Re: Memory Leak

2016-06-28 Thread Leo Donahue
On Jun 28, 2016 4:57 PM, "Roman Gelfand" wrote:
>
> I am running a middleware application in .. tomcat...

Ok.  This is something you wrote and deployed or it is a third party war
file?

>
> catalina.out.prob:SEVERE: The web application [] appears to have started a
> thread named [cluster-ClusterId{value='5745ebcecdb2e06579174645',
> description='null'}-devnymongodb01.meridiancapital.com:27017] but has
> failed to stop it. This is very likely to create a memory leak.
>

Basically that says either you intentionally created a thread local
variable that you did not close, or the third party war file did.

If not you then ask your vendor to fix their app.

>
> --
> Thanks,
> R. Gelfand


[OT] Authentication

2016-06-01 Thread Leo Donahue
Since the forum just had a question on custom authentication, I thought
this would be a good time to ask.

Does anyone use "micro-services" to perform authentication of web service A
to web service B?

This would be different than authenticating users to web service A or B as
you would be authenticating a service user to another service.  (Think of
service user as the user running a tomcat instance.)

Is anyone choosing to extract authentication into a wsdl service these
days?  Or is that old news.

Leo


Re: Unable to update or delete Windows Service

2016-05-16 Thread Leo Donahue
Chris,

On Mon, May 16, 2016 at 3:22 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Chuck,
>
> On 5/16/16 4:11 PM, Caldarale, Charles R wrote:
> >> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> >> Subject: Unable to update or delete Windows Service
> >
> >> I've got a Windows service called "foo" and I'm able to edit the
> >> configuration successfully by running the following command:
> >
> >> C:\> %CATALINA_HOME%\bin\tomcat8w.exe //ES//foo
> >
> >> But if I try to update the service from the command-line, or
> >> update the service, I get an error "Error parsing command line"
> >> with no further information.
> >
> > Example of the command line that's failing?
>
> Hah, that would have been good information, eh?
>
> C:\> %CATALINA_HOME%\bin\tomcat8w.exe //DS/foo
>

The command is just:  tomcat8 //DS//foo


>
> I get a pop-up window with the message "Error parsing command line".
> Same thing when running "//US//foo" with no additional arguments.
>
> - -chris
>


Re: Windows Service won't launch

2016-05-16 Thread Leo Donahue
Chris,

On Mon, May 16, 2016 at 3:25 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> All,
>
> I'm upgrading a client's system from Tomcat 7 to Tomcat 8 as part of a
> new release of our software. I've got Tomcat 8 installed using the
> 32-bit ZIP file, and the Windows Services have been re-created from
> scratch using tomcat8w.exe. They are running 64-bit Windows but a
> 32-bit JVM.
>

I just tried the following.

Windows 7 64 bit OS
x86 jdk1.8.0.92
I ran service.bat for Tomcat 8.0.33 32 bit.  (Tomcat 32 bit, jvm 32 bit)
No problems starting the service.

Windows 7 64 bit OS
x86 jdk1.8.0.92
I ran service.bat for Tomcat 8.0.33 64 bit. (Tomcat 64 bit, jvm 32 bit)
Incorrect Function in event viewer when trying to start the service.


>
> When I try to launch the service, I get an error "Incorrect function"
> in the event log, and the service does not start.


And I'm reading your statement above which says your environment is 32 bit
for both Tomcat 8 and the jvm.  Interesting.

I've never installed windows services using the Tomcat8w.exe directly on
the command line.  I've always used the service.bat, but I take all the
defaults in service.bat.

And off-topic speaking of defaults, in service.bat, why aren't these values
the same?
--JvmMs 128
--JvmMx 256


> I can launch Tomcat
> from the command-line successfully, so this is not a problem with
> Tomcat per se, nor my application. It's got to be a problem with my
> configuration of the Windows Service.
>
> I'm tempted to tell them "Install a 64-bit JVM" and use the 64-bit
> service-runner, but I'd prefer to get it working before I tell them
> they have to change everything ;)
>
> Any suggestions for what to look for?
>
> Thanks,
> - -chris
>
>


Re: context root with relative path

2016-04-21 Thread Leo Donahue
On Apr 21, 2016 10:38 AM, "David kerber" <dcker...@verizon.net> wrote:
>
> On 4/21/2016 11:33 AM, Leo Donahue wrote:
>>
>> Chris,
>>
>> On Apr 21, 2016 9:15 AM, "Christopher Schultz" <ch...@christopherschultz.net>
>> wrote:
>>>
>>>
>>> I don't have a Windows machine handy right this minute, but from my
>>> previous experience, "C:" means "the current working directory on the C
>>> drive, from this process's perspective.
>>>
>>> For instance:
>>>
>>> D:\> DIR C:\
>>> ...
>>> Program Files
>>> Windows
>>> ...
>>>
>>> D:\> DIR C:
>>> ...
>>> Program Files
>>> Windows
>>> ...
>>>
>>> D:\> CD C:\Windows
>>> D:\> DIR C:
>>> ...
>>> System
>>> System32
>>> ...
>>>
>>> So I would think that using "C:" (with no trailing path) from Java would
>>> behave the same way: the current working directory *on that drive* would
>>> be the one used.
>>>
>>> I would expect it to work just like "." on *NIX.
>>>
>>> -chris
>>>
>>> --
>>
>>
>> On Windows 7 from a command prompt:
>>
>>> C:\downloads dir c:
>>
>> Shows contents of downloads
>>
>>> C:\downloads dir c:\
>>
>> Shows contents of c drive
>
>
> Yes, that's all well-known on windows.  The question was, how does the
> Java File object handle it?   Does it give the correct result as above?
> And going back to the original question, how should these paths be
> normalized?

Let's hope this looks right, pasting code from Android device...

import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

public class Demo
{
    public static void main(String[] args)
    {
        // Drive-only file URI, without and with the trailing slash
        List<String> paths = new ArrayList<>(2);
        paths.add("file:/c:");
        paths.add("file:/c:/");

        for (String x : paths)
        {
            try
            {
                URI uri = new URI(x);
                File f = new File(uri);
                // Print how java.io.File resolves each form
                System.out.println(f.getAbsolutePath());
            }
            catch (URISyntaxException e)
            {
                e.printStackTrace();
            }
        }
    }
}


Re: context root with relative path

2016-04-21 Thread Leo Donahue
Chris,

On Apr 21, 2016 9:15 AM, "Christopher Schultz" wrote:
>
> I don't have a Windows machine handy right this minute, but from my
> previous experience, "C:" means "the current working directory on the C
> drive, from this process's perspective.
>
> For instance:
>
> D:\> DIR C:\
> ...
> Program Files
> Windows
> ...
>
> D:\> DIR C:
> ...
> Program Files
> Windows
> ...
>
> D:\> CD C:\Windows
> D:\> DIR C:
> ...
> System
> System32
> ...
>
> So I would think that using "C:" (with no trailing path) from Java would
> behave the same way: the current working directory *on that drive* would
> be the one used.
>
> I would expect it to work just like "." on *NIX.
>
> -chris
>
> --

On Windows 7 from a command prompt:

>C:\downloads dir c:
Shows contents of downloads

>C:\downloads dir c:\
Shows contents of c drive

Leo


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-16 Thread Leo Donahue
On Feb 16, 2016 10:50 AM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> On 2/16/16, 9:13 AM, "Christopher Schultz" wrote:
>
>
> >Gregory,
> >
> >On 2/15/16 11:18 AM, Dougherty, Gregory T., M.S. wrote:
> >> How to trade information with a specified URL calling java code in
> >> tomcat/lib:
> >>
> >> 1: Servlet calls Decryptor.start (String whoIAm, int validator, int xOr)
> >
> >What prevents the servlet from specifying whoIAm="someoneElse"?
>
> Absolutely nothing.  That’s why the decrypt code does an HTTP get against
> whoIAm, to validate that claim
>
> >> 2: Code calls Servlet http get with id=randomly generated int
> >
> >Which code calls Servlet HTTP?
>
> HttpURLConnection, called from within the decrypt code
>
>
> >
> >> 3: Servlet returns validator in response to the http get call.  0 is
> >> not a valid validator, it's what the Servlet returns if it doesn't have an
> >> outstanding call to Decryptor.start
> >
> >But the whole point is that you don't trust the servlet, right? What if
> >the servlet always returns the same value? Any servlet could impersonate
> >any other one.
>
> I trust each servlet to act in its own best interest.
>
> An honest servlet will 1: Pass in real random numbers for validator and
> xOr, 2: React correctly to this http get call.
> An incompetently written or dishonest servlet can only give away its own
> passwords by doing the wrong thing.

Give them away?  Are you logging the passwords used?

> That’s their problem, not mine.
>
> >> 4: Having received the random number from the http get call, Servlet
> >> xors it with xOr, and calls Decryptor.decrypt (String whoIAm, String
> >> password, int xOred)
> >
> >So, the servlet makes the HTTP request and manages the checking? I
> >really don't get it.
>
> Servlet (calls Decrypt.start): Sends whoIAm, validator, xOr
> Code (calls http get on whoIAm): Sends cValid
> Servlet (response to HTTP get): Sends validator (same as was sent in call
> to Decrypt.start). This validates whoIAm
> Servlet (calls Decrypt.decode): Sends whoIAm, password (encrypted), xOred
> (= xOr ^ cValid)
> Code (return value from Decrypt.decode): password (decrypted)
>
> >
> >> 5: Code checks xOred against whoIAm.  If gets a match decrypts the
> >> password and returns it from Decryptor.decrypt.
> >
> >After all that, it's okay for the servlet to be able to read its own
> >database password? Why not just give the servlet access to a DataSource
> >with the password already set inside it?
>
> Because it’s the Servlet’s password?  How many times do I have to save
> that before you’ll believe it?
>
> The data belongs to the servlet.  The servlet is working with the
> decryption code so that the data can be safely stored with the servlet.
>
> Every servlet trusts itself.  None of them should be required to trust any
> other servlet running on that instance of Tomcat.  None of them should be
> required to trust that data saved in the source control system won’t be
> abused, if it can be abused.
>
> >>But so long as I can make the following two calls from my code:
> >>
> >> URL theURL = new URL (urlString);
> >>  HttpURLConnection   uc = (HttpURLConnection) theURL.openConnection ();
> >>
> >> I think I'm good.
> >>
> >> Flaws?
> >
> >Let's see:
> >
> >  Constructed dubious use case? CHECK
> Wrong.  This use case is my current work situation.
>
> >  Rolled your own security code? CHECK
> >  Used highly-secure XOR algorithm? CHECK
> >  Complicated enough to seem plausible? CHECK
> >  Confused objective leads to trivial attacks? CHECK
> >
> >I think you've got all the bases covered, here.
> >
> >I still don't understand what's being protected from whom, here. It
> >looks like the code is very complicated in order to keep the password
> >from the code, but then the code is given the password anyway. If you
> >trust the code but not the admin, then why bother with the complex code?
>
> The problem, Chris, is that you don’t understand the situation, and rather
> than try to understand the situation you’re spending all your time and
> effort sniping at things you don’t understand.  Let’s try one more time:
>
>

If you led with the information below in your original post, it would have
helped.

> My servlet is running on a Tomcat instance that is hosting 5 other Servlets
>
> I completely and totally trust my servlet with my data.  I do not in the
> least bit trust any  other servlet running on that Tomcat instance
>
> I am willing to trust a Jar file that I’ve written / reviewed, and the
> administrators have added to tomcat/lib
>
> I have data that my servlet needs to use.  I am not going to try to go to
> a page on my servlet and personally type in that data every time it runs.
> Therefore I’m going to have to save that data.  I’m not going to save that
> data somewhere on the server hosting the Tomcat instance, because I just
> don’t trust the administrators that much.
>
> This means I have to save the data 

Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-16 Thread Leo Donahue
On Feb 12, 2016 2:35 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> You are correct, I'm trying to authorize the web app, not the user.

I am going to start all the way back here and suggest that you abandon this
approach of authenticating a web "app".

This is unconventional by all standards and you will end up with a security
hole(s).

Users authenticate to web apps, nothing further.

The web app itself can also authenticate to the database separate from any
user BUT... the web app still has a "user name".

Your problem is that someone is giving you impossible to meet security
requirements, which results in you wanting to mess with application URLs
and the other stuff you mentioned.

Secret:  even large organizations have some form of clear text passwords,
but who has access to these is strictly controlled.

>
> Goal: I am trying to come up with a way for a Tomcat app to securely store
> and retrieve the password it needs to access a DB.
>

We have given you some options to deal with this.

It seems as though the sys admins either can't or don't want to help you
establish more of an Enterprise architecture, which would solve a lot of
your issues.

> My definition of "secure" includes "there exist no files with an
> unencrypted copy of the password".  IIUC, JNDI fails this test.
>
> My requirements include that all web app components are checked in to a
> source control system that malicious users can have read access to.

Are you in control of the source control system?  You know, you can assign
roles to users for certain repositories and restrict access to your code
repo.

If you have developers working at Mayo who are malicious, get rid of them.

> Solution:
> 1: Trusted user creates public:private key pair (1), distributes public
> key
> 2: Web app developer creates public:private key pair (2), distributes
> public key
> 3: Web app developer encrypted password with private key 2, then public
> key 1, stores with web app
> 4: Web app calls decryption jar that's in tomcat/lib, passing in the
> encrypted password from step 3
> 5: Decryption code determines which app called it, pulls the public key
> (3) saved for that app
> 6: Decryption code decrypts with private key 1, public key 3, and returns
> the unencrypted password.
>
> So long as 1: Trusted user can store private key where it's secure, but
> accessible to decryption code, and 2: Can correctly determine the calling
> app, I believe this setup is secure.
>
> We log who uploads the web apps, so if user X uploads a bogus "User Y
> App", we can deal with that.
> --

Developers should never get to deploy anything to production servers.  In
fact, you should have different passwords for different deployment realms.

From my perspective, you (or someone else is telling you to do this) are
trying to bypass as much security for the appearance of security simply
because of the Tomcat environment you have to work with.

I think we all want you to succeed here, but the approach you're leaning
towards isn't going to work.

> Gregory Dougherty
> Sr. Analyst/Programmer | Information Technology
> Information Technology
> (507) 284-8493 | dougherty.greg...@mayo.edu
>
>
>
>
>
>
>
> On 2/12/16, 2:00 PM, "Leo Donahue" <donahu...@gmail.com> wrote:
>
> >On Feb 11, 2016 4:56 PM, "Dougherty, Gregory T., M.S." <
> >dougherty.greg...@mayo.edu> wrote:
> >>
> >> I would like to have a jar file in tomcat/lib that can be called from
> >> any of the running web apps.  I need for the code in the jar to behave
> >> differently depending on which web app called it.
> >
> >I would agree with what the others are saying here.  It seems you are
> >trying to authorize an entire web app instead of authorizing the user of the
> >web app.
> >
> >If the jar simply needs to take action based on a role of some kind, then
> >could you not tie in a ldap user with appropriate role?
> >
> >Leo
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 11, 2016 4:56 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> I would like to have a jar file in tomcat/lib that can be called from any
> of the running web apps.  I need for the code in the jar to behave
> differently depending on which web app called it.

I would agree with what the others are saying here.  It seems you are
trying to authorize an entire web app instead of authorizing the user of the
web app.

If the jar simply needs to take action based on a role of some kind, then
could you not tie in a ldap user with appropriate role?

Leo


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 12, 2016 2:50 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> How does it validate itself to that common location, without a password
>

A.  Stop top posting.  You're killing me on my Android phone backspacing to
where I want to reply.

B.  What is "it"?  The web app?  The web app user?

Leo


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> The web app needs a DB password so it can connect to the DB.

I disagree that the web app needs a password.

> None of the
> users have direct access to the DB.

Nor should they.

> The web app uses LDAp to validate
> users.

That is fine.

>
> How does the Web app get access to the DB, without saving within the web
> app anything that someone else could also use to get access to that DB?
>

Implement your own data source.


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 12, 2016 2:35 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> You are correct, I'm trying to authorize the web app, not the user.
>
> Goal: I am trying to come up with a way for a Tomcat app to securely store
> and retrieve the password it needs to access a DB.
>
> My definition of "secure" includes "there exist no files with an
> unencrypted copy of the password".  IIUC, JNDI fails this test.
>
> My requirements include that all web app components are checked in to a
> source control system that malicious users can have read access to.
> --
> Gregory Dougherty

This is a secure password question?

This task falls more in line with your enterprise architecture than with a
simple common jar file.

Think about how you could implement your own data source that reads
encrypted passwords from some common location.

The Tomcat "app" should not have anything to do with this.

Leo


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 12, 2016 3:19 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> On 2/12/16, 3:08 PM, "Leo Donahue" <donahu...@gmail.com> wrote:
>
>
> >On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
> >dougherty.greg...@mayo.edu> wrote:
> >>
> >> The web app needs a DB password so it can connect to the DB.
> >
> >I disagree that the web app needs a password.
> The web app has to be able to read and write to the DB.  That takes a
> password.

No, javax.sql.DataSource needs a password.  Your web app just needs a user
name.

Your custom data source will fetch a password.

> >
> >> How does the Web app get access to the DB, without saving within the web
> >> app anything that someone else could also use to get access to that DB?
> >>
> >
> >Implement your own data source.
>
> How does the web app connect to the data source?  How does the data source
> know that this web app, unlike every other web app in existence, is
> allowed to access the data source?
>
> For that matter, how do I set up the data source (whose every element is
> checked into the source code control system that a malicious user may have
> access to) so that it knows the passwords of interest?
>
> That leaves aside the issue that the web app is a production web app,
> which means it can't rely on a non-production data source, which means I
> can't set up my own data source.  But even if I could, all the other
> problems still apply.
> --

A.  You don't get to manage your passwords.

B.  The suggestion I'm giving you requires coordination with sys admins and
DBA's.  It is more than just a simple app trying to find a way to hide
passwords, none of which will "ever" be in source control.

Leo


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Fri, Feb 12, 2016 at 5:46 PM, Dougherty, Gregory T., M.S. <
dougherty.greg...@mayo.edu> wrote:

> Chris,
>
>
> On 2/12/16, 5:27 PM, "Christopher Schultz" <ch...@christopherschultz.net>
> wrote:
>
> >Gregory,
> >
> >On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote:
> >> On 2/12/16, 3:08 PM, "Leo Donahue" <donahu...@gmail.com> wrote:
> >>
> >>
> >>> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
> >>> dougherty.greg...@mayo.edu> wrote:
> >> My definition of "secure" includes "there exist no files with an
> >> unencrypted copy of the password".
> >
> >Do you mean "no files at all" or "no files in revision-control"?
> >Again, you have to decide whether you trust your administrators.
>
> No files at all.
>

Not even encrypted files?


>
> Even if I did trust my administrators, they don’t want the task of having
> to update the passwords every six months.
>

Greaaat.


>
> >> How does the data source know that this web app, unlike every
> >> other web app in existence, is allowed to access the data source?
> >
> >The container allows you to map data sources to web applications. Use
> >that facility. And trust your administrators.
>
> This sounds like something I can use to uniquely identify which app is
> running, no?
> Can my code ask Tomcat for the DataSource the container assigns to the web
> app, that instead of returning a password, simply returns the name of the
> app?
>

What I was saying about the data source is that where you configure it in
Tomcat doesn't need a password in plain text, if your custom data source is
going to simply use the username from the Tomcat data source config file to
go look up the real encrypted password.  You have to implement this
yourself.  Precisely how is totally up to you.

You are going to need a process that writes encrypted user passwords to an
ENCRYPTED file, on a schedule, preferably every day.  If you can't have
encrypted files, then you are stuck, don't read on.

You need to write something that generates long passwords, because you
don't need to remember them, and writes them to the encrypted file.  All
you need to do is regenerate them whenever you want.  If you are saying
that you need to choose your own password because it is used elsewhere,
then you are stuck again.

This same process is going to let you read and un-encrypt (spell check not
helping me here) said password.  How you write this is up to you.

In your custom data source, where you override the
getConnection(username,password), you will obviously need to call the
function that fetches the real password for said supplied user.  How you do
that is up to you, like I said, this is a bigger project than a quick hack.


  ...
  
  ...


https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html#JDBC_Data_Sources
https://docs.oracle.com/javase/8/docs/api/javax/sql/DataSource.html#getConnection-java.lang.String-java.lang.String-



>
> >> For that matter, how do I set up the data source (whose every
> >> element is checked into the source code control system that a
> >> malicious user may have access to) so that it knows the passwords
> >> of interest?
> >
> >Why would you check the data source configuration into the
> >revision-control system? It's not necessary to do that. Do you check
> >Tomcat's server.xml into revision control?
>
> Are you going to have your data source configuration sitting on only one
> user’s personal computer?  What happens when that person is on vacation?
> Sick?  Has a hard drive crash?
>

I don't understand why that would be the case that you store this data
source configuration on anyone's personal computer.  Are you saying that
Mayo Clinic IT lets developers run production apps from Tomcats on their
personal computers?


>
> >If you free yourself from the idea that everything needs to be in one
> >big revision-control system, it makes things easier. Everybody does
> >their job: the devs write the software, the admins deploy it. The
> >admins have the keys to the kingdom (they always do; don't fight it)
> >and the devs have keys to nothing.
>
> I don’t get a vote on that one.
>
> >Of course, the devs are writing the software, so if you are truly
> >paranoid, you need to make sure that the devs aren't stealing secrets
> >from the admins when the app runs ;)
>
> I am truly paranoid, that’s why I want an unambiguous way to figure out
> what app is running.  That way the only data they can “steal” is their own
> data.
>
> >
> >- -chris
> -Greg
>
>
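
One way to build the custom data source described in the reply above, as an added example (not code from this thread or from Tomcat). The class name `VaultedDataSource`, the store format `user=Base64(iv || ciphertext || tag)`, the use of AES-GCM and the key file held outside source control are all assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.sql.*;
import java.util.*;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import javax.sql.DataSource;

/** Hypothetical data source: the config names only a user; the password is resolved at connect time. */
public class VaultedDataSource implements DataSource {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final String url;    // JDBC URL
    private final String user;   // user name taken from the Tomcat resource definition
    private final Path store;    // properties file: user=Base64(iv || ciphertext || tag)
    private final Path keyFile;  // raw AES key; assumed readable only by the Tomcat account

    public VaultedDataSource(String url, String user, Path store, Path keyFile) {
        this.url = url; this.user = user; this.store = store; this.keyFile = keyFile;
    }

    @Override public Connection getConnection() throws SQLException {
        return getConnection(user, null);
    }

    /** The supplied password is ignored; the real one comes from the encrypted store. */
    @Override public Connection getConnection(String username, String ignored) throws SQLException {
        return DriverManager.getConnection(url, username, lookupPassword(username));
    }

    /** Decrypts one user's entry. The user name is bound in as authenticated data,
        so an entry copied under a different name fails the GCM tag check. */
    String lookupPassword(String username) throws SQLException {
        try {
            Properties entries = new Properties();
            try (Reader in = Files.newBufferedReader(store, StandardCharsets.UTF_8)) { entries.load(in); }
            String encoded = entries.getProperty(username);
            if (encoded == null) throw new SQLException("no stored credential for " + username);
            byte[] blob = Base64.getDecoder().decode(encoded);
            byte[] key = Files.readAllBytes(keyFile);
            try {
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                        new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
                c.updateAAD(username.getBytes(StandardCharsets.UTF_8));
                return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
            } finally {
                Arrays.fill(key, (byte) 0);  // do not keep the key in memory longer than needed
            }
        } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
            throw new SQLException("cannot resolve credential for " + username, e);
        }
    }

    /** Writer side, for the scheduled job that regenerates passwords: fresh random IV per entry. */
    static String seal(String username, String password, byte[] key) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(username.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] blob = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    // Remaining DataSource plumbing, kept minimal.
    @Override public PrintWriter getLogWriter() { return null; }
    @Override public void setLogWriter(PrintWriter out) { }
    @Override public void setLoginTimeout(int seconds) { }
    @Override public int getLoginTimeout() { return 0; }
    @Override public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        throw new SQLFeatureNotSupportedException();
    }
    @Override public <T> T unwrap(Class<T> iface) throws SQLException {
        if (!iface.isInstance(this)) throw new SQLException("not a wrapper for " + iface.getName());
        return iface.cast(this);
    }
    @Override public boolean isWrapperFor(Class<?> iface) { return iface.isInstance(this); }

    /** Round trip on constructed data; no database is contacted. */
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        Path keyFile = Files.write(Files.createTempFile("db", ".key"), key);
        String sealed = seal("app_a", "constructed-sample-password", key);
        // The app_b line simulates app_a's entry being copied under another user name.
        Path store = Files.write(Files.createTempFile("db", ".store"),
                Arrays.asList("app_a=" + sealed, "app_b=" + sealed), StandardCharsets.UTF_8);
        VaultedDataSource ds = new VaultedDataSource("jdbc:placeholder", "app_a", store, keyFile);
        System.out.println("app_a resolves: "
                + "constructed-sample-password".equals(ds.lookupPassword("app_a")));
        try {
            ds.lookupPassword("app_b");
        } catch (SQLException e) {
            System.out.println("app_b rejected: " + e.getCause().getClass().getSimpleName());
        }
    }
}
```

The key file is still a secret that anyone with access to the Tomcat account can read, which is the point raised elsewhere in this thread about trusting administrators; the design keeps the password out of source control and out of Tomcat's configuration, nothing more.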


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Fri, Feb 12, 2016 at 5:33 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Gregory,
> >
> > The web app needs a DB password so it can connect to the
> > DB.
> 
>  I disagree that the web app needs a password.
> >>> The web app has to be able to read and write to the DB.  That
> >>> takes a password.
> >>
> >> No, javax.sql.DataSource needs a password.  Your web app just
> >> needs a user name.
> >>
> >> Your custom data source will fetch a password.
> > How?
> >
> > What, precisely, is the exact mechanism by which this custom
> > DataSource will fetch the password?
>
> (I think Leo's baiting you, here: he's trying to get you to admit that
> this is a shell game where an encrypted password requires an encrypted
> password requires an encrypted password, etc. all the way down.
>


This thread is on fire!  I am finding it hard to know where to reply.

I am not baiting anyone, I will explain in a different reply.



>
> > And how is it that someone else, who has full access to all my
> > source code, including to the source code of my custom DataSource,
> > won't be able to retrieve the exact same password?
> >
> > Requirement for "secure": There are no files sitting anywhere on
> > the server that have a plain text copy of my password.
>
> Is this because you don't trust your admins?
>
> > Requirement for secure: The sys admin does not get to know my
> > password. He's "trusted" in that we assume he won't abuse his
> > private key on order to steal my password.  He's not "trusted" to
> > know everyone's passwords.
>
> Forget about "other people's passwords" for a moment: you don't trust
> your admins to peek at the super-secret database password (which is
> usually something like "pr0duct!on" LOL)?
>
> If the admins wants the password, he (or she) is going to get it. Your
> library needs the cleartext password at some point and at that point,
> the admin effectively has it, too.
>
> (I had a conversation with Sander Temme at ApacheCon over a few beers
> while he tried to explain how one of Thales's hardware key escrow
> systems were capable of doing this kind of thing. I had a hard time
> understanding how it was possible. It could have been the beer.)
>
> > Requirement from system: password must be updated every six months.
> > So I have to be able to change the password, and inform my web app
> > of the changed password.
>
> Aah, yes. Password-rotation. That definitely keeps things secure. :(
>
> >> A.  You don't get to manage your passwords.
> >>
> >> B.  The suggestion I'm giving you requires coordination with sys
> >> admins and DBA's.  It is more than just a simple app trying to find
> >> a way to hide passwords, none of which will "ever" be in source
> >> control.
> >>
> >> Leo
> >
> > A: I'm the only one who knows my password, I have to manage it.  I
> > have to be able to use that password in contexts totally divorced
> > from the web server.
>
> This is your LDAP password? Are we still taking about
> application-level passwords for your database? Or user-level passwords
> for ... what, exactly?
>
> > B: A solution that requires the sys admin to know, and update every
> > six months, my passwords is not a viable solution.
>
> If the admin won't update the password, who will?
>
> - -chris
>


Re: heap thrashing

2015-09-12 Thread Leo Donahue
On Sat, Sep 12, 2015 at 7:49 AM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:

> On 11.09.2015 18:24, Caldarale, Charles R wrote:
>
>> From: Leo Donahue [mailto:donahu...@gmail.com]
>>> Subject: Re: heap thrashing
>>>
>>
>> I see this topic come up from time to time on the list.  Can someone point
>>> me to what heap thrashing looks like?
>>>
>>
>> Is heap thrashing a very "closely spaced" saw tooth pattern?
>>>
>>
>> Should have mentioned that "heap thrashing" does not have a strict
>> definition.  Often, it's used to describe the heap itself expanding and
>> contracting in a cyclic manner.  This is most easily avoided by setting the
>> min and max heap size limits to the same value.
>>
>> What you have appears to be just very rapid object creation and garbage
>> collection.  Using a larger heap (if you have the RAM for it) could help to
>> reduce the frequency of collections.  Fixing the webapp to not consume so
>> much space would be better, of course.
>>
>>   - Chuck
>>
>
> In terms of looking at the webapp code which may generate that kind of
> behaviour, while searching for an example on the www, I came across this
> blog post :
>
> http://steve-yegge.blogspot.de/2006/03/execution-in-kingdom-of-nouns.html
>
> Independently of what one may think about the author's opinions and
> treatment of the matter, I find the prose beautiful and witty.
> The pseudo-java code example is of course tongue-in-cheek and contrived,
> but I have seen similar code in the real world, and it would probably
> produce the kind of phenomenon which Leo is seeing.
>

André,

Nice article, hard to believe that was nearly 10 years ago.  I also see the
overuse of nouns as verbs and factory patterns that are only producing a
single object and will never add additional ones. I see people using
"private static" in place of a singleton pattern.  I see people still
catching Throwable and deferring exceptions as RuntimeExceptions instead of
declaring them.  I digress.

Leo


Re: heap thrashing

2015-09-12 Thread Leo Donahue
On Fri, Sep 11, 2015 at 11:27 AM, Mark Thomas <ma...@apache.org> wrote:

> On 11/09/2015 15:43, Leo Donahue wrote:
> > On Fri, Sep 11, 2015 at 9:36 AM, Leo Donahue <donahu...@gmail.com>
> wrote:
>
>  (typically by pooling and re-using objects rather than
> creating new ones for every request)


"re-using objects" - do you mean declaring static variables or using thread
locals?  Or something else?

Leo


Re: heap thrashing

2015-09-12 Thread Leo Donahue
On Fri, Sep 11, 2015 at 11:24 AM, Caldarale, Charles R <
chuck.caldar...@unisys.com> wrote:

> > From: Leo Donahue [mailto:donahu...@gmail.com]
> > Subject: Re: heap thrashing
>
> What you have appears to be just very rapid object creation and garbage
> collection.
>
>  - Chuck
>
>
Why does the jvm decide to collect garbage that fast as opposed to letting
it build and taking care of it later?

What do you consider to be very rapid object creation?

Leo


heap thrashing

2015-09-11 Thread Leo Donahue
Good day,

I see this topic come up from time to time on the list.  Can someone point
me to what heap thrashing looks like?

Googled java heap thrashing and looked at the images, but there isn't much
to look at.

I also tried googling for ventricular tachycardia to see if I could find a
similar graph - it's close to what I'm seeing in VisualVM, but not quite.

Is heap thrashing a very "closely spaced" saw tooth pattern?

Leo


Re: heap thrashing

2015-09-11 Thread Leo Donahue
On Fri, Sep 11, 2015 at 9:36 AM, Leo Donahue <donahu...@gmail.com> wrote:

> Good day,
>
> I see this topic come up from time to time on the list.  Can someone point
> me to what heap thrashing looks like?
>
> Googled java heap thrashing and looked at the images, but there isn't much
> to look at.
>
> I also tried googling for ventricular tachycardia to see if I could find a
> similar graph - it's close to what I'm seeing in VisualVM, but not quite.
>
> Is heap thrashing a very "closely spaced" saw tooth pattern?
>
> Leo
>

This is about as close as I can find that is similar to what I'm seeing.
On the left side of the graph, imagine the spacing so close together that
it looks like a solid blue read out in the monitor.  When I stop the
webapp, the jvm adjusts itself back to normal.  It's only during servicing
requests that I see the very closely spaced pattern.

http://i.stack.imgur.com/B9oPL.png


[OT] Re: Filter behaviour

2015-06-27 Thread Leo Donahue
On Sat, Jun 27, 2015 at 8:37 AM, Konstantin Kolinko <knst.koli...@gmail.com>
wrote:

> >
> >  public void doFilter(ServletRequest request, ServletResponse response,
> >          FilterChain chain) throws IOException, ServletException
> >  {
> >      boolean iAmNotAuthorized = true;
> >
> >      if (iAmNotAuthorized)
> >      {
> >          // generate the HTTP Servlet Response for a 403 status code
> >          HttpServletResponse httpResponse = (HttpServletResponse) response;
> >          //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
> >          httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
> >          httpResponse.setHeader("WWW-Authenticate", "Basic");
>
> WWW-Authenticate header is usually used with 401 response.
>
> It is unusual to use it with 403 one, though the spec does not forbid
> it. (I am not sure how browsers react here, though)
>
> http://tools.ietf.org/html/rfc7235#section-4.1
>
>
> Best regards,
> Konstantin Kolinko
>

http://tools.ietf.org/html/rfc7231#section-6.5.3

And we may send a 404 to hide the existence of a forbidden target.  It's
misleading.  That seems to open the door for any kind of response, or no
response.

I am on the fence about sending 401 or 403 responses from a web service.
They both indicate something is there, you just can't get to it.

The 401 alludes that something is wrong with your username/password.

The 403 is more vague.  You may have the right username and password (and
I'm not going to bother to tell you), but your account may not have the
correct role associated with using this service, so rather than say
anymore, I'll just let you know you are forbidden.  Users have no idea,
other than there is something good at the end of this request for me to be
forbidden.

From the perspective of troubleshooting customer requests to your published
web service, developers can log the unsuccessful attempt (Authentication or
Authorization) and review the log files for answers to trouble shooting,
but sending back a status code doesn't seem to always make sense depending
on what types of application clients your customers are using.

For example:

Suppose you call a SOAP web service that takes an object as a parameter and
that service returns another type of object.  When customers expect an
object, they may get a HTTP status code of 401 or 403 if they botched
sending the correct username/password in the authentication header.  And
maybe, their password is merely expired.  In situations like those, it
seems more reasonable to send back a Soap Fault of some kind as defined in
the schema.  The message could be as simple as: Authorization failed.

It seems easier for clients to know that a soap web service may throw a
ClientAuthorizationException for example, rather than parse out a HTTP
status code response?

I don't know though.

Leo


Re: Filter behaviour

2015-06-26 Thread Leo Donahue
On Fri, Jun 26, 2015 at 1:42 AM, André Warnier <a...@ice-sa.com> wrote:

> I must admit that your question above was a bit difficult to follow, in
> terms of if/then/else/unless, particularly late at night.
>

Yes, you are right.  Sorry about that.  I was trying to walk the line
between saying too much and not enough and so it came out all gibberish.

> And the last paragraph made me think that perhaps the Tomcat logo might
> lead you to personalise things a bit more than is really healthy.
> (Or else I want to have a look at that code, because the Tomcat developers
> must be even smarter than I thought).
>
> But if your question in the end boils down to : *must* a filter
> necessarily call the next filter/webapp in the chain, then the answer is in
> the Servlet Specification.
> E.g. Servlet Spec v 3.0 final, Chapt 6 Filtering, Section 6.2 Main
> concepts, item 4 :
> The filter *may* invoke the next entity in the filter chain..
> It even adds : Alternatively, the filter chain can block the request by
> not making the call to invoke the next entity, leaving the filter
> responsible for filling out the response object.
>
> (What you need to do then still, is to ensure that you do indeed generate
> a valid response, whether it's an error or not.  That's maybe the point
> where different containers may react slightly differently.).


If I use a return statement to break out of a filter, what should happen?
Will the next filter run?  Shouldn't a return statement in a filter,
especially one that comes right after a sendError call, send the error and
direct the user to the page configured for such errors?

The scenario I'm working on is a web service.  The web service has three
filters, in order they are:  throttle filter, authentication filter,
logging filter.

If a user is not authenticated, the following code should break out of
the filter chain and redirect the user to a custom 403.  It works nice on
Tomcat.

    HttpServletResponse httpResponse = (HttpServletResponse) response;
    httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;

What I'm seeing on other containers is that I get a NPE where the Service
class is trying to do something with the authenticated user, which is null.
I realize this is not an other containers forum, but I was just curious
what the expected behaviour *should* be.

Leo


Re: Filter behaviour

2015-06-26 Thread Leo Donahue
On Fri, Jun 26, 2015 at 11:09 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Leo,
>
> > If I use a return statement to break out of a filter, what should
> > happen? Will the next filter run?
>
> No. The Filter is responsible for calling the next filter in the
> chain. If you don't, the target servlet will never be called.
>
> > Shouldn't a return statement in a filter, especially one that
> > comes right after a sendError call, send the error and direct the
> > user to the page configured for such errors?
>
> Yes.
>
> > The scenario I'm working on is a web service.  The web service has
> > three filters, in order they are:  throttle filter, authentication
> > filter, logging filter.
> >
> > If a user is not authenticated, the following code should break
> > out of the filter chain and redirect the user to a custom 403.  It
> > works nice on Tomcat.
> >
> >     HttpServletResponse httpResponse = (HttpServletResponse) response;
> >     httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
> >     return;
> >
> > What I'm seeing on other containers is that I get a NPE where the
> > Service class is trying to do something with the authenticated
> > user, which is null. I realize this is not an other containers
> > forum, but I was just curious what the expected behaviour *should*
> > be.
>
> If you have other stuff going on -- like custom error pages -- you
> might find that more of your own code is running than you expect. See
> Konstantin's response. It's terse, but I think he's likely getting to
> the root of your problem.
>
> - -chris
>


Gentlemen,

Thank you for the assistance.

I still don't know what was causing my issue on said other container with
respect to sendError and custom error-page elements, but...

This works fine and was really what I was after, a simple custom 403
message, no html:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException
{
    boolean iAmNotAuthorized = true;

    if (iAmNotAuthorized)
    {
        // generate the HTTP Servlet Response for a 403 status code
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        httpResponse.setHeader("WWW-Authenticate", "Basic");
        httpResponse.getOutputStream().print("blah, blah, blah");

        // return from the doFilter method
        return;
    }

    chain.doFilter(request, response);
}

leo


Filter behaviour

2015-06-25 Thread Leo Donahue
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException

Assuming you have only a single Filter configured in web.xml

Assuming you have logic in a doFilter that checks the value of a boolean.
If the boolean is true, then assume you send a http status code back and
use a return in the if condition.

example:

    if (someConditionIsTrue)
    {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        httpResponse.sendError(HttpServletResponse.WHATEVER_YOU_CHOOSE);
        return;
    }

    chain.doFilter(request, response);


My question is:

If the chain is placed inside an else, which would not run if the condition
is true, does that violate the Filter in any way?  In other words, if one
does not call chain.doFilter within a doFilter method, should one expect
something bad?

What I'm really saying without saying it is, whether I call chain.doFilter
in or out of an else, on Tomcat I get the sendError status that I expect,
but not from other containers.  I realize that statement is moot on this
list, but I thought I would share it.

Are there any conditions in which Tomcat will decide what to do on its own,
related to sendError, when it can't figure it out from code?

Leo


Using CATALINA_BASE:   C:\apache-tomcat\apache-tomcat-7.0.62
Using CATALINA_HOME:   C:\apache-tomcat\apache-tomcat-7.0.62
Using CATALINA_TMPDIR: C:\apache-tomcat\apache-tomcat-7.0.62\temp
Using JRE_HOME:        C:\Program Files (x86)\Java\jdk1.7.0_67
Using CLASSPATH:       C:\apache-tomcat\apache-tomcat-7.0.62\bin\bootstrap.jar;C:\apache-tomcat\apache-tomcat-7.0.62\bin\tomcat-juli.jar
Server version: Apache Tomcat/7.0.62
Server built:   May 7 2015 17:14:55 UTC
Server number:  7.0.62.0
OS Name:        Windows 7
OS Version:     6.1
Architecture:   x86
JVM Version:    1.7.0_67-b01
JVM Vendor:     Oracle Corporation


Re: Removing ThreadLocal variables

2015-04-13 Thread Leo Donahue
On Mon, Apr 13, 2015 at 5:25 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Leo,
>
> The good news is that you are thinking about this in the correct way:
> that requests are handled by (usually) one thread and you have to
> clean the ThreadLocal in the correct thread, otherwise Bad Things can
> happen.
>
> Unfortunately, the one-thread-per-request scheme only works for
> certain types of requests. If you are using WebSocket, Comet, etc.
> then that can fall apart on you.
>
> Back to your use-case. A ServletRequestListener itself isn't
> absolutely required, but it probably makes the most sense
> architecturally: the infrastructure is already there for you, and the
> behavior is orthogonal to the actual work you are trying to accomplish.
>
> It's not clear to me exactly what you are proposing above, but if it
> matches the semantics of the ServletRequestListener, then it sounds
> okay to me.
>
> - -chris


The scenario I was proposing is more work than just implementing the
ServletRequestListener.

One thread local variable was being created in each filter.

In my previous scenario, I was going to remove thread locals in the web
service methods, but then realized I could remove them in the finally block
of the filters on the request's way back out the chain(s).

I think I prefer the Listener approach better.


Re: Removing ThreadLocal variables

2015-04-13 Thread Leo Donahue
On Mon, Apr 13, 2015 at 6:57 PM, Konstantin Kolinko <knst.koli...@gmail.com>
wrote:

> 2015-04-14 2:28 GMT+03:00 Leo Donahue <donahu...@gmail.com>:
> >
> > I think I prefer the Listener approach better.
>
> Filters are better.
>
> With Filter there is a guarantee that finally block is executed in the
> same thread.
>
> With RequestListener there is no guarantee that requestDestroyed()
> happens in the same thread.  That method exists to perform cleanup of
> request attributes, not one of thread locals.
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57314
>
> Best regards,
> Konstantin Kolinko
>

Konstantin,

Thank you for sharing that link.
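
The filter approach recommended in the reply quoted above, as an added example that is not code from the thread: the thread local is set on the way in and removed in a finally block on the same thread, so a pooled request thread never carries one request's value into the next request it serves. RequestUserHolder and UserContextFilter are hypothetical names standing in for the thread's Class1 and filter1; the file is assumed to be UserContextFilter.java.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical per-request holder (the role "Class1" plays in the thread). */
final class RequestUserHolder {
    private static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<String>();

    private RequestUserHolder() { }

    static String get() { return CURRENT_USER.get(); }

    static void set(String user) { CURRENT_USER.set(user); }

    /** remove(), not set(null): remove() drops the entry from the thread's map. */
    static void destroy() { CURRENT_USER.remove(); }
}

/** Hypothetical filter that owns the whole lifetime of the thread local. */
public class UserContextFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        String user = null;
        if (request instanceof HttpServletRequest) {
            user = ((HttpServletRequest) request).getRemoteUser();
        }
        RequestUserHolder.set(user);
        try {
            // Later filters and the web service method read RequestUserHolder.get()
            chain.doFilter(request, response);
        } finally {
            // Runs on the thread that called set(), on normal return and on exceptions,
            // so the service method needs no cleanup calls of its own
            RequestUserHolder.destroy();
        }
    }

    @Override
    public void destroy() { }
}
```

If downstream code switches to asynchronous processing, the finally block still runs on the container thread, but work handed to other threads will not see the value.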


Removing ThreadLocal variables

2015-04-13 Thread Leo Donahue
Tomcat 7.0.61
Java 1.7.0_75

Scenario:

Class1
  static Type ThreadLocal variable
  static Type getThreadLocal(){...}
  static Type setThreadLocal(){...}
  static void destroy(){variable.remove}

Class2
  static Type ThreadLocal variable
  static Type getThreadLocal(){...}
  static Type setThreadLocal(){...}
  static void destroy(){variable.remove}

user makes a request to a stateless jax-ws web service
request hits filter1
filter1 - Class1.setThreadLocal
filter1 - calls chain.doFilter()
filter2 - calls methods on Class1
filter2 - Class2.setThreadLocal
filter2 - calls chain.doFilter()
web service method processes request

Removing the thread local:

web service method calls Class1.destroy() and Class2.destroy()
 (and it does this for all exception cases within said web service method)

Is this an acceptable pattern or is it better to implement a
ServletRequestListener to remove thread local variables?


Re: [ANN] Apache Tomcat 8.0.17 available

2015-01-21 Thread Leo Donahue
On Wed, Jan 21, 2015 at 9:03 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Leo,
>
> On 1/20/15 10:29 PM, Leo Donahue wrote:
> > On Tue, Jan 20, 2015 at 9:24 PM, Leo Donahue <donahu...@gmail.com>
> > wrote:
> >
> > On Tue, Jan 20, 2015 at 5:09 PM, Mark Thomas <ma...@apache.org>
> > wrote:
> >
> > The Apache Tomcat team announces the immediate availability of
> > Apache Tomcat 8.0.17.
> >
> > - The RemoteAddrValve and RemoteHostValve can now optionally
> > include the port when filtering along with a new option to
> > trigger authentication rather than denying access
> >
> >
> > And if they are Valves, why do the docs still use the word
> > Filter? Remote Address Filter?
>
> Both flavors exist: Valve and Filter.
>
> - -chris


Right... but..

Everything on this page is called a Filter.
http://tomcat.apache.org/tomcat-8.0-doc/config/filter.html

Everything on this page is called a Valve, except for the two under Access
Control.
http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html


Re: [ANN] Apache Tomcat 8.0.17 available

2015-01-20 Thread Leo Donahue
On Tue, Jan 20, 2015 at 9:24 PM, Leo Donahue <donahu...@gmail.com> wrote:

> On Tue, Jan 20, 2015 at 5:09 PM, Mark Thomas <ma...@apache.org> wrote:
>
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 8.0.17.
>
> - The RemoteAddrValve and RemoteHostValve can now optionally include
>   the port when filtering along with a new option to trigger
>   authentication rather than denying access


And if they are Valves, why do the docs still use the word Filter?
Remote Address Filter?


Re: [ANN] Apache Tomcat 8.0.17 available

2015-01-20 Thread Leo Donahue
On Tue, Jan 20, 2015 at 5:09 PM, Mark Thomas <ma...@apache.org> wrote:

> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 8.0.17.
>
> - The RemoteAddrValve and RemoteHostValve can now optionally include
>   the port when filtering along with a new option to trigger
>   authentication rather than denying access


There are no links on the changelog page for these and I was hoping to see
some details about why this option was added.
Optionally trigger authentication instead of denial in RemoteAddrValve and
RemoteHostValve

http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_Address_Filter
The behavior when a request is refused can be changed to not deny but
instead set an invalid authentication header

Example #3
To allow unrestricted access to port 8009, but trigger basic
authentication if the application is accessed on another port:

I'm trying to understand this kind of setup.

If an IP has been allowed to pass through via a Filter to a restricted
resource, wouldn't the user get the container configured authentication
dialog anyway?


throttle filter

2014-12-02 Thread Leo Donahue
Has anyone ever suggested a configurable throttle filter as one of the
container provided filters in Tomcat?

Or are people generally using the attributes in the HTTP connector for
limiting requests to the server for a given amount of time?

leo


Re: throttle filter

2014-12-02 Thread Leo Donahue
On Tue, Dec 2, 2014 at 3:28 PM, Chris Gamache <cgama...@gmail.com> wrote:

> You could probably be more sophisticated in your
> throttling, letting certain IPs or requests through while tarpitting
> others.
>

I was thinking about how, from my perspective, I see developers wanting to
throttle back the number of requests to their web applications (and web
services) based on the same ip, session, and other factors appearing in a
given amount of time.

I know that some frameworks (Spring) provide this mechanism, and I have
seen other projects attempt to record the information in a database and
produce application specific logic to restrict the number of requests in a
given amount of time.

I didn't know if anyone has considered a container provided filter that is
configurable to provide this kind of functionality.  This kind of
functionality is ambiguous I know.  But I would settle on even the basic
ability to say:  For this web service/app, allow only x many connections
per sec/min/hour.

Leo


Re: throttle filter

2014-12-02 Thread Leo Donahue
On Tue, Dec 2, 2014 at 4:08 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Chris,
>
> On 12/2/14 4:28 PM, Chris Gamache wrote:
> > Anyone ever suggested? No idea. But I'd be glad to riff on the
> > subject in case it shakes some discussion loose.
> >
> > I haven't seen a filter like that, but I'm sure you could work it
> > out. If I were implementing it I would use a Valve... Valves are
> > easy to write- just extend org.apache.catalina.valves.ValveBase and
> > wire it into your xml configurations. You could probably be more
> > sophisticated in your throttling, letting certain IPs or requests
> > through while tarpitting others.
>
> I think a Valve is more appropriate than a Filter, if only because it
> can be installed earlier in the pipeline.
>
> > A number of considerations; these off the top of my head--
> >
> > You'd have to be okay with holding the request thread open and
> > making it sleep.
>
> If this weren't done in a Valve, but deeper in the core, Tomcat could
> even put the request on hold and free the thread to do other things.
> This happens with the NIO connectors when the request is still being
> sent by the client: the thread isn't tied-up waiting on IO.
>
> > I guess you could serve a 503 if it were overloaded.
>
> I guess the question is whether this is a throttle intended to just
> smooth-out data-mass|request-counts for a particular client[1] or to
> avoid being overwhelmed by requests. 503 is better for avoiding an
> overload, but can't work well for more traditional throttling.
>

I was thinking about a DOS situation in which I would want to restrict the
number of requests submitted in a given amount of time.

Or for situations where what the user submits is harmless, they just might
want to submit it 10,000 times every 10 seconds.

Or for situations where you may want to restrict your client from abusing
your free web service, limiting them to 1,000 requests per day.

The hard part is deciding whether to throttle specific users or an
aggregate consumption of a service.

> > Consider your memory usage. I've read horror stories about GC
> > pauses wreaking havoc. If you have a farm of tomcats that would be
> > participating you'd need to work out a way for them to communicate
> > with one another for global counter stats.
>
> +1
>
> [1] Identifying clients is always problematic.
>

Yes.

> Proxies (AOL) and other
> things can make it look like a huge number of distinct users are
> coming from a single IP, effectively treating them as a single user
> for the purposes of throttling (if you use IP-based client
> identification). This is like 16-bit Microsoft Windows programs
> sharing a single time-slice per unit time while 32-bit applications
> get a full slice for each application: bad for business (if business
> is getting attention from the server!).
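
A minimal version of the "allow only x requests per sec/min/hour" filter asked for in this thread, as an added example that is not Tomcat's or any poster's code: a fixed-window counter keyed by remote address that answers 429 instead of calling the chain. The class name, the init-param names maxRequests and windowSeconds, and the defaults are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical fixed-window throttle: at most maxRequests per client per window. */
public class FixedWindowThrottleFilter implements Filter {

    /** One counting window for one client key. */
    private static final class Window {
        final long startMillis;
        final AtomicInteger count = new AtomicInteger();
        Window(long startMillis) { this.startMillis = startMillis; }
    }

    private final ConcurrentMap<String, Window> windows =
            new ConcurrentHashMap<String, Window>();
    private final AtomicLong lastPurgeMillis = new AtomicLong();
    private int maxRequests = 100;       // assumed default
    private long windowMillis = 60000L;  // assumed default: one minute

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "maxRequests" and "windowSeconds" are init-param names chosen for this example
        try {
            String max = config.getInitParameter("maxRequests");
            String seconds = config.getInitParameter("windowSeconds");
            if (max != null) { maxRequests = Integer.parseInt(max); }
            if (seconds != null) { windowMillis = Long.parseLong(seconds) * 1000L; }
        } catch (NumberFormatException e) {
            throw new ServletException("Invalid throttle init-param", e);
        }
    }

    /** Returns true if this request still fits in the client's current window. */
    boolean allow(String clientKey, long now) {
        while (true) {
            Window current = windows.get(clientKey);
            if (current == null) {
                Window fresh = new Window(now);
                current = windows.putIfAbsent(clientKey, fresh);
                if (current == null) { current = fresh; }
            }
            if (now - current.startMillis >= windowMillis) {
                // Window is over: swap in a new one, then re-read whichever window won
                windows.replace(clientKey, current, new Window(now));
                continue;
            }
            return current.count.incrementAndGet() <= maxRequests;
        }
    }

    /** Drops expired windows at most once per window so the map cannot grow forever. */
    private void purgeExpired(long now) {
        long last = lastPurgeMillis.get();
        if (now - last < windowMillis || !lastPurgeMillis.compareAndSet(last, now)) {
            return; // purged recently, or another thread is already purging
        }
        for (Map.Entry<String, Window> e : windows.entrySet()) {
            if (now - e.getValue().startMillis >= windowMillis) {
                windows.remove(e.getKey(), e.getValue()); // only if not replaced meanwhile
            }
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        long now = System.currentTimeMillis();
        purgeExpired(now);
        // Client key is the peer address: users behind one proxy share one budget
        if (!allow(request.getRemoteAddr(), now)) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            httpResponse.setStatus(429); // Too Many Requests (RFC 6585), passed as a literal
            httpResponse.setIntHeader("Retry-After", (int) (windowMillis / 1000L));
            httpResponse.setContentType("text/plain");
            httpResponse.getWriter().print("Request limit exceeded");
            return; // chain.doFilter is not called, so the request stops here
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { windows.clear(); }
}
```

The counters live in one JVM, so a farm of Tomcats enforces the limit per node, and clients behind a shared proxy are counted as one; both caveats are raised in the replies above.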




Re: Help! parallel deployment problem.

2014-11-24 Thread Leo Donahue
On Mon, Nov 24, 2014 at 5:48 PM, Chris Gamache <cgama...@gmail.com> wrote:

> Tomcat 7 ... Working with parallel deployment, tomcat servers in my farm
> are getting out-of-sync, not getting new versions of war files deployed to
> the main tomcat. What could be going wrong and how can I fix it?
>
> Pleez Help!

Before anyone lectures you on your type of question and lack of specifics,
re-submit a better question to get a better response.


Re: Weird (apocryphal) reference to Tomcat in Wikipedia

2014-11-05 Thread Leo Donahue
On Wed, Nov 5, 2014 at 9:31 AM, André Warnier <a...@ice-sa.com> wrote:

> Christopher Schultz wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > All,
> >
> > I was reading the Wikipedia entry on .properties format yesterday
> > (http://en.wikipedia.org/wiki/.properties) and I saw a mention of
> > Apache Tomcat that doesn't make any kind of sense to me:
> >
> >
> > In Apache Tomcat the exclamation mark denotes a Negation operator when
> > used as the first non blank character in a line[citation needed].
> >
> >
> > I'm the one that added the [citation needed] with a note that I
> > think this is false.
> >
> > Does anyone know if there was some kind of ancient version of Tomcat
> > that read its own .properties files and added some kind of magic to do
> > what the above says? I think it's a complete fabrication with no basis
> > in reality.
> >
> > Any ideas?
> >
>
> Maybe a very indirect reference to :
> http://tomcat.apache.org/connectors-doc/reference/uriworkermap.html
> (see : Exclusions and rule disabling)
>
> but, like you, I think that this reference is quite irrelevant in that
> Wikipedia article.
>

Nice find André!  bonus points.


Re: Security Best Practices on Windows Service

2014-11-05 Thread Leo Donahue
On Wed, Nov 5, 2014 at 1:34 PM, Igal @ getRailo.org <i...@getrailo.org>
wrote:

> hi,
>
> what are the security best practices for running Tomcat as a Windows
> Service?
>
> is the local system account safe
>

Define safe.  LocalSystem has too many privs that a Tomcat service account
doesn't need in my opinion.

> or am I better off creating a new user
> and giving it write permissions only to the Tomcat runtime folders and
> read permissions to the web contents folder?


In my previous employment, we did that.  Create a local user account and
set permissions to the Tomcat installation directory and optional
CATALINA_BASE (if you separated them).  We did not use domain accounts for
the Tomcat service account because the Tomcat service account did not need
access to network resources in our setup.  Create a strong password.

Leo


Re: Moving tomcat Ver 6.0

2014-11-05 Thread Leo Donahue
On Wed, Nov 5, 2014 at 1:48 PM, Nick Wall <nick.w...@mvtcanada.com> wrote:

> Hi All
> Sorry new user to this
> We have a Win server 2003 running Tomcat and our software I need to move
> this to a new win 2008 R2 server
> Is there an easy way to move everything over etc.
> Looking at easiest way to move everything over.
>
> Or if you are familiar with this and can assist setting up and moving
> could look at that possibility as well
>
> Nick Wall  AScT
> IT Manager
> nick.w...@mvtcanada.com
>

You might as well consider getting the latest version of Tomcat while
you're at it, and then moving your webapps to that new installation.

You will want to check the customizations (if you made any) in web.xml,
server.xml, tomcat-users.xml and anything under conf/Catalina/localhost
that you placed there intentionally in the 2003 Tomcat installation.

Don't forget to use the same service account, if you created one.

You will also want to check the 2003 tomcat7w.exe for any custom options
you used there, like memory settings, etc.

leo


Re: Moving tomcat Ver 6.0

2014-11-05 Thread Leo Donahue
On Wed, Nov 5, 2014 at 2:36 PM, Nick Wall <nick.w...@mvtcanada.com> wrote:

> -Original Message-
> From: Leo Donahue [mailto:donahu...@gmail.com]
> Sent: November-05-14 12:32 PM
> To: Tomcat Users List
> Subject: Re: Moving tomcat Ver 6.0
>
> On Wed, Nov 5, 2014 at 1:48 PM, Nick Wall <nick.w...@mvtcanada.com> wrote:
>
> > Hi All
> > Sorry new user to this
> > We have a Win server 2003 running Tomcat and our software I need to
> > move this to a new win 2008 R2 server Is there an easy way to move
> > everything over etc.
> > Looking at easiest way to move everything over.
> >
> > Or if you are familiar with this and can assist setting up and moving
> > could look at that possibility as well
> >
> > Nick Wall  AScT
> > IT Manager
> > nick.w...@mvtcanada.com
> >
>
> You might as well consider getting the latest version of Tomcat while
> you're at it, and then moving your webapps to that new installation.
>
> You will want to check the customizations (if you made any) in web.xml,
> server.xml, tomcat-users.xml and anything under conf/Catalina/localhost
> that you placed there intentionally in the 2003 Tomcat installation.
>
> Don't forget to use the same service account, if you created one.
>
> You will also want to check the 2003 tomcat7w.exe for any custom options
> you used there, like memory settings, etc.
>
> Leo
>
>
> HI Leo
> Thanks for the reply and info :)
>
> Can I just copy the folder/files you mention and put in the new
> installation on the 2008 server ?
>

If the installation was done using the Tomcat zip version and it is not
running as a windows service, yes, you should be able to do that.  Don't
put all your eggs in this basket for the moment, you need more info.

> As for a service account I have no idea if one exists  as this was
> installed about 5 yrs ago and no one is left in the company that knows
> anything about it - Hence why I'm on this :) lol
>
> Nick


I kinda wonder though if there is a windows service associated with this
Tomcat.  Do you see anything called Tomcat6 in the windows services panel?


Re: Moving tomcat Ver 6.0

2014-11-05 Thread Leo Donahue
Nick,

On Wed, Nov 5, 2014 at 2:55 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Nick,
>
> On 11/5/14 2:48 PM, Nick Wall wrote:
> > We have a Win server 2003 running Tomcat and our software I need
> > to move this to a new win 2008 R2 server
> >
> > Is there an easy way to move everything over etc.
> >
> > Looking at easiest way to move everything over.
>
> It depends upon how you have everything set up. If you have a mostly
> default configuration and all your web applications are deployed into
> Tomcat's webapps/ directory, then you should be able to just copy the
> whole Tomcat directory from one machine to another.
>
> There are a few caveats:
>
> 1. If you are switching architectures (e.g. 32-bit to 64-bit, IA64 to
> x86_64, etc.) and you are using the tcnative library, then you'll have
> to make sure you place the library that matches your destination
> architecture into the right place (usually Tomcat's bin/ directory).
>
> 2. If you are running Tomcat as a Windows Service, then you'll have to
> re-register the service on the target machine once you've moved the
> files over. You can get a lot of mileage out of running the following
> on the command-line of the destination server:
>
>   C:\> SET CATALINA_HOME=C:\Path\To\Tomcat
>   C:\> SET CATALINA_BASE=C:\Path\To\Tomcat
>   C:\> %CATALINA_HOME%\bin\service.bat install
>
> You might want to run CATALINA_HOME\bin\tomcat6w.exe on the old
> machine and make sure all your settings are copied-over to the new one.
>

Yes.  I think I told you to check tomcat7w.exe.  Chris is correct, it would
be tomcat6w.exe, since you are on version 6 something.

> 3. You may have net networking components of services on the
> destination machine, so make sure you don't have any port conflicts.
> The easiest way to check for this is to start Tomcat and look at the
> catalina.out log file in Tomcat's logs/ directory. If it doesn't say
> anything about not being able to bind to a port, then you should be okay.


You can also run at the command prompt:  netstat -ano
to see what ports are being used and by what process.


Re: Moving tomcat Ver 6.0

2014-11-05 Thread Leo Donahue
On Wed, Nov 5, 2014 at 2:53 PM, Nick Wall <nick.w...@mvtcanada.com> wrote:

> -Original Message-
> From: Leo Donahue [mailto:donahu...@gmail.com]
>
> I kinda wonder though if there is a windows service associated with this
> Tomcat.  Do you see anything called Tomcat6 in the windows services panel?
>
>
> Leo
> Yes I just  checked and there is a service running called Apache Tomcat
> As you can tell I have no clue to this installation :)
>
> Nick


Generic steps:

First step would be to decide whether you want to deploy a 32bit or 64bit
version of Tomcat.

1.  Download the latest Tomcat (32bit or 64bit, your decision)
1.b  Determine whether you want to download the zip or windows installer
version of that architecture.  In your case, probably the latter.
2.  Download the latest java sdk (same architecture as you picked above).
3.  Install the java sdk, set the %JAVA_HOME% system environment variable.
if you need help, ask.
4.  Install Tomcat using the windows service installer.  If you used a
specific windows user account to run the previous service, make sure you
set that in the service properties.
5.  In your previous Tomcat installation, you need to take note of all of
the settings and apply them to your new install.  This is the hard part.
You will want to compare the following files in the old and new installs:

tomcat-install-directory/conf:

context.xml
server.xml
tomcat-users.xml
web.xml

tomcat-install-directory/bin  run tomcat6w.exe
you are looking for any custom settings for memory and other options...
(trying to recall the exact names of the tabs at the moment, where I am now
we block Tomcat because we use a different web server, can't even install
it here.. sorry list)

6.  Copy your webapps from the Tomcat6 webapps dir to Tomcat8 web apps
dir.  I would also investigate any custom settings to the
webapps/manager/META-INF/context.xml in the previous Tomcat6.  You don't
know if there was a custom valve or something applied in there other than
the default.

6.b  (Optional) Get rid of the docs and examples directories in your new
Tomcat, or move them somewhere else if you want to keep them.

7.  Make sure you copy the old ROOT web app directory to the new Tomcat.

8.  Hard to say, but you might also have had custom jar files in the
previous tomcat6-install-directory/lib   Only way to know is to compare
what was in there.

This sucks that you have no documentation on the previous install, makes
your life a little harder.  I'm sure others will chime in with things I
have forgotten.

leo


Re: Separation of CATALINA_HOME and CATALINA_BASE

2014-11-04 Thread Leo Donahue
On Tue, Nov 4, 2014 at 9:37 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Neven,

 On 11/3/14 6:42 PM, Neven Cvetkovic wrote:
  Vince, the current configuration works great:
 
  SLIGHTLY-OFFTOPIC:
 
  Although, I would love to see out-of-box setup for additional
  shared-lib folder, something other than TOMCAT/lib with Tomcat
  default libraries. Essentially, I would love to separate my
  customer shared libraries from Tomcat default libraries. I guess -
  question would be where are CATALINA_HOME/lib JAR files being
  loaded from? Can we add another directory to scan for libraries to
  be loaded? Is that configurable?

 I'm not sure about that, but if the Windows installer could ask the
 user if they want a unified versus split configuration, that might
 be nice. The installer could then ask for the location of
 CATALINA_BASE and offer to create it if necessary. That way, users
 performing upgrades could specify their existing CATALINA_BASE
 during installation and not have to go back and re-configure the
 Windows Service. It would also allow newbies to know that there is an
 advanced configuration and perhaps go learn about it.

 -chris


The Tomcat zip file distribution could easily do this now. Add a
CATALINA_BASE directory pre-configured with a read-me file that explains to
users they can move this directory elsewhere, and update a property that
points back to the CATALINA_HOME directory wherever they unzipped that.
This would be an easy optional configuration to include for a split
configuration.


Re: Separation of CATALINA_HOME and CATALINA_BASE

2014-11-04 Thread Leo Donahue
On Tue, Nov 4, 2014 at 10:36 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Leo,

 On 11/4/14 10:46 AM, Leo Donahue wrote:
  On Tue, Nov 4, 2014 at 9:37 AM, Christopher Schultz 
  ch...@christopherschultz.net wrote:
 
 
  Neven,
 
  On 11/3/14 6:42 PM, Neven Cvetkovic wrote:
  Vince, the current configuration works great:
 
  SLIGHTLY-OFFTOPIC:
 
  Although, I would love to see out-of-box setup for additional
  shared-lib folder, something other than TOMCAT/lib with Tomcat
   default libraries. Essentially, I would love to separate my
  customer shared libraries from Tomcat default libraries. I
  guess - question would be where are CATALINA_HOME/lib JAR
  files being loaded from? Can we add another directory to scan
  for libraries to be loaded? Is that configurable?
 
  I'm not sure about that, but if the Windows installer could ask
  the user if they want a unified versus split configuration,
  that might be nice. The installer could then ask for the
  location of CATALINA_BASE and offer to create it if necessary.
  That way, users performing upgrades could specify their
  existing CATALINA_BASE during installation and not have to go
  back and re-configure the Windows Service. It would also allow
  newbies to know that there is an advanced configuration and
  perhaps go learn about it.
 
  -chris
 
 
  The Tomcat zip file distribution could easily do this now. Add a
  CATALINA_BASE directory pre-configured with a read-me file that
  explains to users they can move this directory elsewhere, and
  update a property that points back to the CATALINA_HOME directory
  wherever they unzipped that. This would be an easy optional
  configuration to include for a split configuration.

 It already does that, now:

 The CATALINA_BASE directory is preconfigured to be set to
 CATALINA_HOME, which is auto-detected by catalina.sh (.bat).
 CATALINA_BASE contains a readme file (RUNNING.txt) that explains how
 to change that default.

 I say that with all due snark, but it's really true: what you are
 talking about basically exists exactly as you describe.

 -chris


You are correct (something muffled).

If the Tomcat community wants to promote the concept of running multiple
instances, then what about:

A.  A description of that functionality kind of starts on line 68 in
RUNNING.txt ((3) Configure Environment Variables).  In other words, it's
buried.
B.  That description is aimed at using SCRIPTS not SERVICES to get it
working.
C.  Under Advanced Configuration in RUNNING.txt all newbies really need to
know is the In CATALINA_BASE part, because they will read the In
CATALINA_HOME part and get confused.
D.  Are newbies after this kind of configuration for the thrill of being
able to run multiple instances or for easier upgrades?

My guess is most Tomcat users on Windows don't start their Tomcats with the
scripts, a few do and those few are the ones who benefit from this ability,
in their web app development.  I haven't seen or heard of anyone who has a
shared CATALINA_HOME sitting on a Windows file share where developers are
free to create their own CATALINA_BASE, but I have only worked a few places
in my life.  And, I would wonder how coordinating the conflicting ports
would be resolved as a group.

leo


[OT] jaxws 2.2 spec

2014-11-03 Thread Leo Donahue
I know this isn't really a Tomcat specific question, but there are a lot of
web service people on the list who may want to provide their two cents.

http://download.oracle.com/otndocs/jcp/jaxws-2_2a-mrel4-eval-spec/
Page 10 indicates the following:

In the absence of customizations, the name of an SEI MUST be the value of
the name attribute of the corresponding wsdl:portType element mapped
according to the rules described in section 2.8.

In bottom up web service development, you can annotate your SEI with an
@WebService property for name which indicates the name of the
wsdl:portType.

However, I don't see a way to provide that using the wsgen utility.  wsgen
provides a wsdl:port option but that one is part of the wsdl:service. So
while I can name my port in a sub element of wsdl:service, I don't see how
I can tell wsgen to use that name for wsdl:portType.  And I don't see a way
to set the soap:address location via wsgen either (although you can with
the wsconsume toolkit)

In top down web service development, you can specify everything up front,
as long as you remember to name your SEI according to the name used in the
wsdl:portType, and as long as you remember to annotate your SEI with the
same serviceName property used in wsdl:service in the .wsdl file.

In bottom up web service development, there is a fear of a changing
contract if there are POJOs laying around that can be used in a build to
regenerate the wsdl.  But it seems like this is the favored approach for
two reasons:

1.  Annotations exist to make creating the wsdl easier
2.  Toolkit utilities exist to make creating the wsdl easier

I don't want to start an argument, but where do most of you find
yourselves?  Are you creating your wsdls from scratch or from a set of Java
classes?

leo


Re: Separation of CATALINA_HOME and CATALINA_BASE

2014-11-03 Thread Leo Donahue
On Mon, Nov 3, 2014 at 3:33 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Vince,

 On 11/3/14 4:12 PM, vince.w...@thomsonreuters.com wrote:
 
  How much easier it would be if the Tomcat distribution had the
  correct separation built in.

 It would be harder for newbies and no real benefit to experts.

 Let me show you the difference in complexity between deploying Tomcat
 with a unified versus split configuration:

 Unified
 -------

 $ wget http://host/path/to/tomcat-x.y.z.tar.gz
 $ tar xzf tomcat-x.y.z.tar.gz
 $ tomcat-x.y.z/bin/startup.sh


You can do that in Linux, not so well in Windows.  Scripts work
differently.  You log out of the Windows session, and the script stops,
hence why every Windows user wants to install Tomcat as a service,
whichever way they do that.



 Separated
 ---------
 $ wget http://host/path/to/tomcat-x.y.z.tar.gz
 $ tar xzf tomcat-x.y.z.tar.gz
 $ mkdir -p my-tomcat-base/conf
 $ mkdir -p my-tomcat-base/logs
 $ mkdir -p my-tomcat-base/work
 $ mkdir -p my-tomcat-base/temp
 $ mkdir -p my-tomcat-base/webapps
 $ cp tomcat-x.y.z/conf/server.xml my-tomcat-base/conf
 $ cp tomcat-x.y.z/conf/web.xml my-tomcat-base/conf
   (the above step may not actually be necessary)
 $ cp -r tomcat-x.y.z/webapps/ROOT my-tomcat-base/webapps
 $ export CATALINA_HOME=`pwd`/tomcat-x.y.z
 $ export CATALINA_BASE=`pwd`/my-tomcat-base
 $ $CATALINA_HOME/bin/startup.sh

 Done.

 So, that's not all that complicated when you think about it, but to
 ask someone who knows nothing about a command-line, working
 effectively in an operating system, etc. and only knows about
 programming in Java -- maybe only servlet programming in Java -- to
 configure the server in the split case is confusing as all hell.

 Anyone downloading a ZIP or tar archive containing a Tomcat
 installation would be confused if the archive contained not one but
 two top-level directories. Also, it would overwrite your
 split-configuration if you unpacked that archive in the same directory
 as when you first started.

 An installer program would have to explain what in the world the split
 configuration was. Have you ever tried to tell someone how to set up
 their email? POP versus IMAP? Most users have absolutely no idea what
 that is, and mail programs give no clue as to which one to choose. The
 same would be true of CATALINA_HOME versus CATALINA_BASE.


Everything has some degree of learning.  New people are trying to learn two
things at once, how something works as well as the why do it this way
conventions that experienced users have implemented.  New users don't
understand the convention and want to learn it the hard way first before
they can appreciate or even understand the convention.


 (Besides, I
 truly doubt that any expert system administrators are using the Tomcat
 Windows Installer to install/upgrade their systems. Maybe I'm wrong,


You had to qualify that with 'expert'... now I have nothing more to add.


 but then again I can't imagine running a Windows server in production.


This too shall pass...


 I value my sleep and prefer to build new things instead of holding
 together configurations with chewing gum and duct tape. Oh, and
 rebooting all the time.)

 Anyhow, we can debate this all you want, but I will be -0 or even -1
 to a default split-configuration of Tomcat unless someone has a really
 good idea for how to make it make sense to anyone on their first-touch.

 -chris


I would rather just point (windows) people to an example of a split
configuration or any other configuration and let them implement it if they
choose to do so, instead of getting Tomcat pre-configured. Part of the draw
to Tomcat is that you have flexibility with how you choose to run it
(script, service, windows installer, etc)


Re: need information of tomcat support

2014-10-28 Thread Leo Donahue
On Tue, Oct 28, 2014 at 8:00 AM, Hareshbhai Desai,Vinaykumar (Vinaykumar) 
desa...@avaya.com wrote:

 Hi team,

 I need some information about the tomcat support. We are using tomcat
 3.2.2 and tomcat 6.0.37 in our product. If we do not upgrade to the latest
 tomcat version, shall we get support from apache for both tomcat
 releases 3.3.2 /6.0.37? If yes, is it free or paid support? How quickly will
 we get a response?

 It would be great if you will share the information on this area, so we
 can take decision quicker.

 Thanking You ,
 Vinay


7.3 Security vulnerabilities fixed in Tomcat 3.2.3

Non-normalized URIs, for example /examples/jsp/security//protected/index.jsp or
/examples/jsp/../jsp/security/protected/index.jsp would bypass the security
constraints specified in web.xml.

We have come a long way since then...
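
The class of bug in that release note, as an added example (not Tomcat's code and not part of the original post): a constraint check that matches the raw request path next to one that normalizes first. `PROTECTED_DIR` is a constructed stand-in for the web.xml constraint, the first two sample paths are the URIs quoted above, and input is assumed to be percent-decoded already.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class ConstraintPathCheck {

    // Constructed stand-in for a web.xml constraint on /jsp/security/protected/*
    // inside the /examples context named in the release note.
    static final String PROTECTED_DIR = "/examples/jsp/security/protected";

    enum Decision { ALLOW, REQUIRE_AUTH, REJECT }

    static boolean matchesProtected(String path) {
        return path.equals(PROTECTED_DIR) || path.startsWith(PROTECTED_DIR + "/");
    }

    /** Pre-fix behaviour as the release note describes it: match the raw path. */
    static Decision naiveCheck(String rawPath) {
        return matchesProtected(rawPath) ? Decision.REQUIRE_AUTH : Decision.ALLOW;
    }

    /**
     * Resolve the path the way the resource lookup eventually will: drop empty
     * and "." segments, apply "..", and return null when ".." climbs above the
     * root. Assumes the input has already been percent-decoded.
     */
    static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (segments.pollLast() == null) {
                    return null; // walked above the context root
                }
                continue;
            }
            segments.addLast(segment);
        }
        String joined = "/" + String.join("/", segments);
        // Keep a trailing slash so directory-style requests stay recognisable.
        return (path.endsWith("/") && !segments.isEmpty()) ? joined + "/" : joined;
    }

    /** Hardened check: normalize once, then match and serve the same string. */
    static Decision hardenedCheck(String rawPath) {
        String canonical = normalize(rawPath);
        if (canonical == null) {
            return Decision.REJECT;
        }
        return matchesProtected(canonical) ? Decision.REQUIRE_AUTH : Decision.ALLOW;
    }

    public static void main(String[] args) {
        String[] samples = {
            "/examples/jsp/security//protected/index.jsp",       // from the release note
            "/examples/jsp/../jsp/security/protected/index.jsp", // from the release note
            "/examples/jsp/security/protected/index.jsp",        // canonical form
            "/examples/jsp/index.html",                          // constructed, unprotected
            "/../outside"                                        // constructed, leaves the root
        };
        for (String path : samples) {
            System.out.printf("%-52s naive=%-13s hardened=%s%n",
                    path, naiveCheck(path), hardenedCheck(path));
        }
    }
}
```

The naive check returns ALLOW for both non-normalized URIs while the hardened check returns REQUIRE_AUTH for them; the point for any custom filter or valve is to authorize the same canonical string that is later used to locate the resource.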


Re: JAX-WS Web Services

2014-10-13 Thread Leo Donahue
On Sun, Oct 12, 2014 at 9:16 AM, Meeraj Kunnumpurath 
mee...@servicesymphony.com wrote:

 Hi,

 I am porting an application from Weblogic 12 to Tomcat 8. The application
 has a set of web services that implement javax.xml.ws.Provider<SOAPMessage>
 exposed by declaring them as servlets in web.xml. However, it doesn't seem
 to be working in Tomcat, when I access the WSDL URL, I get a 404.

 Regards

 --
 *Meeraj Kunnumpurath*


I posted something similar to this a few months back, maybe this link will
help?  https://www.mail-archive.com/users%40tomcat.apache.org/msg113562.html

I can't really answer your question directly because I can't help you
troubleshoot a 404 without more info.

leo


Question on Thread Local

2014-09-02 Thread Leo Donahue
I've been reading about using Thread Local in web applications and the
general use case is to generate a transaction id in a filter so that the
rest of the web application running in the thread local will have access to
that transaction id.

Thread Local is essentially a way to create a global variable so that you
don't have to create a bean that generates said global data and pass that
bean around to other classes, or inject it into the other classes?

I am not sure I understand the difference between per-thread requests and
servlet requests that already run in their own thread.

In other words, what is the difference between using a Thread Local
variable vs any other variable that is created inside a filter, or during a
normal servlet request?


Re: Question on Thread Local

2014-09-02 Thread Leo Donahue
On Tue, Sep 2, 2014 at 3:00 PM, Leon Rosenberg rosenberg.l...@gmail.com
wrote:

 From practical point of view ThreadLocal is a huge hashmap directly in the
 ThreadClass where you can store a map of variables.
 Something like Thread.Map<ThreadId, Map<String, Object>>, in which you can
 access variables that are 'attached' logically to the current Thread.
 In practice it's a nice way to pass information through layers of code
 without adding it explicitly as parameter to every function on the way.
 regards
 Leon


At some point in the web application, a ThreadLocal is instantiated and its
properties are set and then retrieved in a Filter.  Am I on track here?

How is that different or more helpful than instantiating any other POJO
with property setters?

A POJO will be instantiated on every servlet request whereas the
ThreadLocal is only created once?


Re: Restricting SSL access within webapp

2014-08-01 Thread Leo Donahue
On Fri, Aug 1, 2014 at 1:55 PM, John Smith tomcat.ran...@gmail.com wrote:

 In my webapp there's a directory '/admin' that's protected under SSL. Users
 are forced to use SSL via a security constraint in web.xml. It works great.

 I would also agree with Chuck and James.

Can you not move this admin app to another instance of Tomcat?  Why dangle
it out there on the same server that has all your other non-SSL required
webapps?

Just asking.

leo


Re: Windows performance issue

2014-07-22 Thread Leo Donahue
On Jul 21, 2014 4:03 AM, Omar Orzenini omar.orzen...@gmail.com wrote:

 Hello everyone, I apologize for my poor english but I'll try to explain.
 I have a strange performance problem only under Windows (via NFS on
 Linux everything
 works fine).
 Tested operating system (Windows Server 2008 R2 64, Windows Server 2012
R2):

 Second step: share the webapps folder (eg. c:\webapps) and change in the
 server.xml AppBase from webapps to \\servername\webapps.

And now you have a dns query to lookup that server name each time.

Does fully qualified domain name of the server help improve performance?

Leo


Re: jax-ws

2014-07-18 Thread Leo Donahue
On Sun, Jul 13, 2014 at 10:23 PM, Leo Donahue donahu...@gmail.com wrote:


 I found a link on the web that mentioned something about picking and
 choosing about 7 different jar files


Essentially that information is wrong.

Reading the manual here:
https://jax-ws.java.net/2.2.8/docs/ch02.html#installation-instructions

I needed all of them apparently.

Why does technology suffer from such poor documentation?
Are medical books wrong? - errata... oh wait, I meant cut here! on page
1291  (that's going to leave a scar)
Are mystery novel endings wrong? - errata... oh wait that person was
supposed to live, not die on page 674
Why so much junky documentation in technology?
This was a rhetorical question section.


Re: jax-ws

2014-07-14 Thread Leo Donahue
On Mon, Jul 14, 2014 at 8:04 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Leo,

 On 7/13/14, 11:23 PM, Leo Donahue wrote:
  I'm here:
 
 http://tomcat.apache.org/tomcat-7.0-doc/extras.html#Web_Services_support_%28JSR_109%29
 
   And I'm looking for the other two jar files mentioned in the help.
  Going back to the main download page for 7.0.54 and clicking on
  Browse/bin/extras, I see no said jar files mentioned in the help
  document.
 
  I'm following along in the Java 6EE tutorial here:
  http://docs.oracle.com/javaee/6/tutorial/doc/bnayn.html#bnayq ...
  and I don't use NetBeans or Glassfish (yet)

 If you want Java EE on Tomcat, you might as well save yourself a huge
 headache and switch to TomEE.

 -chris


As I am finding out.

INFO: Starting Servlet Engine: Apache Tomcat/7.0.54
Jul 14, 2014 9:58:51 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive
C:\apache_tomcat\apache-tomcat-7.0.54\webapps\HelloTest.war
Jul 14, 2014 9:58:52 AM org.apache.catalina.core.ContainerBase
addChildInternal
SEVERE: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/HelloTest]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at
org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1083)
at
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1880)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NoClassDefFoundError:
com/sun/istack/localization/Localizable
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at java.lang.Class.getDeclaredFields0(Native Method)
at java.lang.Class.privateGetDeclaredFields(Class.java:2436)
at java.lang.Class.getDeclaredFields(Class.java:1806)
at
org.apache.catalina.util.Introspection.getDeclaredFields(Introspection.java:106)
at
org.apache.catalina.startup.WebAnnotationSet.loadFieldsAnnotation(WebAnnotationSet.java:261)
at
org.apache.catalina.startup.WebAnnotationSet.loadApplicationListenerAnnotations(WebAnnotationSet.java:90)
at
org.apache.catalina.startup.WebAnnotationSet.loadApplicationAnnotations(WebAnnotationSet.java:63)
at
org.apache.catalina.startup.ContextConfig.applicationAnnotationsConfig(ContextConfig.java:403)
at
org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:879)
at
org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:374)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5355)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
... 10 more
Caused by: java.lang.ClassNotFoundException:
com.sun.istack.localization.Localizable
at java.net.URLClassLoader$1

jax-ws

2014-07-13 Thread Leo Donahue
I'm here:
http://tomcat.apache.org/tomcat-7.0-doc/extras.html#Web_Services_support_%28JSR_109%29

And I'm looking for the other two jar files mentioned in the help.  Going
back to the main download page for 7.0.54 and clicking on
Browse/bin/extras, I see no said jar files mentioned in the help document.

I'm following along in the Java 6EE tutorial here:
http://docs.oracle.com/javaee/6/tutorial/doc/bnayn.html#bnayq
... and I don't use NetBeans or Glassfish (yet)

I found a link on the web that mentioned something about picking and
choosing about 7 different jar files from the metro download here:
https://jax-ws.java.net/

What do I need to create a simple jax-ws sample and deploy in Tomcat 7.0.54?

leo


[OT] Apache Tomcat7 service start randomly after the installation of McAfee antivirus

2014-07-03 Thread Leo Donahue
On Thu, Jul 3, 2014 at 4:22 AM, André Warnier a...@ice-sa.com wrote:

 Leo Donahue wrote:

 On Wed, Jul 2, 2014 at 2:33 AM, André Warnier a...@ice-sa.com wrote:

  Blachon, Philippe wrote:


 Why would one run a virus scanner permanently on a Tomcat server ?


 Does the OP work in the government?  My former employer had virus scanning
 software on every server.  You couldn't get a server image without it.

 The answer to that question is really based on policy, if he works in
 government.  Eventually, that server has the potential for getting a virus
 somehow from something or someone, and someone has to answer the question:
 why wasn't there virus scanning software on the server?


 Leo, I understand what you're saying above.
 But if one extrapolates that logic, then at some point the whole IT
 infrastructure and the whole Internet would grind to a halt, as only the
 POTUS would be allowed to upload anything onto a computer.


All sarcasm aside, I agree with you.  Some LAN administrators I've worked
with would applaud your statement though.

And I'll go one step further and add that not only in some local government
agencies you get virus scanners on servers, but you also get those system
scanners that monitor every single thing that happens on the server
(something related to the sun and wind)  It really bogs things down.

And it gets worse than that.  Sometimes you have eager admins who say:  I
see that this vm is only utilizing x % of the system resources, I'll either
degrade the existing resources provisioned on that server or maybe I'll
install something on it not related to the intent of that server.

All of that stuff makes troubleshooting problems so much harder.

At least his scheduled tasks are working.

leo


Re: Interface default methods

2014-07-03 Thread Leo Donahue
On Thu, Jul 3, 2014 at 1:05 AM, Mark Thomas ma...@apache.org wrote:

 On 3 July 2014 04:11:32 GMT+01:00, Leo Donahue donahu...@gmail.com
 wrote:
 I don't want to start a war, but just curious if the Tomcat developers
 see
 any use case for adding default methods to any of the Interfaces in the
 API?

 Which API?

 Mark


Well, for example, this Interface?
http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/catalina/Valve.java

I was just curious if the Tomcat developers have any intent on creating
default methods in Interfaces such as this one as opposed to using the
abstract class ValveBase.

Just wanted to know how people felt about Interface default methods in
general.

leo


Interface default methods

2014-07-02 Thread Leo Donahue
I don't want to start a war, but just curious if the Tomcat developers see
any use case for adding default methods to any of the Interfaces in the API?

Leo


Re: [somewhat OT] Apache Tomcat7 service start randomly after the installation of McAfee antivirus.

2014-07-02 Thread Leo Donahue
On Wed, Jul 2, 2014 at 2:33 AM, André Warnier a...@ice-sa.com wrote:

 Blachon, Philippe wrote:

 Good morning,

 We have 4 identical servers with a scheduled task running every night on
 each of them. This task Stop Tomcat - Update some data - Start Tomcat.
 This worked fine for months.
 We have installed a new antivirus McAfee 3 weeks ago. Now the Tomcat7
 service starts randomly. At least 1 of the 4 server needs a manual start of
 the Tomcat7 service every morning.

 Do you know if there are specific problems between Tomcat and McAfee ?
 We have already tried to exclude Tomcat.exe from McAfee scanning. Is
 there anything else we could exclude without compromising the security ?

 Configuration:
 Windows server 2008 R2 Standard - SP1
 Apache Tomcat 7.0.29 Server
 McAfee Agent 4.8.0.1500
 Mcafee VirusScan Enterprise 8.8.04001

 Thanks, have a nice day,
 Philippe Blachon.


 Not a direct answer to your question, but maybe a bit of lateral and
 logical thinking here :

 Why would one run a virus scanner permanently on a Tomcat server ?


Does the OP work in the government?  My former employer had virus scanning
software on every server.  You couldn't get a server image without it.

The answer to that question is really based on policy, if he works in
government.  Eventually, that server has the potential for getting a virus
somehow from something or someone, and someone has to answer the question:
why wasn't there virus scanning software on the server?

Leo


Re: Stateless application is very slow using LDAP authentication

2014-04-22 Thread Leo Donahue
On Tue, Apr 22, 2014 at 8:48 AM, André Warnier a...@ice-sa.com wrote:

 Frédéric Poliquin wrote:

  What if you disable authentication entirely as a test... do things
 speed-up? Answer is YES
  Do you have a problem only under load or also when you are testing a
 single-user? Single user

 What I did is to put Tomcat behind an Apache Server which solved my
 problem. Maybe it could be a good new feature to add in future releases...


 Can you explain how this solved your problem ?

 If you are using Basic Authentication, without sessions, even httpd would
 need to re-authenticate to AD/LDAP with every request, no ?



I'm somewhat more concerned for the OP if he is using Basic Authentication
and LDAP.  Passwords going over the network unprotected.  Am I the only one
seeing this?

Leo


sudo apt-get install Tomcat7

2014-04-20 Thread Leo Donahue

About two weeks into learning linux on Ubuntu 12.04 LTS

Issuing that command, where does that Tomcat7 come from?

Leo



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: sudo apt-get install Tomcat7

2014-04-20 Thread Leo Donahue


On 04/20/2014 08:29 PM, Everton H. P. Custódio wrote:

Hi,


2014-04-20 23:43 GMT-03:00 Leo Donahue donahu...@gmail.com:


About two weeks into learning linux on Ubuntu 12.04 LTS

Issuing that command, where does that Tomcat7 come from?



It comes from Ubuntu's repository. You can check the repositories in
'Software and Updates' options in Ubuntu.


I'm not sure I see the same thing you are describing.

Under Ubuntu Software Center, and then from the Edit/Software Sources 
menu there is a dialog showing Download from on the Ubuntu Software 
tab which just says Server for United States.  I have an option to 
pick from several US mirrors.  Tomcat7 could be coming from any one of 
those mirror sites?


I think I will just stick with using the tar.gz file from the 
tomcat.apache.org site for now until I can get a better feel for this OS.


Thanks,
Leo




Re: Maximum number of JSP ?

2014-04-11 Thread Leo Donahue
On Fri, Apr 11, 2014 at 6:46 AM, Dutta, Abhishek 
abhishek.du...@capgemini.com wrote:

 Hi,

 I am not very sure, but I guess if we consider the servlet lifecycle the
 servlet is not supposed to get instantiated until requested.


The question is, do the JSP pages contain static text or JSP elements?

Either way, a JSP will be converted to a servlet in the container.

When a request for the JSP is made, the container will check to see if the
JSP page's servlet is older than the JSP page, and if it is, then the JSP
page gets re-compiled.
http://docs.oracle.com/javaee/5/tutorial/doc/bnahe.html

Now you are going through the servlet life cycle for each JSP page that is
newer than its servlet.  And you also have spawned 16,000 threads in this
application.  One for each init() method of those servlets.

Is this performance problem something you didn't have before today?


Re: Maximum number of JSP ?

2014-04-11 Thread Leo Donahue
On Fri, Apr 11, 2014 at 8:52 AM, Sylvain Goulmy sygou...@gmail.com wrote:


 4. Here is the behaviour that I observed: I request the URL of a JSP in a
 loop. The content of this JSP is always the same but its name is different
 in each URL so that it is considered as a new one.


Can you post the contents of your JSP?



 Is this performance problem something you didn't have before today?

 No indeed, we were on a different technology (Websphere).


So what is your point?

You originally asked this:

I'd like to know if there are known limitations regarding the max number of
JSP loaded in an application that could be used without facing performance
issue ?

Why would there be a number?  You can have the same and/or worse
performance problems with just one JSP.


Re: Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x

2014-04-10 Thread Leo Donahue
On Thu, Apr 10, 2014 at 2:10 PM, Ji Song s...@glimmerglass.com wrote:



 Hi,



 Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x ?  I noticed that
 Tomcat native connector version 1.1.22 uses : OpenSSL 0.9.8 which doesn't
 have the heartbleeding bug, but 1.1.24 and 1.1.29 also include the buggy
 openssl.



 How can I find  which version of Tomcat uses which version of Tomcat
 native connector ?  For example, how can I figure out which version of
 Tomcat native connector is used by Tomcat 7.0 build 47.


 Look here:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_47/build.properties.default

Scroll to the # - Tomcat native library -   section


Re: grab hostname from tomcat manager

2014-04-02 Thread Leo Donahue
On Wed, Apr 2, 2014 at 6:07 AM, bjoern.bec...@easycash.de wrote:

 Hello,

 I need to grab the hostname from the tomcat manager somehow.
 Unfortunately this URL manager/text/serverinfo doesn't contain the
 hostname.

 Is there any other smart way to receive the hostname via tomcat manager
 app?

 Best Regards,
 Bjoern




Programmatically grab? or just see it?

There is a link on the manager homepage for server status which will show
the host name to you.


Re: SSL Certificates

2014-03-31 Thread Leo Donahue
On Mon, Mar 31, 2014 at 7:19 AM, Bomma, Nithun nithun.bo...@amtrak.com wrote:

 Hello,

 We are using WebSphere v6.1 for SSO and we are moving to ForgeRock and it
 uses Apache Tomcat (v7.0.37)

 We are trying to import the certificates (Verisign) including the chain
 certificates from WebSphere to Tomcat.

 Have any of you done this before? If yes, could you help us out?

 Thanks,
 Nithun


It's all right here:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority

Where do you need help specifically?


Re: Connection pooling issue on Tomcat

2014-03-28 Thread Leo Donahue
On Fri, Mar 28, 2014 at 12:31 PM, Propes, Barry L
barry.l.pro...@citi.com wrote:



 -Original Message-
 From: Mark Shifman [mailto:mark.shif...@yale.edu]
 Sent: Friday, March 28, 2014 12:34 PM
 To: Tomcat Users List
 Subject: Re: Connection pooling issue on Tomcat

 =
 Thanks, Mark, I got it figured out.

 I had changed it a couple of weeks back to point to our COB region, which
 is up only during a specified time, and didn't realize I hadn't changed it
 back. But I also thought that stopping and starting the app in the manager
 console would overwrite the app xml file in the conf folder, and that
 didn't happen.
 I checked it there and discovered the problem.


I know this thread is closed, but I just wanted to ask you a follow up
question Barry.

You said that the app xml in the conf folder wasn't being overwritten.

Are you placing that xml file there manually?

Or did you set copyXML in your Host element to true to make it copy that
file there?  Because by default, copyXML is set to false, that attribute is
not even named in the default Tomcat server.xml if you are using the zip
version.  And per the docs, that app xml file will be used in place of the
one in your web app, even if the web app one is newer.

[quote]
Set to true if you want a context XML descriptor embedded inside the
application (located at /META-INF/context.xml) to be copied to xmlBase when
the application is deployed. On subsequent starts, the copied context XML
descriptor will be used in preference to any context XML descriptor
embedded inside the application *** even if the descriptor embedded inside
the application is more recent ***. The flag's value defaults to false.
Note if *deployXML* is false, this attribute will have no effect.
[/quote]

If you place the contents of your app xml file in a file called context.xml
in /META-INF/, you won't have to worry about updating the one in the conf
folder.

I only place xml files in conf when I want something static, like mapping
an output directory for GIS applications to write images.


Re: Realm ldaps

2014-03-27 Thread Leo Donahue
On Thu, Mar 27, 2014 at 8:45 AM, bjoern.bec...@easycash.de wrote:

 Hello,

 I like to change my ldap jndirealm to ldaps.

   <Realm className="org.apache.catalina.realm.LockOutRealm">
 <Realm
 className="org.apache.catalina.realm.UserDatabaseRealm"
 resourceName="UserDatabase"/>
 <Realm className="org.apache.catalina.realm.JNDIRealm"
 connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC=de"

 How do you get away with an empty domainComponent?  DC= ?

This doesn't say you can't have an empty name, but why would you.  Just
curious.
http://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx


Re: Realm ldaps

2014-03-27 Thread Leo Donahue
On Thu, Mar 27, 2014 at 10:20 AM, bjoern.bec...@easycash.de wrote:

  -Original Message-
  From: Leo Donahue [mailto:donahu...@gmail.com]
  Sent: Thursday, 27 March 2014 17:54
  To: Tomcat Users List
  Subject: Re: Realm ldaps
 
  On Thu, Mar 27, 2014 at 8:45 AM, bjoern.bec...@easycash.de wrote:
 
   Hello,
  
   I like to change my ldap jndirealm to ldaps.
  
  <Realm className="org.apache.catalina.realm.LockOutRealm">
   <Realm
   className="org.apache.catalina.realm.UserDatabaseRealm"
   resourceName="UserDatabase"/>
   <Realm
  className="org.apache.catalina.realm.JNDIRealm"
  
   connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC=de"
  
   How do you get away with an empty domainComponent?  DC= ?

 Sorry for confusing, this seems to be a mistake. In my original config I of
 course got DC=DOM,DC=de.

 Does fixing that solve the issue?  Does Tomcat start with this
configuration?  Anything in the logs?


Re: Scripting Tomcat installation versus multiple instances

2014-03-26 Thread Leo Donahue
On Wed, Mar 26, 2014 at 11:32 AM, Sebastien Tardif 
sebastien.tardif.contrac...@gmo.com wrote:

 I'm confused by the commands given by Tomcat documentation about creating
 different instances, it says: service install instance1 but service is
 not a command provided by Tomcat or Windows, see
 http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html#Multiple_Instances

 Almost everything I'm trying to automate using that page is not working,
 maybe it's rare people automate installation on Windows?


The service command is located here:  \apache-tomcat-7.0.52\bin

change directories to this location and run that command.


Re: Scripting Tomcat installation versus multiple instances

2014-03-26 Thread Leo Donahue
On Wed, Mar 26, 2014 at 12:35 PM, André Warnier a...@ice-sa.com wrote:

 Despite your name, you are too quick (and not lazy enough).
 You could have waited an hour, to get that solution right here.
 ;-)


 Sebastien Tardif wrote:


 Oh no you didn't, just top post. ?


Re: jax-ws and tomcat 7 with ssl

2014-03-19 Thread Leo Donahue
On Tue, Mar 18, 2014 at 2:58 PM, Maria Cristina Siena 
mariacristinasi...@sourcecable.net wrote:

 Hi,

 I developed a web service using jax-ws and configured Tomcat to support
 SSL connection. Here are my steps:

 ** Step 1 - Generate a self-signed server certificate

 Use JDK 1.7 keytool:

 keytool -genkey -alias trackerdev -keypass changeit -storepass changeit
 -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext san=ip:xx.x.x.xxx

 Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere,
 ST=provincenamehere, C=ca correct?
   [no]:  yes

 They claim that the certificate is not properly signed. Well, I don't
 know. It is a self-signed certificate.



How do they access your web service?  Using the fully qualified machine
name in the URL?

Does CN=xx.x.x.xxx represent your server name?

If the cert is created for your server name, and your other team is on the
same network, all they need to do is place the cert in their trusted store
and it should be fine.

The name of the cert should be the same name your team would use to access
your server.

In other words, when your team views the certificate from their end, it
should say something like:

Issued to:  your fully qualified server name
Issued by:  your fully qualified server name

You are essentially issuing your server a cert by your server.

Did this help or make it worse?


Re: Tomcat 7 : Configure redirect url for session timeout

2014-03-16 Thread Leo Donahue


On 3/14/2014 4:18 PM, Akash Jain wrote:

I want to redirect user to / with a query parameter to indicate that
session has timed out.

I don't follow you.  What do you mean by use a query parameter?  You 
want to display a notification to the user in the URL?


Do you mean like this: http://www.myhomepage.com/?notice=sessiontimeout




Re: JNDIRealm - Active Directory Roles

2014-03-14 Thread Leo Donahue
On Fri, Mar 14, 2014 at 2:12 AM, bjoern.bec...@easycash.de wrote:

 Hello,

 thanks for your reply. It doesn't make any difference.

 I don't understand how the authenticated user receive permissions for one
 of these roles:

 <role rolename="manager"/>
 <role rolename="tomcat"/>
 <role rolename="admin"/>
 <role rolename="manager-gui"/>
 <role rolename="manager-jmx"/>


That is a UserDatabaseRealm: org.apache.catalina.realm.UserDatabaseRealm

Those roles are different than what would be in your ldap, which is a:
org.apache.catalina.realm.JNDIRealm

Which realm do you want to use?


Re: Tomcat-user versus StackOverflow

2014-03-14 Thread Leo Donahue
On Fri, Mar 14, 2014 at 6:10 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 All,

 I'm finding a lot of questions lately posted simultaneously to both
 tomcat-user and to StackOverflow. How does the Tomcat community feel
 about that?

 Any opinions?

 - -chris

 I don't prefer sites that require I have an account to log in.  I don't
see a benefit to it nor do I care about badges either.

There are too many sites to remember all those log ins. I prefer the list,
or things like lists.  Or like Mr. Wood, I comb through those sites if I
have to.

However, this kind of thing happens on other sites in which I participate.
A user wants an answer to their question and casts a net in several
different forums on the same site.  It doesn't help them and it makes
searching for the answer harder because the keywords are now in several
different forum areas and maybe the answer came in only one of those forum
areas.


Re: Tomcat-user versus StackOverflow

2014-03-14 Thread Leo Donahue
On Fri, Mar 14, 2014 at 8:02 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Leo,

 On 3/14/14, 10:58 AM, Leo Donahue wrote:
  On Fri, Mar 14, 2014 at 6:10 AM, Christopher Schultz 
  ch...@christopherschultz.net wrote:
 I was happy to see SO demolish the Experts Exchange overnight. Their
 site got great Google rankings but never gave you any actual answers
 unless you paid them.

 - -chris


I think the SO and Experts Exchange sites partly contribute to the idea
that new users think they can post questions and expect to get vending
machine answers. It's a hard culture to change.


Re: Tomcat 7 : Configure redirect url for session timeout

2014-03-14 Thread Leo Donahue
On Fri, Mar 14, 2014 at 3:04 PM, Akash Jain akash.delh...@gmail.com wrote:

  I have following configuration in `web.xml` in tomcat 7. I am wondering if
 I can add any configurable parameter here, so that if user tries to do any
 operation post 30 minutes, I redirect the user to our home page.

 <session-config>
   <session-timeout>30</session-timeout>
   <cookie-config>
     <domain>mydomain.mycompany.com</domain>
     <http-only>true</http-only>
     <secure>false</secure>
   </cookie-config>
   <tracking-mode>COOKIE</tracking-mode>
 </session-config>


My first thought is you could catch the error in web.xml using an
error-page and error-code 408, and then use a location to redirect?

http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletResponse.html


Re: Tomcat 7 : Configure redirect url for session timeout

2014-03-14 Thread Leo Donahue
On Fri, Mar 14, 2014 at 3:48 PM, Akash Jain akash.delh...@gmail.com wrote:
Leo,

If any request comes after session timeout interval ... why would it go
into error ?

Perhaps because the request/response that was created with a session is no
longer valid after the session timeout.  What other option would you have
if not an error-page?


Re: JNDIRealm - Active Directory Roles

2014-03-13 Thread Leo Donahue
On Thu, Mar 13, 2014 at 10:15 AM, bjoern.bec...@easycash.de wrote:

 Hello,

 server.xml:
 <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
 connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"

 connectionPassword="_2VK!WHzybn1SJ8P"

 connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"

 userSearch="(sAMAccountName={0})"
 userSubtree="true"

 roleSearch="(memberof={0})"
 roleSubtree="true"
 userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
 />

 <!--roleBase="DC=DOM,DC=de"
 roleName="cn"
 -->


Lines that are different in my context:

connectionURL=ldap://fully.qualified.server.name:389;
userSearch=(&amp;(objectCategory=person)(sAMAccountName={0}))
roleSearch=(member={0})
userRoleName=memberOf

I don't know if it makes a difference for you or not.


Re: Site down for maintenance senario

2014-03-12 Thread Leo Donahue
On Wed, Mar 12, 2014 at 11:28 AM, John Smith tomcat.ran...@gmail.com wrote:

 Is there a straightforward way to toggle or add something in Tomcat, in the
 event a webapp is intentionally taken 'offline for maintenance? The user
 would receive the same single notification page saying as much, for any and
 all requests.

 Tomcat 7.0.42


What would respond to the user's request if the web app they asked for is
down?  All you are going to get is a not found error which will be handled
by your ROOT web application.


Re: Site down for maintenance senario

2014-03-12 Thread Leo Donahue
On Wed, Mar 12, 2014 at 11:51 AM, Leo Donahue donahu...@gmail.com wrote:

 On Wed, Mar 12, 2014 at 11:28 AM, John Smith tomcat.ran...@gmail.comwrote:

 Is there a straightforward way to toggle or add something in Tomcat, in
 the
 event a webapp is intentionally taken 'offline for maintenance? The user
 would receive the same single notification page saying as much, for any
 and
 all requests.

 Tomcat 7.0.42


 What would respond to the user's request if the web app they asked for is
 down?  All you are going to get is a not found error which will be handled
 by your ROOT web application.


I wonder if parallel deployment is an option for you?  Maybe someone else
will have a better idea.

webapp#1.war could be your notice web app, while webapp#2.war could be your
normal site.

Deleting webapp#2.war would make requests fall back to your web app that
notifies the user the site is down.

Redeploying an updated webapp#2 would then override the other one.


Re: Site down for maintenance senario

2014-03-12 Thread Leo Donahue
On Wed, Mar 12, 2014 at 11:58 AM, Leo Donahue donahu...@gmail.com wrote:

 On Wed, Mar 12, 2014 at 11:51 AM, Leo Donahue donahu...@gmail.com wrote:

 On Wed, Mar 12, 2014 at 11:28 AM, John Smith tomcat.ran...@gmail.comwrote:

 Is there a straightforward way to toggle or add something in Tomcat, in
 the
 event a webapp is intentionally taken 'offline for maintenance? The user
 would receive the same single notification page saying as much, for any
 and
 all requests.

 Tomcat 7.0.42


 What would respond to the user's request if the web app they asked for is
 down?  All you are going to get is a not found error which will be handled
 by your ROOT web application.


 I wonder if parallel deployment is an option for you?  Maybe someone else
 will have a better idea.

 webapp#1.war could be your notice web app, while webapp#2.war could be
 your normal site.

 Deleting webapp#2.war would make requests fall back to your web app that
 notifies the user the site is down.

 Redeploying an updated webapp#2 would then override the other one.


Redeeming myself

Use two # symbols.  webapp.war  would be an earlier version of webapp##1.war

Read this:
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Parallel_deployment


Re: Site down for maintenance senario

2014-03-12 Thread Leo Donahue
On Mar 12, 2014 2:15 PM, André Warnier a...@ice-sa.com wrote:

 I was going to suggest to replace the normal myApp.war by one named
similarly, but returning an "on maintenance" page.
 But the solution above is cleverer.
 Bonus points.

Thanks.  I've never had bonus points before. ;)


Re: Tomcat and Spring Framework

2014-03-10 Thread Leo Donahue
On Mon, Mar 10, 2014 at 12:58 PM, Mark H. Wood mw...@iupui.edu wrote:

 It's probably worth asking what full-fledged enterprise applications
 means.  I'm not aware of any specification with that title.


That was a Spring term from the page I was reading, and the reason I
asked the question.

Tomcat itself is not a J(2)EE application server.  I have been under the
impression that one could successfully implement *some* of the J(2)EE
stack carefully on Tomcat through other means.

Spring is one of those means?

From what I've been reading about Spring in the last three days, it is
essentially a bunch of design patterns turned into objects.  Dependency
Injection through patterns - I get that.  The AOP part of Spring is
basically a mechanism for applying object behavior to other objects without
composition.  I know I have that wording wrong, but essentially, AOP through
the use of point-cuts lets me apply the object behavior of logging to other
objects without those objects being composed of my logging objects.  I
don't know how I would do that with a pattern, unless it is some kind of
front controller pattern - but I don't know.

So, Spring allows Tomcat to host full-fledged enterprise applications
that would normally require a J(2)EE application server like Glassfish?
That is what I was asking, without saying it specifically.


Re: The Service Component

2014-03-10 Thread Leo Donahue
On Mon, Mar 10, 2014 at 10:15 AM, André Warnier a...@ice-sa.com wrote:


 It is particularly nice to know that it works, and that the Service
 element really (apparently) corresponds to something real at the Tomcat
 level.  So it is apparently not just an element of order allowing to
 group Connectors with Engine.
 Which is contrary to what I imagined, and which I believe definitely
 answers the original OP's question (at least the first part).


Yes, question answered.

So some use the multiple Service in server.xml for app isolation or in
place of virtual hosting.

Mr. Janner indicates he has to modify 7 values in his server.xml  I guess I
have that many as well.

I also find this is needed if running multiple instances of Tomcat but I
don't want to change the subject of this thread.

I have to change the following in server.xml when I add more Tomcat
instances or upgrade:

server shutdown port
connector port for HTTP
connector port for AJP
realm org.apache.catalina.realm.UserDatabaseRealm if digesting passwords in
tomcat-users.xml
host appbase (optional depending on config)
valve org.apache.catalina.valves.AccessLogValve (optional depending where
you like the root log to go)
cleaning up all the comments...

My down time is minimal, but I find I do some prep work before I remove
the old windows service and install the new.  My down time consists of the
time it takes to take one instance down and start the new one, and maybe 20
min of prep work glaring at the server.xml to make sure I didn't miss some
configuration.


Re: The Service Component

2014-03-10 Thread Leo Donahue
On Mon, Mar 10, 2014 at 7:26 AM, Jeffrey Janner jeffrey.jan...@polydyne.com
 wrote:

  -Original Message-
  From: Leo Donahue [mailto:donahu...@gmail.com]
  Sent: Friday, March 07, 2014 9:44 AM
  To: users@tomcat.apache.org
  Subject: The Service Component
 
  Who uses more than one Service in their server.xml and why?  I get that
  you can have multiple Connectors if you have multiple Service
  components but why use multiple connectors?
 
  Are there any docs on the use cases for these features?
 

 Hi Leo,
 I may be the only person on this list who does this consistently.
 I use it as an alternative method of virtual hosting, i.e. each host gets
 its own Service and related sub-structure.


You are lucky you have control over that.  I have no luck asking our data
center to add another host entry to our web server.  I always ask them,
isn't it easier than asking you for another vm?  :)


Re: Tomcat7w.exe

2014-03-09 Thread Leo Donahue
On Fri, Mar 7, 2014 at 12:43 PM, Howard W. Smith, Jr. 
smithh032...@gmail.com wrote:


 Actually, i hate clicking on things... I use Windows keyboard shortcuts as
 much as possible.


Even when you run the following command, you still get a GUI.

Tomcat7w //ES/Tomcat7

Do you Ctrl + Tab your way through that dialog?

Plus, I don't know what this is supposed to edit, but it doesn't change the
values in the Tomcat7w.exe dialog:
Tomcat7 //ES//Tomcat7 --Startup=Auto  (or Automatic)

Running that command still shows Manual in the Startup type on the
General tab.


The Service Component

2014-03-07 Thread Leo Donahue
Who uses more than one Service in their server.xml and why?  I get
that you can have multiple Connectors if you have multiple Service
components but why use multiple connectors?

Are there any docs on the use cases for these features?




Re: The Service Component

2014-03-07 Thread Leo Donahue
On Fri, Mar 7, 2014 at 9:01 AM, Leon Rosenberg rosenberg.l...@gmail.com wrote:
 Hello,

 I do use multiple connectors but one service.
 Multiple connectors to separate user traffic from admin/management traffic.
 For example if due to overload no threads are available to server http
 request on the 'main' connector, I still can look into the app, to see what
 is going on, over my administrative connector.

 Leon

You are just changing the port number then in your administrative
connector, in the same Service element?




Re: The Service Component

2014-03-07 Thread Leo Donahue
On Fri, Mar 7, 2014 at 9:37 AM, Christopher Schultz
ch...@christopherschultz.net wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Leo,

 On 3/7/14, 10:44 AM, Leo Donahue wrote:
 Who uses more than one Service in their server.xml and why?  I get
 that you can have multiple Connectors if you have multiple Service
 components but why use multiple connectors?

 You can already have multiple Connectors per Service but the
 difference is that all Connectors in Service can access all web
 applications in that Service.

 Are there any docs on the use cases for these features?

 Let's say that you wanted to deploy a non-secure webapp (/open) and a
 secure webapp (/secure). And let's say that you were terribly paranoid
 about proper setup: you want to make sure that nobody can access your
 /secure webapp without going through HTTPS.

 If you were to simply do this:

 <Service>
   <Connector port="80" /><!-- let's just be brief -->
   <Connector port="443" />
   <Host appBase="webapps" />
 </Service>

 ... then anyone could access either web application via http:// and
 https://. (Of course, you'd set CONFIDENTIAL in your web.xml, but
 remember, we're being paranoid, here).

 Instead, you can do this:

 <Service>
   <Connector port="80" /><!-- let's just be brief -->
   <Host appBase="insecure-webapps" />
 </Service>
 <Service>
   <Connector port="443" />
   <Host appBase="secure-webapps" />
 </Service>

 This way, anyone requesting http:///secure would get a 404.

 I'm sure you could come up with a real-world use-case for the above,
<snip>
It's good enough to get the wheels turning...  Thanks.
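
An added example, not part of the original thread: a small audit that parses a server.xml and reports which Connector ports can reach which Host appBase, applied to the two layouts quoted above. The Engine wrappers, the Service/Engine names and the SSLEnabled attribute on the 443 connector are assumptions filled in here so that the constructed fragments resemble a real server.xml.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments modelled on the two layouts in the thread.
# Assumption: Engine elements, names and SSLEnabled are filled in for this example.
SHARED_SERVICE = """\
<Server>
  <Service name="Catalina">
    <Connector port="80" />
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

SPLIT_SERVICES = """\
<Server>
  <Service name="open">
    <Connector port="80" />
    <Engine name="open" defaultHost="localhost">
      <Host name="localhost" appBase="insecure-webapps" />
    </Engine>
  </Service>
  <Service name="secure">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true" />
    <Engine name="secure" defaultHost="localhost">
      <Host name="localhost" appBase="secure-webapps" />
    </Engine>
  </Service>
</Server>
"""


def connector_reach(server_xml):
    """Map each Host appBase to the sorted (port, is_tls) connectors that can reach it.

    Every Connector in a Service feeds that Service's Engine, so all Hosts
    under the Service are reachable from all of its Connectors.
    """
    root = ET.fromstring(server_xml)
    reach = {}
    for service in root.iter("Service"):
        connectors = set()
        for conn in service.findall("Connector"):
            port = conn.get("port")
            if port is None:
                continue  # nothing to report without a port number
            is_tls = conn.get("SSLEnabled", "false").lower() == "true"
            connectors.add((int(port), is_tls))
        for host in service.iter("Host"):
            reach.setdefault(host.get("appBase"), set()).update(connectors)
    return {app_base: sorted(conns) for app_base, conns in reach.items()}


def plaintext_exposure(server_xml, protected_app_bases):
    """Return (appBase, port) pairs where a protected appBase sits behind a non-TLS connector.

    AJP connectors are reported as well, since they carry no SSLEnabled="true".
    """
    findings = []
    for app_base, conns in connector_reach(server_xml).items():
        if app_base in protected_app_bases:
            findings.extend((app_base, port) for port, is_tls in conns if not is_tls)
    return sorted(findings)


if __name__ == "__main__":
    print(plaintext_exposure(SHARED_SERVICE, {"webapps"}))
    print(plaintext_exposure(SPLIT_SERVICES, {"secure-webapps"}))
```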




Tomcat7w.exe

2014-03-07 Thread Leo Donahue
Did I miss something in the documentation about renaming this if one is
running multiple windows services of Tomcat?

ex:
#Prod port 80
c:\apache-tomcat
c:\apache-tomcat\apache-tomcat-7.0.52
service install Tomcat7 (from bin directory here)

#Dev port 8080
c:\apache-tomcat-dev
c:\apache-tomcat-dev\apache-tomcat-7.0.52
service install Tomcat7dev (from bin directory here)

If I run the Tomcat7w.exe from #Dev, all of those settings point to #Prod.

Unless I change the name of Tomcat7w.exe in #Dev to Tomcat7devw.exe, then
everything is fine.

Was that listed in the docs somewhere and I missed it?


Re: Tomcat7w.exe

2014-03-07 Thread Leo Donahue
On Fri, Mar 7, 2014 at 10:58 AM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: Leo Donahue [mailto:donahu...@gmail.com]
  Subject: Tomcat7w.exe

  Did I miss something in the documentation about renaming this if one is
  running multiple windows services of Tomcat?

 Besides the doc André pointed out, it's discussed briefly at the end of
 RUNNING.txt in the Tomcat installation directory.


I re-read that article André listed, again.  I blame my lack of command
line upbringing for not catching that.  Windows people click on things.
Bad habits.

As for RUNNING.txt, I missed that.

And, it is a good idea to rename those files, BEFORE, you issue:  service
install Tomcat7(whatever)
Otherwise, you just need to rename the 'w binary.


Tomcat and Spring Framework

2014-03-07 Thread Leo Donahue
Any Spring developers on the list?

http://docs.spring.io/spring/docs/4.0.2.RELEASE/spring-framework-reference/htmlsingle/#overview-usagescenarios

Is that saying that you can use a regular Tomcat for all of that?

full-fledged enterprise applications on Tomcat?


Re: Tomcat and Spring Framework

2014-03-07 Thread Leo Donahue
On Fri, Mar 7, 2014 at 3:41 PM, Konstantin Kolinko
knst.koli...@gmail.com wrote:

 2014-03-08 2:30 GMT+04:00 Leo Donahue donahu...@gmail.com:
  Any Spring developers on the list?
 
 
 http://docs.spring.io/spring/docs/4.0.2.RELEASE/spring-framework-reference/htmlsingle/#overview-usagescenarios
 

 A link to htmlsingle page?? That takes a while to load.


Yes, sorry.  That is the link to the reference on the quick start page here:
http://projects.spring.io/spring-framework/#quick-start


 Here is a quicker one to that chapter 2.3:


 http://docs.spring.io/spring/docs/4.0.2.RELEASE/spring-framework-reference/html/overview.html#overview-usagescenarios

  Is that saying that you can use a regular Tomcat for all of that?
 
  full-fledged enterprise applications on Tomcat?

 Yes. Why not?

 I'm good with that, just asking.  New to Spring.


Re: Installing the OWF webapp to an existing Tomcat Instance

2014-02-25 Thread Leo Donahue
On Tue, Feb 25, 2014 at 7:17 AM, J. Brian Hall jbrianhall...@me.com wrote:
 Chuck, you are THE MAN!

+1

 One other kink I tried to work-out.  When I go to
 https://localhost:8443/owf, I get the following common message: There is a
 problem with this website's security certificate.  The security certificate
 presented by this website was not issued by a trusted certificate
 authority.  Bla, bla, bla, ...

There is some important stuff in the bla bla part.

If you created your certificate with a domain name, you can't expect
to not get warned when you access your site with the name localhost.
 Did you try putting in the server name or domain name in the URL?
Same error?  What exactly is the error?

Just because the cert wasn't issued by a trusted source doesn't mean
you can't self sign one yourself and use it.  If you created the cert
correctly, and install it in the Trusted Root Certification
Authorities store, you shouldn't get that error message.




Re: Installing the OWF webapp to an existing Tomcat Instance

2014-02-25 Thread Leo Donahue
On Tue, Feb 25, 2014 at 10:57 AM, J. Brian Hall jbrianhall...@me.com wrote:
 Leo,

 -Original Message-
 From: Leo Donahue [mailto:donahu...@gmail.com]
 Sent: Tuesday, February 25, 2014 9:44 AM
 To: Tomcat Users List
 Subject: Re: Installing the OWF webapp to an existing Tomcat Instance

 What exactly is the error?

 Response: No problem. I didn't create the cert, it came with the owf webapp.
 I'm working in a development/test environment so maybe the untrusted
 certificate message is unavoidable?

No, it doesn't matter about your dev environment.  But if the cert
came from someone else, the reason you're getting the Certificate
error in your browser is because the cert wasn't issued to your domain
and wasn't issued by anyone that is a trusted authority to issue certs
in the first place.

 Just because the cert wasn't issued by a trusted source doesn't mean you
 can't self sign one yourself and use it.  If you created the cert correctly,
 and install it in the Trusted Root Certification Authorities store, you
 shouldn't get that error message.

 Response: Assuming the webapp developer created the certs correctly, how do
 I install them in the Trusted Root Authorities store?


In your browser, I'm assuming IE, click on the Certificate Error next
to the address bar, then View Certificate, then Install Certificate.

Using that import wizard, choose the radio option to place the cert in
the following place.  Click browse, then click Trusted Root
Certification Authorities  and finish out the wizard.

I probably wouldn't do this if I were you.  I would generate my own
self signed certificate instead and install that the way I just
described.

If you forget that OWF cert is installed and happen to browse to a
site that requires that cert and the site is really unsafe, you won't
be happy later.
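
An added example, not part of the original thread: the name check behind the certificate warnings discussed in this thread and in the earlier "jax-ws and tomcat 7 with ssl" reply (a cert must carry the name clients actually type, and a self-signed cert is issued to and by the same name). The certificates are constructed dictionaries in the shape returned by Python's ssl.SSLSocket.getpeercert(); all host names and addresses are placeholders.

```python
import ipaddress

# Constructed sample: self-signed cert made for an IP address only
# (CN is the IP and the only SAN is an IP entry, as with "-ext san=ip:...").
IP_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "issuer": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

# Constructed sample: cert issued for DNS names by some other party.
DNS_CERT = {
    "subject": ((("commonName", "owf.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (
        ("DNS", "owf.example.internal"),
        ("DNS", "*.apps.example.internal"),
    ),
}

# Constructed sample: legacy cert with a CN and no subjectAltName at all.
CN_ONLY_CERT = {
    "subject": ((("commonName", "tomcat01.example.internal"),),),
    "issuer": ((("commonName", "tomcat01.example.internal"),),),
}


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_matches(cert, requested):
    """True if the name or address typed into the URL is covered by the cert."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        # An address only matches an IP SAN entry, never a CN or a DNS entry.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    if sans:
        return any(kind == "DNS" and _dns_match(value, requested)
                   for kind, value in sans)
    # Legacy fallback: with no SAN extension, compare against the CN.
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    return cn is not None and _dns_match(cn, requested)


def looks_self_signed(cert):
    """Name-level check only: subject equals issuer. The signature is not verified."""
    subject = cert.get("subject")
    return bool(subject) and subject == cert.get("issuer")


if __name__ == "__main__":
    for cert, name in [(IP_CERT, "192.0.2.10"), (IP_CERT, "tracker.example.internal"),
                       (DNS_CERT, "localhost"), (DNS_CERT, "owf.example.internal")]:
        print(name, cert_matches(cert, name), looks_self_signed(cert))
```

A cert that fails this name check keeps producing a name-mismatch warning even after it has been placed in a trusted store, since trust and name matching are separate checks.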




linux vs windows responses on the list

2014-02-24 Thread Leo Donahue
In general, is it assumed that all responses given to the list assume
the OP is running a version of Linux, if they don't state the OS?

For example, I read the post about Tomcat upgrades/security patching
best practices and the advice given is to modify init.d script.  I
don't recall seeing the OP indicate they run Linux and the list
usually gently bashes people for not being specific about their
environment.

Since I run Tomcat on Windows, I don't know what the init.d script is,
but reading that response I get the feeling that Tomcat on Linux
is a lot easier to manage than Tomcat on Windows, especially if you
are running Tomcat as a Windows service.

I would have thought that another option to that post would be to use
the appBase attribute of a Host element and just move your webapps
out of the traditional location located within the Tomcat installation
directory.  But I guess I didn't understand the OP.

Is it time for us to go to Linux?

Leo




Re: Test to display an empty form by servlet.

2014-02-13 Thread Leo Donahue
On Wed, Feb 12, 2014 at 2:23 PM, JB MORLA jbmo...@gmail.com wrote:
 The purpose of this manual is to demonstrate MVC. In that case, the first
 component that runs is the Controller, that is the servlet.
 If I display an html form that redirects to the jsp, it's the html form
 that has the control.

You are missing some parts to this.

Start here:  http://simple.souther.us/ar01s05.html

Either deploy the .war file to Tomcat or change it to a .zip and
explore the contents.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Test to display an empty form by servlet.

2014-02-12 Thread Leo Donahue
On Wed, Feb 12, 2014 at 1:10 PM, JB MORLA jbmo...@gmail.com wrote:
 If there is a field called username, in a form with url registration ,
 how can I display the form the first time in Tomcat 7? (When the field is
 empty)

 initialize the username property?




Re: [OT] question regarding tomcat source code and dependencies

2014-02-07 Thread Leo Donahue
On Fri, Feb 7, 2014 at 1:50 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Leo,

 So... what does this all have to do with the recent security announcement?

 Hope that helps,
 - -chris

I thought I was black listed there for a day, or maybe it wasn't
Tomcat-list-worthy.  That thread never showed up in my inbox, but it
was in MarkMail.. Maybe gmail is having problems lately..

To answer your question, what it has to do with the announcement:  nothing.

I read the announcement, looked at the source code for that class and
started applying what I saw to what I had been reading about lately.
that is all, personal interest.

I appreciate the comments.

Leo




question regarding tomcat source code and dependencies

2014-02-06 Thread Leo Donahue
This question was spawned by two things:

I'm reading a book on Dependency Injection
The latest security announcement - reading the source for FileUploadBase.java

Some reading material suggests that one use a simple factory pattern
to move object creation dependencies to a different class.

I see where the object dependencies that FileUploadBase.java has, like
FileItemIteratorImpl, just simply place those dependent classes in the
same java source file.

I don't see a problem with that approach, should I?

Leo



