RE: [OT] WEB-INF
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: [OT] WEB-INF I'd prefer to see a clearer requirement for it from the user base What about a single site with multiple webapps all laid out with the same header/footer, left/right navigation styles ? - all static content. I understand now that the build/deploy process will take care of the redundant templates. A change in one header/footer just means I redeploy every web app using it - or essentially all of them. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] WEB-INF
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: [OT] WEB-INF ...I'd encourage you to grab the 8.0.x source, built it and try out the new resource handling. Feedback welcome. From here? http://ci.apache.org/projects/tomcat/tomcat8/docs/building.html The source download link (http://tomcat.apache.org/download-80.cgi ) says permission denied. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 8 Resources - webAppMount
Is this saying that one can mount a directory under WEB-INF with a custom path? One of my biggest struggles with JSF page navigation is placing resources under WEB-INF and then figuring out how to navigate from a page that was forwarded to WEB-INF and that page under WEB-INF also needs to forward to another page in WEB-INF. The JSF navigation is usually one page behind the current page unless you explicitly redirect, which you can't do if the resource is in WEB-INF, so I end up with a 404 trying to forward from page1 in WEB-INF to page2 in WEB-INF. The only solution I see is exposing the last page in the root of the context or ditch the JSF framework and go back to straight servlets. This new feature sounds like it would help, but wouldn't it defeat the purpose of placing resources in WEB-INF? Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] WEB-INF
-Original Message- From: Tim Funk [mailto:funk...@apache.org] Subject: Re: [OT] WEB-INF Its a best practice to keep your jsp's inside of WEB-INF. Since WEB-INF/ is not allowed to be requested by the browser - its a simple enforcement mechanism to prevent users from direct access to calling jsps. Thanks Tim. A lot of old reference books on servlets/JSP never really touched on this topic, and I've read about placing resources in WEB-INF on the web somewhere since then. I was curious if this practice was originally by design or if the benefit was realized after the servlet spec - such as someone deciding hey, we should put stuff in WEB-INF. (Since it may be common to have jsp's as snippets for header / footers etc -- and there for they might be able to be called in surprising ways and exposing funny attacks) You mention header/footers, which was in the back of my mind when I posted this. Placing headers/footers in WEB-INF doesn't allow me to re-use these in different webapps, without having multiple copies of these? If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't reference it from \webapps\App2\WEB-INF\templates ... or can I? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
[OT] WEB-INF
When did it start that developers decided to place jsps in the WEB-INF directory? Was that intended from the beginning, or was it stumbled upon? Leo
CORS on Tomcat?
Does Tomcat support setting this header on the server? Header set Access-Control-Allow-Origin * If yes, where do we set it? Leo
RE: CORS on Tomcat?
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: CORS on Tomcat? -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Leo, On 5/21/13 11:34 AM, Leo Donahue - RDSA IT wrote: Does Tomcat support setting this header on the server? Header set Access-Control-Allow-Origin * If yes, where do we set it? You should know how to do this by now: url-rewrite. Thanks Chris. But.. but.. Apache has it... I wanted to avoid using a proxy that turns lengthy GET requests into POST requests for one of our REST based web apps. I was reading online where Cross Origin Resource Sharing was possible on some servers. Specifically here: http://enable-cors.org/server.html If you are using this with the CSRF prevention filter, you probably want to also mention those other domains in the entryPoints attribute. - -chris
RE: CORS on Tomcat?
-Original Message- From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: RE: CORS on Tomcat? -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: CORS on Tomcat? -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Leo, On 5/21/13 11:34 AM, Leo Donahue - RDSA IT wrote: Does Tomcat support setting this header on the server? Header set Access-Control-Allow-Origin * If yes, where do we set it? You should know how to do this by now: url-rewrite. Thanks Chris. But.. but.. Apache has it... I wanted to avoid using a proxy that turns lengthy GET requests into POST requests for one of our REST based web apps. I was reading online where Cross Origin Resource Sharing was possible on some servers. Specifically here: http://enable-cors.org/server.html I realize I can set the header in the response, but was hoping this can be something we set on the server for a specific context maybe? response.setHeader(Access-Control-Allow-Origin, *); response.setHeader(Access-Control-Request-Method, GET,POST); Before IE supported this, Firefox did, which made it nice for some users who wanted to make an cross origin ajax requests to one of our servlets.
RE: CORS on Tomcat?
-Original Message- From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Sent: Tuesday, May 21, 2013 9:33 AM To: Tomcat Users List Subject: RE: CORS on Tomcat? B KKK KCB [ X ܚX KK[XZ[ \ \ ][ X ܚX P X ] \X K ܙ B ܈Y][ۘ[ [X[ K[XZ[ \ \ Z[ X ] \X K ܙ B Um. I didn't say that.
unsupported color?
Tomcat 7.0.37 This line frequents my catalina logs: May 13, 2013 8:29:25 PM com.esri.rest.json.SymbolJson color SEVERE: Unsupported Color: HsvColor How does this package cause Tomcat to throw a severe error? Why does Tomcat care whether the color is unsupported? Unsupported by ... ? Leo
RE: unsupported color?
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: unsupported color? On 14/05/2013 15:49, Leo Donahue - RDSA IT wrote: Tomcat 7.0.37 Unsupported by ... ? Ask your application vendor. Mark I would if I could... lol. It's all coming together now. Proxy Error The proxy server received an invalid response from an upstream server. The proxy server could not handle the request POST /index.cfm. Reason: Error reading from remote server ArcWS/4.0.20 Server at support.esri.com Port 80 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
server jvm
Installing Tomcat 7.0.39 using the service.bat will pick up the server jvm.dll located in the jdk directory, but now that there is a separate download for a server jre at 7u21, should we be using that instead? C:\Program Files\Java\jdk1.7.0_21\jre\bin\server\jvm.dll Or use the new Server JRE at 7u21 that is now a separate download. Leo
RE: getting the request that created the session
___ From: Leon Rosenberg [rosenberg.l...@gmail.com] Subject: Re: getting the request that created the session would ServletRequestListener being notified prior to any Filter execution? According to the docs, yes. A ServletRequest is defined as coming into scope of a web application when it is about to enter the first servlet or filter of the web application, and as going out of scope as it exits the last servlet or the first filter in the chain. http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequestListener.html - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 7.0.33 manager - 403 Access Denied
-Original Message- From: Shanti Suresh [mailto:sha...@umich.edu] Subject: Tomcat 7.0.33 manager - 403 Access Denied All, I am wondering what I'm doing wrong - the Manager application is denying me access. Here are the details: Tomcat version: 7.0.33 JDK version: java version 1.7.0_09 Java(TM) SE Runtime Environment (build 1.7.0_09-b05) Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode) Operating System: RedHat Linus - 2.6.18-348.4.1.el5 Steps I took to permit manager: (1) $CATALINA_HOME/conf/Catalina/localhost/manager.xml--: Context path=/manager privileged=true antiResourceLocking=false docBase=${catalina.home}/webapps/manager Valve className=org.apache.catalina.valves.RemoteAddrValve allow=127\.0\.0\.1/ /Context (2) --$CATALINA_HOME/conf/tomcat-users.xml:-- user username=jmxparty password=r5678dcdddxx roles=standard,manager-jmx / Is that password really the SHA value of something? If your password was: password1, then you would store the SHA value of password1 in your tomcat-users.xml --- (3) $CATALINA_HOME/conf/server.xml:--Added digest=SHA:- Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase digest=SHA/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
-Original Message- From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 also, if an 'ANN' email was sent, where /expert tomcat/ users can derive/develop a list of the popular/frequent URLs that bots use when attempting to compromise /tomcat/ servers. Wouldn't this depend on what user applications are deployed on the Tomcat server? By default, I thought we concluded that Tomcat out of the box is not compromised? Did I mis-read something? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 That's the idea. That is one reason why I brought this discussion here : to check if, if the default factory setting was for example 1000 ms delay for each 404 answer, could anyone think of a severe detrimental side-effect ? What if I send 10,000 requests to your server for some file that is not there?
RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Wednesday, April 17, 2013 10:28 AM To: Tomcat Users List Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 Leo Donahue - RDSA IT wrote: -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 That's the idea. That is one reason why I brought this discussion here : to check if, if the default factory setting was for example 1000 ms delay for each 404 answer, could anyone think of a severe detrimental side-effect ? What if I send 10,000 requests to your server for some file that is not there? Then you will just have to wait 10,000+ seconds in total before you get all your corresponding 404 responses. Which is exactly the point. Do you know of a real legitimate scenario in which a HTTP client (or more of them) would issue lots of requests for resources which they know might not be there ? No, I honestly don't. I was thinking like a miscreant in that I would do it intentionally to force your server to queue for the next 2.5 hours to return 404 messages to those 10,000 requests for nothing. Now I would have a new tool for DOS? But you point out something interesting further down... (this is a real question; it might be that there is, and that would be a real flaw to the scheme) More details : - legitimate, well-written applications should not normally be returning pages to the user, which contain lots of links which lead to nothing and result in 404 errors. So once a browser got to one of your normal pages, he should be able to continue navigating your site by clicking on links that work, not links that result in 404. So adding a 1 second delay before returning a (legitimate) 404 response should not bother legitimate users of legitimate applications too much. Even genuine legitimate and useful bots (like the Google ones), get your home page, and then (unless you tell them not to), they follow the links that they find there to get more pages and index your site. So they too should not get much inconvenienced by a delay in the 404 responses. - on the contrary, the way hacking bots work is that they are purposely trying to find, on your server, specific links which are known to sometimes correspond to generic applications which have security flaws. On most servers, these links do /not/ correspond to real available resources, so they result in 404 errors. That is what the bots expect, so when they get a 404 for one such link, they immediately try the next buggy one in their list, etc. If they get 404's for all of them, then they will give up, and switch to scanning some other server. In that case, by returning the 404 response quickly, you are actually helping them to spend little time on a non-existent flaw and to be able to try the next one sooner. But if for each 404 response, you force them to wait 1 second instead of 10 milliseconds, then you immensely slow them down. They will have to wait that 1 second, because otherwise they could never be sure if your server (or the network at that moment) is really slow, or if this is a deliberate delay. (And if you're really into making this even more annoying for them - hehe - you could even slightly vary the delay for each 404, say between 0.5 and 3 seconds, to make it even more unlikely that they will figure out some pattern). A vital part is to design an implementation for this, that from the point of view of your own server, is as lightweight as possible. You do not want to force one of your real working threads or instances to have to sit there during the 1 s delay doing nothing. You'd want to hand off this connection and response to some specialised lightweight thread, and go handle the next real worthy request. So you are saying it could be possible to know in advance that certain requests are for repeated requests of nothing or being made by a bot, versus regular legitimate requests, in order to move those bot requests off to another thread? But I am sure that the tomcat gurus here will have some good ideas for that part.
RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 4/17/13 8:49 AM, Mark H. Wood wrote: Yes. But someone *does* own the botted computers, and their own operations are slightly affected. I have wondered if there is some way to make a bot so intrusive that many more owners will ask themselves, why is my computer so slow/weird/whatever? I'd better get it looked at. Maybe I should install a virus scanner. People *do* do this (notice their computer sucking) but mostly (at least Americans) will just go out and buy another one, assuming that their computer just isn't fast enough to work well after owning it for a few years. soapboxIt's sad that most of us have more computing resources beneath our fingertips than spacecraft do, yet we upgrade every few years because MS Office has gotten fatter. /soapbox And no one ever uses (or knows about) the restore partition when their pc becomes full of junk. However, the old P4 laptop I have running XP with 2GB of RAM and dedicated video RAM doesn't do much for websites these days running a lot of graphics.. ahem Silverlight, flash, etc... The web is also getting fat. - -chris
RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 So you are saying it could be possible to know in advance that certain requests are for repeated requests of nothing or being made by a bot, versus regular legitimate requests, in order to move those bot requests off to another thread? No, not at all. It would be nice but no. What I mean is that any 404 response should be handed off to one of these lightweight processes, so that the real useful process doesn't have to handle it. Of course some processing has already taken place to find out that the target resource of this URL does not exist and that responding with a 404 code is appropriate. But as soon as this is determined, the rest should be sub-contracted to a simple sidekick, which will do the 1 second wait and then send back the response on the connection and then close the connection. In the meantime, the real useful webserver process can be available to process the next request (which can be bogus again, but nothing to do about this). No need for this real valuable complex process to spend his own time waiting for 1 second, sending the 404, closing the connection etc.. And we do not really care if this sidekick, 404-sending-only process has a backlog at some times, and sometimes takes longer than 1 second to finish off this 404 response, do we ? No, I guess not. And.. If I'm understanding the point you are making, you're saying that delaying the 404 response slows down the ability of the bots to collect information. The bots will *still* collect data, it will just take them longer to get the list of possible exploits? Not knowing anything about the history of the HTTP 404 method, if a server does not find a matching request URI, why was it decided that the protocol would even respond at all? Seems like the request could have just been ignored or dropped. [Way OT...] If you get this to work, then the next place you can take this idea is to the phone company. Why should my phone even ring at all if I know the caller is from an 800 number... or from some other list of people I don't care to talk to ... I would love it if those guys had to wait 10 or 20 seconds between rings... that would be great!!
RE: [OT] Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: [OT] Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404 Leo Donahue - RDSA IT wrote: ... [Way OT...] If you get this to work, then the next place you can take this idea is to the phone company. Why should my phone even ring at all if I know the caller is from an 800 number... or from some other list of people I don't care to talk to ... I would love it if those guys had to wait 10 or 20 seconds between rings... that would be great!! You know, you may just have stumbled upon the idea for the next killer app there. The Phone-URLRewrite-App : ifcurrentCall.caller.phoneNumber.matches(/^800.*/)/if thencurrentCall.redirect(agenda.entry(mother-in-law).phoneNumber)/then I don't think she would mind. On the other hand, she could be volunteer to much info by being chatty. (good thing no one in my family reads this list...)
server.xml shutdown port command string
In the Tomcat docs pertaining to security considerations, in the server.xml section, it talks about if the shutdown port is not disabled, a strong password should be configured for bshutdown/b http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Server In the Tomcat docs for configuration, the serve.xml page talks about the shutdown attribute but uses the phrase command string. Is the command string what is being called the password on the security-howto page? http://tomcat.apache.org/tomcat-7.0-doc/config/server.html#Common_Attributes Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: explanation of resource-ref in web.xml
From: Jakub 1983 [jjaku...@gmail.com] Sent: Wednesday, April 17, 2013 7:26 PM To: Tomcat Users List Subject: explanation of resource-ref in web.xml What the hell is resource-ref in web.xml used for ? I use it in a context, to define a Resource such as a database connection. There is an example here: http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html#MySQL_DBCP_Example - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: resource-ref in web.xml
From: Jakub 1983 [jjaku...@gmail.com] Subject: resource-ref in web.xml when I define database conn in context.xml, resource-ref is not needed at all, so what is it actually for ? ** You need something to lookup from your Java src file: Context ctx = new InitialContext(); ds = (DataSource) ctx.lookup(java:comp/env/jdbc/whatever_you_called_this_in_resource-ref); (res-ref-name that is) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: server.xml shutdown port command string
From: Caldarale, Charles R [chuck.caldar...@unisys.com] Subject: RE: server.xml shutdown port command string From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: server.xml shutdown port command string Is the command string what is being called the password on the security-howto page? Yes, they're the same thing; the text should be more consistent. Note that the shutdown port is only used with IP address 127.0.0.1; it's not available outside of the box Tomcat is running on. - Chuck * If I am the only person deploying web apps (that I have developed), should I still consider changing this command string value to something more complex? Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Adding Content-Length response header
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Adding Content-Length response header -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, Here's the situation I have: I've got a response that I'm fairly sure fits into the response's buffer size, and I'd like to send a Content-Length header in that case. I could probably put a wrapper around the response's ServletOutputStream that counts bytes and then looks for done conditions (OutputStream.close, etc.), then adds a Content-Length header if the response hasn't yet been committed. What about using a ByteArrayOutputStream? It has a size method and you could use that in the response.setContentLength() and write out the ByteArrayOutputStream to your ServletOutputStream? Maybe? Thanks, - -chris
[OT] repos/asf/tomcat
Trying to teach myself Subversion by way of the Eclipse plugin (Subversive SVN Team Provider, SVNKit 1.7.8 Implementation) and I'm looking at the tomcat repository and trying to understand what I'm seeing. What is the difference between the trunk directory at the root of http://svn.apache.org/repos/asf/tomcat/ and the trunk directory in the /tc7.0.x/ ? /repos/asf/tomcat/is the repository? /tc7.0.x/ is the project in that repository? Of course, my eclipse subversion plugin only gives me a local repository, so perhaps Subversion running in a web server is slightly different than what I can do with this plugin? Sorry for the OT post. Leo
RE: [OT] repos/asf/tomcat
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: [OT] repos/asf/tomcat On 21/03/2013 16:53, Leo Donahue - RDSA IT wrote: Trying to teach myself Subversion by way of the Eclipse plugin (Subversive SVN Team Provider, SVNKit 1.7.8 Implementation) and I'm looking at the tomcat repository and trying to understand what I'm seeing. What is the difference between the trunk directory at the root of http://svn.apache.org/repos/asf/tomcat/ and the trunk directory in the /tc7.0.x/ ? /repos/asf/tomcat/is the repository? /tc7.0.x/ is the project in that repository? Of course, my eclipse subversion plugin only gives me a local repository, so perhaps Subversion running in a web server is slightly different than what I can do with this plugin? Sorry for the OT post. Leo http://tomcat.apache.org/svn.html Mark Thanks. Repository structure !(necessarily)= project structure ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: problems faced in deploying servlet
-Original Message- From: Satya Priya Das [mailto:am_sp...@yahoo.co.in] Subject: problems faced in deploying servlet I am a retd. software person,worked with autocoder,COBOL,assembler,c, and now trying to learn java, I am using Java for the Web with Servlets,jsp,and EJB by Budi Kurniwan, but unfortunatetely the tomcat v4 has been used in the book for examples. Downloading of tomcat6.0.36, and installing of tomcat has been done success fully.The example in chapter one has been compiled and tested o.k.,The servlet context example compiled and deployed successfully. Now the example for RequestDemoServlet has been compiled o.k, but when I want to deploy the example with index.html file using action element, the source not found message is displayed. I have used alias name,class name, even url-mapping but result is same. A directory myapp has been created under which subdirs are build,doc,web and build.xml build.properties file. The wb.xml file created as per book with //DTDWeb application 2.3//en pL. guide me how I can trace the causes of resource not found message. Thanks s.p.das I looked up your book online using Google Books. I can see on page 31 where your project starts, but it skips the rest of the pages to page 34. I'm guessing this line is your problem: FORM ACTION=servlet/ResponseDemoServlet METHOD=POST Tomcat 4 had something called the invoker servlet turned on by default, which meant requests were passed through the mapping of: servlet/someservletname. Tomcat 6 doesn't have that on by default anymore, and you should leave it that way. All you need to do is update the url-mapping for your form's action to the correct url pattern, based on how you deployed your myapp and how you referenced this servlet in your web.xml. You are likely going to be confused throughout this book if all the examples are based on Tomcat 4. I don't know anyone still putting HTML code in out.println statements. Can you afford to get a newer book on JSP/Servlets? There are also semi-decent websites that have some newer content. Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: tomcat 6.0.35 in production maintaince
-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Subject: RE: tomcat 6.0.35 in production maintaince From: fachhoch [mailto:fachh...@gmail.com] Subject: tomcat 6.0.35 in production maintaince How can I detect in advance that my app is using up all available memory ? Monitor the JVM with any of a myriad of tools, such as VisualVM. http://wiki.apache.org/tomcat/FAQ/Memory http://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics This out of memory perm gen space error could this be because of some memory leak ? Pretty much guaranteed that one or more of your webapps is leaking. The default permgen space is 64MB. Could it also run out of permgen space if you deploy many web applications that don't leak, which exhausts the default permgen memory allocation? Is the wording on this page accurate? http://docs.oracle.com/javase/6/docs/technotes/guides/visualvm/monitor_tab.html [quote] PermGen. The PermGen graph displays changes in the permanent generation area over time. The permanent generation is the area of the heap where class and method objects are stored. If an application loads a very large number of classes, then the size of the permanent generation might need to be increased using the -XX:MaxPermSize option. [/quote] Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
[OT] Console when running as a service.
I would be curious to find out how many users run Tomcat from the console in a virtual machine environment. When you remote into your virtual machine that is running Tomcat from the console, you must not be logging off of that session are you? How do you keep the console window open, unless you just close the session? When you remote back into your server after time passes, how do you know you will get the same session? In our virtual environment, I've never been able to leave the console window running. Something eventually kills the console window, so we've been running it as a service. Leo
JAVA_OPTS catalina.bat vs tomcat7w.exe
If I've asked this question before, my apologies. What is the difference between setting Java_OPTS in catalina.bat vs using the tomcat7w.exe with -D options in the Java Tab if you installed Tomcat as a windows service? Leo
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: JAVA_OPTS catalina.bat vs tomcat7w.exe What is the difference between setting Java_OPTS in catalina.bat vs using the tomcat7w.exe with -D options in the Java Tab if you installed Tomcat as a windows service? The latter is useful, the former isn't. Services do not use environment variables. - Chuck If running Tomcat 7.0.37 as a windows service, and using the tomcat7w.exe to set the options, are these wrong? Java Options: -Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37 -Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37 -Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed -Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=9090 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties -Djava.opts=-XX:PermSize=128m -XX:MaxPermSize=384m Initial memory pool: 256MB Maximum memory pool: 512MB - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
-Original Message- From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe If running Tomcat 7.0.37 as a windows service, and using the tomcat7w.exe to set the options, are these wrong? Java Options: -Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37 -Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37 -Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed -Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=9090 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat- 7.0.37\conf\logging.properties -Djava.opts=-XX:PermSize=128m -XX:MaxPermSize=384m Wrong.. Just remove -Djava.opts= Should be: -Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37 -Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37 -Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed -Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=9090 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties -XX:PermSize=128m -XX:MaxPermSize=384m - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
-Original Message- From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] Subject: Re: JAVA_OPTS catalina.bat vs tomcat7w.exe Chuck, I have similar settings, and so far, so good (no abuse/attack), and I recently re-added jmx settings in tomcat7w.exe for my app...just to routinely check performance and/or memory-used by the app, while running on production server. can you please clarify 'the server is open to abuse from pretty much anyone who can reach it'? can you refer to me a blog or an article that discusses app abuse via jmx? http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Help understanding log file contents
1. What is the significance of GET requests with what seems like no resource request being made? They all seem to come from the side of the globe. such as: 220.181.108.165 - - [23/Feb/2013:22:41:22 -0700] GET / HTTP/1.1 200 13258 2. Why do some people like making dozens of requests in a row to get the favicon? Even if it was there, why do they want it? such as: 75.171.44.236 - - [23/Feb/2013:21:40:49 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:53 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:54 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:54 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:55 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:55 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:55 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:55 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:56 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:57 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:40:58 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:06 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:06 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:10 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:14 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:14 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:16 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:16 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:20 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:20 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:23 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:23 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:35 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:35 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:55 -0700] GET /favicon.ico HTTP/1.1 404 6386 75.171.44.236 - - [23/Feb/2013:21:41:55 -0700] GET /favicon.ico HTTP/1.1 404 6386 many more... 3. Can I assume that com.esri.rest.catalog.CatalogServlet.service doesn't clean up after itself well? This was the fifth occurrence of the same exception in localhost logs before I start getting out of memory errors. such as: Feb 24, 2013 5:46:57 AM org.apache.catalina.core.ApplicationDispatcher invoke SEVERE: Servlet.service() for servlet catalog threw exception com.esri.rest.HttpException: Service 'AGIS_MARICOPA' of type 'MapServer' does not exist or is inaccessible. at com.esri.rest.catalog.CatalogServlet.service(CatalogServlet.java:176) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339) at com.esri.rest.DispatchServlet.service(DispatchServlet.java:123) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.esri.rest.security.SecurityFilter.doFilter(SecurityFilter.java:79) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.esri.rest.RestFilter.doFilter(RestFilter.java:81) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at
RE: PermGen space errors
From: Caldarale, Charles R [chuck.caldar...@unisys.com] Subject: RE: PermGen space errors From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: PermGen space errors Deploying a third party app is causing Out of Memory errors on our web server. Will increasing these: -Xms1024m -Xmx1024m -XX:PermSize=256m -XX:MaxPermSize=356m just delay the inevitable? If the errors occur without redeployment, then it either really does need more space, or it's simply losing track of classes it creates as part of normal operation. - Chuck The error occurs without redeployment. Have been dealing with it since last weekend. Since my last post, upgrading to 7.0.37 and to the latest Java 1.6.0_39, nothing in the logs out of the ordinary. Except for this in catalina. What are these? Are these attempts to log into manager/html? Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate WARNING: An attempt was made to authenticate the locked user admin Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate WARNING: An attempt was made to authenticate the locked user admin Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate WARNING: An attempt was made to authenticate the locked user tomcat Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate WARNING: An attempt was made to authenticate the locked user admin And this drives me crazy... googlebots keep crawling for services that aren't deployed anymore... give up google..stop wasting my logs. Feb 23, 2013 8:55:54 PM org.apache.catalina.core.ApplicationDispatcher invoke SEVERE: Servlet.service() for servlet catalog threw exception com.esri.rest.HttpException: Service 'AGIS_MARICOPA' of type 'MapServer' does not exist or is inaccessible. at com.esri.rest.catalog.CatalogServlet.service(CatalogServlet.java:176) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339) at com.esri.rest.DispatchServlet.service(DispatchServlet.java:123) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.esri.rest.security.SecurityFilter.doFilter(SecurityFilter.java:79) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.esri.rest.RestFilter.doFilter(RestFilter.java:81) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1852) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918) at java.lang.Thread.run(Thread.java:662) They just keep hacking away at stuff that is not there.. 66.249.74.65 - - [23/Feb/2013:20:55:54 -0700] GET /rest/services/AGIS_MARICOPA/MapServer
RE: PermGen space errors
From: Leo Donahue - RDSA IT [leodona...@mail.maricopa.gov] Sent: Saturday, February 23, 2013 9:08 PM To: Tomcat Users List Subject: RE: PermGen space errors Since my last post, upgrading to 7.0.37 and to the latest Java 1.6.0_39, nothing in the logs out of the ordinary. Except for this in catalina. What are these? Are these attempts to log into manager/html? Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate WARNING: An attempt was made to authenticate the locked user admin Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate WARNING: An attempt was made to authenticate the locked user admin Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate WARNING: An attempt was made to authenticate the locked user tomcat Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate WARNING: An attempt was made to authenticate the locked user admin - 208.43.50.42 - - [23/Feb/2013:19:37:15 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 - 208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 - please don't do that. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Build vs. buy (Was: [Seriously OT] Help in diagnosing server unresponsiveness)
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Build vs. buy (Was: [Seriously OT] Help in diagnosing server unresponsiveness) Re-writing just because a piece of code has become out-of-touch with current standards or because nobody understands how it works is entirely wasted effort. - -chris And, not to mention the technology an application uses eventually reaches EOL, then what? It's easier to keep it limping along until the point at which someone decides it's worth spending money to update it. It has been my observation that the trend where I work is buy and try to configure or enhance the product to make it do something it didn't do before, because I believe some people think building solutions are too complex or too costly. Buying and maintaining in my opinion is harder when the vendor product changes. You end up building additional complex functionality around a product that did not do 100% of what you wanted when you bought it, now the vendor changes something and you're faced with nearly redoing everything you did before to keep maintenance on the current vendor product version.
RE: docBase
-Original Message- From: Pid [mailto:p...@pidster.com] Subject: Re: docBase On 11/01/2013 20:24, Leo Donahue - RDSA IT wrote: Tomcat 7.0.34 Java 1.6.0_35 Can the document base of a context be an administrative share? Yes. But I would not encourage it. 2nd only to NFS for causing random errors. Unless you have a massive number of images totalling large amounts of data, it would be better to arrange a periodic sync job to copy images across to each node. p Thank you sir. What if one suffers from having conservatively configured nodes? The amount of image cache we would want to create would not fit on any of our webservers. Our web servers are virtualized and have only a few GB of storage. Moving off topic: How does google do this: http://mt1.google.com/vt/lyrs=m@20500hl=ensrc=appx=11y=25z=6s=Ga do you think these images are sitting on every node? And what if google wanted to include an option to view aerial photos for each year for the past ten years? That becomes a lot of data that lives on each node? In the example above, when a user requests an image tile from google, you can't tell whether that image lives on the webserver, or whether the webserver fetches that image from a share on another server. I have a lot of room on my NAS, but not on my webservers. When we cache images for just our county, depending on how many scale levels I create and tile size, I can end up with several hundred GB for just a single year of aerial photos. Reading those images on local (webserver) storage vs network storage is what I'm trying to decide. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: docBase
-Original Message- From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: docBase Tomcat 7.0.34 Java 1.6.0_35 Can the document base of a context be an administrative share? Ex: \\servername\share$\somedirectoryfile:///\\servername\share$\somedire ctory I run tomcat as a service using a local account on webserver1, that same local account has read access to the administrative share (checked the passwords to make sure they were the same), but I'm getting an illegalArgumentException in the logs. The local account has share access and permissions on the \\servername\share$ root directory. Leo Never mind. It always takes a post to find the error right after I hit send. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: docBase
-Original Message- From: David kerber [mailto:dcker...@verizon.net] Subject: Re: docBase On 1/11/2013 3:28 PM, Leo Donahue - RDSA IT wrote: -Original Message- From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: docBase Tomcat 7.0.34 Java 1.6.0_35 Can the document base of a context be an administrative share? Ex: \\servername\share$\somedirectoryfile:///\\servername\share$\somedir e ctory I run tomcat as a service using a local account on webserver1, that same local account has read access to the administrative share (checked the passwords to make sure they were the same), but I'm getting an illegalArgumentException in the logs. The local account has share access and permissions on the \\servername\share$ root directory. Leo Never mind. It always takes a post to find the error right after I hit send. Care to share your findings? I take it all back. The typo in my context file I thought was the problem, was not it. In Tomcat 7.0.34 I had a context file in conf/Catalina/localhost called output.xml The docBase attribute was: docBase=\\servername\share$\gisoutput The purpose was to create a virtual output directory on Tomcat to read images from the network share. Something like http://servername/output/someimage.png Tomcat 7.0.34 was installed as a service using the service.bat, and the service was running under a local account on the webserver, not a local system account, one I created. The docBase was pointing to an administrative share on another storage server. I created the same local account on that storage server, and gave share and security permissions to that share. Then I started Tomcat 7.0.34 and got that exception in the log file. For the heck of it, I removed the 7.0.34 service and installed 7.0.32. The exact same setup is working in 7.0.32 Is the $ causing an issue? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context Path for a subdirectory
___ From: Christopher Schultz [ch...@christopherschultz.net] Sent: Friday, November 30, 2012 8:13 PM To: Tomcat Users List Subject: Re: Context Path for a subdirectory -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leo, On 11/30/12 5:52 PM, Leo Donahue - RDSA IT wrote: Ok, so before I upgraded to Tomcat 7.0.33 to use the container supplied remote address filter, what were my options to restrict access to just a subdirectory of a web app in Tomcat 6.0.35? Please remember that you aren't protecting a directory. Ever. You are protecting a url-pattern and nothing more. - -chris 1st, sorry for the format, I'm on vacation and webmail doesn't format replies the way I'd like. (sorry chuck, not taking your advice from before on getting out more. maybe tomorrow...) I have heard this before, and now I'm beginning to understand why I keep hearing this same comment. I now realize my choice of words in describing what I was trying to do leads to this comment. As many times as I've heard, you're not protecting a directory, and some other people use the phrase 'resource'... I always thought that there was some trick to getting by the url-pattern that no one wanted to mention. As far as the URL vs directory, the server is pretty locked down - so I'm told, and the IP I use is the IP of the host. Ultimately I wanted to restrict access to the URL /rest/admin to requests made by the local host only to that URL. webapps rest www admin Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context Path for a subdirectory
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, November 30, 2012 12:23 AM To: Tomcat Users List Subject: Re: Context Path for a subdirectory On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote: Reading the docs: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html ..The web application used to process each HTTP request is selected by Catalina based on matching the longest possible prefix of the Request URI against the context path of each defined Context. If I have a webapp, with a www directory, and in that www directory are other directories, how would I restrict access to one of those subdirectories to the localhost? webapps webapp1 -WEB-INF -classes -lib -www -directory1 -directory2 Is the context path of directory1: /webapp1/directory1 Would I create a context named directory1.xml such as the following? ?xml version=1.0 encoding=UTF-8? Context antiResourceLocking=false privileged=true path=/webapp1/directory1 Valve className=org.apache.catalina.valves.RemoteAddrValve allow=127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 / /Context Of course you'll still have to map the filter to the correct context for directory1 in webapps webapp1 -WEB-INF -classes -lib -www -directory1 -directory2 filter-mapping filter-nameRemote Address Filter/filter-name url-pattern(??)/url-pattern /filter-mapping and (??) is ? ;-) Sadly, it's advertised in the help section. http://planning.maricopa.gov/sdk/rest/gettingstarted.html scroll to bottom of the page. I could surgery out bullet #7 I suppose, but I'm counting on the filter to work. Ah well, that is what the user enters, which does not necessarily match the layout of your application. But did I misunderstand, or did you want to have the IP filter apply only to the subdirectory in question ? Yes, I wanted the IP filter to apply only to http://planning.maricopa.gov/rest/admin I was confused in thinking that if I used a url-pattern, in a context file, of /rest/admin that it would restrict access to just admin - based on the longest matching prefix - but it restricted access to all of /rest My trick question was about how you would specify the url-pattern so that it applies only to: (webapps)/webapp1/www/directory1 (and not to (webapps)/webapp1/www/directory2 for instance). Using the Container provided Remote Address Filter was a good reason to upgrade to Tomcat 7.0.33 from 6.0.35. If I can tag another question on the end of this thread: The Remote Address Filter has an option to set the denyStatus from 403 to 404, or whatever. In general, I'm guessing it's better to respond that a restricted resource is not found, rather than respond that is it there but forbidden? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context Path for a subdirectory
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, November 30, 2012 8:20 AM To: Tomcat Users List Subject: Re: Context Path for a subdirectory Leo Donahue - RDSA IT wrote: If I can tag another question on the end of this thread: The Remote Address Filter has an option to set the denyStatus from 403 to 404, or whatever. In general, I'm guessing it's better to respond that a restricted resource is not found, rather than respond that is it there but forbidden? Purely personal opinion : by doing this, you kind of violate the spirit of the HTTP specification, and you create some confusion at the technical level. And, essentially, you are lying to the client. So, in general, it is not better. But hey, it's your server, so you're free to return whatever you believe is most appropriate. Within limits though. For example, if somewhere you provide a link to that section for some people, but when they click on it, they get a not found, they may think that your application isn't working, or that your documentation is incorrect. While if they get a forbidden, they may realise that they need to ask for a permission. Why is denyStatus an option? Why would someone use it? Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context Path for a subdirectory
-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Friday, November 30, 2012 8:32 AM To: Tomcat Users List Subject: RE: Context Path for a subdirectory From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: RE: Context Path for a subdirectory Why is denyStatus an option? Why would someone use it? Because some people still believe in security through obscurity. - Chuck Security AND obscurity... only those that need to know. I can get in line with that. Why give someone a target to work on it you tell them they are forbidden. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Error page messages
Are there standardized server responses that one should expect to see when dealing with java.lang, javax.servlet and javax.faces exceptions that should be displayed to the client? I don't know that I would expect to see any of these on a public website, as I am likely not to care what happens on the server I'm browsing, as long as the server can recover/redirect. Leo
RE: Error page messages
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Friday, November 30, 2012 3:04 PM To: Tomcat Users List Subject: Re: Error page messages On 30/11/2012 21:00, Leo Donahue - RDSA IT wrote: Are there standardized server responses that one should expect to see when dealing with java.lang, javax.servlet and javax.faces exceptions that should be displayed to the client? You mean status codes or error pages? Error pages. If an exception isn't handled* by the app then it's 500 and a stacktrace if you haven't configured a custom error page. Those packages probably have a few tens of exceptions that could be thrown. I don't know that I would expect to see any of these on a public website, as I am likely not to care what happens on the server I'm browsing, as long as the server can recover/redirect. Catch them at the appropriate point in your code, or configure a custom error page. And what kind of information does one show the user in a custom error page? I don't know of any public facing websites, off hand, that show uncaught exception messages. I was just trying to decide what I would show, if anything, if I configured a custom error page for certain types of exceptions, such as java.lang, or javax.servlet, or javax.faces. p * uncaught exception is the usual term. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Error page messages
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Friday, November 30, 2012 3:13 PM To: Tomcat Users List Subject: Re: Error page messages On 30/11/2012 22:09, Leo Donahue - RDSA IT wrote: -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Friday, November 30, 2012 3:04 PM To: Tomcat Users List Subject: Re: Error page messages On 30/11/2012 21:00, Leo Donahue - RDSA IT wrote: Are there standardized server responses that one should expect to see when dealing with java.lang, javax.servlet and javax.faces exceptions that should be displayed to the client? You mean status codes or error pages? Error pages. If an exception isn't handled* by the app then it's 500 and a stacktrace if you haven't configured a custom error page. Those packages probably have a few tens of exceptions that could be thrown. I don't know that I would expect to see any of these on a public website, as I am likely not to care what happens on the server I'm browsing, as long as the server can recover/redirect. Catch them at the appropriate point in your code, or configure a custom error page. And what kind of information does one show the user in a custom error page? I don't know of any public facing websites, off hand, that show uncaught exception messages. I was just trying to decide what I would show, if anything, if I configured a custom error page for certain types of exceptions, such as java.lang, or javax.servlet, or javax.faces. A polite message saying oops, or a fail whale, or a unicorn... p Good options, and very tempting. Maybe one of these? http://tinyurl.com/bvl2gko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Error page messages
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Friday, November 30, 2012 3:19 PM To: Tomcat Users List Subject: Re: Error page messages -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leo, On 11/30/12 5:09 PM, Leo Donahue - RDSA IT wrote: -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Friday, November 30, 2012 3:04 PM To: Tomcat Users List Subject: Re: Error page messages On 30/11/2012 21:00, Leo Donahue - RDSA IT wrote: Are there standardized server responses that one should expect to see when dealing with java.lang, javax.servlet and javax.faces exceptions that should be displayed to the client? You mean status codes or error pages? Error pages. If an exception isn't handled* by the app then it's 500 and a stacktrace if you haven't configured a custom error page. Those packages probably have a few tens of exceptions that could be thrown. I don't know that I would expect to see any of these on a public website, as I am likely not to care what happens on the server I'm browsing, as long as the server can recover/redirect. Catch them at the appropriate point in your code, or configure a custom error page. And what kind of information does one show the user in a custom error page? I don't know of any public facing websites, off hand, that show uncaught exception messages. I was just trying to decide what I would show, if anything, if I configured a custom error page for certain types of exceptions, such as java.lang, or javax.servlet, or javax.faces. How about: web.xml: error-page exception-typejava.lang.Throwable/exception-type location/WEB-INF/uncaught-error.html/location /error-page uncaught-error.html: !DOCTYPE html html headtitleError/title/head body h1Error/h1 p Aw, crap. /p /body /html Yeah, I blew off some steam playing on dev port 8080 with some fun messages just now. This whole time I thought by confusing my end users by taking them back to the web app's main page when an exception occurs was a bad idea. I really didn't want to tell them, hey, sorry but the javax.faces.View expired because you waited too long to do something productive. You can put anything in there you want, man. If the stack trace seems too ugly for you (it really is, honestly), then replace it with something else. Need some inspiration? Try Google. Or http://ux.stackexchange.com/questions/15955/how-to-create-a-useful-500- internal-server-error-page - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlC5MMQACgkQ9CaO5/Lv0PC2SwCeNW8Q8enE9m08sq9j6tYV FRX/ csoAniXbINKCbXd1ix+J9Nd3dHo0piLE =EnMx -END PGP SIGNATURE-
RE: Error page messages
-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Friday, November 30, 2012 3:28 PM To: Tomcat Users List Subject: RE: Error page messages From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: RE: Error page messages I don't know of any public facing websites, off hand, that show uncaught exception messages. You need to get out more ... - Chuck +1 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context Path for a subdirectory
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Friday, November 30, 2012 3:39 PM To: Tomcat Users List Subject: Re: Context Path for a subdirectory -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 11/30/12 5:25 PM, Caldarale, Charles R wrote: From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Context Path for a subdirectory I don't think it's specifically /un/supported. For instance, Tomcat should happily deploy both of these files: myapp.war myapp#static.war That's not what's being discussed. You're describing logically nested paths, which is fully supported; the topic under discussion is physical (file system) nesting of one webapp inside another. There's definitely come nomenclature confusion going-on in this thread. For example: On 11/29/12 3:14 PM, Calderale, Charles R wrote: From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: Context Path for a subdirectory If I have a webapp, with a www directory, and in that www directory are other directories, how would I restrict access to one of those subdirectories to the localhost? [...] Is the context path of directory1: /webapp1/directory1 No, it's /webapp1/www/directory1. The context path for the webapp is /webapp1, not /webapp1/www/directory1. As you say, you can't just cause a new webapp context to spring-forth from another by adding a context.xml file to it. Explicitly deploying a subdirectory of an existing webapp using CATALINA_BASE/conf/Catalina/localhost/webapp#www#directory1.xml with path=${catalina.base}/webapps/webapp1/www/directory1 would probably work, but it is, of course, totally stupid to do things that way. I think OP was just trying to treat a subdirectory as a distinct webapp because (maybe?) that seemed like an easier way to restrict access. I can imagine this being conflated with, say, Apache httpd's ability to specify authentication requirements by dropping an .htaccess file into a directory. Obviously that's not how Tomcat does things. I think this is yet another instance of someone not understanding that a webapp is more than just set of files and subdirectories rooted somewhere on the filesystem. Honestly, Leo should know better after all the time he's been hanging around the list ;) - -chris Dang it. Ok, so before I upgraded to Tomcat 7.0.33 to use the container supplied remote address filter, what were my options to restrict access to just a subdirectory of a web app in Tomcat 6.0.35? I'll admit, contexts are confusing to me. You can create contexts in conf\Catalina\localhost that map to places that are not even in the webapps folder, but expose themselves as a URL to the end user. My thought was if I could create a context that mapped to a subdirectory, I could create a valve that restricted access to that URL. What is the right way to do this in Tomcat 6.0.35?
RE: Context Path for a subdirectory
-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Friday, November 30, 2012 4:04 PM To: Tomcat Users List Subject: RE: Context Path for a subdirectory From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Subject: RE: Context Path for a subdirectory what were my options to restrict access to just a subdirectory of a web app in Tomcat 6.0.35? Using just spec-provided mechanisms, such access can be limited to specific users by including the appropriate security constraint elements in the webapp's WEB-INF/web.xml. The wrinkle you want is to limit by IP address, which is not a capability the servlet spec covers. I'll admit, contexts are confusing to me. The main thing to remember is that each webapp (context) is expected to be physically separate from all other webapps. (This has nothing to do with the URLs used to access the webapps, just the location of the webapps in the server's file system, database, memory, paper tape, or whatever medium they're stored on.) What is the right way to do this in Tomcat 6.0.35? Probably the easiest is just to pick up the filter from Tomcat 7 and use it in 6. The SecurityFilter from sourceforge might be able to do it, but I'm not sure (Chris should know). - Chuck I considered the security constraint, but wouldn't that have required me to set up SSL (for a secure user/password submittal) and get someone to pay for a public certificate - which would probably not happen. Sure, I could generate a cert myself. But I would still have to convince our office of enterprise tech that leaving an admin related webapp visible to the public is ok (authentication enabled or not). The last admin related webapp on our site had to be restricted by a valve, but that was for the whole context. The software company that we use also provides these kinds of web services to the whole world. They don't even bother restricting their /rest/admin directory, which really surprises me. Maybe I'm being paranoid by trying to one up them. http://services.arcgisonline.com/ArcGIS/rest/services http://services.arcgisonline.com/ArcGIS/rest/admin - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context Path for a subdirectory
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, November 30, 2012 4:45 PM To: Tomcat Users List Subject: Re: Context Path for a subdirectory Maybe a bit of lateral thinking here. What does the admin webapp really do ? For what it is doing, does it need to even live in the same website/host as the main application ? If it's actions are confined to managing some files on disk, or some data in a back-end database, maybe it can do that without being really integrated into your main application ? You could then set up a separate Host, running under SSL or whatever, to run this admin part. It's URL would never be visible under your main site. And you'd have all the flexibility to set up any security constraints you want, without interfering with the main user site. Fair question. The rest web app was configured using a product called ArcGIS Server. There are at least 4 servers involved in the end product you see. Server 1 - The ArcGIS Server - This is where you publish map documents as web services, and where you can export the web services handler (rest.war) to a production web server. Which I've done. Server 2 - The ArcSDE Server - This is where the GIS data physically resides in a SQL Server. Server 3 - The GIS Storage server - This is where Server 1 writes out the map images you see. I have a context on Server 4 that maps to a share on Server 3 as a virtual output directory. Server 4 - The production Tomcat server - This is where I deploy the rest web app that is created from Server 1 Any changes that I make to the rest web app are done on Server 1, in which I then need to generate a new rest.war file to be deployed on Server 4. Anything custom that I configure for the rest webapp, like the filter in web.xml, I have to remember to unpack the war file, make edits and re-pack it, or leave it exploded. Changes can be things like adding new output directories, map cache directories, adding features like the ability to generate KMZ files for Google Earth, and there is even an option to configure deploying the rest.war file with a security store. The rest/admin web app has one thing that I need, which is a clear cache feature. Any new web services that you deploy, or changes you make to existing services such as changing the color of a feature or what not, have to have the cache cleared. The way the Server 1 is configured, there are accounts that the rest/admin web app will take which let you do things like shutdown the services and other stuff, if you were able to brute force the rest/admin username/password. Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context Path for a subdirectory
-Original Message- From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov] Sent: Friday, November 30, 2012 5:02 PM To: Tomcat Users List Subject: RE: Context Path for a subdirectory The way the Server 1 is configured, there are accounts that the rest/admin web app will take which let you do things like shutdown the services and other stuff, if you were able to brute force the rest/admin username/password. That would only do you any good if you knew the internal server name. But I have to protect from internal threats as well, right? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Context Path for a subdirectory
Reading the docs: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html ..The web application used to process each HTTP request is selected by Catalina based on matching the longest possible prefix of the Request URI against the context path of each defined Context. If I have a webapp, with a www directory, and in that www directory are other directories, how would I restrict access to one of those subdirectories to the localhost? webapps webapp1 -WEB-INF -classes -lib -www -directory1 -directory2 Is the context path of directory1: /webapp1/directory1 Would I create a context named directory1.xml such as the following? ?xml version=1.0 encoding=UTF-8? Context antiResourceLocking=false privileged=true path=/webapp1/directory1 Valve className=org.apache.catalina.valves.RemoteAddrValve allow=127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 / /Context Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context Path for a subdirectory
-Original Message- From: Mark Eggers [mailto:its_toas...@yahoo.com] Sent: Thursday, November 29, 2012 1:12 PM To: Tomcat Users List Subject: Re: Context Path for a subdirectory On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote: Reading the docs: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html ..The web application used to process each HTTP request is selected by Catalina based on matching the longest possible prefix of the Request URI against the context path of each defined Context. If I have a webapp, with a www directory, and in that www directory are other directories, how would I restrict access to one of those subdirectories to the localhost? webapps webapp1 -WEB-INF -classes -lib -www -directory1 -directory2 Is the context path of directory1: /webapp1/directory1 Would I create a context named directory1.xml such as the following? ?xml version=1.0 encoding=UTF-8? Context antiResourceLocking=false privileged=true path=/webapp1/directory1 Valve className=org.apache.catalina.valves.RemoteAddrValve allow=127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 / /Context Leo How about: http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html In particular: http://tomcat.apache.org/tomcat-7.0- doc/config/filter.html#Remote_Address_Filter Although as has been discussed previously on the mailing list, the regular expression is a bit simplistic. . . . . just my two cents. /mde/ Thank you Mark. I realized the first reply I got might be why not try it, my question, which I did, and of course I had it wrong. I thought of security-constraint right after I clicked send, but the filter will also work. http://planning.maricopa.gov/rest - needed to restrict access to one directory of that webapp. It's a third party app, but our data. Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context Path for a subdirectory
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Thursday, November 29, 2012 3:40 PM To: Tomcat Users List Subject: Re: Context Path for a subdirectory Leo Donahue - RDSA IT wrote: -Original Message- From: Mark Eggers [mailto:its_toas...@yahoo.com] Sent: Thursday, November 29, 2012 1:12 PM To: Tomcat Users List Subject: Re: Context Path for a subdirectory On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote: Reading the docs: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html ..The web application used to process each HTTP request is selected by Catalina based on matching the longest possible prefix of the Request URI against the context path of each defined Context. If I have a webapp, with a www directory, and in that www directory are other directories, how would I restrict access to one of those subdirectories to the localhost? webapps webapp1 -WEB-INF -classes -lib -www -directory1 -directory2 Is the context path of directory1: /webapp1/directory1 Would I create a context named directory1.xml such as the following? ?xml version=1.0 encoding=UTF-8? Context antiResourceLocking=false privileged=true path=/webapp1/directory1 Valve className=org.apache.catalina.valves.RemoteAddrValve allow=127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 / /Context Leo How about: http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html In particular: http://tomcat.apache.org/tomcat-7.0- doc/config/filter.html#Remote_Address_Filter Although as has been discussed previously on the mailing list, the regular expression is a bit simplistic. . . . . just my two cents. /mde/ Thank you Mark. I realized the first reply I got might be why not try it, my question, which I did, and of course I had it wrong. I thought of security-constraint right after I clicked send, but the filter will also work. http://planning.maricopa.gov/rest - needed to restrict access to one directory of that webapp. It's a third party app, but our data. Of course you'll still have to map the filter to the correct context for directory1 in webapps webapp1 -WEB-INF -classes -lib -www -directory1 -directory2 filter-mapping filter-nameRemote Address Filter/filter-name url-pattern(??)/url-pattern /filter-mapping and (??) is ? ;-) Sadly, it's advertised in the help section. http://planning.maricopa.gov/sdk/rest/gettingstarted.html scroll to bottom of the page. I could surgery out bullet #7 I suppose, but I'm counting on the filter to work. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat ROOT webapp homepage
Who designed the Tomcat ROOT webapp homepage? Was it just notepad as the design tool? Leo
RE: Tomcat ROOT webapp homepage
-Original Message- From: Pid * [mailto:p...@pidster.com] Sent: Thursday, November 15, 2012 2:25 PM Subject: Re: Tomcat ROOT webapp homepage On 15 Nov 2012, at 18:06, Leo Donahue - RDSA IT leodona...@mail.maricopa.gov wrote: Who designed the Tomcat ROOT webapp homepage? Which version? 7.0 = me. Yes, sorry. 7.0.32 Was it just notepad as the design tool? Not notepad, why? I like the layout and wanted to know how you came up with the rounded divs that look nice in Firefox. I saw the css page that specified the rounded nature of those lower boxes (answered that myself since original post). Too bad IE9 can't get on the wagon and display those right. What did you use to visualize the overall layout? Or did you just sketch it out in your head? Either way, nice work. Leo
RE: Windows Service Security
-Original Message- From: Burn William [mailto:william.b...@willis.com] Sent: Wednesday, October 31, 2012 9:01 AM To: users@tomcat.apache.org Subject: Windows Service Security Can the Tomcat service run as a standard user, Yes does the user need elevated permissions, I don't believe so, I don't grant my standard user any specific privileges. or does it require local administrator access? No. I wouldn't do that. Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org