib that can be called from any of the running web apps. I need for the code in the jar to behave differently depending on which web app called it. I would agree with what the others are saying here. It seems you are trying to authorize an entire web app instead of authoring the user of the web app. If the jar simply needs to take action based on a role of some kind, then could you not tie in a ldap user with appropriate role? Leo
Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
On Feb 12, 2016 2:50 PM, "Dougherty, Gregory T., M.S." < dougherty.greg...@mayo.edu> wrote: > > How does it validate itself to that common location, without a password > A. Stop top posting. You're killing me on my Android phone backspacing to where I want to reply. B. What is "it"? The web app? The web app user? Leo
Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." < dougherty.greg...@mayo.edu> wrote: > > The web app needs a DB password so it can connect to the DB. I disagree that the web app needs a password. > None of the > users have direct access to the DB. Nor should they. > The web app uses LDAp to validate > users. That is fine. > > How does the Web app get access to the DB, without saving within the web > app anything that someone else could also use to get access to that DB? > Implement your own data source.
Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
On Feb 12, 2016 2:35 PM, "Dougherty, Gregory T., M.S." < dougherty.greg...@mayo.edu> wrote: > > You are correct, I’m trying to authorize the web app, not the user. > > Goal: I am trying to come up with a way for a Tomcat app to securely store > and retrieve the password it needs to access a DB. > > My definition of “secure” includes “there exist no files with an > unencrypted copy of the password”. IIUC, JNDI fails this test. > > My requirements include that all web app components are checked in to a > source control system that malicious users can have read access to. > -- > Gregory Dougherty This is a secure password question? This task falls more in line with your enterprise architecture than with a simple common jar file. Think about how you could implement your own data source that reads encrypted passwords from some common location. The Tomcat "app" should not have anything to do with this. Leo
Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
On Feb 12, 2016 3:19 PM, "Dougherty, Gregory T., M.S." < dougherty.greg...@mayo.edu> wrote: > > On 2/12/16, 3:08 PM, "Leo Donahue" <donahu...@gmail.com> wrote: > > > >On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." < > >dougherty.greg...@mayo.edu> wrote: > >> > >> The web app needs a DB password so it can connect to the DB. > > > >I disagree that the web app needs a password. > The web app has to be able to read and write to the DB. That takes a > password. No, javax.sql.DataSource needs a password. Your web app just needs a user name. Your custom data source will fetch a password. > > > >> How does the Web app get access to the DB, without saving within the web > >> app anything that someone else could also use to get access to that DB? > >> > > > >Implement your own data source. > > How does the web app connect to the data source? How does the data source > know that this web app, unlike every other web app in existence, is > allowed to access the data source? > > For that matter, how do I set up the data source (whose every element is > checked into the source code control system that a malicious user may have > access to) so that it knows the passwords of interest? > > That leaves aside the issue that the web app is a production web app, > which means it can’t rely on a non-production data source, which means I > can’t set up my own data source. But even if I could, all the other > problems still apply. > -- A. You don't get to manage your passwords. B. The suggestion I'm giving you requires coordination with sys admins and DBA's. It is more than just a simple app trying to find a way to hide passwords, none of which will "ever" be in source control. Leo
Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
On Fri, Feb 12, 2016 at 5:46 PM, Dougherty, Gregory T., M.S. < dougherty.greg...@mayo.edu> wrote: > Chris, > > > On 2/12/16, 5:27 PM, "Christopher Schultz" <ch...@christopherschultz.net> > wrote: > > >Gregory, > > > >On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote: > >> On 2/12/16, 3:08 PM, "Leo Donahue" <donahu...@gmail.com> wrote: > >> > >> > >>> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." < > >>> dougherty.greg...@mayo.edu> wrote: > >> My definition of “secure” includes “there exist no files with an > >> unencrypted copy of the password”. > > > >Do you mean "no files at all" or "no files in revision-control"? > >Again, you have to decide whether you trust your administrators. > > No files at all. > Not even encrypted files? > > Even if I did trust my administrators, they don’t want the task of having > to update the passwords every six months. > Greaaat. > > >> How does the data source know that this web app, unlike every > >> other web app in existence, is allowed to access the data source? > > > >The container allows you to map data sources to web applications. Use > >that facility. And trust your administrators. > > This sounds like something I can use to uniquely identify which app is > running, no? > Can my code ask Tomcat for the DataSource the container assigns to the web > app, that instead of returning a password, simply returns the name of the > app? > What I was saying about the data source is that where you configure it in Tomcat doesn't need a password in plain text, if your custom data source is going to simply use the username from the Tomcat data source config file to go look up the real encrypted password. You have to implement this yourself. Precisely how is totally up to you. You are going to need a process that writes encrypted user passwords to an ENCRYPTED file, on a schedule, preferably every day. If you can't have encrypted files, then you are stuck, don't read on. 
You need to write something that generates long passwords, because you don't need to remember them, and writes them to the encrypted file. All you need to do is regenerate them whenever you want. If you are saying that you need to choose your own password because it is used elsewhere, then you are stuck again. This same process is going to let you read and un-encrypt (spell check not helping me here) said password. How you write this is up to you. In your custom data source, where you override the getConnection(username,password), you will obviously need to call the function that fetches the real password for said supplied user. How you do that is up to you, like I said, this is a bigger project than a quick hack. ... ... https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html#JDBC_Data_Sources https://docs.oracle.com/javase/8/docs/api/javax/sql/DataSource.html#getConnection-java.lang.String-java.lang.String- > > >> For that matter, how do I set up the data source (whose every > >> element is checked into the source code control system that a > >> malicious user may have access to) so that it knows the passwords > >> of interest? > > > >Why would you check the data source configuration into the > >revision-control system? It's not necessary to do that. Do you check > >Tomcat's server.xml into revision control? > > Are you going to have your data source configuration sitting on only one > user’s personal computer? What happens when that person is on vacation? > Sick? Has a hard drive crash? > I don't understand why that would be the case that you store this data source configuration on anyone's personal computer. Are you saying that Mayo Clinic IT lets developers run production apps from Tomcats on their personal computers? > > >If you free yourself from the idea that everything needs to be in one > >big revision-control system, it makes things easier. Everybody does > >their job: the devs write the software, the admins deploy it. 
The > >admins have the keys to the kingdom (they always do; don't fight it) > >and the devs have keys to nothing. > > I don’t get a vote on that one. > > >Of course, the devs are writing the software, so if you are truly > >paranoid, you need to make sure that the devs aren't stealing secrets > >from the admins when the app runs ;) > > I am truly paranoid, that’s why I want an unambiguous way to figure out > what app is running. That way the only data they can “steal” is their own > data. > > > > >- -chris > -Greg > >
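Added example, not code from this thread or from Tomcat: one way the custom data source described in the message above could look, with the resource carrying only a JDBC URL and a user name and the password resolved inside getConnection. PasswordSource, LookupDataSource, the account names and the JDBC URL are hypothetical.

```java
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.Arrays;
import java.util.Properties;
import java.util.logging.Logger;
import javax.sql.DataSource;

/** Hypothetical hook: returns the current password for a service account. */
interface PasswordSource {
    char[] fetch(String username) throws SQLException;
}

/**
 * DataSource configured with a JDBC URL and a user name only. The password
 * is resolved on every connect, so rotating it in the backing store needs
 * no change to the web app or to the resource definition.
 */
public class LookupDataSource implements DataSource {
    private final String url;
    private final String username;
    private final PasswordSource passwords;
    private volatile PrintWriter logWriter;
    private volatile int loginTimeout;

    public LookupDataSource(String url, String username, PasswordSource passwords) {
        this.url = url;
        this.username = username;
        this.passwords = passwords;
    }

    @Override
    public Connection getConnection() throws SQLException {
        return getConnection(username, null);
    }

    /** The password argument is ignored; the real one comes from the store. */
    @Override
    public Connection getConnection(String user, String ignored) throws SQLException {
        // Serve only the account this resource was configured for, so a
        // caller cannot obtain a connection as some other service account.
        if (!username.equals(user)) {
            throw new SQLException("data source is not configured for user " + user);
        }
        char[] secret = passwords.fetch(user);
        if (secret == null || secret.length == 0) {
            throw new SQLException("no password available for user " + user);
        }
        try {
            Properties props = new Properties();
            props.setProperty("user", user);
            // JDBC takes the password as a String; this copy cannot be wiped.
            props.setProperty("password", new String(secret));
            return DriverManager.getConnection(url, props);
        } finally {
            Arrays.fill(secret, '\0'); // clear the array we do control
        }
    }

    @Override public PrintWriter getLogWriter() { return logWriter; }
    @Override public void setLogWriter(PrintWriter out) { logWriter = out; }
    @Override public int getLoginTimeout() { return loginTimeout; }
    @Override public void setLoginTimeout(int seconds) { loginTimeout = seconds; }

    @Override
    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        throw new SQLFeatureNotSupportedException("java.util.logging is not used");
    }

    @Override
    public <T> T unwrap(Class<T> iface) throws SQLException {
        if (iface.isInstance(this)) {
            return iface.cast(this);
        }
        throw new SQLException("not a wrapper for " + iface.getName());
    }

    @Override
    public boolean isWrapperFor(Class<?> iface) {
        return iface.isInstance(this);
    }

    public static void main(String[] args) {
        // Constructed sample: an in-memory store standing in for the
        // encrypted file the message above talks about.
        PasswordSource store = user -> "constructed-sample-secret".toCharArray();
        DataSource ds = new LookupDataSource(
                "jdbc:postgresql://db.example.invalid/app", "app_a", store);
        try {
            ds.getConnection("app_b", "anything"); // wrong account, no driver needed
        } catch (SQLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The sketch leaves open how PasswordSource protects its own store; whoever can run code as the Tomcat user can still call it, which is the limit the thread keeps returning to.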
Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
On Fri, Feb 12, 2016 at 5:33 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Gregory, > > > > The web app needs a DB password so it can connect to the > > DB. > > I disagree that the web app needs a password. > >>> The web app has to be able to read and write to the DB. That > >>> takes a password. > >> > >> No, javax.sql.DataSource needs a password. Your web app just > >> needs a user name. > >> > >> Your custom data source will fetch a password. > > How? > > > > What, precisely, is the exact mechanism by which this custom > > DataSource will fetch the password? > > (I think Leo's baiting you, here: he's trying to get you to admit that > this is a shell game where an encrypted password requires an encrypted > password requires an encrypted password, etc. all the way down. > This thread is on fire! I am finding it hard to know where to reply. I am not baiting anyone, I will explain in a different reply. > > > And how is it that someone else, who has full access to all my > > source code, including to the source code of my custom DataSource, > > won’t be able to retrieve the exact same password? > > > > Requirement for “secure”: There are no files sitting anywhere on > > the server that have a plain text copy of my password. > > Is this because you don't trust your admins? > > > Requirement for secure: The sys admin does not get to know my > > password. He’s “trusted” in that we assume he won’t abuse his > > private key in order to steal my password. He’s not “trusted” to > > know everyone’s passwords. > > Forget about "other people's passwords" for a moment: you don't trust > your admins to peek at the super-secret database password (which is > usually something like "pr0duct!on" LOL)? > > If the admins wants the password, he (or she) is going to get it. Your > library needs the cleartext password at some point and at that point, > the admin effectively has it, too. 
> > (I had a conversation with Sander Temme at ApacheCon over a few beers > while he tried to explain how one of Thales's hardware key escrow > systems were capable of doing this kind of thing. I had a hard time > understanding how it was possible. It could have been the beer.) > > > Requirement from system: password must be updated every six months. > > So I have to be able to change the password, and inform my web app > > of the changed password. > > Aah, yes. Password-rotation. That definitely keeps things secure. :( > > >> A. You don't get to manage your passwords. > >> > >> B. The suggestion I'm giving you requires coordination with sys > >> admins and DBA's. It is more than just a simple app trying find > >> a way to hide passwords, none of which will "ever" be in source > >> control. > >> > >> Leo > > > > A: I’m the only one who knows my password, I have to manage it. I > > have to be able to use that password in contexts totally divorced > > from the web server. > > This is your LDAP password? Are we still talking about > application-level passwords for your database? Or user-level passwords > for ... what, exactly? > > > B: A solution that requires the sys admin to know, and update every > > six months, my passwords is not a viable solution. > > If the admin won't update the password, who will? > > - -chris
Re: heap thrashing
On Sat, Sep 12, 2015 at 7:49 AM, André Warnier (tomcat) <a...@ice-sa.com> wrote: > On 11.09.2015 18:24, Caldarale, Charles R wrote: > >> From: Leo Donahue [mailto:donahu...@gmail.com] >>> Subject: Re: heap thrashing >>> >> >> I see this topic come up from time to time on the list. Can someone point >>> me to what heap thrashing looks like? >>> >> >> Is heap thrashing a very "closely spaced" saw tooth pattern? >>> >> >> Should have mentioned that "heap thrashing" does not have a strict >> definition. Often, it's used to describe the heap itself expanding and >> contracting in a cyclic manner. This is most easily avoided by setting the >> min and max heap size limits to the same value. >> >> What you have appears to be just very rapid object creation and garbage >> collection. Using a larger heap (if you have the RAM for it) could help to >> reduce the frequency of collections. Fixing the webapp to not consume so >> much space would be better, of course. >> >> - Chuck >> > > In terms of looking at the webapp code which may generate that kind of > behaviour, while searching for an example on the www, I came across this > blog post : > > http://steve-yegge.blogspot.de/2006/03/execution-in-kingdom-of-nouns.html > > Independently of what one may think about the author's opinions and > treatment of the matter, I find the prose beautiful and witty. > The pseudo-java code example is of course tongue-in-cheek and contrived, > but I have seen similar code in the real world, and it would probably > produce the kind of phenomenon which Leo is seeing. > André, Nice article, hard to believe that was nearly 10 years ago. I also see the overuse of nouns as verbs and factory patterns that are only producing a single object and will never add additional ones. I see people using "private static" in place of a singleton pattern. I see people still catching Throwable and deferring exceptions as RuntimeExceptions instead of declaring them. I digress. Leo
Re: heap thrashing
On Fri, Sep 11, 2015 at 11:27 AM, Mark Thomas <ma...@apache.org> wrote: > On 11/09/2015 15:43, Leo Donahue wrote: > > On Fri, Sep 11, 2015 at 9:36 AM, Leo Donahue <donahu...@gmail.com> > wrote: > > (typically by pooling and re-using objects rather than > creating new ones for every request) "re-using objects" - do you mean declaring static variables or using thread locals? Or something else? Leo
Re: heap thrashing
On Fri, Sep 11, 2015 at 11:24 AM, Caldarale, Charles R < chuck.caldar...@unisys.com> wrote: > > From: Leo Donahue [mailto:donahu...@gmail.com] > > Subject: Re: heap thrashing > > What you have appears to be just very rapid object creation and garbage > collection. > > - Chuck > > Why does the jvm decide to collect garbage that fast as opposed to letting it build and taking care of it later? What do you consider to be very rapid object creation? Leo
heap thrashing
Good day, I see this topic come up from time to time on the list. Can someone point me to what heap thrashing looks like? Googled java heap thrashing and looked at the images, but there isn't much to look at. I also tried googling for ventricular tachycardia to see if I could find a similar graph - it's close to what I'm seeing in VisualVM, but not quite. Is heap thrashing a very "closely spaced" saw tooth pattern? Leo
Re: heap thrashing
On Fri, Sep 11, 2015 at 9:36 AM, Leo Donahue <donahu...@gmail.com> wrote:

> Good day,
>
> I see this topic come up from time to time on the list. Can someone point
> me to what heap thrashing looks like?
>
> Googled java heap thrashing and looked at the images, but there isn't much
> to look at.
>
> I also tried googling for ventricular tachycardia to see if I could find a
> similar graph - it's close to what I'm seeing in VisualVM, but not quite.
>
> Is heap thrashing a very "closely spaced" saw tooth pattern?
>
> Leo

This is about as close as I can find that is similar to what I'm seeing. On the left side of the graph, imagine the spacing so close together that it looks like a solid blue read out in the monitor.

When I stop the webapp, the jvm adjusts itself back to normal. It's only during servicing requests that I see the very closely spaced pattern.

http://i.stack.imgur.com/B9oPL.png
[OT] Re: Filter behaviour
On Sat, Jun 27, 2015 at 8:37 AM, Konstantin Kolinko knst.koli...@gmail.com wrote:

> > public void doFilter(ServletRequest request, ServletResponse response,
> >         FilterChain chain) throws IOException, ServletException {
> >     boolean iAmNotAuthorized = true;
> >     if (iAmNotAuthorized) {
> >         // generate the HTTP Servlet Response for a 403 status code
> >         HttpServletResponse httpResponse = (HttpServletResponse) response;
> >         //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
> >         httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
> >         httpResponse.setHeader("WWW-Authenticate", "Basic");
>
> WWW-Authenticate header is usually used with 401 response. It is unusual to use it with 403 one, though the spec does not forbid it. (I am not sure how browsers react here, though)
>
> http://tools.ietf.org/html/rfc7235#section-4.1
>
> Best regards,
> Konstantin Kolinko

http://tools.ietf.org/html/rfc7231#section-6.5.3

And we may send a 404 to hide the existence of a forbidden target. It's misleading. That seems to open the door for any kind of response, or no response.

I am on the fence about sending 401 or 403 responses from a web service. They both indicate something is there, you just can't get to it. The 401 alludes that something is wrong with your username/password. The 403 is more vague. You may have the right username and password (and I'm not going to bother to tell you), but your account may not have the correct role associated with using this service, so rather than say any more, I'll just let you know you are forbidden. Users have no idea, other than there is something good at the end of this request for me to be forbidden.

From the perspective of troubleshooting customer requests to your published web service, developers can log the unsuccessful attempt (Authentication or Authorization) and review the log files for answers to troubleshooting, but sending back a status code doesn't seem to always make sense depending on what types of application clients your customers are using.

For example: Suppose you call a SOAP web service that takes an object as a parameter and that service returns another type of object. When customers expect an object, they may get an HTTP status code of 401 or 403 if they botched sending the correct username/password in the authentication header. And maybe, their password is merely expired.

In situations like those, it seems more reasonable to send back a Soap Fault of some kind as defined in the schema. The message could be as simple as: Authorization failed. It seems easier for clients to know that a soap web service may throw a ClientAuthorizationException for example, rather than parse out an HTTP status code response?

I don't know though.

Leo
Re: Filter behaviour
On Fri, Jun 26, 2015 at 1:42 AM, André Warnier a...@ice-sa.com wrote:

> I must admit that your question above was a bit difficult to follow, in terms of if/then/else/unless, particularly late at night.

Yes, you are right. Sorry about that. I was trying to walk the line between saying too much and not enough and so it came out all gibberish.

> And the last paragraph made me think that perhaps the Tomcat logo might lead you to personalise things a bit more than is really healthy. (Or else I want to have a look at that code, because the Tomcat developers must be even smarter than I thought).
>
> But if your question in the end boils down to : *must* a filter necessarily call the next filter/webapp in the chain, then the answer is in the Servlet Specification.
> E.g. Servlet Spec v 3.0 final, Chapt 6 Filtering, Section 6.2 Main concepts, item 4 : The filter *may* invoke the next entity in the filter chain..
> It even adds : Alternatively, the filter chain can block the request by not making the call to invoke the next entity, leaving the filter responsible for filling out the response object.
>
> (What you need to do then still, is to ensure that you do indeed generate a valid response, whether it's an error or not. That's maybe the point where different containers may react slightly differently.).

If I use a return statement to break out of a filter, what should happen? Will the next filter run?

Shouldn't a return statement in a filter, especially one that comes right after a sendError call, send the error and direct the user to the page configured for such errors?

The scenario I'm working on is a web service. The web service has three filters, in order they are: throttle filter, authentication filter, logging filter. If a user is not authenticated, the following code should break out of the filter chain and redirect the user to a custom 403. It works nice on Tomcat.

    HttpServletResponse httpResponse = (HttpServletResponse) response;
    httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;

What I'm seeing on other containers is that I get a NPE where the Service class is trying to do something with the authenticated user, which is null.

I realize this is not an other containers forum, but I was just curious what the expected behaviour *should* be.

Leo
Re: Filter behaviour
On Fri, Jun 26, 2015 at 11:09 AM, Christopher Schultz ch...@christopherschultz.net wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Leo,
>
> > If I use a return statement to break out of a filter, what should happen? Will the next filter run?
>
> No. The Filter is responsible for calling the next filter in the chain. If you don't, the target servlet will never be called.
>
> > Shouldn't a return statement in a filter, especially one that comes right after a sendError call, send the error and direct the user to the page configured for such errors?
>
> Yes.
>
> > The scenario I'm working on is a web service. The web service has three filters, in order they are: throttle filter, authentication filter, logging filter. If a user is not authenticated, the following code should break out of the filter chain and redirect the user to a custom 403. It works nice on Tomcat.
> >
> >     HttpServletResponse httpResponse = (HttpServletResponse) response;
> >     httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
> >     return;
> >
> > What I'm seeing on other containers is that I get a NPE where the Service class is trying to do something with the authenticated user, which is null.
> >
> > I realize this is not an other containers forum, but I was just curious what the expected behaviour *should* be.
>
> If you have other stuff going on -- like custom error pages -- you might find that more of your own code is running than you expect. See Konstantin's response. It's terse, but I think he's likely getting to the root of your problem.
>
> - -chris

Gentlemen,

Thank you for the assistance. I still don't know what was causing my issue on said other container with respect to sendError and custom error-page elements, but...

This works fine and was really what I was after, a simple custom 403 message, no html:

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        boolean iAmNotAuthorized = true;
        if (iAmNotAuthorized) {
            // generate the HTTP Servlet Response for a 403 status code
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            httpResponse.setHeader("WWW-Authenticate", "Basic");
            httpResponse.getOutputStream().print("blah, blah, blah");
            // return from the doFilter method
            return;
        }
        chain.doFilter(request, response);
    }

leo
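Added example (not part of the thread and not Tomcat's own code): a filter that separates the two cases discussed in this thread, answering 401 with a WWW-Authenticate challenge when credentials are missing or wrong and 403 without a challenge when the caller is known but lacks the role, and in both cases returning without calling chain.doFilter so the service never runs with a null user. The class name, accounts, role name and realm are constructed for illustration; it assumes the javax.servlet API and Java 8 for java.util.Base64.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: 401 plus challenge for bad credentials, 403 for a known caller without the role. */
public class AuthStatusFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(AuthStatusFilter.class.getName());
    private static final String REQUIRED_ROLE = "service-user";

    // Constructed demo accounts; a real service would query its own credential store.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, Set<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("svc-orders", "constructed-secret-1");
        ROLES.put("svc-orders", Collections.singleton(REQUIRED_ROLE));
        PASSWORDS.put("svc-guest", "constructed-secret-2");
        ROLES.put("svc-guest", Collections.<String>emptySet());
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String user = authenticatedUser(httpRequest.getHeader("Authorization"));
        if (user == null) {
            // Authentication failed: 401 carries the challenge (RFC 7235 section 4.1).
            httpResponse.setHeader("WWW-Authenticate", "Basic realm=\"demo-service\"");
            reject(httpRequest, httpResponse, HttpServletResponse.SC_UNAUTHORIZED, "Authentication required.");
            return; // the chain is not invoked, so nothing downstream sees a null user
        }
        if (!ROLES.get(user).contains(REQUIRED_ROLE)) {
            // Authorization failed: credentials were fine, so no challenge is sent.
            reject(httpRequest, httpResponse, HttpServletResponse.SC_FORBIDDEN, "Access denied.");
            return;
        }
        chain.doFilter(request, response);
    }

    /** Writes a plain-text body; setStatus (unlike sendError) does not hand off to error-page mappings. */
    private static void reject(HttpServletRequest request, HttpServletResponse response,
            int status, String message) throws IOException {
        // The detail stays in the server log; only the remote address is logged, never client-supplied text.
        LOG.warning("Rejected request from " + request.getRemoteAddr() + " with status " + status);
        response.setStatus(status);
        response.setContentType("text/plain");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().print(message);
    }

    /** Returns the user name when the Basic credentials match a demo account, otherwise null. */
    static String authenticatedUser(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
        } catch (IllegalArgumentException malformed) {
            return null; // not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String user = pair.substring(0, colon);
        byte[] supplied = pair.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        String expected = PASSWORDS.get(user);
        byte[] expectedBytes = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual avoids an early-exit comparison of the secret.
        boolean match = MessageDigest.isEqual(expectedBytes, supplied) && expected != null;
        return match ? user : null;
    }

    @Override
    public void destroy() { }
}
```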
Filter behaviour
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException

Assuming you have only a single Filter configured in web.xml

Assuming you have logic in a doFilter that checks the value of a boolean. If the boolean is true, then assume you send a http status code back and use a return in the if condition.

example:

    if (someConditionIsTrue) {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        httpResponse.sendError(HttpServletResponse.WHATEVER_YOU_CHOOSE);
        return;
    }
    chain.doFilter(request, response);

My question is: If the chain is placed inside an else, which would not run if the condition is true, does that violate the Filter in any way? In other words, if one does not call chain.doFilter within a doFilter method, should one expect something bad?

What I'm really saying without saying it is, whether I call chain.doFilter in or out of an else, on Tomcat I get the sendError status that I expect, but not from other containers. I realize that statement is moot on this list, but I thought I would share it.

Are there any conditions in which Tomcat will decide what to do on its own, related to sendError, when it can't figure it out from code?

Leo

Using CATALINA_BASE: C:\apache-tomcat\apache-tomcat-7.0.62
Using CATALINA_HOME: C:\apache-tomcat\apache-tomcat-7.0.62
Using CATALINA_TMPDIR: C:\apache-tomcat\apache-tomcat-7.0.62\temp
Using JRE_HOME: C:\Program Files (x86)\Java\jdk1.7.0_67
Using CLASSPATH: C:\apache-tomcat\apache-tomcat-7.0.62\bin\bootstrap.jar;C:\apache-tomcat\apache-tomcat-7.0.62\bin\tomcat-juli.jar
Server version: Apache Tomcat/7.0.62
Server built: May 7 2015 17:14:55 UTC
Server number: 7.0.62.0
OS Name: Windows 7
OS Version: 6.1
Architecture: x86
JVM Version: 1.7.0_67-b01
JVM Vendor: Oracle Corporation
Re: Removing ThreadLocal variables
On Mon, Apr 13, 2015 at 5:25 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Leo,
>
> The good news is that you are thinking about this in the correct way: that requests are handled by (usually) one thread and you have to clean the ThreadLocal in the correct thread, otherwise Bad Things can happen.
>
> Unfortunately, the one-thread-per-request scheme only works for certain types of requests. If you are using WebSocket, Comet, etc. then that can fall apart on you.
>
> Back to your use-case. A ServletRequestListener itself isn't absolutely required, but it probably makes the most sense architecturally: the infrastructure is already there for you, and the behavior is orthogonal to the actual work you are trying to accomplish.
>
> It's not clear to me exactly what you are proposing above, but if it matches the semantics of the ServletRequestListener, then it sounds okay to me.
>
> - -chris

The scenario I was proposing is more work than just implementing the ServletRequestListener.

One thread local variable was being created in each filter. In my previous scenario, I was going to remove thread locals in the web service methods, but then realized I could remove them in the finally block of the filters on the request's way back out the chain(s).

I think I prefer the Listener approach better.
Re: Removing ThreadLocal variables
On Mon, Apr 13, 2015 at 6:57 PM, Konstantin Kolinko knst.koli...@gmail.com wrote:

> 2015-04-14 2:28 GMT+03:00 Leo Donahue donahu...@gmail.com:
> > I think I prefer the Listener approach better.
>
> Filters are better.
>
> With Filter there is a guarantee that finally block is executed in the same thread. With RequestListener there is no guarantee that requestDestroyed() happens in the same thread. That method exists to perform cleanup of request attributes, not one of thread locals.
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57314
>
> Best regards,
> Konstantin Kolinko

Konstantin,

Thank you for sharing that link.
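Added example (not part of the thread and not Tomcat code): a JDK-only simulation of the point made in this thread. A single-thread executor stands in for a reused container worker thread, `Chain` stands in for `FilterChain.doFilter()`, and `RequestUser` stands in for the poster's Class1; all of these names are hypothetical. It compares leaving cleanup to a service method that fails with removing the ThreadLocal in the filter's finally block, and reports what the next request on the same thread would see.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalCleanupDemo {

    /** Stand-in for Class1 in the post: a static ThreadLocal holder. */
    static final class RequestUser {
        private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
        static void set(String user) { CURRENT.set(user); }
        static String get() { return CURRENT.get(); }
        static void destroy() { CURRENT.remove(); }
    }

    /** Stand-in for FilterChain.doFilter(): the remaining filters plus the service method. */
    interface Chain {
        void proceed() throws Exception;
    }

    /** Cleanup is left to code further down the chain, which may throw before reaching it. */
    static void leakyFilter(String user, Chain chain) throws Exception {
        RequestUser.set(user);
        chain.proceed();
    }

    /** Cleanup runs in finally, on the same thread that set the value, whatever the chain does. */
    static void cleaningFilter(String user, Chain chain) throws Exception {
        RequestUser.set(user);
        try {
            chain.proceed();
        } finally {
            RequestUser.destroy();
        }
    }

    /** Runs a failing request as "alice", then reports what the next request on that thread sees. */
    static String userSeenByNextRequest(final boolean cleanInFinally) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor(); // one reused thread
        try {
            Callable<Void> firstRequest = () -> {
                // Constructed failure: the service throws before its own destroy() call.
                Chain failingService = () -> {
                    throw new IllegalStateException("constructed service failure");
                };
                try {
                    if (cleanInFinally) {
                        cleaningFilter("alice", failingService);
                    } else {
                        leakyFilter("alice", failingService);
                    }
                } catch (Exception expected) {
                    // A container would turn this into an error response and reuse the thread.
                }
                return null;
            };
            worker.submit(firstRequest).get();

            Callable<String> secondRequest = RequestUser::get; // a later, unrelated request
            return worker.submit(secondRequest).get();
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("cleanup left to service method: next request sees "
                + userSeenByNextRequest(false));
        System.out.println("cleanup in filter finally:      next request sees "
                + userSeenByNextRequest(true));
    }
}
```

In the leaky variant the second request inherits the first caller's value, which is why a stale ThreadLocal holding an identity is an authorization problem as well as a memory leak.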
Removing ThreadLocal variables
Tomcat 7.0.61
Java 1.7.0_75

Scenario:

Class1
    static Type ThreadLocal variable
    static Type getThreadLocal(){...}
    static Type setThreadLocal(){...}
    static void destroy(){variable.remove}

Class2
    static Type ThreadLocal variable
    static Type getThreadLocal(){...}
    static Type setThreadLocal(){...}
    static void destroy(){variable.remove}

user makes a request to a stateless jax-ws web service
request hits filter1
filter1 - Class1.setThreadLocal
filter1 - calls chain.doFilter()
filter2 - calls methods on Class1
filter2 - Class2.setThreadLocal
filter2 - calls chain.doFilter()
web service method processes request

Removing the thread local:

web service method calls Class1.destroy() and Class2.destroy() (and it does this for all exception cases within said web service method)

Is this an acceptable pattern or is it better to implement a ServletRequestListener to remove thread local variables?
Re: [ANN] Apache Tomcat 8.0.17 available
On Wed, Jan 21, 2015 at 9:03 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Leo, On 1/20/15 10:29 PM, Leo Donahue wrote: On Tue, Jan 20, 2015 at 9:24 PM, Leo Donahue donahu...@gmail.com wrote: On Tue, Jan 20, 2015 at 5:09 PM, Mark Thomas ma...@apache.org wrote: The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.17. - The RemoteAddrValve and RemoteHostValve can now optionally include the port when filtering along with a new option to trigger authentication rather than denying access And if they are Valves, why do the docs still use the word Filter? Remote Address Filter? Both flavors exist: Valve and Filter. - -chris Right... but.. Everything on this page is called a Filter. http://tomcat.apache.org/tomcat-8.0-doc/config/filter.html Everything on this page is called a Valve, except for the two under Access Control. http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html
Re: [ANN] Apache Tomcat 8.0.17 available
On Tue, Jan 20, 2015 at 9:24 PM, Leo Donahue donahu...@gmail.com wrote: On Tue, Jan 20, 2015 at 5:09 PM, Mark Thomas ma...@apache.org wrote: The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.17. - The RemoteAddrValve and RemoteHostValve can now optionally include the port when filtering along with a new option to trigger authentication rather than denying access And if they are Valves, why do the docs still use the word Filter? Remote Address Filter?
Re: [ANN] Apache Tomcat 8.0.17 available
On Tue, Jan 20, 2015 at 5:09 PM, Mark Thomas ma...@apache.org wrote: The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.17. - The RemoteAddrValve and RemoteHostValve can now optionally include the port when filtering along with a new option to trigger authentication rather than denying access There are no links on the changelog page for these and I was hoping to see some details about why this option was added. Optionally trigger authentication instead of denial in RemoteAddrValve and RemoteHostValve http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_Address_Filter The behavior when a request is refused can be changed to not deny but instead set an invalid authentication header Example #3 To allow unrestricted access to port 8009, but trigger basic authentication if the application is accessed on another port: I'm trying to understand this kind of setup. If an IP has been allowed to pass through via a Filter to a restricted resource, wouldn't the user get the container configured authentication dialog anyway?
throttle filter
Has anyone ever suggested a configurable throttle filter as one of the container provided filters in Tomcat?

Or are people generally using the attributes in the HTTP connector for limiting requests to the server for a given amount of time?

leo
Re: throttle filter
On Tue, Dec 2, 2014 at 3:28 PM, Chris Gamache cgama...@gmail.com wrote: You could probably be more sophisticated in your throttling, letting certain IPs or requests through while tarpitting others. I was thinking about how, from my perspective, I see developers wanting to throttle back the number of requests to their web applications (and web services) based on the same ip, session, and other factors appearing in a given amount of time. I know that some frameworks (Spring) provide this mechanism, and I have seen other projects attempt to record the information in a database and produce application specific logic to restrict the number of requests in a given amount of time. I didn't know if anyone has considered a container provided filter that is configurable to provide this kind of functionality. This kind of functionality is ambiguous I know. But I would settle on even the basic ability to say: For this web service/app, allow only x many connections per sec/min/hour. Leo
Re: throttle filter
On Tue, Dec 2, 2014 at 4:08 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chris, On 12/2/14 4:28 PM, Chris Gamache wrote: Anyone ever suggested? No idea. But I'd be glad to riff on the subject in case it shakes some discussion loose. I haven't seen a filter like that, but I'm sure you could work it out. If I were implementing it I would use a Valve... Valves are easy to write- just extend org.apache.catalina.valves.ValveBase and wire it into your xml configurations. You could probably be more sophisticated in your throttling, letting certain IPs or requests through while tarpitting others. I think a Valve is more appropriate than a Filter, if only because it can be installed earlier in the pipeline. A number of considerations; these off the top of my head-- You'd have to be okay with holding the request thread open and making it sleep. If this weren't done in a Valve, but deeper in the core, Tomcat could even put the request on hold and free the thread to do other things. This happens with the NIO connectors when the request is still being sent by the client: the thread isn't tied-up waiting on IO. I guess you could serve a 503 if it were overloaded. I guess the question is whether this is a throttle intended to just smooth-out data-mass|request-counts for a particular client[1] or to avoid being overwhelmed by requests. 503 is better for avoiding an overload, but can't work well for more traditional throttling. I was thinking about a DOS situation in which I would want to restrict the number of requests submitted in a given amount of time. Or for situations where what the user submits is harmless, they just might want to submit it 10,000 times every 10 seconds. Or for situations where you may want to restrict your client from abusing your free web service, limiting them to 1,000 requests per day. The hard part is deciding whether to throttle specific users or an aggregate consumption of a service. 
Consider your memory usage. I've read horror stories about GC pauses wreaking havoc. If you have a farm of tomcats that would be participating you'd need to work out a way for them to communicate with one another for global counter stats. +1 [1] Identifying clients is always problematic. Yes. Proxies (AOL) and other things can make it look like a huge number of distinct users are coming from a single IP, effectively treating them as a single user for the purposes of throttling (if you use IP-based client identification). This is like 16-bit Microsoft Windows programs sharing a single time-slice per unit time while 32-bit applications get a full slice for each application: bad for business (if business is getting attention from the server!).
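Added example (not part of the thread and not a Tomcat-provided filter): a minimal fixed-window throttle written as a servlet Filter, covering the basic case asked for above (x requests per client per window) together with two concerns raised in this message: bounded memory for the per-client table, and a 503 when the filter itself is saturated. The class name and the init-param names are hypothetical; 429 is the "Too Many Requests" status from RFC 6585, used here for a single client over its budget. It assumes the javax.servlet API and Java 8.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical fixed-window throttle: at most maxRequests per client per window. */
public class ThrottleFilter implements Filter {

    enum Decision { ALLOW, THROTTLED, OVERLOADED }

    /** Requests counted for one client since its window opened. */
    private static final class Window {
        final long start;
        int count;
        Window(long start) { this.start = start; }
    }

    private final ConcurrentMap<String, Window> windows = new ConcurrentHashMap<>();
    private int maxRequests = 100;          // constructed defaults; override with init-params
    private long windowMillis = 60_000L;
    private int maxTrackedClients = 10_000; // bounds memory when many distinct clients appear

    @Override
    public void init(FilterConfig config) {
        maxRequests = (int) longParam(config, "maxRequests", maxRequests);
        windowMillis = longParam(config, "windowMillis", windowMillis);
        maxTrackedClients = (int) longParam(config, "maxTrackedClients", maxTrackedClients);
    }

    private static long longParam(FilterConfig config, String name, long fallback) {
        String value = config.getInitParameter(name);
        return value == null ? fallback : Long.parseLong(value.trim());
    }

    /** Core decision, free of servlet types so it can be exercised with a fake clock. */
    Decision decide(String clientKey, final long now) {
        if (windows.size() >= maxTrackedClients && !windows.containsKey(clientKey)) {
            windows.values().removeIf(w -> now - w.start >= windowMillis); // drop expired windows
            if (windows.size() >= maxTrackedClients) {
                return Decision.OVERLOADED; // table is full of live clients: refuse, do not grow
            }
        }
        final boolean[] allowed = new boolean[1];
        windows.compute(clientKey, (key, old) -> { // compute() is atomic per key
            Window current = (old == null || now - old.start >= windowMillis) ? new Window(now) : old;
            if (current.count < maxRequests) {
                current.count++;
                allowed[0] = true;
            }
            return current;
        });
        return allowed[0] ? Decision.ALLOW : Decision.THROTTLED;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // The remote address is a coarse identity: clients behind one proxy share one budget.
        long nowMillis = System.nanoTime() / 1_000_000L; // monotonic, unaffected by clock changes
        Decision decision = decide(request.getRemoteAddr(), nowMillis);
        if (decision == Decision.ALLOW) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        httpResponse.setHeader("Retry-After", String.valueOf(Math.max(1L, windowMillis / 1000L)));
        // 429 for one client over its budget, 503 when the throttle table itself is saturated.
        httpResponse.setStatus(decision == Decision.THROTTLED
                ? 429 : HttpServletResponse.SC_SERVICE_UNAVAILABLE);
        httpResponse.setContentType("text/plain");
        httpResponse.getWriter().print("Request limit reached; retry later.");
    }

    @Override
    public void destroy() {
        windows.clear();
    }
}
```

The counters live in one JVM, so a farm of Tomcats running this filter enforces the limit per instance, not globally.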
Re: Help! parallel deployment problem.
On Mon, Nov 24, 2014 at 5:48 PM, Chris Gamache cgama...@gmail.com wrote: Tomcat 7 ... Working with parallel deployment, tomcat servers in my farm are getting out-of-sync, not getting new versions of war files deployed to the main tomcat. What could be going wrong and how can I fix it? Pleez Help! Before anyone lectures you on your type of question and lack of specifics, re-submit a better question to get a better response.
Re: Weird (apocryphal) reference to Tomcat in Wikipedia
On Wed, Nov 5, 2014 at 9:31 AM, André Warnier a...@ice-sa.com wrote: Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I was reading the Wikipedia entry on .properties format yesterday (http://en.wikipedia.org/wiki/.properties) and I saw a mention of Apache Tomcat that doesn't make any kind of sense to me: In Apache Tomcat the exclamation mark denotes a Negation operator when used as the first non blank character in a line[citation needed]. I'm the one that added the [citation needed] with a note that I think this is false. Does anyone know if there was some kind of ancient version of Tomcat that read its own .properties files and added some kind of magic to do what the above says? I think it's a complete fabrication with no basis in reality. Any ideas? Maybe a very indirect reference to : http://tomcat.apache.org/connectors-doc/reference/uriworkermap.html (see : Exclusions and rule disabling) but, like you, I think that this reference is quite irrelevant in that Wikipedia article. Nice find André! bonus points.
Re: Security Best Practices on Windows Service
On Wed, Nov 5, 2014 at 1:34 PM, Igal @ getRailo.org i...@getrailo.org wrote:

> hi,
>
> what are the security best practices for running Tomcat as a Windows Service?
>
> is the local system account safe

Define safe. LocalSystem has too many privs that a Tomcat service account doesn't need in my opinion.

> or am I better off creating a new user and giving it write permissions only to the Tomcat runtime folders and read permissions to the web contents folder?

In my previous employment, we did that. Create a local user account and set permissions to the Tomcat installation directory and optional CATALINA_BASE (if you separated them).

We did not use domain accounts for the Tomcat service account because the Tomcat service account did not need access to network resources in our setup.

Create a strong password.

Leo
Re: Moving tomcat Ver 6.0
On Wed, Nov 5, 2014 at 1:48 PM, Nick Wall nick.w...@mvtcanada.com wrote: Hi All Sorry new user to this We have a Win server 2003 running Tomcat and our software I need to move this to a new win 2008 R2 server Is there an easy way to move everything over etc. Looking at easiest way to move everything over. Or if you are familiar with this and can assist setting up and moving could look at that possibility as well Nick Wall AScT IT Manager nick.w...@mvtcanada.com You might as well consider getting the latest version of Tomcat while you're at it, and then moving your webapps to that new installation. You will want to check the customizations (if you made any) in web.xml, server.xml, tomcat-users.xml and anything under conf/Catalina/localhost that you placed there intentionally in the 2003 Tomcat installation. Don't forget to use the same service account, if you created one. You will also want to check the 2003 tomcat7w.exe for any custom options you used there, like memory settings, etc. leo
Re: Moving tomcat Ver 6.0
On Wed, Nov 5, 2014 at 2:36 PM, Nick Wall nick.w...@mvtcanada.com wrote: -Original Message- From: Leo Donahue [mailto:donahu...@gmail.com] Sent: November-05-14 12:32 PM To: Tomcat Users List Subject: Re: Moving tomcat Ver 6.0 On Wed, Nov 5, 2014 at 1:48 PM, Nick Wall nick.w...@mvtcanada.com wrote: Hi All Sorry new user to this We have a Win server 2003 running Tomcat and our software I need to move this to a new win 2008 R2 server Is there an easy way to move everything over etc. Looking at easiest way to move everything over. Or if you are familiar with this and can assist setting up and moving could look at that possibility as well Nick Wall AScT IT Manager nick.w...@mvtcanada.com You might as well consider getting the latest version of Tomcat while you're at it, and then moving your webapps to that new installation. You will want to check the customizations (if you made any) in web.xml, server.xml, tomcat-users.xml and anything under conf/Catalina/localhost that you placed there intentionally in the 2003 Tomcat installation. Don't forget to use the same service account, if you created one. You will also want to check the 2003 tomcat7w.exe for any custom options you used there, like memory settings, etc. Leo HI Leo Thanks for the reply and info :) Can I just copy the folder/files you mention and put in the new installation on the 2008 server ? If the installation was done using the Tomcat zip version and it is not running as a windows service, yes, you should be able to do that. Don't put all your eggs in this basket for the moment, you need more info. As for a service account I have no idea if one exists as this was installed about 5 yrs ago and no one is left in the company that knows anything about it - Hence why I'm on this :) lol Nick I kinda wonder though if there is a windows service associated with this Tomcat. Do you see anything called Tomcat6 in the windows services panel?
Re: Moving tomcat Ver 6.0
Nick,

On Wed, Nov 5, 2014 at 2:55 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Nick,
>
> On 11/5/14 2:48 PM, Nick Wall wrote:
> > We have a Win server 2003 running Tomcat and our software I need to move this to a new win 2008 R2 server Is there an easy way to move everything over etc. Looking at easiest way to move everything over.
>
> It depends upon how you have everything set up. If you have a mostly default configuration and all your web applications are deployed into Tomcat's webapps/ directory, then you should be able to just copy the whole Tomcat directory from one machine to another. There are a few caveats:
>
> 1. If you are switching architectures (e.g. 32-bit to 64-bit, IA64 to x86_64, etc.) and you are using the tcnative library, then you'll have to make sure you place the library that matches your destination architecture into the right place (usually Tomcat's bin/ directory).
>
> 2. If you are running Tomcat as a Windows Service, then you'll have to re-register the service on the target machine once you've moved the files over. You can get a lot of mileage out of running the following on the command-line of the destination server:
>
>     C:\> SET CATALINA_HOME=C:\Path\To\Tomcat
>     C:\> SET CATALINA_BASE=C:\Path\To\Tomcat
>     C:\> %CATALINA_HOME%\bin\service.bat install
>
> You might want to run CATALINA_HOME\bin\tomcat6w.exe on the old machine and make sure all your settings are copied-over to the new one.

Yes. I think I told you to check tomcat7w.exe. Chris is correct, it would be tomcat6w.exe, since you are on version 6 something.

> 3. You may have net networking components of services on the destination machine, so make sure you don't have any port conflicts. The easiest way to check for this is to start Tomcat and look at the catalina.out log file in Tomcat's logs/ directory. If it doesn't say anything about not being able to bind to a port, then you should be okay.

You can also run at the command prompt:

    netstat -ano

to see what ports are being used and by what process.
Re: Moving tomcat Ver 6.0
On Wed, Nov 5, 2014 at 2:53 PM, Nick Wall nick.w...@mvtcanada.com wrote:

> -Original Message-
> From: Leo Donahue [mailto:donahu...@gmail.com]
>
> > I kinda wonder though if there is a windows service associated with this Tomcat. Do you see anything called Tomcat6 in the windows services panel?
> >
> > Leo
>
> Yes I just checked and there is a service running called Apache Tomcat
>
> As you can tell I have no clue to this installation :)
>
> Nick

Generic steps:

First step would be to decide whether you want to deploy a 32bit or 64bit version of Tomcat.

1. Download the latest Tomcat (32bit or 64bit, your decision)

1.b Determine whether you want to download the zip or windows installer version of that architecture. In your case, probably the latter.

2. Download the latest java sdk (same architecture as you picked above).

3. Install the java sdk, set the %JAVA_HOME% system environment variable. If you need help, ask.

4. Install Tomcat using the windows service installer. If you used a specific windows user account to run the previous service, make sure you set that in the service properties.

5. In your previous Tomcat installation, you need to take note of all of the settings and apply them to your new install. This is the hard part. You will want to compare the following files in the old and new installs:

   tomcat-install-directory/conf:
       context.xml
       server.xml
       tomcat-users.xml
       web.xml

   tomcat-install-directory/bin
       run tomcat6w.exe
       you are looking for any custom settings for memory and other options... (trying to recall the exact names of the tabs at the moment, where I am now we block Tomcat because we use a different web server, can't even install it here.. sorry list)

6. Copy your webapps from the Tomcat6 webapps dir to Tomcat8 web apps dir. I would also investigate any custom settings to the webapps/manager/META-INF/context.xml in the previous Tomcat6. You don't know if there was a custom valve or something applied in there other than the default.

6.b (Optional) Get rid of the docs and examples directories in your new Tomcat, or move them somewhere else if you want to keep them.

7. Make sure you copy the old ROOT web app directory to the new Tomcat.

8. Hard to say, but you might also have had custom jar files in the previous tomcat6-install-directory/lib. Only way to know is to compare what was in there.

This sucks that you have no documentation on the previous install, makes your life a little harder.

I'm sure others will chime in with things I have forgotten.

leo
Re: Separation of CATALINA_HOME and CATALINA_BASE
On Tue, Nov 4, 2014 at 9:37 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neven, On 11/3/14 6:42 PM, Neven Cvetkovic wrote: Vince, the current configuration works great: SLIGHTLY-OFFTOPIC: Although, I would love to see out-of-box setup for additional shared-lib folder, something other than TOMCAT/lib with Tomcat default libraries. Essentially, I would love to separate my customer shared libraries from Tomcat default libraries. I guess - question would be where are CATALINA_HOME/lib JAR files being loaded from? Can we add another directory to scan for libraries to be loaded? Is that configurable? I'm not sure about that, but if the Windows installer could ask the user if they want a unified versus split configuration, that might be nice. The installer could then ask for the location of CATALINA_BASE and offer to create it if necessary. That way, users performing upgrades could specify their existing CATALINA_BASE during installation and not have to go back and re-configure the Windows Service. It would also allow newbies to know that there is an advanced configuration and perhaps go learn about it. - -chris The Tomcat zip file distribution could easily do this now. Add a CATALINA_BASE directory pre-configured with a read-me file that explains to users they can move this directory elsewhere, and update a property that points back to the CATALINA_HOME directory wherever they unzipped that. This would be an easy optional configuration to include for a split configuration.
Re: Separation of CATALINA_HOME and CATALINA_BASE
On Tue, Nov 4, 2014 at 10:36 AM, Christopher Schultz ch...@christopherschultz.net wrote:

> Leo,
>
> On 11/4/14 10:46 AM, Leo Donahue wrote:
> > On Tue, Nov 4, 2014 at 9:37 AM, Christopher Schultz ch...@christopherschultz.net wrote:
> > > Neven,
> > >
> > > On 11/3/14 6:42 PM, Neven Cvetkovic wrote:
> > > > Vince, the current configuration works great:
> > > >
> > > > SLIGHTLY-OFFTOPIC: Although, I would love to see out-of-box setup for additional shared-lib folder, something other than TOMCAT/lib with Tomcat default libraries. Essentially, I would love to separate my customer shared libraries from Tomcat default libraries. I guess - question would be where are CATALINA_HOME/lib JAR files being loaded from? Can we add another directory to scan for libraries to be loaded? Is that configurable?
> > >
> > > I'm not sure about that, but if the Windows installer could ask the user if they want a unified versus split configuration, that might be nice. The installer could then ask for the location of CATALINA_BASE and offer to create it if necessary. That way, users performing upgrades could specify their existing CATALINA_BASE during installation and not have to go back and re-configure the Windows Service. It would also allow newbies to know that there is an advanced configuration and perhaps go learn about it.
> > >
> > > -chris
> >
> > The Tomcat zip file distribution could easily do this now. Add a CATALINA_BASE directory pre-configured with a read-me file that explains to users they can move this directory elsewhere, and update a property that points back to the CATALINA_HOME directory wherever they unzipped that. This would be an easy optional configuration to include for a split configuration.
>
> It already does that, now: The CATALINA_BASE directory is preconfigured to be set to CATALINA_HOME, which is auto-detected by catalina.sh (.bat). CATALINA_BASE contains a readme file (RUNNING.txt) that explains how to change that default.
>
> I say that with all due snark, but it's really true: what you are talking about basically exists exactly as you describe.
>
> -chris

You are correct (something muffled).

If the Tomcat community wants to promote the concept of running multiple instances, then what about:

A. A description of that functionality kind of starts on line 68 in RUNNING.txt ((3) Configure Environment Variables). In other words, it's buried.
B. That description is aimed at using SCRIPTS not SERVICES to get it working.
C. Under Advanced Configuration in RUNNING.txt all newbies really need to know is the In CATALINA_BASE part, because they will read the In CATALINA_HOME part and get confused.
D. Are newbies after this kind of configuration for the thrill of being able to run multiple instances or for easier upgrades?

My guess is most Tomcat users on Windows don't start their Tomcats with the scripts, a few do and those few are the ones who benefit from this ability, in their web app development. I haven't seen or heard of anyone who has a shared CATALINA_HOME sitting on a Windows file share where developers are free to create their own CATALINA_BASE, but I have only worked a few places in my life. And, I would wonder how coordinating the conflicting ports would be resolved as a group.

leo
[OT] jaxws 2.2 spec
I know this isn't really a Tomcat specific question, but there are a lot of web service people on the list who may want to provide their two cents.

http://download.oracle.com/otndocs/jcp/jaxws-2_2a-mrel4-eval-spec/

Page 10 indicates the following:

"In the absence of customizations, the name of an SEI MUST be the value of the name attribute of the corresponding wsdl:portType element mapped according to the rules described in section 2.8."

In bottom up web service development, you can annotate your SEI with an @WebService property for name which indicates the name of the wsdl:portType. However, I don't see a way to provide that using the wsgen utility. wsgen provides a wsdl:port option but that one is part of the wsdl:service. So while I can name my port in a sub element of wsdl:service, I don't see how I can tell wsgen to use that name for wsdl:portType. And I don't see a way to set the soap:address location via wsgen either (although you can with the wsconsume toolkit).

In top down web service development, you can specify everything up front, as long as you remember to name your SEI according to the name used in the wsdl:portType, and as long as you remember to annotate your SEI with the same serviceName property used in wsdl:service in the .wsdl file.

In bottom up web service development, there is a fear of a changing contract if there are POJOs laying around that can be used in a build to regenerate the wsdl. But it seems like this is the favored approach for two reasons:

1. Annotations exist to make creating the wsdl easier
2. Toolkit utilities exist to make creating the wsdl easier

I don't want to start an argument, but where do most of you find yourselves? Are you creating your wsdls from scratch or from a set of Java classes?

leo
Re: Separation of CATALINA_HOME and CATALINA_BASE
On Mon, Nov 3, 2014 at 3:33 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> Vince,
>
> On 11/3/14 4:12 PM, vince.w...@thomsonreuters.com wrote:
> > How much easier it would be if the Tomcat distribution had the correct separation built in.
>
> It would be harder for newbies and no real benefit to experts. Let me show you the difference in complexity between deploying Tomcat with a unified versus split configuration:
>
> Unified
> -------
>
> $ wget http://host/path/to/tomcat-x.y.z.tar.gz
> $ tar xzf tomcat-x.y.z.tar.gz
> $ tomcat-x.y.z/bin/startup.sh

You can do that in Linux. Not so well in Windows. Scripts work differently. You log out of the Windows session, and the script stops, hence why every Windows user wants to install Tomcat as a service, whichever way they do that.

> Separated
> ---------
>
> $ wget http://host/path/to/tomcat-x.y.z.tar.gz
> $ tar xzf tomcat-x.y.z.tar.gz
> $ mkdir -p my-tomcat-base/conf
> $ mkdir -p my-tomcat-base/logs
> $ mkdir -p my-tomcat-base/work
> $ mkdir -p my-tomcat-base/temp
> $ mkdir -p my-tomcat-base/webapps
> $ cp tomcat-x.y.z/conf/server.xml my-tomcat-base/conf
> $ cp tomcat-x.y.z/conf/web.xml my-tomcat-base/conf
> (the above step may not actually be necessary)
> $ cp -R tomcat-x.y.z/webapps/ROOT my-tomcat-base/webapps
> $ export CATALINA_HOME=`pwd`/tomcat-x.y.z
> $ export CATALINA_BASE=`pwd`/my-tomcat-base
> $ $CATALINA_HOME/bin/startup.sh
>
> Done.
>
> So, that's not all that complicated when you think about it, but to ask someone who knows nothing about a command-line, working effectively in an operating system, etc. and only knows about programming in Java -- maybe only servlet programming in Java -- to configure the server in the split case is confusing as all hell.
>
> Anyone downloading a ZIP or tar archive containing a Tomcat installation would be confused if the archive contained not one but two top-level directories. Also, it would overwrite your split-configuration if you unpacked that archive in the same directory as when you first started.
>
> An installer program would have to explain what in the world the split configuration was. Have you ever tried to tell someone how to set up their email? POP versus IMAP? Most users have absolutely no idea what that is, and mail programs give no clue as to which one to choose. The same would be true of CATALINA_HOME versus CATALINA_BASE.

Everything has some degree of learning. New people are trying to learn two things at once, how something works as well as the why do it this way conventions that experienced users have implemented. New users don't understand the convention and want to learn it the hard way first before they can appreciate or even understand the convention.

> (Besides, I truly doubt that any expert system administrators are using the Tomcat Windows Installer to install/upgrade their systems. Maybe I'm wrong,

You had to qualify that with 'expert'... now I have nothing more to add.

> but then again I can't imagine running a Windows server in production.

This too shall pass...

> I value my sleep and prefer to build new things instead of holding together configurations with chewing gum and duct tape. Oh, and rebooting all the time.)
>
> Anyhow, we can debate this all you want, but I will be -0 or even -1 to a default split-configuration of Tomcat unless someone has a really good idea for how to make it make sense to anyone on their first-touch.
>
> -chris

I would rather just point (windows) people to an example of a split configuration or any other configuration and let them implement it if they choose to do so, instead of getting Tomcat pre-configured. Part of the draw to Tomcat is that you have flexibility with how you choose to run it (script, service, windows installer, etc)
Re: need information of tomcat support
On Tue, Oct 28, 2014 at 8:00 AM, Hareshbhai Desai,Vinaykumar (Vinaykumar) desa...@avaya.com wrote:

> Hi team,
>
> I need some information about the tomcat support. We are using tomcat 3.2.2 and tomcat 6.0.37 in our product. If we do not upgrade to the latest tomcat version, shall we get the support from apache for both tomcat release 3.3.2 /6.0.37? If yes, is it free or paid support? How quickly do we get a response?
>
> It would be great if you will share the information on this area, so we can take decision quicker.
>
> Thanking You,
> Vinay

7.3 Security vulnerabilities fixed in Tomcat 3.2.3

Non-normalized URIs, for example /examples/jsp/security//protected/index.jsp or /examples/jsp/../jsp/security/protected/index.jsp would bypass the security constraints specified in web.xml.

We have come a long way since then...
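Why the two non-normalized paths quoted above slip past a constraint, and the normalize-then-match order that closes the gap, as an added Java example that is not Tomcat's code and not part of the post. The naive prefix match, the protected prefix and all class and method names are assumptions, and the input is assumed to be already percent-decoded.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added illustration (not Tomcat source): a security constraint has to be
 * matched against the normalized request path, never the raw one.
 */
public class ConstraintPathCheck {

    // Assumed url-pattern of the constraint: /examples/jsp/security/protected/*
    static final String PROTECTED_PREFIX = "/examples/jsp/security/protected/";

    /** Naive check: compares the raw request path with the protected prefix. */
    static boolean naiveIsProtected(String rawPath) {
        return rawPath.startsWith(PROTECTED_PREFIX);
    }

    /**
     * Collapses empty segments ("//"), drops "." and resolves "..".
     * Returns null for a relative path or when ".." would climb above the
     * root, so the caller can reject the request instead of guessing.
     */
    static String normalize(String rawPath) {
        if (rawPath == null || !rawPath.startsWith("/")) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : rawPath.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null;
                }
                segments.removeLast();
            } else {
                segments.addLast(segment);
            }
        }
        StringBuilder out = new StringBuilder();
        for (String segment : segments) {
            out.append('/').append(segment);
        }
        if (out.length() == 0 || rawPath.endsWith("/")) {
            out.append('/');
        }
        return out.toString();
    }

    /** Normalizes first, then matches; a path that cannot be normalized fails closed. */
    static boolean isProtected(String rawPath) {
        String path = normalize(rawPath);
        return path == null || path.startsWith(PROTECTED_PREFIX);
    }

    public static void main(String[] args) {
        String[] samples = {
            "/examples/jsp/security/protected/index.jsp",         // direct request
            "/examples/jsp/security//protected/index.jsp",        // from the changelog entry
            "/examples/jsp/../jsp/security/protected/index.jsp",  // from the changelog entry
            "/examples/jsp/index.jsp",                            // genuinely unprotected
            "/../index.jsp"                                       // climbs above the root
        };
        for (String sample : samples) {
            System.out.printf("%-52s naive=%-5b normalized=%b%n",
                    sample, naiveIsProtected(sample), isProtected(sample));
        }
    }
}
```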
Re: JAX-WS Web Services
On Sun, Oct 12, 2014 at 9:16 AM, Meeraj Kunnumpurath mee...@servicesymphony.com wrote:

> Hi,
>
> I am porting an application from Weblogic 12 to Tomcat 8. The application has a set of web services that implement javax.xml.ws.Provider<SOAPMessage> exposed by declaring them as servlets in web.xml. However, it doesn't seem to be working in Tomcat, when I access the WSDL URL, I get a 404.
>
> Regards
> --
> *Meeraj Kunnumpurath*

I posted something similar to this a few months back, maybe this link will help? https://www.mail-archive.com/users%40tomcat.apache.org/msg113562.html

I can't really answer your question directly because I can't help you troubleshoot a 404 without more info.

leo
Question on Thread Local
I've been reading about using Thread Local in web applications and the general use case is to generate a transaction id in a filter so that the rest of the web application running in the thread local will have access to that transaction id. Thread Local is essentially a way to create a global variable so that you don't have to create a bean that generates said global data and pass that bean around to other classes, or inject it into the other classes? I am not sure I understand the difference between per-thread requests and servlet requests that already run in their own thread. In other words, what is the difference between using a Thread Local variable vs any other variable that is created inside a filter, or during a normal servlet request?
Re: Question on Thread Local
On Tue, Sep 2, 2014 at 3:00 PM, Leon Rosenberg rosenberg.l...@gmail.com wrote:

> From practical point of view ThreadLocal is a huge hashmap directly in the ThreadClass where you can store a map of variables. Something like Thread.Map<ThreadId, Map<String, Object>>, in which you can access variables that are 'attached' logically to the current Thread.
>
> In practice it's a nice way to pass information through layers of code without adding it explicitly as parameter to every function on the way.
>
> regards
> Leon

At some point in the web application, a ThreadLocal is instantiated and its properties are set and then retrieved in a Filter. Am I on track here?

How is that different or more helpful than instantiating any other POJO with property setters? A POJO will be instantiated on every servlet request whereas the ThreadLocal is only created once?
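The difference asked about in this thread shows up once request threads are pooled: a ThreadLocal value belongs to the thread, not to the request, so it carries over into the next request on that thread unless the filter removes it, while a local variable ends with the call. An added Java example, not code from either post; the class and method names are hypothetical and a single-thread executor stands in for the container's request thread pool.

```java
import java.util.UUID;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/**
 * Added illustration of a per-request transaction id kept in a ThreadLocal.
 * Nothing here depends on the servlet API.
 */
public class TransactionIdDemo {

    /** One slot per thread: any layer can read it without a method parameter. */
    static final ThreadLocal<String> TX_ID = new ThreadLocal<>();

    /** Deep "service layer" code; note that no transaction id is passed in. */
    static String serviceLayer(String request) {
        return request + " tx=" + TX_ID.get();
    }

    /** Sets the id but never clears it, so it stays attached to the pooled thread. */
    static String leakyFilter(String request, boolean assignId) {
        if (assignId) {
            TX_ID.set("tx-" + UUID.randomUUID());
        }
        return serviceLayer(request);
    }

    /** Clears the slot in finally, before the thread goes back to the pool. */
    static String safeFilter(String request, boolean assignId) {
        try {
            if (assignId) {
                TX_ID.set("tx-" + UUID.randomUUID());
            }
            return serviceLayer(request);
        } finally {
            TX_ID.remove();
        }
    }

    /** Runs one simulated request on the pool and waits for its result. */
    static String handle(ExecutorService pool, Callable<String> request) throws Exception {
        return pool.submit(request).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Request B takes a code path that assigns no id, yet it reads A's id,
            // because both requests ran on the same pooled thread.
            System.out.println(handle(pool, () -> leakyFilter("A", true)));
            System.out.println(handle(pool, () -> leakyFilter("B", false)));

            // With the cleanup in place, request D starts from an empty slot.
            System.out.println(handle(pool, () -> safeFilter("C", true)));
            System.out.println(handle(pool, () -> safeFilter("D", false)));
        } finally {
            pool.shutdown();
        }
    }
}
```

If the stored value is an object loaded by the web application rather than a plain string, leaving it on a container thread also keeps the application's class loader reachable after undeploy, which is what Tomcat's "very likely to create a memory leak" warnings report.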
Re: Restricting SSL access within webapp
On Fri, Aug 1, 2014 at 1:55 PM, John Smith tomcat.ran...@gmail.com wrote:

> In my webapp there's a directory '/admin' that's protected under SSL. Users are forced to use SSL via a security constraint in web.xml. It works great.

I would also agree with Chuck and James. Can you not move this admin app to another instance of Tomcat? Why dangle it out there on the same server that has all your other non-SSL required webapps? Just asking.

leo
Re: Windows performance issue
On Jul 21, 2014 4:03 AM, Omar Orzenini omar.orzen...@gmail.com wrote:

> Hello everyone,
>
> I apologize for my poor english but I'll try to explain. I have a strange performance problem only under Windows (via NFS on Linux everything works fine).
>
> Tested operating system (Windows Server 2008 R2 64, Windows Server 2012 R2):
>
> Second step: share the webapps folder (eg. c:\webapps) and change in the server.xml AppBase from webapps to \\servername\webapps.

And now you have a dns query to lookup that server name each time. Does fully qualified domain name of the server help improve performance?

Leo
Re: jax-ws
On Sun, Jul 13, 2014 at 10:23 PM, Leo Donahue donahu...@gmail.com wrote:

> I found a link on the web that mentioned something about picking and choosing about 7 different jar files

Essentially that information is wrong. Reading the manual here: https://jax-ws.java.net/2.2.8/docs/ch02.html#installation-instructions I needed all of them apparently.

Why does technology suffer from such poor documentation?

Are medical books wrong? - errata... oh wait, I meant cut here! on page 1291 (that's going to leave a scar)

Are mystery novel endings wrong? - errata... oh wait that person was supposed to live, not die on page 674

Why so much junky documentation in technology?

This was a rhetorical question section.
Re: jax-ws
On Mon, Jul 14, 2014 at 8:04 AM, Christopher Schultz ch...@christopherschultz.net wrote:

> Leo,
>
> On 7/13/14, 11:23 PM, Leo Donahue wrote:
> > I'm here: http://tomcat.apache.org/tomcat-7.0-doc/extras.html#Web_Services_support_%28JSR_109%29
> >
> > And I'm looking for the other two jar files mentioned in the help. Going back to the main download page for 7.0.54 and clicking on Browse/bin/extras, I see no said jar files mentioned in the help document.
> >
> > I'm following along in the Java 6EE tutorial here: http://docs.oracle.com/javaee/6/tutorial/doc/bnayn.html#bnayq ... and I don't use NetBeans or Glassfish (yet)
>
> If you want Java EE on Tomcat, you might as well save yourself a huge headache and switch to TomEE.
>
> -chris

As I am finding out.

INFO: Starting Servlet Engine: Apache Tomcat/7.0.54
Jul 14, 2014 9:58:51 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive C:\apache_tomcat\apache-tomcat-7.0.54\webapps\HelloTest.war
Jul 14, 2014 9:58:52 AM org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/HelloTest]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1083)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1880)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NoClassDefFoundError: com/sun/istack/localization/Localizable
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at java.lang.Class.getDeclaredFields0(Native Method)
    at java.lang.Class.privateGetDeclaredFields(Class.java:2436)
    at java.lang.Class.getDeclaredFields(Class.java:1806)
    at org.apache.catalina.util.Introspection.getDeclaredFields(Introspection.java:106)
    at org.apache.catalina.startup.WebAnnotationSet.loadFieldsAnnotation(WebAnnotationSet.java:261)
    at org.apache.catalina.startup.WebAnnotationSet.loadApplicationListenerAnnotations(WebAnnotationSet.java:90)
    at org.apache.catalina.startup.WebAnnotationSet.loadApplicationAnnotations(WebAnnotationSet.java:63)
    at org.apache.catalina.startup.ContextConfig.applicationAnnotationsConfig(ContextConfig.java:403)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:879)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:374)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5355)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 10 more
Caused by: java.lang.ClassNotFoundException: com.sun.istack.localization.Localizable
    at java.net.URLClassLoader$1
jax-ws
I'm here: http://tomcat.apache.org/tomcat-7.0-doc/extras.html#Web_Services_support_%28JSR_109%29 And I'm looking for the other two jar files mentioned in the help. Going back to the main download page for 7.0.54 and clicking on Browse/bin/extras, I see no said jar files mentioned in the help document. I'm following along in the Java 6EE tutorial here: http://docs.oracle.com/javaee/6/tutorial/doc/bnayn.html#bnayq ... and I don't use NetBeans or Glassfish (yet) I found a link on the web that mentioned something about picking and choosing about 7 different jar files from the metro download here: https://jax-ws.java.net/ What do I need to create a simple jax-ws sample and deploy in Tomcat 7.0.54? leo
[OT] Apache Tomcat7 service start randomly after the installation of McAfee antivirus
On Thu, Jul 3, 2014 at 4:22 AM, André Warnier a...@ice-sa.com wrote:

> Leo Donahue wrote:
> > On Wed, Jul 2, 2014 at 2:33 AM, André Warnier a...@ice-sa.com wrote:
> > > Blachon, Philippe wrote:
> > >
> > > Why would one run a virus scanner permanently on a Tomcat server ?
> >
> > Does the OP work in the government? My former employer had virus scanning software on every server. You couldn't get a server image without it. The answer to that question is really based on policy, if he works in government. Eventually, that server has the potential for getting a virus somehow from something or someone, and someone has to answer the question: why wasn't there virus scanning software on the server?
>
> Leo, I understand what you're saying above. But if one extrapolates that logic, then at some point the whole IT infrastructure and the whole Internet would grind to a halt, as only the POTUS would be allowed to upload anything onto a computer.

All sarcasm aside, I agree with you. Some LAN administrators I've worked with would applaud your statement though.

And I'll go one step further and add that not only in some local government agencies you get virus scanners on servers, but you also get those system scanners that monitor every single thing that happens on the server (something related to the sun and wind). It really bogs things down.

And it gets worse than that. Sometimes you have eager admins who say: I see that this vm is only utilizing x % of the system resources, I'll either degrade the existing resources provisioned on that server or maybe I'll install something on it not related to the intent of that server. All of that stuff makes troubleshooting problems so much harder.

At least his scheduled tasks are working.

leo
Re: Interface default methods
On Thu, Jul 3, 2014 at 1:05 AM, Mark Thomas ma...@apache.org wrote:

> On 3 July 2014 04:11:32 GMT+01:00, Leo Donahue donahu...@gmail.com wrote:
> > I don't want to start a war, but just curious if the Tomcat developers see any use case for adding default methods to any of the Interfaces in the API?
>
> Which API?
>
> Mark

Well, for example, this Interface? http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/catalina/Valve.java

I was just curious if the Tomcat developers have any intent on creating default methods in Interfaces such as this one as opposed to using the abstract class ValveBase. Just wanted to know how people felt about Interface default methods in general.

leo
Interface default methods
I don't want to start a war, but just curious if the Tomcat developers see any use case for adding default methods to any of the Interfaces in the API? Leo
Re: [somewhat OT] Apache Tomcat7 service start randomly after the installation of McAfee antivirus.
On Wed, Jul 2, 2014 at 2:33 AM, André Warnier a...@ice-sa.com wrote:

> Blachon, Philippe wrote:
> > Good morning,
> >
> > We have 4 identical servers with a scheduled task running every night on each of them. This task Stop Tomcat - Update some data - Start Tomcat. This worked fine for months. We have installed a new antivirus McAfee 3 weeks ago. Now the Tomcat7 service starts randomly. At least 1 of the 4 server needs a manual start of the Tomcat7 service every morning.
> >
> > Do you know if there is specifics problems between Tomcat and Mc Afee ? We have already tried to exclude Tomcat.exe from McAfee scanning. Is there other thing we could exclude without compromising the security ?
> >
> > Configuration: Windows server 2008 R2 Standard - SP1 Apache Tomcat 7.0.29 Server McAffee Agent 4.8.0.1500 Mcafee VirusScan Enterprise 8.8.04001
> >
> > Thanks, have a nice day,
> > Philippe Blachon.
>
> Not a direct answer to your question, but maybe a bit of lateral and logical thinking here : Why would one run a virus scanner permanently on a Tomcat server ?

Does the OP work in the government? My former employer had virus scanning software on every server. You couldn't get a server image without it. The answer to that question is really based on policy, if he works in government. Eventually, that server has the potential for getting a virus somehow from something or someone, and someone has to answer the question: why wasn't there virus scanning software on the server?

Leo
Re: Stateless application is very slow using LDAP authentication
On Tue, Apr 22, 2014 at 8:48 AM, André Warnier a...@ice-sa.com wrote:

> Frédéric Poliquin wrote:
> > > What if you disable authentication entirely as a test... do things speed-up?
> >
> > Answer is YES
> >
> > > Do you have a problem only under load or also when you are testing a single-user?
> >
> > Single user
> >
> > What I did is to put Tomcat behind an Apache Server which solved my problem. Maybe it could be a good new feature to add in future releases...
>
> Can you explain how this solved your problem ? If you are using Basic Authentication, without sessions, even httpd would need to re-authenticate to AD/LDAP with every request, no ?

I'm somewhat more concerned for the OP if he is using Basic Authentication and LDAP. Passwords going over the network unprotected. Am I the only one seeing this?

Leo
sudo apt-get install Tomcat7
About two weeks into learning linux on Ubuntu 12.04 LTS

Issuing that command, where does that Tomcat7 come from?

Leo
Re: sudo apt-get install Tomcat7
On 04/20/2014 08:29 PM, Everton H. P. Custódio wrote:

> Hi,
>
> 2014-04-20 23:43 GMT-03:00 Leo Donahue donahu...@gmail.com:
> > About two weeks into learning linux on Ubuntu 12.04 LTS
> >
> > Issuing that command, where does that Tomcat7 come from?
>
> It comes from Ubuntu's repository. You can check the repositories in 'Software and Updates' options in Ubuntu.

I'm not sure I see the same thing you are describing. Under Ubuntu Software Center, and then from the Edit/Software Sources menu there is a dialog showing Download from on the Ubuntu Software tab which just says Server for United States. I have an option to pick from several US mirrors.

Tomcat7 could be coming from any one of those mirror sites?

I think I will just stick with using the tar.gz file from the tomcat.apache.org site for now until I can get a better feel for this OS.

Thanks,
Leo
Re: Maximum number of JSP ?
On Fri, Apr 11, 2014 at 6:46 AM, Dutta, Abhishek abhishek.du...@capgemini.com wrote:

> Hi,
>
> I am not very sure. But I guess if we consider the servlet lifecycle the servlet is not supposed to get instantiated until requested for.

The question is, do the JSP pages contain static text or JSP elements? Either way, a JSP will be converted to a servlet in the container.

When a request for the JSP is made, the container will check to see if the JSP page's servlet is older than the JSP page, and if it is, then the JSP page gets re-compiled. http://docs.oracle.com/javaee/5/tutorial/doc/bnahe.html

Now you are going through the servlet life cycle for each JSP page that is newer than its servlet. And you also have spawned 16,000 threads in this application. One for each init() method of those servlets.

Is this performance problem something you didn't have before today?
Re: Maximum number of JSP ?
On Fri, Apr 11, 2014 at 8:52 AM, Sylvain Goulmy sygou...@gmail.com wrote:

> 4. Here is the behaviour that i observed : i request the URL of a jsp in a loop. The content of this JSP is always the same but it's name is different in each URL so that it is considered as a new one.

Can you post the contents of your JSP?

> > Is this performance problem something you didn't have before today?
>
> No indeed, we were on a different technology (Websphere).

So what is your point? You originally asked this:

> I'd like to know if there are known limitations regarding the max number of JSP loaded in an application that could be used without facing performance issue ?

Why would there be a number? You can have the same and/or worse performance problems with just one JSP.
Re: Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x
On Thu, Apr 10, 2014 at 2:10 PM, Ji Song s...@glimmerglass.com wrote:

> Hi,
>
> Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x ?
>
> I noticed that Tomcat native connector version 1.1.22 uses : OpenSSL 0.9.8 which doesn't have the heartbleeding bug, but 1.1.24 and 1.1.29 also include the buggy openssl.
>
> How can I find which version of Tomcat uses which version of Tomcat native connector ? For example, how can I figure out which version of Tomcat native connector is used by Tomcat 7.0 build 47.

Look here: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_47/build.properties.default

Scroll to the # - Tomcat native library - section
Re: grab hostname from tomcat manager
On Wed, Apr 2, 2014 at 6:07 AM, bjoern.bec...@easycash.de wrote:

> Hello,
>
> I need to grab the hostname from the tomcat manager somehow. Unfortunately this URL manager/text/serverinfo doesn't contain the hostname. Is there any other smart way to receive the hostname via tomcat manager app?
>
> Best Regards,
> Bjoern

Programmatically grab? or just see it? There is a link on the manager homepage for server status which will show the host name to you.
Re: SSL Certificates
On Mon, Mar 31, 2014 at 7:19 AM, Bomma, Nithun nithun.bo...@amtrak.com wrote:

> Hello,
>
> We are using WebSphere v6.1 for SSO and we are moving to ForgeRock and it uses Apache Tomcat (v7.0.37). We are trying to import the certificates (Verisign) including the chain certificates from WebSphere to Tomcat. Have any of you done this before? If yes, could you help us out?
>
> Thanks,
> Nithun

It's all right here: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority

Where do you need help specifically?
Re: Connection pooling issue on Tomcat
On Fri, Mar 28, 2014 at 12:31 PM, Propes, Barry L barry.l.pro...@citi.com wrote:

> -----Original Message-----
> From: Mark Shifman [mailto:mark.shif...@yale.edu]
> Sent: Friday, March 28, 2014 12:34 PM
> To: Tomcat Users List
> Subject: Re: Connection pooling issue on Tomcat
>
> Thanks, Mark, I got it figured out. I had changed it a couple of weeks back to point to our COB region, which is up only during a specified time, and didn't realize I hadn't changed it back. But I also thought that stopping and starting the app in the manager console would overwrite the app xml file in the conf folder, and that didn't happen. I checked it there and discovered the problem.

I know this thread is closed, but I just wanted to ask you a follow up question Barry.

You said that the app xml in the conf folder wasn't being overwritten. Are you placing that xml file there manually? Or did you set copyXML in your Host element to true to make it copy that file there? Because by default, copyXML is set to false, that attribute is not even named in the default Tomcat server.xml if you are using the zip version. And per the docs, that app xml file will be used in place of the one in your web app, even if the web app one is newer.

[quote]
Set to true if you want a context XML descriptor embedded inside the application (located at /META-INF/context.xml) to be copied to xmlBase when the application is deployed. On subsequent starts, the copied context XML descriptor will be used in preference to any context XML descriptor embedded inside the application *** even if the descriptor embedded inside the application is more recent ***. The flag's value defaults to false. Note if *deployXML* is false, this attribute will have no effect.
[/quote]

If you place the contents of your app xml file in a file called context.xml in /META-INF/, you won't have to worry about updating the one in the conf folder. I only place xml files in conf when I want something static, like mapping an output directory for GIS applications to write images.
Re: Realm ldaps
On Thu, Mar 27, 2014 at 8:45 AM, bjoern.bec...@easycash.de wrote:

> Hello,
>
> I like to change my ldap jndirealm to ldaps.
>
> <Realm className="org.apache.catalina.realm.LockOutRealm">
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
> <Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC=de"

How do you get away with an empty domainComponent? DC= ?

This doesn't say you can't have an empty name, but why would you. Just curious. http://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx
Re: Realm ldaps
On Thu, Mar 27, 2014 at 10:20 AM, bjoern.bec...@easycash.de wrote:

> -----Original Message-----
> From: Leo Donahue [mailto:donahu...@gmail.com]
> Sent: Thursday, 27 March 2014 17:54
> To: Tomcat Users List
> Subject: Re: Realm ldaps
>
> > On Thu, Mar 27, 2014 at 8:45 AM, bjoern.bec...@easycash.de wrote:
> > > Hello,
> > >
> > > I like to change my ldap jndirealm to ldaps.
> > >
> > > <Realm className="org.apache.catalina.realm.LockOutRealm">
> > > <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
> > > <Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC=de"
> >
> > How do you get away with an empty domainComponent? DC= ?
>
> Sorry for confusing, this seems to be a mistake. In my original config I of course got DC=DOM,DC=de.

Does fixing that solve the issue? Does Tomcat start with this configuration? Anything in the logs?
Re: Scripting Tomcat installation versus multiple instances
On Wed, Mar 26, 2014 at 11:32 AM, Sebastien Tardif sebastien.tardif.contrac...@gmo.com wrote:

> I'm confused by the commands given by Tomcat documentation about creating different instances, it says:
>
> service install instance1
>
> but service is not a command provided by Tomcat or Windows, see http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html#Multiple_Instances
>
> Almost everything I'm trying to automate using that page is not working, maybe it's rare people automate installation on Windows?

The service command is located here: \apache-tomcat-7.0.52\bin

Change directories to this location and run that command.
Re: Scripting Tomcat installation versus multiple instances
On Wed, Mar 26, 2014 at 12:35 PM, André Warnier a...@ice-sa.com wrote: Despite your name, you are too quick (and not lazy enough). You could have waited an hour, to get that solution right here. ;-) Sebastien Tardif wrote: Oh no you didn't, just top post. ?
Re: jax-ws and tomcat 7 with ssl
On Tue, Mar 18, 2014 at 2:58 PM, Maria Cristina Siena mariacristinasi...@sourcecable.net wrote:

> Hi,
>
> I developed a web service using jax-ws and configured Tomcat to support SSL connection. Here are my steps:
>
> ** Step 1 - Generate a self-signed server certificate
>
> Use JDK 1.7 keytool:
>
> keytool -genkey -alias trackerdev -keypass changeit -storepass changeit -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx
>
> Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere, ST=provincenamehere, C=ca correct? [no]: yes

> They claim that the certificate is not properly signed.

Well, I don't know. It is a self-signed certificate. How do they access your web service? Using the fully qualified machine name in the URL? Does CN=xx.x.x.xxx represent your server name?

If the cert is created for your server name, and your other team is on the same network, all they need to do is place the cert in their trusted store and it should be fine. The name of the cert should be the same name your team would use to access your server.

In other words, when your team views the certificate from their end, it should say something like:

Issued to: your fully qualified server name
Issued by: your fully qualified server name

You are essentially issuing your server a cert by your server. Did this help or make it worse?
Re: Tomcat 7 : Configure redirect url for session timeout
On 3/14/2014 4:18 PM, Akash Jain wrote: I want to redirect user to / with a query parameter to indicate that session has timed out. I don't follow you. What do you mean by use a query parameter? You want to display a notification to the user in the URL? Do you mean like this: http://www.myhomepage.com/?notice=sessiontimeout - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JNDIRealm - Active Directory Roles
On Fri, Mar 14, 2014 at 2:12 AM, bjoern.bec...@easycash.de wrote:
> Hello, thanks for your reply. It doesn't make any difference. I don't understand how the authenticated user receives permissions for one of these roles:
>
> <role rolename="manager"/>
> <role rolename="tomcat"/>
> <role rolename="admin"/>
> <role rolename="manager-gui"/>
> <role rolename="manager-jmx"/>

That is a UserDatabaseRealm: org.apache.catalina.realm.UserDatabaseRealm

Those roles are different than what would be in your ldap, which is a: org.apache.catalina.realm.JNDIRealm

Which realm do you want to use?
Re: Tomcat-user versus StackOverflow
On Fri, Mar 14, 2014 at 6:10 AM, Christopher Schultz ch...@christopherschultz.net wrote: All, I'm finding a lot of questions lately posted simultaneously to both tomcat-user and to StackOverflow. How does the Tomcat community feel about that? Any opinions? - -chris I don't prefer sites that require I have an account to log in. I don't see a benefit to it nor do I care about badges either. There are too many sites to remember all those log ins. I prefer the list, or things like lists. Or like Mr. Wood, I comb through those sites if I have to. However, this kind of thing happens on other sites in which I participate. A user wants an answer to their question and casts a net in several different forums on the same site. It doesn't help them and it makes searching for the answer harder because the keywords are now in several different forum areas and maybe the answer came in only one of those forum areas.
Re: Tomcat-user versus StackOverflow
On Fri, Mar 14, 2014 at 8:02 AM, Christopher Schultz ch...@christopherschultz.net wrote: Leo, On 3/14/14, 10:58 AM, Leo Donahue wrote: On Fri, Mar 14, 2014 at 6:10 AM, Christopher Schultz ch...@christopherschultz.net wrote: I was happy to see SO demolish the Experts Exchange overnight. Their site got great Google rankings but never gave you any actual answers unless you paid them. - -chris I think the SO and Experts Exchange sites partly contribute to the idea that new users think they can post questions and expect to get vending machine answers. It's a hard culture to change.
Re: Tomcat 7 : Configure redirect url for session timeout
On Fri, Mar 14, 2014 at 3:04 PM, Akash Jain akash.delh...@gmail.com wrote:
> I have following configuration in `web.xml` in tomcat 7. I am wondering if I can add any configurable parameter here, so that if user tries to do any operation post 30 minutes, I redirect the user to our home page.
>
> <session-config>
>   <session-timeout>30</session-timeout>
>   <cookie-config>
>     <domain>mydomain.mycompany.com</domain>
>     <http-only>true</http-only>
>     <secure>false</secure>
>   </cookie-config>
>   <tracking-mode>COOKIE</tracking-mode>
> </session-config>

My first thought is you could catch the error in web.xml using an error-page and error-code 408, and then use a location to redirect? http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletResponse.html
Re: Tomcat 7 : Configure redirect url for session timeout
On Fri, Mar 14, 2014 at 3:48 PM, Akash Jain akash.delh...@gmail.com wrote: Leo, If any request comes after session timeout interval ... why would it go into error ? Perhaps because the request/response that was created with a session is no longer valid after the session timeout. What other option would you have if not an error-page?
Re: JNDIRealm - Active Directory Roles
On Thu, Mar 13, 2014 at 10:15 AM, bjoern.bec...@easycash.de wrote:
> Hello, server.xml:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        debug="99"
>        connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>        connectionPassword="_2VK!WHzybn1SJ8P"
>        connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>        userSearch="(sAMAccountName={0})"
>        userSubtree="true"
>        roleSearch="(memberof={0})"
>        roleSubtree="true"
>        userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de" />
> <!--roleBase="DC=DOM,DC=de" roleName="cn" -->

Lines that are different in my context:

connectionURL="ldap://fully.qualified.server.name:389"
userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))"
roleSearch="(member={0})"
userRoleName="memberOf"

I don't know if it makes a difference for you or not.
Re: Site down for maintenance scenario
On Wed, Mar 12, 2014 at 11:28 AM, John Smith tomcat.ran...@gmail.com wrote: Is there a straightforward way to toggle or add something in Tomcat, in the event a webapp is intentionally taken 'offline for maintenance? The user would receive the same single notification page saying as much, for any and all requests. Tomcat 7.0.42 What would respond to the user's request if the web app they asked for is down? All you are going to get is a not found error which will be handled by your ROOT web application.
Re: Site down for maintenance scenario
On Wed, Mar 12, 2014 at 11:51 AM, Leo Donahue donahu...@gmail.com wrote: On Wed, Mar 12, 2014 at 11:28 AM, John Smith tomcat.ran...@gmail.com wrote: Is there a straightforward way to toggle or add something in Tomcat, in the event a webapp is intentionally taken 'offline for maintenance? The user would receive the same single notification page saying as much, for any and all requests. Tomcat 7.0.42 What would respond to the user's request if the web app they asked for is down? All you are going to get is a not found error which will be handled by your ROOT web application. I wonder if parallel deployment is an option for you? Maybe someone else will have a better idea. webapp#1.war could be your notice web app, while webapp#2.war could be your normal site. Deleting webapp#2.war would make requests fall back to your web app that notifies the user the site is down. Redeploying an updated webapp#2 would then override the other one.
Re: Site down for maintenance scenario
On Wed, Mar 12, 2014 at 11:58 AM, Leo Donahue donahu...@gmail.com wrote: On Wed, Mar 12, 2014 at 11:51 AM, Leo Donahue donahu...@gmail.com wrote: On Wed, Mar 12, 2014 at 11:28 AM, John Smith tomcat.ran...@gmail.com wrote: Is there a straightforward way to toggle or add something in Tomcat, in the event a webapp is intentionally taken 'offline for maintenance? The user would receive the same single notification page saying as much, for any and all requests. Tomcat 7.0.42 What would respond to the user's request if the web app they asked for is down? All you are going to get is a not found error which will be handled by your ROOT web application. I wonder if parallel deployment is an option for you? Maybe someone else will have a better idea. webapp#1.war could be your notice web app, while webapp#2.war could be your normal site. Deleting webapp#2.war would make requests fall back to your web app that notifies the user the site is down. Redeploying an updated webapp#2 would then override the other one. Redeeming myself Use two # symbols. webapp.war would be an earlier version of webapp##1.war Read this: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Parallel_deployment
Re: Site down for maintenance scenario
On Mar 12, 2014 2:15 PM, André Warnier a...@ice-sa.com wrote: I was going to suggest to replace the normal myApp.war by one named similarly, but returning a on maintenance page. But the solution above is cleverer. Bonus points. Thanks. I've never had bonus points before. ;)
Re: Tomcat and Spring Framework
On Mon, Mar 10, 2014 at 12:58 PM, Mark H. Wood mw...@iupui.edu wrote: It's probably worth asking what full-fledged enterprise applications means. I'm not aware of any specification with that title. That was a Spring term from the page I was reading, and the reason I asked the question. Tomcat itself is not a J(2)EE application server. I have been under the impression that one could successfully implement *some* of the J(2)EE stack carefully on Tomcat through other means. Spring is one of those means? From what I've been reading about Spring in the last three days, it is essentially a bunch of design patterns turned into objects. Dependency Injection through patterns - I get that. The AOP part of Spring is basically a mechanism for applying object behavior to other objects without composition. I know I have that wording wrong, but essentially, AOP through the use of point-cuts lets me apply object behavior of logging to other objects without those objects being composed of my logging objects. I don't know how I would do that with a pattern, unless it is some kind of front controller pattern - but I don't know. So, Spring allows Tomcat to host full-fledged enterprise applications that would normally require a J(2)EE application server like Glassfish? That is what I was asking, without saying it specifically.
Re: The Service Component
On Mon, Mar 10, 2014 at 10:15 AM, André Warnier a...@ice-sa.com wrote:
> It is particularly nice to know that it works, and that the Service element really (apparently) corresponds to something real at the Tomcat level. So it is apparently not just an element of order allowing to group Connectors with Engine. Which is contrary to what I imagined, and which I believe definitely answers the original OP's question (at least the first part).

Yes, question answered. So some use the multiple Service in server.xml for app isolation or in place of virtual hosting. Mr. Janner indicates he has to modify 7 values in his server.xml. I guess I have that many as well. I also find this is needed if running multiple instances of Tomcat but I don't want to change the subject of this thread.

I have to change the following in server.xml when I add more Tomcat instances or upgrade:

- server shutdown port
- connector port for HTTP
- connector port for AJP
- realm org.apache.catalina.realm.UserDatabaseRealm if digesting passwords in tomcat-users.xml
- host appbase (optional depending on config)
- valve org.apache.catalina.valves.AccessLogValve (optional depending where you like the root log to go)
- cleaning up all the comments...

My down time is minimal, but I find I do some prep work before I remove the old windows service and install the new. My down time consists of the time it takes to take one instance down and start the new one, and maybe 20 min of prep work glaring at the server.xml to make sure I didn't miss some configuration.
Re: The Service Component
On Mon, Mar 10, 2014 at 7:26 AM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote: -Original Message- From: Leo Donahue [mailto:donahu...@gmail.com] Sent: Friday, March 07, 2014 9:44 AM To: users@tomcat.apache.org Subject: The Service Component Who uses more than one Service in their server.xml and why? I get that you can have multiple Connectors if you have multiple Service components but why use multiple connectors? Are there any docs on the use cases for these features? Hi Leo, I may be the only person on this list who does this consistently. I use it as an alternative method of virtual hosting, i.e. each host gets its own Service and related sub-structure. You are lucky you have control over that. I have no luck asking our data center to add another host entry to our web server. I always ask them, isn't it easier than asking you for another vm? :)
Re: Tomcat7w.exe
On Fri, Mar 7, 2014 at 12:43 PM, Howard W. Smith, Jr. smithh032...@gmail.com wrote: Actually, i hate clicking on things... I use Windows keyboard shortcuts as much as possible. Even when you run the following command, you still get a GUI. Tomcat7w //ES/Tomcat7 Do you Ctrl + Tab your way through that dialog? Plus, I don't know what this is supposed to edit, but it doesn't change the values in the Tomcat7w.exe dialog: Tomcat7 //ES//Tomcat7 --Startup=Auto (or Automatic) Running that command still shows Manual in the Startup type on the General tab.
The Service Component
Who uses more than one Service in their server.xml and why? I get that you can have multiple Connectors if you have multiple Service components but why use multiple connectors? Are there any docs on the use cases for these features?
Re: The Service Component
On Fri, Mar 7, 2014 at 9:01 AM, Leon Rosenberg rosenberg.l...@gmail.com wrote: Hello, I do use multiple connectors but one service. Multiple connectors to separate user traffic from admin/management traffic. For example if due to overload no threads are available to server http request on the 'main' connector, I still can look into the app, to see what is going on, over my administrative connector. Leon You are just changing the port number then in your administrative connector, in the same Service element?
Re: The Service Component
On Fri, Mar 7, 2014 at 9:37 AM, Christopher Schultz ch...@christopherschultz.net wrote:
> Leo,
>
> On 3/7/14, 10:44 AM, Leo Donahue wrote:
> > Who uses more than one Service in their server.xml and why? I get that you can have multiple Connectors if you have multiple Service components but why use multiple connectors?
>
> You can already have multiple Connectors per Service but the difference is that all Connectors in Service can access all web applications in that Service.
>
> > Are there any docs on the use cases for these features?
>
> Let's say that you wanted to deploy a non-secure webapp (/open) and a secure webapp (/secure). And let's say that you were terribly paranoid about proper setup: you want to make sure that nobody can access your /secure webapp without going through HTTPS. If you were to simply do this:
>
> <Service>
>   <Connector port="80" /><!-- let's just be brief -->
>   <Connector port="443" />
>   <Host appBase="webapps" />
> </Service>
>
> ... then anyone could access either web application via http:// and https://. (Of course, you'd set CONFIDENTIAL in your web.xml, but remember, we're being paranoid, here). Instead, you can do this:
>
> <Service>
>   <Connector port="80" /><!-- let's just be brief -->
>   <Host appBase="insecure-webapps" />
> </Service>
> <Service>
>   <Connector port="443" />
>   <Host appBase="secure-webapps" />
> </Service>
>
> This way, anyone requesting http:///secure would get a 404. I'm sure you could come up with a real-world use-case for the above,

snip

It's good enough to get the wheels turning... Thanks.
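The isolation described in the message above can be checked mechanically against a server.xml. This is an added example, not code from the thread or from the Tomcat project: it reports which appBase directories are reachable through non-TLS connectors. The two sample files are constructed from the layouts in the message, with Engine elements, Service names and SSLEnabled filled in as assumptions, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml files modelled on the two layouts in the message.
# Assumptions: Engine elements, Service/Engine names and SSLEnabled are filled
# in so the files look like a real server.xml; ports and appBase names follow
# the thread.
SHARED = """<Server>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

SPLIT = """<Server>
  <Service name="Open">
    <Connector port="80" protocol="HTTP/1.1" />
    <Engine name="Open" defaultHost="localhost">
      <Host name="localhost" appBase="insecure-webapps" />
    </Engine>
  </Service>
  <Service name="Secure">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    <Engine name="Secure" defaultHost="localhost">
      <Host name="localhost" appBase="secure-webapps" />
    </Engine>
  </Service>
</Server>"""


def is_tls(connector):
    # Assumption: a connector terminates TLS itself only when SSLEnabled="true".
    # scheme/secure alone only label the request (e.g. behind a proxy).
    return connector.get("SSLEnabled", "false").strip().lower() == "true"


def exposure(server_xml):
    """Map each appBase to the TLS and plaintext ports that can reach it."""
    reach = {}
    for service in ET.fromstring(server_xml).iter("Service"):
        connectors = service.findall("Connector")
        for host in service.iter("Host"):
            # Tomcat's default appBase is "webapps" when the attribute is absent.
            entry = reach.setdefault(host.get("appBase", "webapps"),
                                     {"tls": [], "plain": []})
            for conn in connectors:
                kind = "tls" if is_tls(conn) else "plain"
                port = int(conn.get("port", "0"))
                if port not in entry[kind]:
                    entry[kind].append(port)
    return reach


def plaintext_reachable(server_xml, tls_only_appbases):
    """Return the appBases that must be TLS-only but share a Service
    with at least one non-TLS connector (HTTP or AJP)."""
    reach = exposure(server_xml)
    return sorted(app for app in tls_only_appbases
                  if reach.get(app, {}).get("plain"))


if __name__ == "__main__":
    for label, xml_text, must_be_tls in (
        ("shared Service", SHARED, ["webapps"]),
        ("split Services", SPLIT, ["secure-webapps"]),
    ):
        print(label, exposure(xml_text),
              "violations:", plaintext_reachable(xml_text, must_be_tls))
```

Because results are keyed by appBase, a directory that is listed under a second Service with a plaintext connector is still flagged, which is the mistake the split layout is meant to rule out.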
Tomcat7w.exe
Did I miss something in the documentation about renaming this if one is running multiple windows services of Tomcat?

ex:

#Prod port 80
c:\apache-tomcat
c:\apache-tomcat\apache-tomcat-7.0.52
service install Tomcat7 (from bin directory here)

#Dev port 8080
c:\apache-tomcat-dev
c:\apache-tomcat-dev\apache-tomcat-7.0.52
service install Tomcat7dev (from bin directory here)

If I run the Tomcat7w.exe from #Dev, all of those settings point to #Prod. Unless I change the name of Tomcat7w.exe in #Dev to Tomcat7devw.exe, then everything is fine. Was that listed in the docs somewhere and I missed it?
Re: Tomcat7w.exe
On Fri, Mar 7, 2014 at 10:58 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Leo Donahue [mailto:donahu...@gmail.com] Subject: Tomcat7w.exe Did I miss something in the documentation about renaming this if one is running multiple windows services of Tomcat? Besides the doc André pointed out, it's discussed briefly at the end of RUNNING.txt in the Tomcat installation directory. I re-read that article André listed, again. I blame my lack of command line upbringing for not catching that. Windows people click on things. Bad habits. As for RUNNING.txt, I missed that. And, it is a good idea to rename those files, BEFORE, you issue: service install Tomcat7(whatever) Otherwise, you just need to rename the 'w binary.
Tomcat and Spring Framework
Any Spring developers on the list? http://docs.spring.io/spring/docs/4.0.2.RELEASE/spring-framework-reference/htmlsingle/#overview-usagescenarios Is that saying that you can use a regular Tomcat for all of that? full-fledged enterprise applications on Tomcat?
Re: Tomcat and Spring Framework
On Fri, Mar 7, 2014 at 3:41 PM, Konstantin Kolinko knst.koli...@gmail.com wrote: 2014-03-08 2:30 GMT+04:00 Leo Donahue donahu...@gmail.com: Any Spring developers on the list? http://docs.spring.io/spring/docs/4.0.2.RELEASE/spring-framework-reference/htmlsingle/#overview-usagescenarios A link to htmlsingle page?? That takes a while to load. Yes, sorry. That is the link to the reference on the quick start page here: http://projects.spring.io/spring-framework/#quick-start Here is a quicker one to that chapter 2.3: http://docs.spring.io/spring/docs/4.0.2.RELEASE/spring-framework-reference/html/overview.html#overview-usagescenarios Is that saying that you can use a regular Tomcat for all of that? full-fledged enterprise applications on Tomcat? Yes. Why not? I'm good with that, just asking. New to Spring.
Re: Installing the OWF webapp to an existing Tomcat Instance
On Tue, Feb 25, 2014 at 7:17 AM, J. Brian Hall jbrianhall...@me.com wrote: Chuck, you are THE MAN! +1 One other kink I tried to work-out. When I go to https://localhost:8443/owf, I get the following common message: There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. Bla, bla, bla, ... There is some important stuff in the bla bla part. If you created your certificate with a domain name, you can't expect to not get warned when you access your site with the name localhost. Did you try putting in the server name or domain name in the URL? Same error? What exactly is the error? Just because the cert wasn't issued by a trusted source doesn't mean you can't self sign one yourself and use it. If you created the cert correctly, and install it in the Trusted Root Certification Authorities store, you shouldn't get that error message.
Re: Installing the OWF webapp to an existing Tomcat Instance
On Tue, Feb 25, 2014 at 10:57 AM, J. Brian Hall jbrianhall...@me.com wrote: Leo, -Original Message- From: Leo Donahue [mailto:donahu...@gmail.com] Sent: Tuesday, February 25, 2014 9:44 AM To: Tomcat Users List Subject: Re: Installing the OWF webapp to an existing Tomcat Instance What exactly is the error? Response: No problem. I didn't create the cert, it came with the owf webapp. I'm working in a development/test environment so maybe the untrusted certificate message is unavoidable? No, it doesn't matter about your dev environment. But if the cert came from someone else, the reason you're getting the Certificate error in your browser is because the cert wasn't issued to your domain and wasn't issued by anyone that is a trusted authority to issue certs in the first place. Just because the cert wasn't issued by a trusted source doesn't mean you can't self sign one yourself and use it. If you created the cert correctly, and install it in the Trusted Root Certification Authorities store, you shouldn't get that error message. Response: Assuming the webapp developer created the certs correctly, how do I install them in the Trusted Root Authorities store? In your browser, I'm assuming IE, click on the Certificate Error next to the address bar, then View Certificate, then Install Certificate. Using that import wizard, choose the radio option to place the cert in the following place. Click browse, then click Trusted Root Certification Authorities and finish out the wizard. I probably wouldn't do this if I were you. I would generate my own self signed certificate instead and install that the way I just described. If you forget that OWF cert is installed and happen to browse to a site that requires that cert and the site is really unsafe, you won't be happy later.
linux vs windows responses on the list
In general, is it assumed that all responses given to the list assume the OP is running a version of Linux, if they don't state the OS? For example, I read the post about Tomcat upgrades/security patching best practices and the advice given is to modify init.d script. I don't recall seeing the OP indicate they run Linux and the list usually gently bashes people for not being specific about their environment. Since I run Tomcat on Windows, I don't know what the init.d script is, but reading that response I get the feeling that Tomcat on Linux is a lot easier to manage than Tomcat on Windows, especially if you are running Tomcat as a Windows service. I would have thought that another option to that post would be to use the appBase attribute of a Host element and just move your webapps out of the traditional location located within the Tomcat installation directory. But I guess I didn't understand the OP. Is it time for us to go to Linux? Leo
Re: Test to display an empty form by servlet.
On Wed, Feb 12, 2014 at 2:23 PM, JB MORLA jbmo...@gmail.com wrote: The purpose of this manual is to demonstrate MVC. In that case, the first component that runs is the Controller, that is the servlet. If I display an html form that redirects to the jsp, it's the html form that has the control. You are missing some parts to this. Start here: http://simple.souther.us/ar01s05.html Either deploy the .war file to Tomcat or change it to a .zip and explore the contents.
Re: Test to display an empty form by servlet.
On Wed, Feb 12, 2014 at 1:10 PM, JB MORLA jbmo...@gmail.com wrote: If there is a field called username, in a form with url registration , how can I display the form the first time in Tomcat 7? (When the field is empty) initialize the username property?
Re: [OT] question regarding tomcat source code and dependencies
On Fri, Feb 7, 2014 at 1:50 PM, Christopher Schultz ch...@christopherschultz.net wrote: Leo, So... what does this all have to do with the recent security announcement? Hope that helps, - -chris I thought I was black listed there for a day, or maybe it wasn't Tomcat-list-worthy. That thread never showed up in my inbox, but it was in MarkMail.. Maybe gmail is having problems lately.. To answer your question, what it has to do with the announcement: nothing. I read the announcement, looked at the source code for that class and started applying what I saw to what I had been reading about lately. that is all, personal interest. I appreciate the comments. Leo
question regarding tomcat source code and dependencies
This question was spawned by two things:

- I'm reading a book on Dependency Injection
- The latest security announcement - reading the source for FileUploadBase.java

Some reading material suggests that one use a simple factory pattern to move object creation dependencies to a different class. I see where the object dependencies that FileUploadBase.java has, like FileItemIteratorImpl, just simply place those dependent classes in the same java source file. I don't see a problem with that approach, should I?

Leo