RE: [OT] WEB-INF

2013-07-15 Thread Leo Donahue - RDSA IT
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Subject: Re: [OT] WEB-INF

I'd prefer to see a clearer requirement for it from the user base 

What about a single site with multiple webapps all laid out with the same 
header/footer, left/right navigation styles ?  - all static content.

I understand now that the build/deploy process will take care of the redundant 
templates.  A change in one header/footer just means I redeploy every web app 
using it - or essentially all of them.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: [OT] WEB-INF

2013-07-15 Thread Leo Donahue - RDSA IT
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Subject: Re: [OT] WEB-INF

...I'd encourage you to grab the 8.0.x source, build it and try out the new 
resource handling. Feedback welcome.

From here?  
http://ci.apache.org/projects/tomcat/tomcat8/docs/building.html

The source download link (http://tomcat.apache.org/download-80.cgi ) says 
permission denied.





Tomcat 8 Resources - webAppMount

2013-07-15 Thread Leo Donahue - RDSA IT
Is this saying that one can mount a directory under WEB-INF with a custom path? 
 

One of my biggest struggles with JSF page navigation is placing resources under 
WEB-INF and then figuring out how to navigate from a page that was forwarded to 
WEB-INF and that page under WEB-INF also needs to forward to another page in 
WEB-INF.

The JSF navigation is usually one page behind the current page unless you 
explicitly redirect, which you can't do if the resource is in WEB-INF, so I end 
up with a 404 trying to forward from page1 in WEB-INF to page2 in WEB-INF.  The 
only solution I see is exposing the last page in the root of the context or 
ditch the JSF framework and go back to straight servlets.

This new feature sounds like it would help, but wouldn't it defeat the purpose 
of placing resources in WEB-INF?

Leo




RE: [OT] WEB-INF

2013-07-11 Thread Leo Donahue - RDSA IT
-Original Message-
From: Tim Funk [mailto:funk...@apache.org]
Subject: Re: [OT] WEB-INF

It's a best practice to keep your jsp's inside of WEB-INF. Since WEB-INF/ is not
allowed to be requested by the browser - it's a simple enforcement
mechanism to prevent users from direct access to calling jsps. 

Thanks Tim.  A lot of old reference books on servlets/JSP never really touched 
on this topic, and I've read about placing resources in WEB-INF on the web 
somewhere since then.  I was curious if this practice was originally by design 
or if the benefit was realized after the servlet spec - such as someone 
deciding hey, we should put stuff in WEB-INF.


(Since it may be common to have jsp's as snippets for header / footers etc -- 
and therefore
they might be able to be called in surprising ways and exposing funny attacks)

You mention header/footers, which was in the back of my mind when I posted 
this.  Placing headers/footers in WEB-INF doesn't allow me to re-use these in 
different webapps, without having multiple copies of these? 

If I have a header/footer template in \webapps\ROOT\WEB-INF\templates\, I can't 
reference it from  \webapps\App2\WEB-INF\templates  ... or can I?




[OT] WEB-INF

2013-07-10 Thread Leo Donahue - RDSA IT
When did it start that developers decided to place jsps in the WEB-INF 
directory?  Was that intended from the beginning, or was it stumbled upon?

Leo



CORS on Tomcat?

2013-05-21 Thread Leo Donahue - RDSA IT
Does Tomcat support setting this header on the server?

Header set Access-Control-Allow-Origin *

If yes, where do we set it?

Leo




RE: CORS on Tomcat?

2013-05-21 Thread Leo Donahue - RDSA IT
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Re: CORS on Tomcat?


Leo,

On 5/21/13 11:34 AM, Leo Donahue - RDSA IT wrote:
 Does Tomcat support setting this header on the server?

 Header set Access-Control-Allow-Origin *

 If yes, where do we set it?

You should know how to do this by now: url-rewrite.

Thanks Chris.  But.. but.. Apache has it...

I wanted to avoid using a proxy that turns lengthy GET requests into POST 
requests for one of our REST based web apps.  I was reading online where Cross 
Origin Resource Sharing was possible on some servers.  Specifically here:  
http://enable-cors.org/server.html


If you are using this with the CSRF prevention filter, you probably want to also
mention those other domains in the entryPoints attribute.

- -chris



RE: CORS on Tomcat?

2013-05-21 Thread Leo Donahue - RDSA IT
-Original Message-
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Subject: RE: CORS on Tomcat?

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Re: CORS on Tomcat?


Leo,

On 5/21/13 11:34 AM, Leo Donahue - RDSA IT wrote:
 Does Tomcat support setting this header on the server?

 Header set Access-Control-Allow-Origin *

 If yes, where do we set it?

You should know how to do this by now: url-rewrite.

Thanks Chris.  But.. but.. Apache has it...

I wanted to avoid using a proxy that turns lengthy GET requests into POST
requests for one of our REST based web apps.  I was reading online where
Cross Origin Resource Sharing was possible on some servers.  Specifically here:
http://enable-cors.org/server.html


I realize I can set the header in the response, but was hoping this can be 
something we set on the server for a specific context maybe?

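response.setHeader("Access-Control-Allow-Origin", "*");
// Access-Control-Request-Method is the header the browser sends in a preflight;
// the response header that lists permitted methods is Access-Control-Allow-Methods.
response.setHeader("Access-Control-Allow-Methods", "GET,POST");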

Before IE supported this, Firefox did, which made it nice for some users who 
wanted to make cross origin ajax requests to one of our servlets. 
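
Added example, not part of the original messages and not Tomcat code: one way to set the header for a single context is a servlet Filter mapped in that webapp's web.xml. It echoes the Origin only when it is on an allowlist instead of sending `*`; the class name, the init-param name and the sample origin are assumptions.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not shipped with Tomcat). Map it in the webapp's web.xml:
//   <filter>
//     <filter-name>cors</filter-name>
//     <filter-class>AllowlistCorsFilter</filter-class>
//     <init-param>
//       <param-name>allowedOrigins</param-name>
//       <param-value>https://maps.example.org</param-value>  (constructed sample origin)
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>cors</filter-name>
//     <url-pattern>/rest/*</url-pattern>
//   </filter-mapping>
public class AllowlistCorsFilter implements Filter {

    private final Set<String> allowedOrigins = new HashSet<String>();
    private static final String ALLOWED_METHODS = "GET,POST";
    private static final String ALLOWED_HEADERS = "Content-Type";

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Comma-separated list of exact origins (scheme://host[:port]).
        String origins = cfg.getInitParameter("allowedOrigins");
        if (origins != null) {
            for (String o : origins.split(",")) {
                if (!o.trim().isEmpty()) {
                    allowedOrigins.add(o.trim());
                }
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The response now depends on the Origin header, so caches must key on it.
        response.addHeader("Vary", "Origin");

        String origin = request.getHeader("Origin");
        if (origin != null && allowedOrigins.contains(origin)) {
            // Echo the one matching origin rather than "*".
            response.setHeader("Access-Control-Allow-Origin", origin);

            // A preflight is an OPTIONS request that carries Access-Control-Request-Method.
            boolean preflight = "OPTIONS".equals(request.getMethod())
                    && request.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                response.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
                response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
                response.setStatus(HttpServletResponse.SC_OK);
                return; // answered here; the servlet is not invoked for a preflight
            }
        }
        // Same-origin requests and unlisted origins pass through without CORS
        // headers; the browser then blocks the cross-origin read for the latter.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Later Tomcat releases ship org.apache.catalina.filters.CorsFilter, which covers the same ground.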


RE: CORS on Tomcat?

2013-05-21 Thread Leo Donahue - RDSA IT

-Original Message-
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Sent: Tuesday, May 21, 2013 9:33 AM
To: Tomcat Users List
Subject: RE: CORS on Tomcat?


Um. I didn't say that.


unsupported color?

2013-05-14 Thread Leo Donahue - RDSA IT
Tomcat 7.0.37

This line frequents my catalina logs:

May 13, 2013 8:29:25 PM com.esri.rest.json.SymbolJson color
SEVERE: Unsupported Color: HsvColor

How does this package cause Tomcat to throw a severe error?  Why does Tomcat 
care whether the color is unsupported?  Unsupported by ... ?

Leo



RE: unsupported color?

2013-05-14 Thread Leo Donahue - RDSA IT
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Subject: Re: unsupported color?

On 14/05/2013 15:49, Leo Donahue - RDSA IT wrote:
 Tomcat 7.0.37

 Unsupported by ... ?

Ask your application vendor.

Mark


I would if I could... lol.  It's all coming together now.


Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request POST /index.cfm.

Reason: Error reading from remote server

ArcWS/4.0.20 Server at support.esri.com Port 80




server jvm

2013-05-07 Thread Leo Donahue - RDSA IT
Installing Tomcat 7.0.39 using the service.bat will pick up the server jvm.dll 
located in the jdk directory, but now that there is a separate download for a 
server jre at 7u21, should we be using that instead?

C:\Program Files\Java\jdk1.7.0_21\jre\bin\server\jvm.dll

Or use the new Server JRE at 7u21 that is now a separate download.

Leo


RE: getting the request that created the session

2013-04-28 Thread Leo Donahue - RDSA IT
___
From: Leon Rosenberg [rosenberg.l...@gmail.com]
Subject: Re: getting the request that created the session

  would ServletRequestListener being notified prior to any Filter execution?

According to the docs, yes.

A ServletRequest is defined as coming into scope of a web application when it 
is about to enter the first servlet or filter of the web application, and as 
going out of scope as it exits the last servlet or the first filter in the 
chain.

http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequestListener.html 



RE: Tomcat 7.0.33 manager - 403 Access Denied

2013-04-23 Thread Leo Donahue - RDSA IT
-Original Message-
From: Shanti Suresh [mailto:sha...@umich.edu]
Subject: Tomcat 7.0.33 manager - 403 Access Denied

All,

I am wondering what I'm doing wrong - the Manager application is denying me
access.
Here are the details:

Tomcat version:
  7.0.33
JDK version:
  java version 1.7.0_09
  Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
  Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode)
Operating System:
  RedHat Linux - 2.6.18-348.4.1.el5

Steps I took to permit manager:
(1) $CATALINA_HOME/conf/Catalina/localhost/manager.xml--:
<Context path="/manager" privileged="true" antiResourceLocking="false"
         docBase="${catalina.home}/webapps/manager">
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.0\.0\.1"/>
</Context>


(2) --$CATALINA_HOME/conf/tomcat-users.xml:--
 <user username="jmxparty"
       password="r5678dcdddxx"
       roles="standard,manager-jmx" />

Is that password really the SHA value of something?

If your password was:  password1, then you would store the SHA value of 
password1 in your tomcat-users.xml

---

(3) $CATALINA_HOME/conf/server.xml:--Added digest=SHA:-
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" digest="SHA"/>





RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread Leo Donahue - RDSA IT
-Original Message-
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html
HTTP/1.0 404


also, if an 'ANN' email was sent, where /expert tomcat/ users can 
derive/develop a list of the popular/frequent URLs that bots use when 
attempting to compromise /tomcat/ servers.

Wouldn't this depend on what user applications are deployed on the Tomcat 
server?  By default, I thought we concluded that Tomcat out of the box is not 
compromised?  Did I mis-read something?




RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Leo Donahue - RDSA IT
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html
HTTP/1.0 404


That's the idea.  That is one reason why I brought this discussion here : to
check if, if the default factory setting was for example 1000 ms delay for each
404 answer, could anyone think of a severe detrimental side-effect ? 


What if I send 10,000 requests to your server for some file that is not there?


RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Leo Donahue - RDSA IT
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Wednesday, April 17, 2013 10:28 AM
To: Tomcat Users List
Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html
HTTP/1.0 404

Leo Donahue - RDSA IT wrote:
 -Original Message-
 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Tomcat access log reveals hack attempt: HEAD
 /manager/html HTTP/1.0 404


 That's the idea.  That is one reason why I brought this discussion
 here : to check if, if the default factory setting was for example
 1000 ms delay for each
 404 answer, could anyone think of a severe detrimental side-effect ?


 What if I send 10,000 requests to your server for some file that is not 
 there?

Then you will just have to wait 10,000+ seconds in total before you get all your
corresponding 404 responses.
Which is exactly the point.

Do you know of a real legitimate scenario in which a HTTP client (or more of
them) would issue lots of requests for resources which they know might not
be there ?

No, I honestly don't.  I was thinking like a miscreant in that I would do it 
intentionally to force your server to queue for the next 2.5 hours to return 
404 messages to those 10,000 requests for nothing.  Now I would have a new tool 
for DOS?  But you point out something interesting further down...

(this is a real question; it might be that there is, and that would be a real flaw
to the scheme)

More details :

- legitimate, well-written applications should not normally be returning pages
to the user, which contain lots of links which lead to nothing and result in 404
errors.
So once a browser got to one of your normal pages, he should be able to
continue navigating your site by clicking on links that work, not links that result
in 404.
So adding a 1 second delay before returning a (legitimate) 404 response
should not bother legitimate users of legitimate applications too much.
Even genuine legitimate and useful bots (like the Google ones), get your
home page, and then (unless you tell them not to), they follow the links that
they find there to get more pages and index your site. So they too should not
get much inconvenienced by a delay in the 404 responses.

- on the contrary, the way hacking bots work is that they are purposely trying
to find, on your server, specific links which are known to sometimes
correspond to generic applications which have security flaws.  On most
servers, these links do /not/ correspond to real available resources, so they
result in 404 errors.  That is what the bots expect, so when they get a 404 for
one such link, they immediately try the next buggy one in their list, etc.  If
they get 404's for all of them, then they will give up, and switch to scanning
some other server.
In that case, by returning the 404 response quickly, you are actually helping
them to spend little time on a non-existent flaw and to be able to try the next
one sooner.
But if for each 404 response, you force them to wait 1 second instead of 10
milliseconds, then you immensely slow them down.  They will have to wait
that 1 second, because otherwise they could never be sure if your server (or
the network at that moment) is really slow, or if this is a deliberate delay.
(And if you're really into making this even more annoying for them - hehe -
you could even slightly vary the delay for each 404, say between 0.5 and 3
seconds, to make it even more unlikely that they will figure out some
pattern).

A vital part is to design an implementation for this, that from the point of view
of your own server, is as lightweight as possible.  You do not want to force one
of your real working threads or instances to have to sit there during the 1 s
delay doing nothing.
You'd want to hand off this connection and response to some specialised
lightweight thread, and go handle the next real worthy request.

So you are saying it could be possible to know in advance that certain requests 
are for repeated requests of nothing or being made by a bot, versus regular 
legitimate requests, in order to move those bot requests off to another thread?

But I am sure that the tomcat gurus here will have some good ideas for that
part.




RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Leo Donahue - RDSA IT
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html
HTTP/1.0 404


Mark,

On 4/17/13 8:49 AM, Mark H. Wood wrote:
 Yes.  But someone *does* own the botted computers, and their own
 operations are slightly affected.  I have wondered if there is some
 way to make a bot so intrusive that many more owners will ask
 themselves, why is my computer so slow/weird/whatever?  I'd better
 get it looked at.  Maybe I should install a virus scanner.

People *do* do this (notice their computer sucking) but mostly (at least
Americans) will just go out and buy another one, assuming that their
computer just isn't fast enough to work well after owning it for a few years.

<soapbox>It's sad that most of us have more computing resources beneath
our fingertips than spacecraft do, yet we upgrade every few years because
MS Office has gotten fatter. </soapbox>

And no one ever uses (or knows about) the restore partition when their pc 
becomes full of junk.

However, the old P4 laptop I have running XP with 2GB of RAM and dedicated 
video RAM doesn't do much for websites these days running a lot of graphics.. 
ahem Silverlight, flash, etc...  The web is also getting fat.


- -chris


RE: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Leo Donahue - RDSA IT
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Tomcat access log reveals hack attempt: HEAD /manager/html
HTTP/1.0 404


 So you are saying it could be possible to know in advance that certain
requests are for repeated requests of nothing or being made by a bot, versus
regular legitimate requests, in order to move those bot requests off to
another thread?


No, not at all. It would be nice but no.
What I mean is that any 404 response should be handed off to one of these
lightweight processes, so that the real useful process doesn't have to handle
it.
Of course some processing has already taken place to find out that the target
resource of this URL does not exist and that responding with a 404 code is
appropriate.
But as soon as this is determined, the rest should be sub-contracted to a
simple sidekick, which will do the 1 second wait and then send back the
response on the connection and then close the connection.
In the meantime, the real useful webserver process can be available to
process the next request (which can be bogus again, but nothing to do about
this). No need for this real valuable complex process to spend his own time
waiting for 1 second, sending the 404, closing the connection etc..
And we do not really care if this sidekick, 404-sending-only process has a
backlog at some times, and sometimes takes longer than 1 second to finish off
this 404 response, do we ?

No, I guess not.


And..


If I'm understanding the point you are making, you're saying that delaying the 
404 response slows down the ability of the bots to collect information. The 
bots will *still* collect data, it will just take them longer to get the list 
of possible exploits?

Not knowing anything about the history of the HTTP 404 method, if a server does 
not find a matching request URI, why was it decided that the protocol would 
even respond at all?  Seems like the request could have just been ignored or 
dropped.

[Way OT...]
If you get this to work, then the next place you can take this idea is to the 
phone company.  Why should my phone even ring at all if I know the caller is 
from an 800 number... or from some other list of people I don't care to talk to 
... I would love it if those guys had to wait 10 or 20 seconds between rings... 
that would be great!!
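
Added example, not part of the original thread and not Tomcat code: the hand-off André describes, shown with the JDK's built-in com.sun.net.httpserver so it runs without a servlet container. The class name, port, page map and the MAX_PARKED cap (a bound added for the 10,000-request case raised earlier in the thread) are assumptions.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class Delayed404Server {

    // Constructed sample content: the only paths this demo server knows.
    private static final Map<String, String> PAGES = Map.of(
            "/", "home\n",
            "/about", "about\n");

    // Upper bound on 404 responses held back at once. Each parked response keeps
    // a socket open, so without a cap a flood of bad URLs would exhaust
    // connections instead of worker threads.
    private static final int MAX_PARKED = 1000;

    // The "sidekick": one scheduler thread that only sends delayed 404s.
    private final ScheduledExecutorService sidekick =
            Executors.newSingleThreadScheduledExecutor();
    private final AtomicInteger parked = new AtomicInteger();

    void handle(HttpExchange ex) {
        String body = PAGES.get(ex.getRequestURI().getPath());
        if (body != null) {
            send(ex, 200, body);              // real resource: answer immediately
            return;
        }
        if (parked.incrementAndGet() > MAX_PARKED) {
            parked.decrementAndGet();
            send(ex, 404, "not found\n");     // over the cap: fail fast, hold nothing
            return;
        }
        // Vary the delay between 0.5 s and 3 s, as suggested in the thread.
        long delayMs = ThreadLocalRandom.current().nextLong(500, 3001);
        sidekick.schedule(() -> {
            parked.decrementAndGet();
            send(ex, 404, "not found\n");
        }, delayMs, TimeUnit.MILLISECONDS);
        // Returning here frees the worker thread; the exchange stays open
        // until the sidekick completes it.
    }

    private static void send(HttpExchange ex, int status, String body) {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        // A HEAD response (the probe in this thread's subject line) has no body.
        boolean head = "HEAD".equals(ex.getRequestMethod());
        try {
            ex.sendResponseHeaders(status, head ? -1 : bytes.length);
            if (!head) {
                try (OutputStream out = ex.getResponseBody()) {
                    out.write(bytes);
                }
            }
        } catch (IOException e) {
            // Client gave up while waiting; nothing left to send.
        } finally {
            ex.close();
        }
    }

    public static void main(String[] args) throws IOException {
        Delayed404Server app = new Delayed404Server();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8081), 0);
        server.setExecutor(Executors.newFixedThreadPool(4)); // the "real" workers
        server.createContext("/", app::handle);
        server.start();
        System.out.println("listening on http://127.0.0.1:8081/");
    }
}
```

In a Tomcat webapp the same hand-off is available through Servlet 3.0 asynchronous processing (request.startAsync()), with the delayed completion scheduled the same way.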


RE: [OT] Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread Leo Donahue - RDSA IT
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: [OT] Tomcat access log reveals hack attempt: HEAD
/manager/html HTTP/1.0 404

Leo Donahue - RDSA IT wrote:
...


 [Way OT...]
 If you get this to work, then the next place you can take this idea is to the
phone company.  Why should my phone even ring at all if I know the caller is
from an 800 number... or from some other list of people I don't care to talk to
... I would love it if those guys had to wait 10 or 20 seconds between rings...
that would be great!!


You know, you may just have stumbled upon the idea for the next killer app 
there.
The Phone-URLRewrite-App :

<if>currentCall.caller.phoneNumber.matches(/^800.*/)</if>
   <then>currentCall.redirect(agenda.entry("mother-in-law").phoneNumber)</then>

I don't think she would mind.  On the other hand, she could volunteer too 
much info by being chatty.  (good thing no one in my family reads this list...)



server.xml shutdown port command string

2013-04-17 Thread Leo Donahue - RDSA IT
In the Tomcat docs pertaining to security considerations, in the server.xml 
section, it talks about if the shutdown port is not disabled, a strong password 
should be configured for <b>shutdown</b>
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Server

In the Tomcat docs for configuration, the server.xml page talks about the 
shutdown attribute but uses the phrase command string.  Is the command 
string what is being called the password on the security-howto page?
http://tomcat.apache.org/tomcat-7.0-doc/config/server.html#Common_Attributes 

Leo



RE: explanation of resource-ref in web.xml

2013-04-17 Thread Leo Donahue - RDSA IT


From: Jakub 1983 [jjaku...@gmail.com]
Sent: Wednesday, April 17, 2013 7:26 PM
To: Tomcat Users List
Subject: explanation of resource-ref in web.xml

What the hell is resource-ref in web.xml used for ?


I use it in a context, to define a Resource such as a database connection.

There is an example here:  
http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html#MySQL_DBCP_Example
  





RE: resource-ref in web.xml

2013-04-17 Thread Leo Donahue - RDSA IT

From: Jakub 1983 [jjaku...@gmail.com]
Subject: resource-ref in web.xml

when I define database conn in context.xml, resource-ref is not needed at
all, so what is it actually for ?

**
You need something to lookup from your Java src file:

Context ctx = new InitialContext();
ds = (DataSource) ctx.lookup("java:comp/env/jdbc/whatever_you_called_this_in_resource-ref");
(res-ref-name that is)



RE: server.xml shutdown port command string

2013-04-17 Thread Leo Donahue - RDSA IT

From: Caldarale, Charles R [chuck.caldar...@unisys.com]
Subject: RE: server.xml shutdown port command string

 From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
 Subject: server.xml shutdown port command string

 Is the command string what is being called the password on the
 security-howto page?

Yes, they're the same thing; the text should be more consistent.  Note that the 
shutdown port is only used with IP address 127.0.0.1; it's not available 
outside of the box Tomcat is running on.

 - Chuck
*

If I am the only person deploying web apps (that I have developed), should I 
still consider changing this command string value to something more complex?

Leo



RE: Adding Content-Length response header

2013-03-28 Thread Leo Donahue - RDSA IT
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Adding Content-Length response header


All,

Here's the situation I have: I've got a response that I'm fairly sure fits into the
response's buffer size, and I'd like to send a Content-Length header in that
case. I could probably put a wrapper around the response's
ServletOutputStream that counts bytes and then looks for done conditions
(OutputStream.close, etc.), then adds a Content-Length header if the
response hasn't yet been committed.

What about using a ByteArrayOutputStream?  
It has a size method and you could use that in the response.setContentLength()  
and write out the ByteArrayOutputStream to your ServletOutputStream?  
Maybe?


Thanks,
- -chris



[OT] repos/asf/tomcat

2013-03-21 Thread Leo Donahue - RDSA IT
Trying to teach myself Subversion by way of the Eclipse plugin (Subversive SVN 
Team Provider, SVNKit 1.7.8 Implementation) and I'm looking at the tomcat 
repository and trying to understand what I'm seeing.

What is the difference between the trunk directory at the root of 
http://svn.apache.org/repos/asf/tomcat/ and the trunk directory in the 
/tc7.0.x/ ?

/repos/asf/tomcat/   is the repository?
/tc7.0.x/            is the project in that repository?

Of course, my eclipse subversion plugin only gives me a local repository, so 
perhaps Subversion running in a web server is slightly different than what I 
can do with this plugin?  Sorry for the OT post.

Leo



RE: [OT] repos/asf/tomcat

2013-03-21 Thread Leo Donahue - RDSA IT
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Subject: Re: [OT] repos/asf/tomcat

On 21/03/2013 16:53, Leo Donahue - RDSA IT wrote:
 Trying to teach myself Subversion by way of the Eclipse plugin (Subversive
SVN Team Provider, SVNKit 1.7.8 Implementation) and I'm looking at the
tomcat repository and trying to understand what I'm seeing.

 What is the difference between the trunk directory at the root of
http://svn.apache.org/repos/asf/tomcat/ and the trunk directory in the
/tc7.0.x/ ?

 /repos/asf/tomcat/   is the repository?
 /tc7.0.x/            is the project in that repository?

 Of course, my eclipse subversion plugin only gives me a local repository, so
perhaps Subversion running in a web server is slightly different than what I
can do with this plugin?  Sorry for the OT post.

 Leo


http://tomcat.apache.org/svn.html

Mark


Thanks.

Repository structure !(necessarily)= project structure ?




RE: problems faced in deploying servlet

2013-03-19 Thread Leo Donahue - RDSA IT
-Original Message-
From: Satya Priya Das [mailto:am_sp...@yahoo.co.in]
Subject: problems faced in deploying servlet

I am a retd. software person, worked with autocoder, COBOL, assembler, c, and
now trying to learn java, I am using Java for the Web with Servlets, jsp, and EJB
by Budi Kurniawan, but unfortunately the tomcat v4 has been used in the
book for examples.
Downloading of tomcat6.0.36, and installing of tomcat has been done
successfully. The example in chapter one has been compiled and tested o.k. The
servlet context example compiled and deployed successfully.
Now the example for RequestDemoServlet has been compiled o.k, but when
I want to deploy the example with index.html file using action element, the
source not found message is displayed. I have used alias name, class name,
even url-mapping but result is same.
A directory myapp has been created under which subdirs are build, doc, web
and build.xml build.properties file. The web.xml file created as per book with
//DTDWeb application 2.3//en. Pl. guide me how I can trace the causes of
resource not found message.
Thanks
s.p.das

I looked up your book online using Google Books.  I can see on page 31 where 
your project starts, but it skips the rest of the pages to page 34.  I'm 
guessing this line is your problem:

<FORM ACTION=servlet/ResponseDemoServlet METHOD=POST>

Tomcat 4 had something called the invoker servlet turned on by default, which 
meant requests were passed through the mapping of:  servlet/someservletname.
Tomcat 6 doesn't have that on by default anymore, and you should leave it that 
way.

All you need to do is update the url-mapping for your form's action to the 
correct url pattern, based on how you deployed your myapp and how you 
referenced this servlet in your web.xml. 

You are likely going to be confused throughout this book if all the examples 
are based on Tomcat 4.  I don't know anyone still putting HTML code in 
out.println statements.  Can you afford to get a newer book on JSP/Servlets?  
There are also semi-decent websites that have some newer content.

Leo




RE: tomcat 6.0.35 in production maintaince

2013-03-12 Thread Leo Donahue - RDSA IT
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Subject: RE: tomcat 6.0.35 in production maintaince

 From: fachhoch [mailto:fachh...@gmail.com]
 Subject: tomcat 6.0.35 in production maintaince

 How can I detect in advance that my app is using up all available memory ?

Monitor the JVM with any of a myriad of tools, such as VisualVM.

http://wiki.apache.org/tomcat/FAQ/Memory
http://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics

 This out of memory perm gen space error could this be because of some
 memory leak ?

Pretty much guaranteed that one or more of your webapps is leaking.


The default permgen space is 64MB.  

Could it also run out of permgen space if you deploy many web applications that 
don't leak, which exhausts the default permgen memory allocation?  Is the 
wording on this page accurate?
http://docs.oracle.com/javase/6/docs/technotes/guides/visualvm/monitor_tab.html

[quote]
PermGen. The PermGen graph displays changes in the permanent generation area 
over time. The permanent generation is the area of the heap where class and 
method objects are stored. If an application loads a very large number of 
classes, then the size of the permanent generation might need to be increased 
using the -XX:MaxPermSize option.
[/quote]

Leo




[OT] Console when running as a service.

2013-03-11 Thread Leo Donahue - RDSA IT
I would be curious to find out how many users run Tomcat from the console in a 
virtual machine environment.

When you remote into your virtual machine that is running Tomcat from the 
console, you must not be logging off of that session are you?  How do you keep 
the console window open, unless you just close the session?  When you remote 
back into your server after time passes, how do you know you will get the same 
session?

In our virtual environment, I've never been able to leave the console window 
running.  Something eventually kills the console window, so we've been running 
it as a service.

Leo




JAVA_OPTS catalina.bat vs tomcat7w.exe

2013-02-25 Thread Leo Donahue - RDSA IT
If I've asked this question before, my apologies.

What is the difference between setting Java_OPTS in catalina.bat vs using the 
tomcat7w.exe with -D options in the Java Tab if you installed Tomcat as a 
windows service?

Leo



RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

2013-02-25 Thread Leo Donahue - RDSA IT

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

 From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
 Subject: JAVA_OPTS catalina.bat vs tomcat7w.exe

 What is the difference between setting Java_OPTS in catalina.bat vs
 using the tomcat7w.exe with -D options in the Java Tab if you
 installed Tomcat as a windows service?

The latter is useful, the former isn't.  Services do not use environment
variables.

 - Chuck

If running Tomcat 7.0.37 as a windows service, and using the tomcat7w.exe to 
set the options, are these wrong?

Java Options:
-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
-Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
-Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
-Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
-Djava.opts=-XX:PermSize=128m -XX:MaxPermSize=384m

Initial memory pool:  256MB
Maximum memory pool: 512MB




RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

2013-02-25 Thread Leo Donahue - RDSA IT


-Original Message-
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

If running Tomcat 7.0.37 as a windows service, and using the tomcat7w.exe to
set the options, are these wrong?

Java Options:
-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
-Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
-Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
-Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
-Djava.opts=-XX:PermSize=128m -XX:MaxPermSize=384m

Wrong..

Just remove -Djava.opts=

Should be:

-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
-Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
-Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
-Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
-XX:PermSize=128m
-XX:MaxPermSize=384m




RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

2013-02-25 Thread Leo Donahue - RDSA IT
-Original Message-
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
Subject: Re: JAVA_OPTS catalina.bat vs tomcat7w.exe

Chuck, I have similar settings, and so far, so good (no abuse/attack), and I
recently re-added jmx settings in tomcat7w.exe for my app...just to routinely
check performance and/or memory-used by the app, while running on
production server.

can you please clarify 'the server is open to abuse from pretty much anyone
who can reach it'? can you refer to me a blog or an article that discusses app
abuse via jmx? 

http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html 




Help understanding log file contents

2013-02-24 Thread Leo Donahue - RDSA IT
1. What is the significance of GET requests with what seems like no resource 
request being made?  They all seem to come from the side of the globe.

such as:  

220.181.108.165 - - [23/Feb/2013:22:41:22 -0700] GET / HTTP/1.1 200 13258


2. Why do some people like making dozens of requests in a row to get the 
favicon?  Even if it was there, why do they want it?

such as:

75.171.44.236 - - [23/Feb/2013:21:40:49 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:53 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:54 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:54 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:55 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:55 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:55 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:55 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:56 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:57 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:40:58 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:06 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:06 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:10 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:14 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:14 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:16 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:16 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:20 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:20 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:23 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:23 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:35 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:35 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:55 -0700] GET /favicon.ico HTTP/1.1 404 6386
75.171.44.236 - - [23/Feb/2013:21:41:55 -0700] GET /favicon.ico HTTP/1.1 404 6386
many more...


3. Can I assume that com.esri.rest.catalog.CatalogServlet.service doesn't clean 
up after itself well?  This was the fifth occurrence of the same exception in 
localhost logs before I start getting out of memory errors.

such as:

Feb 24, 2013 5:46:57 AM org.apache.catalina.core.ApplicationDispatcher invoke
SEVERE: Servlet.service() for servlet catalog threw exception
com.esri.rest.HttpException: Service 'AGIS_MARICOPA' of type 'MapServer' does not exist or is inaccessible.
at com.esri.rest.catalog.CatalogServlet.service(CatalogServlet.java:176)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
at com.esri.rest.DispatchServlet.service(DispatchServlet.java:123)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.esri.rest.security.SecurityFilter.doFilter(SecurityFilter.java:79)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.esri.rest.RestFilter.doFilter(RestFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at 

RE: PermGen space errors

2013-02-23 Thread Leo Donahue - RDSA IT


From: Caldarale, Charles R [chuck.caldar...@unisys.com]
Subject: RE: PermGen space errors

 From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
 Subject: PermGen space errors

 Deploying a third party app is causing Out of Memory errors on
 our web server.

 Will increasing these: -Xms1024m -Xmx1024m -XX:PermSize=256m
 -XX:MaxPermSize=356m  just delay the inevitable?
 If the errors occur without redeployment, then it either really does need 
 more space, or it's simply losing track of classes it creates as part of 
 normal operation.
 - Chuck

The error occurs without redeployment.  Have been dealing with it since last 
weekend.

Since my last post, upgrading to 7.0.37 and to the latest Java 1.6.0_39, 
nothing in the logs out of the ordinary.  Except for this in catalina.  What 
are these?  Are these attempts to log into manager/html?

Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user admin
Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user admin
Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user tomcat
Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user admin


And this drives me crazy...

googlebots keep crawling for services that aren't deployed anymore... give up 
google..stop wasting my logs.

Feb 23, 2013 8:55:54 PM org.apache.catalina.core.ApplicationDispatcher invoke
SEVERE: Servlet.service() for servlet catalog threw exception
com.esri.rest.HttpException: Service 'AGIS_MARICOPA' of type 'MapServer' does not exist or is inaccessible.
at com.esri.rest.catalog.CatalogServlet.service(CatalogServlet.java:176)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
at com.esri.rest.DispatchServlet.service(DispatchServlet.java:123)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.esri.rest.security.SecurityFilter.doFilter(SecurityFilter.java:79)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.esri.rest.RestFilter.doFilter(RestFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1852)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)

They just keep hacking away at stuff that is not there..

66.249.74.65 - - [23/Feb/2013:20:55:54 -0700] GET /rest/services/AGIS_MARICOPA/MapServer

RE: PermGen space errors

2013-02-23 Thread Leo Donahue - RDSA IT

From: Leo Donahue - RDSA IT [leodona...@mail.maricopa.gov]
Sent: Saturday, February 23, 2013 9:08 PM
To: Tomcat Users List
Subject: RE: PermGen space errors

Since my last post, upgrading to 7.0.37 and to the latest Java 1.6.0_39, 
nothing in the logs out of the ordinary.  Except for this in catalina.  What 
are these?  Are these attempts to log into manager/html?

Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user admin
Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user admin
Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user tomcat
Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user admin

-

208.43.50.42 - - [23/Feb/2013:19:37:15 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 -
208.43.50.42 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 -

please don't do that.
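
Added example, not part of the original post and not Tomcat code: a Python check for the pattern visible in the two excerpts above, a burst of 401 responses on /manager/html from one address in the access log together with LockOutRealm warnings in the catalina log. The sample lines, addresses, threshold and window are constructed for illustration, and the access log is assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The request may or may not be wrapped in quotes, depending on the valve pattern.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"? '
    r'(?P<status>\d{3}) \S+$'
)
LOCKED_RE = re.compile(
    r'^WARNING: An attempt was made to authenticate the locked user "?(?P<user>[^"]+?)"?$'
)


def parse_access(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = ACCESS_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_auth_bursts(lines, prefix="/manager/", threshold=5,
                     window=timedelta(seconds=10)):
    """Map each source IP to its peak count of 401s on `prefix` inside one
    sliding window, keeping only IPs that reach `threshold`."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_access(line)
        if rec is None:
            continue
        ip, ts, _method, path, status = rec
        if status != 401 or not path.startswith(prefix):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def locked_user_attempts(lines):
    """Count LockOutRealm warnings per user name being tried."""
    counts = defaultdict(int)
    for line in lines:
        m = LOCKED_RE.match(line.strip())
        if m:
            counts[m["user"]] += 1
    return dict(counts)


# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE_ACCESS = """\
203.0.113.7 - - [23/Feb/2013:19:37:15 -0700] HEAD /manager/html HTTP/1.0 401 -
203.0.113.7 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
203.0.113.7 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
203.0.113.7 - - [23/Feb/2013:19:37:16 -0700] HEAD /manager/html HTTP/1.0 401 -
203.0.113.7 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 -
203.0.113.7 - - [23/Feb/2013:19:37:17 -0700] HEAD /manager/html HTTP/1.0 401 -
198.51.100.20 - - [23/Feb/2013:19:40:02 -0700] "GET /manager/html HTTP/1.1" 401 2536
198.51.100.20 - - [23/Feb/2013:19:40:09 -0700] "GET /manager/html HTTP/1.1" 200 14021
192.0.2.44 - - [23/Feb/2013:21:40:49 -0700] GET /favicon.ico HTTP/1.1 404 6386
""".splitlines()

SAMPLE_CATALINA = """\
Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user admin
Feb 23, 2013 7:37:16 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user admin
Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user tomcat
Feb 23, 2013 7:37:17 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user admin
""".splitlines()

if __name__ == "__main__":
    for ip, peak in find_auth_bursts(SAMPLE_ACCESS).items():
        print(f"{ip}: {peak} failed logins on /manager/ within 10s")
    for user, n in locked_user_attempts(SAMPLE_CATALINA).items():
        print(f"locked user {user!r} tried {n} more time(s)")
```

A single mistyped password from an administrator (the 198.51.100.20 lines) stays under the threshold, while the scripted run of HEAD requests is reported.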



RE: Build vs. buy (Was: [Seriously OT] Help in diagnosing server unresponsiveness)

2013-02-12 Thread Leo Donahue - RDSA IT
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Build vs. buy (Was: [Seriously OT] Help in diagnosing server
unresponsiveness)

Re-writing just because a piece of code has become out-of-touch with current 
standards or because nobody understands how it works is entirely wasted effort.

- -chris

And, not to mention the technology an application uses eventually reaches EOL, 
then what?  It's easier to keep it limping along until the point at which 
someone decides it's worth spending money to update it.

It has been my observation that the trend where I work is buy and try to 
configure or enhance the product to make it do something it didn't do before, 
because I believe some people think building solutions are too complex or too 
costly.  

Buying and maintaining in my opinion is harder when the vendor product changes. 
 You end up building additional  complex functionality around a product that 
did not do 100% of what you wanted when you bought it, now the vendor changes 
something and you're faced with nearly redoing everything you did before to 
keep maintenance on the current vendor product version.


RE: docBase

2013-01-16 Thread Leo Donahue - RDSA IT
-Original Message-
From: Pid [mailto:p...@pidster.com]
Subject: Re: docBase

On 11/01/2013 20:24, Leo Donahue - RDSA IT wrote:
 Tomcat 7.0.34
 Java 1.6.0_35

 Can the document base of a context be an administrative share?

Yes.  But I would not encourage it.  2nd only to NFS for causing random errors.

Unless you have a massive number of images totalling large amounts of data,
it would be better to arrange a periodic sync job to copy images across to each
node.


p


Thank you sir.

What if one suffers from having conservatively configured nodes?  The amount of 
image cache we would want to create would not fit on any of our webservers.  
Our web servers are virtualized and have only a few GB of storage.


Moving off topic:

How does google do this:  
http://mt1.google.com/vt/lyrs=m@20500hl=ensrc=appx=11y=25z=6s=Ga  do 
you think these images are sitting on every node?  And what if google wanted to 
include an option to view aerial photos for each year for the past ten years?  
That becomes a lot of data that lives on each node?  

In the example above, when a user requests an image tile from google, you can't 
tell whether that image lives on the webserver, or whether the webserver 
fetches that image from a share on another server.

I have a lot of room on my NAS, but not on my webservers.  When we cache images 
for just our county, depending on how many scale levels I create and tile size, 
I can end up with several hundred GB for just a single year of aerial photos.  
Reading those images on local (webserver) storage vs network storage is what 
I'm trying to decide.





RE: docBase

2013-01-11 Thread Leo Donahue - RDSA IT
-Original Message-
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Subject: docBase

Tomcat 7.0.34
Java 1.6.0_35

Can the document base of a context be an administrative share?

Ex:
\\servername\share$\somedirectory

I run tomcat as a service using a local account on webserver1, that same local
account has read access to the administrative share (checked the passwords
to make sure they were the same), but I'm getting an
illegalArgumentException in the logs.  The local account has share access and
permissions on the \\servername\share$ root directory.

Leo

Never mind.  It always takes a post to find the error right after I hit send.




RE: docBase

2013-01-11 Thread Leo Donahue - RDSA IT
-Original Message-
From: David kerber [mailto:dcker...@verizon.net]
Subject: Re: docBase

On 1/11/2013 3:28 PM, Leo Donahue - RDSA IT wrote:
 -Original Message-
 From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
 Subject: docBase

 Tomcat 7.0.34
 Java 1.6.0_35

 Can the document base of a context be an administrative share?

 Ex:

 \\servername\share$\somedirectory

 I run tomcat as a service using a local account on webserver1, that
 same local account has read access to the administrative share
 (checked the passwords to make sure they were the same), but I'm
 getting an illegalArgumentException in the logs.  The local account
 has share access and permissions on the \\servername\share$ root
directory.

 Leo

 Never mind.  It always takes a post to find the error right after I hit send.

Care to share your findings?


I take it all back.  The typo in my context file I thought was the problem, was 
not it.

In Tomcat 7.0.34 I had a context file in conf/Catalina/localhost called 
output.xml

The docBase attribute was:  docBase="\\servername\share$\gisoutput"

The purpose was to create a virtual output directory on Tomcat to read images 
from the network share.  Something like http://servername/output/someimage.png

Tomcat 7.0.34 was installed as a service using the service.bat, and the service 
was running under a local account on the webserver, not a local system account, 
one I created.  The docBase was pointing to an administrative share on another 
storage server.  I created the same local account on that storage server, and 
gave share and security permissions to that share.  Then I started Tomcat 
7.0.34 and got that exception in the log file.

For the heck of it, I removed the 7.0.34 service and installed 7.0.32.  The 
exact same setup is working in 7.0.32

Is the $ causing an issue?




RE: Context Path for a subdirectory

2012-12-03 Thread Leo Donahue - RDSA IT
___
From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Friday, November 30, 2012 8:13 PM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory


Leo,

On 11/30/12 5:52 PM, Leo Donahue - RDSA IT wrote:
 Ok, so before I upgraded to Tomcat 7.0.33 to use the container
 supplied remote address filter, what were my options to restrict
 access to just a subdirectory of a web app in Tomcat 6.0.35?

Please remember that you aren't protecting a directory. Ever. You are
protecting a url-pattern and nothing more. 
- -chris

1st, sorry for the format, I'm on vacation and webmail doesn't format replies 
the way I'd like.
(sorry chuck, not taking your advice from before on getting out more.  maybe 
tomorrow...)

I have heard this before, and now I'm beginning to understand why I keep 
hearing this same comment.  I now realize my choice of words in describing what 
I was trying to do leads to this comment.

As many times as I've heard, you're not protecting a directory, and some other 
people use the phrase 'resource'... I always thought that there was some trick 
to getting by the url-pattern that no one wanted to mention.

As far as the URL vs directory, the server is pretty locked down - so I'm told, 
and the IP I use is the IP of the host.  

Ultimately I wanted to restrict access to the URL /rest/admin to requests made 
by the local host only to that URL.

webapps
  rest
www
  admin

Leo



RE: Context Path for a subdirectory

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Friday, November 30, 2012 12:23 AM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory

 On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote:
 Reading the docs:
 http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

 ..The web application used to process each HTTP request is
 selected by
 Catalina based on matching the longest possible prefix of the
 Request URI against the context path of each defined Context.
 If I have a webapp, with a www directory, and in that www
 directory are
 other directories, how would I restrict access to one of those
 subdirectories to the localhost?
 webapps
   webapp1
-WEB-INF
  -classes
  -lib
-www
  -directory1
  -directory2

 Is the context path of directory1:  /webapp1/directory1

 Would I create a context named directory1.xml such as the following?

 <?xml version="1.0" encoding="UTF-8"?>
 <Context antiResourceLocking="false" privileged="true"
   path="/webapp1/directory1">

   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
     allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
 </Context>


 Of course you'll still have to map the filter to the correct context
 for directory1 in

 webapps
  webapp1
   -WEB-INF
 -classes
 -lib
   -www
 -directory1
 -directory2


 <filter-mapping>
   <filter-name>Remote Address Filter</filter-name>
   <url-pattern>(??)</url-pattern>
 </filter-mapping>

 and (??) is  ?

 ;-)


 Sadly, it's advertised in the help section.

 http://planning.maricopa.gov/sdk/rest/gettingstarted.html  scroll to bottom 
 of the page.

 I could surgery out bullet #7 I suppose, but I'm counting on the filter to 
 work.


Ah well, that is what the user enters, which does not necessarily match the 
layout of your application.
But did I misunderstand, or did you want to have the IP filter apply only to 
the subdirectory in question ?  

Yes, I wanted the IP filter to apply only to 
http://planning.maricopa.gov/rest/admin

I was confused in thinking that if I used a url-pattern, in a context file, of 
/rest/admin that it would restrict access to just admin - based on the longest 
matching prefix - but it restricted access to all of /rest

My trick question was about how you would specify the url-pattern so that it 
applies only to:
(webapps)/webapp1/www/directory1 
(and not to
(webapps)/webapp1/www/directory2 for instance).


Using the Container provided Remote Address Filter was a good reason to upgrade 
to Tomcat 7.0.33 from 6.0.35.

If I can tag another question on the end of this thread:

The Remote Address Filter has an option to set the denyStatus from 403 to 404, 
or whatever.  In general, I'm guessing it's better to respond that a restricted 
resource is not found, rather than respond that is it there but forbidden? 
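
Added example, not from the thread and not Tomcat's own code: a Python model of how a filter-mapping url-pattern is matched against the path inside the context, combined with the allow expression quoted above, to show which requests a mapping would deny. The /admin/* pattern, the function names and the client addresses are assumptions for illustration; only the allow and denyStatus settings are modelled.

```python
import re

# allow expression as quoted in the thread; it must match the whole address
ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"


def url_pattern_matches(pattern, path):
    """Servlet-style mapping rules: '/x/*' prefix, '*.ext' extension, else exact."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        # '/admin/*' covers '/admin' and '/admin/...', but not '/administrator'
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern


def filter_decision(request_uri, remote_addr, context_path, url_pattern,
                    allow=ALLOW, deny_status=403):
    """Return deny_status if the modelled filter rejects the request,
    or None if the filter is not mapped to it or lets it through."""
    in_context = (request_uri == context_path
                  or request_uri.startswith(context_path + "/"))
    if context_path and not in_context:
        return None                       # request belongs to another webapp
    # The pattern is compared with the URL path after the context path.
    # The directory layout on disk (www/admin, ...) never enters into it.
    path_in_context = request_uri[len(context_path):] or "/"
    if not url_pattern_matches(url_pattern, path_in_context):
        return None
    if re.fullmatch(allow, remote_addr):
        return None
    return deny_status


def demo():
    """Constructed requests against the /rest context."""
    outside = "203.0.113.9"               # constructed non-local client
    return [
        # (description, result)
        ("local client, /admin/*",
         filter_decision("/rest/admin/login", "127.0.0.1", "/rest", "/admin/*")),
        ("remote client, /admin/*",
         filter_decision("/rest/admin/login", outside, "/rest", "/admin/*")),
        ("remote client, other URL, /admin/*",
         filter_decision("/rest/services/x", outside, "/rest", "/admin/*")),
        # A mapping of '/*' covers every URL of the webapp, which is also
        # the scope of a Valve placed on the Context (a Valve has no url-pattern).
        ("remote client, other URL, /*",
         filter_decision("/rest/services/x", outside, "/rest", "/*")),
        ("remote client, /admin/*, denyStatus 404",
         filter_decision("/rest/admin", outside, "/rest", "/admin/*",
                         deny_status=404)),
    ]


if __name__ == "__main__":
    for description, result in demo():
        print(f"{description:45} -> {result if result else 'passed on'}")
```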





RE: Context Path for a subdirectory

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Friday, November 30, 2012 8:20 AM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory

Leo Donahue - RDSA IT wrote:

 If I can tag another question on the end of this thread:

 The Remote Address Filter has an option to set the denyStatus from 403 to
404, or whatever.  In general, I'm guessing it's better to respond that a
restricted resource is not found, rather than respond that is it there but 
forbidden?


Purely personal opinion : by doing this, you kind of violate the spirit of 
the HTTP
specification, and you create some confusion at the technical level.
And, essentially, you are lying to the client.
So, in general, it is not better.

But hey, it's your server, so you're free to return whatever you believe is 
most appropriate.
Within limits though. For example, if somewhere you provide a link to that 
section for
some people, but when they click on it, they get a not found, they may think 
that your
application isn't working, or that your documentation is incorrect.  While if 
they get a
forbidden, they may realise that they need to ask for a permission.


Why is denyStatus an option?  Why would someone use it?

Leo




RE: Context Path for a subdirectory

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, November 30, 2012 8:32 AM
To: Tomcat Users List
Subject: RE: Context Path for a subdirectory

 From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
 Subject: RE: Context Path for a subdirectory

 Why is denyStatus an option?  Why would someone use it?

Because some people still believe in security through obscurity.

 - Chuck

Security AND obscurity...  only those that need to know. I can get in line with 
that.  Why give someone a target to work on if you tell them they are forbidden.




Error page messages

2012-11-30 Thread Leo Donahue - RDSA IT
Are there standardized server responses that one should expect to see when 
dealing with java.lang, javax.servlet and javax.faces exceptions that should be 
displayed to the client?

I don't know that I would expect to see any of these on a public website, as I 
am likely not to care what happens on the server I'm browsing, as long as the 
server can recover/redirect.

Leo


RE: Error page messages

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: Pid [mailto:p...@pidster.com]
Sent: Friday, November 30, 2012 3:04 PM
To: Tomcat Users List
Subject: Re: Error page messages

On 30/11/2012 21:00, Leo Donahue - RDSA IT wrote:
 Are there standardized server responses that one should expect to see
when dealing with java.lang, javax.servlet and javax.faces exceptions that
should be displayed to the client?

You mean status codes or error pages?

Error pages.


If an exception isn't handled* by the app then it's 500 and a stacktrace if you
haven't configured a custom error page.  Those packages probably have a few
tens of exceptions that could be thrown.


 I don't know that I would expect to see any of these on a public website, as 
 I
am likely not to care what happens on the server I'm browsing, as long as the
server can recover/redirect.

Catch them at the appropriate point in your code, or configure a custom error 
page.

And what kind of information does one show the user in a custom error page?  I 
don't know of any public facing websites, off hand, that show uncaught 
exception messages.  I was just trying to decide what I would show, if 
anything, if I configured a custom error page for certain types of exceptions, 
such as java.lang, or javax.servlet, or javax.faces.



p


* uncaught exception is the usual term.





RE: Error page messages

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: Pid [mailto:p...@pidster.com]
Sent: Friday, November 30, 2012 3:13 PM
To: Tomcat Users List
Subject: Re: Error page messages

On 30/11/2012 22:09, Leo Donahue - RDSA IT wrote:
 -Original Message-
 From: Pid [mailto:p...@pidster.com]
 Sent: Friday, November 30, 2012 3:04 PM
 To: Tomcat Users List
 Subject: Re: Error page messages

 On 30/11/2012 21:00, Leo Donahue - RDSA IT wrote:
 Are there standardized server responses that one should expect to
 see
 when dealing with java.lang, javax.servlet and javax.faces exceptions
 that should be displayed to the client?

 You mean status codes or error pages?

 Error pages.


 If an exception isn't handled* by the app then it's 500 and a
 stacktrace if you haven't configured a custom error page.  Those
 packages probably have a few tens of exceptions that could be thrown.


 I don't know that I would expect to see any of these on a public
 website, as I
 am likely not to care what happens on the server I'm browsing, as
 long as the server can recover/redirect.

 Catch them at the appropriate point in your code, or configure a custom
error page.

 And what kind of information does one show the user in a custom error
page?  I don't know of any public facing websites, off hand, that show
uncaught exception messages.  I was just trying to decide what I would show,
if anything, if I configured a custom error page for certain types of 
exceptions,
such as java.lang, or javax.servlet, or javax.faces.

A polite message saying oops, or a fail whale, or a unicorn...


p

Good options, and very tempting.

Maybe one of these?  

http://tinyurl.com/bvl2gko 




RE: Error page messages

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, November 30, 2012 3:19 PM
To: Tomcat Users List
Subject: Re: Error page messages


Leo,

On 11/30/12 5:09 PM, Leo Donahue - RDSA IT wrote:
 -Original Message- From: Pid [mailto:p...@pidster.com]
 Sent: Friday, November 30, 2012 3:04 PM To: Tomcat Users List
 Subject: Re: Error page messages

 On 30/11/2012 21:00, Leo Donahue - RDSA IT wrote:
 Are there standardized server responses that one should expect to
 see
 when dealing with java.lang, javax.servlet and javax.faces exceptions
 that should be displayed to the client?

 You mean status codes or error pages?

 Error pages.


 If an exception isn't handled* by the app then it's 500 and a
 stacktrace if you haven't configured a custom error page.  Those
 packages probably have a few tens of exceptions that could be thrown.


 I don't know that I would expect to see any of these on a public
 website, as I
 am likely not to care what happens on the server I'm browsing, as
 long as the server can recover/redirect.

 Catch them at the appropriate point in your code, or configure a
 custom error page.

 And what kind of information does one show the user in a custom error
 page?  I don't know of any public facing websites, off hand, that show
 uncaught exception messages.  I was just trying to decide what I would
 show, if anything, if I configured a custom error page for certain
 types of exceptions, such as java.lang, or javax.servlet, or
 javax.faces.

How about:

web.xml:
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/WEB-INF/uncaught-error.html</location>
</error-page>

uncaught-error.html:
<!DOCTYPE html>
<html>
<head><title>Error</title></head>
<body>
  <h1>Error</h1>
  <p>
Aw, crap.
  </p>
</body>
</html>

Yeah, I blew off some steam playing on dev port 8080 with some fun messages 
just now.

This whole time I thought by confusing my end users by taking them back to the 
web app's main page when an exception occurs was a bad idea. I really didn't 
want to tell them, hey, sorry but the javax.faces.View expired because you 
waited too long to do something productive.


You can put anything in there you want, man. If the stack trace seems too ugly
for you (it really is, honestly), then replace it with something else.

Need some inspiration? Try Google. Or
http://ux.stackexchange.com/questions/15955/how-to-create-a-useful-500-internal-server-error-page

- -chris



RE: Error page messages

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, November 30, 2012 3:28 PM
To: Tomcat Users List
Subject: RE: Error page messages

 From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
 Subject: RE: Error page messages

 I don't know of any public facing websites, off hand, that show
 uncaught exception messages.

You need to get out more ...

 - Chuck

+1





RE: Context Path for a subdirectory

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, November 30, 2012 3:39 PM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory


Chuck,

On 11/30/12 5:25 PM, Caldarale, Charles R wrote:
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Subject: Re: Context Path for a subdirectory

 I don't think it's specifically /un/supported.

 For instance, Tomcat should happily deploy both of these files:

 myapp.war myapp#static.war

 That's not what's being discussed.  You're describing logically nested
 paths, which is fully supported; the topic under discussion is
 physical (file system) nesting of one webapp inside another.

There's definitely some nomenclature confusion going-on in this thread. For
example:

 On 11/29/12 3:14 PM, Calderale, Charles R wrote:
 From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
  Subject: Context Path for a subdirectory

 If I have a webapp, with a www directory, and in that www directory
 are other directories, how would I restrict access to one of those
 subdirectories to the localhost?

 [...]

 Is the context path of directory1:  /webapp1/directory1

 No, it's /webapp1/www/directory1.

The context path for the webapp is /webapp1, not
/webapp1/www/directory1.

As you say, you can't just cause a new webapp context to spring-forth from
another by adding a context.xml file to it. Explicitly deploying a subdirectory
of an existing webapp using
CATALINA_BASE/conf/Catalina/localhost/webapp#www#directory1.xml with
path=${catalina.base}/webapps/webapp1/www/directory1 would probably
work, but it is, of course, totally stupid to do things that way.

I think OP was just trying to treat a subdirectory as a distinct webapp because
(maybe?) that seemed like an easier way to restrict access. I can imagine this
being conflated with, say, Apache httpd's ability to specify authentication
requirements by dropping an .htaccess file into a directory. Obviously that's
not how Tomcat does things.

I think this is yet another instance of someone not understanding that a
webapp is more than just set of files and subdirectories rooted somewhere
on the filesystem. Honestly, Leo should know better after all the time he's
been hanging around the list ;)

- -chris

Dang it.

Ok, so before I upgraded to Tomcat 7.0.33 to use the container supplied remote 
address filter, what were my options to restrict access to just a subdirectory 
of a web app in Tomcat 6.0.35?

I'll admit, contexts are confusing to me.  You can create contexts in 
conf\Catalina\localhost that map to places that are not even in the webapps 
folder, but expose themselves as a URL to the end user. My thought was if I 
could create a context that mapped to a subdirectory, I could create a valve 
that restricted access to that URL.

What is the right way to do this in Tomcat 6.0.35?


RE: Context Path for a subdirectory

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, November 30, 2012 4:04 PM
To: Tomcat Users List
Subject: RE: Context Path for a subdirectory

 From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
 Subject: RE: Context Path for a subdirectory

 what were my options to restrict access to just a subdirectory of a
 web app in Tomcat 6.0.35?

Using just spec-provided mechanisms, such access can be limited to specific
users by including the appropriate security constraint elements in the
webapp's WEB-INF/web.xml.  The wrinkle you want is to limit by IP address,
which is not a capability the servlet spec covers.

 I'll admit, contexts are confusing to me.

The main thing to remember is that each webapp (context) is expected to be
physically separate from all other webapps.  (This has nothing to do with the
URLs used to access the webapps, just the location of the webapps in the
server's file system, database, memory, paper tape, or whatever medium
they're stored on.)

 What is the right way to do this in Tomcat 6.0.35?

Probably the easiest is just to pick up the filter from Tomcat 7 and use it in 6.
The SecurityFilter from sourceforge might be able to do it, but I'm not sure
(Chris should know).

 - Chuck


I considered the security constraint, but wouldn't that have required me to set 
up SSL (for a secure user/password submittal) and get someone to pay for a 
public certificate - which would probably not happen.  Sure, I could generate a 
cert myself.  But I would still have to convince our office of enterprise tech 
that leaving an admin related webapp visible to the public is ok 
(authentication enabled or not).  The last admin related webapp on our site had 
to be restricted by a valve, but that was for the whole context.

The software company that we use also provides these kinds of web services to 
the whole world.  They don't even bother restricting their /rest/admin 
directory, which really surprises me.  Maybe I'm being paranoid by trying to 
one up them.

http://services.arcgisonline.com/ArcGIS/rest/services 

http://services.arcgisonline.com/ArcGIS/rest/admin 




RE: Context Path for a subdirectory

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Friday, November 30, 2012 4:45 PM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory

Maybe a bit of lateral thinking here.
What does the admin webapp really do ?  For what it is doing, does it need to
even live in the same website/host as the main application ?
If its actions are confined to managing some files on disk, or some data in a
back-end database, maybe it can do that without being really integrated into
your main application ?
You could then set up a separate Host, running under SSL or whatever, to run
this admin part.  Its URL would never be visible under your main site.  And
you'd have all the flexibility to set up any security constraints you want,
without interfering with the main user site.


Fair question.

The rest web app was configured using a product called ArcGIS Server.  There 
are at least 4 servers involved in the end product you see.

Server 1 - The ArcGIS Server - This is where you publish map documents as web 
services, and where you can export the web services handler (rest.war) to a 
production web server.  Which I've done.
Server 2 - The ArcSDE Server - This is where the GIS data physically resides in 
a SQL Server.
Server 3 - The GIS Storage server - This is where Server 1 writes out the map 
images you see.  I have a context on Server  4 that maps to a share on Server 3 
as a virtual output directory.
Server 4 - The production Tomcat server - This is where I deploy the rest web 
app that is created from Server 1

Any changes that I make to the rest web app are done on Server 1, in which I 
then need to generate a new rest.war file to be deployed on Server 4.  Anything 
custom that I configure for the rest webapp, like the filter in web.xml, I have 
to remember to unpack the war file, make edits and re-pack it, or leave it 
exploded.  Changes can be things like adding new output directories, map cache 
directories, adding features like the ability to generate KMZ files for Google 
Earth, and there is even an option to configure deploying the rest.war file 
with a security store.

The rest/admin web app has one thing that I need, which is a clear cache 
feature.  Any new web services that you deploy, or changes you make to existing 
services such as changing the color of a feature or what not, have to have the 
cache cleared.

The way the Server 1 is configured, there are accounts that the rest/admin web 
app will take which let you do things like shutdown the services and other 
stuff, if you were able to brute force the rest/admin username/password.

Leo




RE: Context Path for a subdirectory

2012-11-30 Thread Leo Donahue - RDSA IT
-Original Message-
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Sent: Friday, November 30, 2012 5:02 PM
To: Tomcat Users List
Subject: RE: Context Path for a subdirectory


The way the Server 1 is configured, there are accounts that the rest/admin
web app will take which let you do things like shutdown the services and
other stuff, if you were able to brute force the rest/admin
username/password.


That would only do you any good if you knew the internal server name.  But I 
have to protect from internal threats as well, right?




Context Path for a subdirectory

2012-11-29 Thread Leo Donahue - RDSA IT
Reading the docs:  http://tomcat.apache.org/tomcat-7.0-doc/config/context.html 

..The web application used to process each HTTP request is selected by 
Catalina based on matching the longest possible prefix of the Request URI 
against the context path of each defined Context.

If I have a webapp, with a www directory, and in that www directory are other 
directories, how would I restrict access to one of those subdirectories to the 
localhost?

webapps
 webapp1
  -WEB-INF
    -classes
    -lib
  -www
    -directory1
    -directory2

Is the context path of directory1:  /webapp1/directory1

Would I create a context named directory1.xml such as the following?

<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true"
path="/webapp1/directory1">

  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
 allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>


Leo 







RE: Context Path for a subdirectory

2012-11-29 Thread Leo Donahue - RDSA IT
-Original Message-
From: Mark Eggers [mailto:its_toas...@yahoo.com]
Sent: Thursday, November 29, 2012 1:12 PM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory

On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote:
 Reading the docs:
 http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

 ..The web application used to process each HTTP request is selected by
 Catalina based on matching the longest possible prefix of the Request URI
 against the context path of each defined Context.

 If I have a webapp, with a www directory, and in that www directory are
 other directories, how would I restrict access to one of those subdirectories
 to the localhost?

 webapps
   webapp1
     -WEB-INF
       -classes
       -lib
     -www
       -directory1
       -directory2

 Is the context path of directory1:  /webapp1/directory1

 Would I create a context named directory1.xml such as the following?

 <?xml version="1.0" encoding="UTF-8"?>
 <Context antiResourceLocking="false" privileged="true"
 path="/webapp1/directory1">

   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
      allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
 </Context>


 Leo

How about:

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

In particular:


http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address_Filter


Although as has been discussed previously on the mailing list, the
regular expression is a bit simplistic.

. . . . just my two cents.
/mde/


Thank you Mark.

I realized the first reply I got might be why not try it, my question, which I 
did, and of course I had it wrong.

I thought of security-constraint right after I clicked send, but the filter 
will also work.

http://planning.maricopa.gov/rest - needed to restrict access to one directory 
of that webapp.  It's a third party app, but our data.

Leo




RE: Context Path for a subdirectory

2012-11-29 Thread Leo Donahue - RDSA IT


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Thursday, November 29, 2012 3:40 PM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory

Leo Donahue - RDSA IT wrote:
 -Original Message-
 From: Mark Eggers [mailto:its_toas...@yahoo.com]
 Sent: Thursday, November 29, 2012 1:12 PM
 To: Tomcat Users List
 Subject: Re: Context Path for a subdirectory

 On 11/29/2012 11:41 AM, Leo Donahue - RDSA IT wrote:
 Reading the docs:
 http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

 ..The web application used to process each HTTP request is selected by
 Catalina based on matching the longest possible prefix of the Request
 URI against the context path of each defined Context.

 If I have a webapp, with a www directory, and in that www directory are
 other directories, how would I restrict access to one of those
 subdirectories to the localhost?

 webapps
   webapp1
     -WEB-INF
       -classes
       -lib
     -www
       -directory1
       -directory2

 Is the context path of directory1:  /webapp1/directory1

 Would I create a context named directory1.xml such as the following?

 <?xml version="1.0" encoding="UTF-8"?>
 <Context antiResourceLocking="false" privileged="true"
 path="/webapp1/directory1">

   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
      allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
 </Context>


 Leo
 How about:

 http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

 In particular:


 http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address_Filter


 Although as has been discussed previously on the mailing list, the
 regular expression is a bit simplistic.

 . . . . just my two cents.
 /mde/


 Thank you Mark.

 I realized the first reply I got might be why not try it, my question, which
 I did, and of course I had it wrong.

 I thought of security-constraint right after I clicked send, but the filter
 will also work.

 http://planning.maricopa.gov/rest - needed to restrict access to one
 directory of that webapp.  It's a third party app, but our data.


Of course you'll still have to map the filter to the correct context for
directory1 in

webapps
  webapp1
   -WEB-INF
 -classes
 -lib
   -www
 -directory1
 -directory2


<filter-mapping>
   <filter-name>Remote Address Filter</filter-name>
   <url-pattern>(??)</url-pattern>
</filter-mapping>

and (??) is  ?

;-)


Sadly, it's advertised in the help section.

http://planning.maricopa.gov/sdk/rest/gettingstarted.html  scroll to bottom of 
the page.

I could surgery out bullet #7 I suppose, but I'm counting on the filter to work.



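The filter mapping asked about in the message above, as an added example (not code from any poster in the thread or from the Tomcat project): a fragment for webapp1's WEB-INF/web.xml that limits the www/directory1 subdirectory to loopback clients using Tomcat 7's Remote Address Filter. The directory names, the filter name and the allow expression are the ones used in the thread; the pattern is written relative to the context path /webapp1.

```xml
<!-- Added example: fragment of webapps/webapp1/WEB-INF/web.xml.
     Directory names and the allow expression are taken from the thread. -->

<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <!-- Regular expression that must match the whole client address;
         a request from any other address is refused with 403. -->
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
  </init-param>
</filter>

<!-- url-pattern is relative to the context path (/webapp1), so this covers
     /webapp1/www/directory1 and everything below it. -->
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/www/directory1/*</url-pattern>
</filter-mapping>

<!-- No mapping for /www/directory2/*: it stays reachable from any address. -->
```

Behind an HTTP reverse proxy on the same host, Tomcat sees every request as coming from the loopback address, so this mapping would let all of them through unless the real client address is restored first.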



Tomcat ROOT webapp homepage

2012-11-15 Thread Leo Donahue - RDSA IT
Who designed the Tomcat ROOT webapp homepage?

Was it just notepad as the design tool?

Leo




RE: Tomcat ROOT webapp homepage

2012-11-15 Thread Leo Donahue - RDSA IT
-Original Message-
From: Pid * [mailto:p...@pidster.com]
Sent: Thursday, November 15, 2012 2:25 PM
Subject: Re: Tomcat ROOT webapp homepage

On 15 Nov 2012, at 18:06, Leo Donahue - RDSA IT
leodona...@mail.maricopa.gov wrote:

 Who designed the Tomcat ROOT webapp homepage?

Which version? 7.0 = me.

Yes, sorry. 7.0.32

 Was it just notepad as the design tool?

Not notepad, why?

I like the layout and wanted to know how you came up with the rounded divs that 
look nice in Firefox.  I saw the css page that specified the rounded nature of 
those lower boxes (answered that myself since original post).  Too bad IE9 
can't get on the wagon and display those right.

What did you use to visualize the overall layout?  Or did you just sketch it 
out in your head?  Either way, nice work.

Leo


RE: Windows Service Security

2012-10-31 Thread Leo Donahue - RDSA IT
-Original Message-
From: Burn William [mailto:william.b...@willis.com] 
Sent: Wednesday, October 31, 2012 9:01 AM
To: users@tomcat.apache.org
Subject: Windows Service Security

Can the Tomcat service run as a standard user, 
Yes

does the user need elevated permissions, 
I don't believe so, I don't grant my standard user any specific privileges.

or does it require local administrator access?
No.  I wouldn't do that.

Leo
