Re: jsvc degrades performance in production

2009-02-26 Thread Peter Stavrinides
Hi,

I have read about similar issues in some old posts, and it appears to be 
related to the compilation of jsvc; you need to make sure it points to your 
JDK. Check what parameters you use when building jsvc. What version of Java are 
you using? It's also possible that it's picking up a JVM that does not support 
the -server argument. You can configure it with 
./configure --with-java=/path/to/jdk/

Good luck,
Peter

- Original Message -
From: Leon Rosenberg rosenberg.l...@googlemail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, 26 February, 2009 10:20:10 GMT +02:00 Athens, Beirut, 
Bucharest, Istanbul
Subject: Re: jsvc degrades performance in production

Just a question, if you are behind a loadbalancer, why wouldn't you
just run it as non-root user on a non-privileged port without jsvc?

regards
Leon

On Thu, Feb 26, 2009 at 3:31 AM, B.V. Prasad hi...@yahoo.com wrote:
 I am running Tomcat 6 on a group of Linux servers behind a loadbalancer. This 
 setup was working fine when I ran Tomcat as root. However, when I moved to 
 jsvc, the production servers started to become unavailable within a couple of 
 hours, serving thousands of requests. I had to restart them to be online 
 again, only to get into the same issue in a couple of hours. When switched 
 back to run as root, things were fine again. I could find no errors in any 
 logs.

 I found that jsvc uses client JVM (the servers are server-class VMWare 
 servers) by default. I am suspecting when I ran as root (startup.sh), Tomcat 
 used server JVM that gave better performance, while jsvc performed worse with 
 client JVM, causing my maxThreads (150) to exhaust, acceptCount (100) to fill 
 up and making tomcat to deny requests. I am guessing if I make jsvc to use 
 server JVM, my problem will go away. I appreciate if someone can validate 
 this theory or offer other clues before I try this in production. Of course, 
 I shall also try a stress test case.

 Thanks,
 BV Prasad




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





Re: PostgreSQL vs MySQL with Tomcat

2009-01-23 Thread Peter Stavrinides
> when they hit this kind of problem
> they assume it's a limitation of the kind of tools they are using

Exactly, mostly it's a suboptimal implementation of these technologies.

Our core business is reporting with complex risk modeling, we do intensive risk 
calculations on raw data using complex joins on millions of rows of data using 
page-long SQL queries at times, and they do just fine on Postgres (milliseconds 
to a few seconds at worst). Occasionally we use some C functions when speed is 
an issue, but SQL joins are hardly a bottleneck.

Peter  

- Original Message -
From: Chris Wareham cware...@visitlondon.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, 23 January, 2009 12:45:58 GMT +02:00 Athens, Beirut, Bucharest, 
Istanbul
Subject: Re: PostgreSQL vs MySQL with Tomcat

Jonathan Mast wrote:
 Perhaps the discussion should move back towards how Tomcat interacts with
 databases.
 

It would be more on topic, but a well architected web application will
have a data access layer that is not dependent on the Servlet API, both
for testability and reusability. While a data source may be configured
in Tomcat, the correct use of dependency injection would mean that the
data access layer shouldn't be concerned where the data source comes
from. To reiterate, database interaction is an architectural issue, not
a web container one.

 This thread seems to be damning MySQL for not having super advanced
 features, some of which should perhaps not even be in the purview of the
 database layer, but more appropriately belong at the application layer (ie.
 Tomcat).
 

No, many people damn MySQL for its lack of standards conformance and
idiosyncrasies that make it harder to maintain data integrity. I am
particularly wary of MySQL because of the way missing features have been
disingenuously described as unnecessary, and broken features as the
MySQL developers knowing better than everyone else.

 For example, I rewrote a report generator for my company.  The existing
 generator, a PHP + MySQL setup, was insanely slow and difficult to maintain
 being that it consisted of 1 php page containing hundreds of lines of code.
 I rewrote it in jsp + POJO and the new version runs much faster, because it
 doesn't have a single query with a JOIN clause in it.  The old generator had
 super complex queries that took forever to run and placed an enormous amount
 of load on the database server.  I achieved that same result of a JOIN by
 pushing that functionality up to the Java layer.
 
 Sure we can argue about which DBMS has the fastest JOINs but nonetheless it
 remains that JOIN queries will always be computationally expensive compared
 to single table queries.
 
 Well that's my 2 cents :)
 

By its very definition (see Codd or Date), an RDBMS should be capable
of performing joins with good performance. MySQL often struggles to do
so thanks to the poor optimiser, so you had to implement what should be
core functionality of an RDBMS in your application layer. Great. Did you
try explaining those queries to find out if reordering the joins would
give the performance you were looking for? Or is MySQL the only database
you are familiar with? This is the problem with much of the LAMP crowd -
they've never tried anything else, so when they hit this kind of problem
they assume it's a limitation of the kind of tools they are using, not
of the specific tools themselves.

Chris
--
 
Chris Wareham
Senior Software Engineer
Visit London Ltd



Re: PostgreSQL vs MySQL with Tomcat

2009-01-19 Thread Peter Stavrinides
> I realize that SQL isn't exactly the most widely adhered to standard

Perhaps!

But then again before the new ANSI SQL standard (particularly the ANSI SQL/92 
join syntax changes) this was far worse, MS-SQL 6.5 and Oracle (SQL/86 
standard) were horrendous and migrating was not fun, these days though 
Microsoft's T-SQL, Postgres, and ORACLE all use a very similar dialect, the 
only really major difference I can think of is T-SQL stored procedures, which 
have no counterpart in Postgres. In my modest experience though I have noticed 
the MySQL SQL dialect appears to be less similar.

Postgres, IMHO, was held back for many years by not having a Windows release 
version, but it's super competitive now and a really rock solid database. There 
is nothing substantial missing from Postgres that the big (or should I say 
expensive) guns have. It's enterprise scale and has great tools and extensions 
(like Slony replication). I personally would not pay for a database when there 
is Postgres for free.

Cheers
Peter


- Original Message -
From: Rusty Wright rusty.wri...@gmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Sunday, 18 January, 2009 08:09:54 GMT +02:00 Athens, Beirut, Bucharest, 
Istanbul
Subject: Re: PostgreSQL vs MySQL with Tomcat

It's a rewrite of an app I did awhile ago in php.

I think the biggest gripe I've had with mysql is the problem where I was 
violating a unique constraint and it was giving me some generic (completely 
useless) error; HY001 I think.

In various ways, which I can't articulate, MySQL just feels to me more 
amateurish compared to PostgreSQL.  With MySQL things are changed on an 
apparently ad-hoc basis and I've heard that they've broken backwards 
compatibility more than once.

I realize that SQL isn't exactly the most widely adhered to standard, but MySQL 
seems to be more divergent than [most of] the others.  When I had that 
HYwhatever error, I was completely stumped, so in order to troubleshoot it I 
copied the database to an MS SQL Server that I'd been using for something else. 
I remember having read somewhere that SQL Server is reasonably close to the SQL 
standard and I was amazed at how much work it took to translate my ddl and sql 
from MySQL to SQL Server.  (Apache DdlUtils and Hibernate could have helped 
with the ddl.)

I can't remember all of the various problems I've had with MySQL but here's one 
that seems typical; I started using it back when it was (or at least it seemed 
to me) more typical to edit user permissions by updating the mysql.users table, 
rather than using the GRANT command.  So I have these various sql files that 
insert stuff in the  mysql.users, mysql.db, and mysql.hosts tables and they 
have lots of 'y' and 'n' entries.  At some point they changed things and they 
had to be uppercase.  Previously I think they converted them to Y and N, but 
suddenly a newer version  accepted the lower case with no complaints but didn't 
convert them, and they didn't work (it was as if the ys were Ns); I could have 
been inserting any random letter or digit apparently.  That took some head 
scratching to figure out.

I had forgotten that Sun bought MySQL so it should be interesting to see how 
that plays out.  I heard that they're doing a major rewrite, starting from 
scratch, but going to keep it backwards compatible.


Christopher Schultz wrote:
 Rusty,
 
 Rusty Wright wrote:
 I'm in the process of migrating a MySQL database to PostgreSQL.
 
 Is this to cool-off your DBA's ears? ;)
 
 Seriously, if you could explain why you've decided to switch, I think it
 would help a lot of readers understand some of the differences between
 these two RDBMSs.
 
 - -chris
 



Re: PostgreSQL vs MySQL with Tomcat

2009-01-19 Thread Peter Stavrinides
Sorry my bad, absolutely correct.

> PostgreSQL does have support for stored procedures, you can even
> choose from 4 languages out of the box and 3 more from addons:
> http://www.postgresql.org/download/products/4.html.


- Original Message -
From: Kees de Kooter kdekoo...@gmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, 19 January, 2009 13:24:54 GMT +02:00 Athens, Beirut, Bucharest, 
Istanbul
Subject: Re: PostgreSQL vs MySQL with Tomcat

 the only really major difference I can think of is T-SQL stored procedures, 
 which have no counterpart in Postgres.

PostgreSQL does have support for stored procedures, you can even
choose from 4 languages out of the box and 3 more from addons:
http://www.postgresql.org/download/products/4.html.

PL/pgSQL is the closest to Oracle's PL/SQL and MS's T-SQL.




Re: Logging Tomcat errors

2008-11-16 Thread Peter Stavrinides
> You could configure your
> logging to only log the container level categories.

Categories seem useful! Will have to do some more reading... thanks a lot for 
this, it seems like the solution I am looking for! 

cheers,
Peter
- Original Message -
From: Kees Jan Koster [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, 14 November, 2008 8:37:56 PM GMT +02:00 Athens, Beirut, 
Bucharest, Istanbul
Subject: Re: Logging Tomcat errors

Dear Peter,

 I guess it should be easy enough to distinguish between severe  
 errors and ordinary errors, but how do you distinguish between 500  
 errors application runtime errors? I specifically want to report  
 errors that occur at the container level and not at the application  
 level... I hope this makes sense.

Each logged line has an associated category. You could configure your  
logging to only log the container level categories.

--
Kees Jan

http://java-monitor.com/forum/
[EMAIL PROTECTED]
06-51838192

Human beings make life so interesting. Do you know that in a universe
so full of wonders, they have managed to invent boredom. Quite
astonishing... -- Terry Pratchett


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Logging Tomcat errors

2008-11-14 Thread Peter Stavrinides
Hi all,

Can anyone point me in the right direction, I need to implement a logging and 
reporting mechanism for Tomcat (6.0.18 on Debian based Linux with JSVC).

I am thinking of using either Log4j or Juli logging for only severe errors. 
Ideal would be to send an alert when the server crashes (by logging to an email 
appender - I know log4j has this feature), other errors can go to a log file. 
Some documentation/advice would be a great help! 


cheers,
Peter




Re: Logging Tomcat errors

2008-11-14 Thread Peter Stavrinides
I guess it should be easy enough to distinguish between severe errors and 
ordinary errors, but how do you distinguish between 500 errors and application 
runtime errors? I specifically want to report errors that occur at the 
container level and not at the application level... I hope this makes sense.

Thanks
Peter 


- Original Message -
From: Charles R Caldarale [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, 14 November, 2008 5:32:17 PM GMT +02:00 Athens, Beirut, 
Bucharest, Istanbul
Subject: RE: Logging Tomcat errors

 From: Peter Stavrinides [mailto:[EMAIL PROTECTED]
 Subject: Logging Tomcat errors

 Can anyone point me in the right direction, I need to
 implement a logging and reporting mechanism for Tomcat
 (6.0.18 on Debian based Linux with JSVC).

What specifically do you need to know beyond what's in the doc?
http://tomcat.apache.org/tomcat-6.0-doc/logging.html
http://wiki.apache.org/tomcat/FAQ/Logging
http://wiki.apache.org/tomcat/HowTo#head-af688216137bbf0542fa3f599cd4c41dcba68056
http://wiki.apache.org/tomcat/HowTo#head-6e03ddcd16fff5f1900e5332f311ed7faa228119

 - Chuck





Error reporting

2008-10-21 Thread Peter Stavrinides
Hi everyone,

I am looking into implementing an error reporting mechanism that will translate 
errors into a notification via, say, an email. I am interested in errors that 
can't be handled by my application, like 500 (Internal Server Errors) and the 
like, which occur on the servlet container, i.e. Tomcat. Would I have to 
implement a valve? Any pointers would be much appreciated.

Thanks,
Peter




Re: Code Injection Tomcat 6

2008-05-29 Thread Peter Stavrinides
Hi Chris,

The crunch of your argument:

> I would argue that your data protection should occur at the business
> layer.
> ...
> Adding a single layer of security should not be considered a
> replacement for code and security reviews, unit testing, and user-level
> testing.

Unfortunately, you did not understand or have missed the point... it's not about 
forgoing coded checks, the key point here is to manage data security in a more 
efficient way. 

> Really? I wasn't aware that converting '<' to &lt; was that much of a
> bottleneck.

You naively assume the vendor's point of view here, encoding output is not 
always sufficient! 

>> data is now more complex
> Is it? The same attack vectors exist today than did several years ago,
> and the mitigations for those vectors are still the same.

Are you kidding? If you cannot see this then there is little point to this 
discussion and so many projects out there are simply a waste of time! 

Peter

- Original Message -
From: Christopher Schultz [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, 27 May, 2008 9:27:33 PM GMT +02:00 Athens, Beirut, Bucharest, 
Istanbul
Subject: Re: Code Injection Tomcat 6

Peter,

Peter Stavrinides wrote:
| The one problem though is that these arcane methods we have been
| using (encoding output, coding some validation checks, using prepared
| statements etc..) are not scalable enough

Really? I wasn't aware that converting '<' to &lt; was that much of a
bottleneck. In fact, this is certainly scalable because if you think
it's taking too much time on a single server, you can scale horizontally.

| data is now more complex

Is it? The same attack vectors exist today than did several years ago,
and the mitigations for those vectors are still the same.

| new technologies (AJAX,COMET,JSON,SOAP etc) are adding layers, and
| add significantly to the problem.

I respectfully disagree. A new interface (i.e. swapping SOAP for HTTP)
should not change your business logic in the slightest (which is where
any taint checking should occur). The same is true for presentation
logic: if you are using SOAP, your SOAP library ought to be converting
any output such that special characters (such as '<') are not dangerous.
The same can be said for web-page generation. If you are emitting web
pages, then your output technology should handle this for you (JSP, for
instance, does handle this for you if you follow the rules).

Adding a single layer of security should not be considered a
replacement for code and security reviews, unit testing, and user-level
testing.

| Preventing data interception is not
| so straightforward any more, without something available at the web
| server end of things, any security solutions we implement will always
| have holes and scalability issues.

I would argue that your data protection should occur at the business
layer, which should be insulated from the HTTP layer in the first place.
In that case, installing a prophylactic at the HTTP level would expose
your business logic to vectors that do not include HTTP (such as COMET
or SOAP).

| Security is somewhat of a moving
| target, I think we have to move on from these techniques... only when
| you have experienced a problem, do you feel compelled to give it the
| attention it requires. My query is not based on paranoia, I want a
| better way of managing the problem in the enterprise.

Actually, in this situation, paranoia is your friend. It's a good
motivator to review your systems to make sure that they react properly
when given potentially damaging inputs. That's what unit testing is for.

- -chris



Code Injection Tomcat 6

2008-05-23 Thread Peter Stavrinides
Hi everyone

What is the best approach to mitigate malicious code injection into HTML form 
components? 

I know that IIS has a security option to limit what can be posted to the 
server, does Tomcat have something similar? I am looking for a global solution 
of some sort, as I have too many active forms to secure individually, is this 
possible with a filter or valve, or a configuration setting? 

Thanks for your help!

Peter
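
An added example, not code from this thread: a servlet filter of the kind asked about in the message above, next to the output encoding Christopher Schultz describes in the reply earlier on this page. It assumes the Servlet 2.5 API (javax.servlet) that Tomcat 6 ships; the package, the class name, the `maxLength` init-param and the limits are hypothetical.

```java
package com.example.web; // hypothetical package

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical global input gate, mapped to every URL in web.xml:
//   <filter>
//     <filter-name>inputGate</filter-name>
//     <filter-class>com.example.web.InputGateFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>inputGate</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
public class InputGateFilter implements Filter {

    private int maxLength = 4096; // default; "maxLength" init-param is an assumption

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("maxLength");
        if (configured != null) {
            try {
                maxLength = Integer.parseInt(configured.trim());
            } catch (NumberFormatException e) {
                throw new ServletException("maxLength must be an integer", e);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            Enumeration<?> names = request.getParameterNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                boolean ok = acceptable(name);
                for (String value : request.getParameterValues(name)) {
                    ok = ok && acceptable(value);
                }
                if (!ok) {
                    // Reject before any application code sees the request.
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    // Coarse, context-free checks only: size, and control characters that no
    // form field should carry. The filter cannot know whether a '<' is
    // legitimate text or where the value will later be written, so it does
    // not try to strip markup; that is left to encoding at output time.
    boolean acceptable(String value) {
        if (value.length() > maxLength) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (Character.isISOControl(c) && c != '\t' && c != '\r' && c != '\n') {
                return false;
            }
        }
        return true;
    }

    // Output encoding for HTML element content and quoted attribute values.
    // Call it where the value is written into the page, not in the filter.
    public static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: passes the gate, yet still needs encoding
        // before it is written into an HTML page.
        String submitted = "Tom & \"Jerry\" <b>";
        System.out.println(new InputGateFilter().acceptable(submitted));
        System.out.println(encodeForHtml(submitted));
    }
}
```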




Tomcat Production Configuration

2008-05-06 Thread Peter Stavrinides
Hi All

My question concerns optimizing Tomcat.

Our setup is roughly this:
- Dual Quad Core with 8 gigs memory (4 gigs dedicated for Tomcat)
- Single instance of Tomcat6 
- Single web application (Java Servlet)
- AJP connector

A little about the application:
The site is relatively low volume, however traffic spikes when our newsletter 
is sent out. The application is complex and connects to a large research 
database serving a number of large pages with reports, charts, data tables etc, 
which are generated dynamically from live data... sessions tend to get quite 
large. My thinking is that I should be supporting in the region of 200 to 300 
sessions as a minimum.

So given this setup, how should I configure the connector with regards to: 
maxThreads and any other relevant attributes. I am thinking of about 300 
threads? I would be grateful for your advice.

Thanks for your help,

Peter






Re: Tomcat Production Configuration

2008-05-06 Thread Peter Stavrinides
Sorry I forgot to add:

<Connector port="8009" protocol="AJP/1.3"
           connectionTimeout="2"
           enableLookups="false"
           redirectPort="8443" maxThreads="300"/>

We also run under SSL, which is taken care of by Apache.


- Original Message -
From: Peter Stavrinides [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, 6 May, 2008 12:16:17 PM GMT +02:00 Athens, Beirut, Bucharest, 
Istanbul
Subject: Tomcat Production Configuration

Hi All

My question concerns optimizing Tomcat.

Our setup is roughly this:
- Dual Quad Core with 8 gigs memory (4 gigs dedicated for Tomcat)
- Single instance of Tomcat6 
- Single web application (Java Servlet)
- AJP connector

A little about the application:
The site is relatively low volume, however traffic spikes when our newsletter 
is sent out. The application is complex and connects to a large research 
database serving a number of large pages with reports, charts, data tables etc, 
which are generated dynamically from live data... sessions tend to get quite 
large. My thinking is that I should be supporting in the region of 200 to 300 
sessions as a minimum.

So given this setup, how should I configure the connector with regards to: 
maxThreads and any other relevant attributes. I am thinking of about 300 
threads? I would be grateful for your advice.

Thanks for your help,

Peter






Re: Cookie-less session tracking - whats are the downsides

2008-04-23 Thread Peter Stavrinides
This topic comes up on the list very frequently, you ask ten developers 
this question you may even get eleven opinions. Your answer is it 
depends on your use case and security requirements (for example: I may 
not care, in a shopping cart application, if I write a product id in the 
URL, but I may care about exposing a primary key for a user record in 
the URL)... these are subject to your implementation.


I suggest you do a little more reading and understand the history of 
cookies and URL rewriting, which may help you to understand why/why 
not/when to use them, because this is a highly subjective area, and when 
do developers agree about technology anyway! Personally though, I am 
prepared to sacrifice some compatibility in favour of security... on the 
other hand I also detest the over paranoid.


Peter


mfs wrote:

Guys,

I would want to know the downsides to using cookie-less sessions ? I want to
give my client the freedom to disable cookies on the browser if he chooses
to, but I would want to know the implications to that ?

Some say, exposing your sessionId in the url exposes it to hackers who can
spoof the IP (as of the victim) and provide the jsessionId (in the url) and
can gain control of the victim's session, but if you are using ssl, that
shouldn't be an issue.

Would someone comment on the real hazards/bottlenecks to the cookie-less
approach.

Thanks in advance and Regards,

Farhan.


  





Re: Error Page Question

2008-03-20 Thread Peter Stavrinides

oh no! even more work for me now... thanks anyway for your help guys!

Len Popp wrote:

You can't override the 503 error page using an error-page
declaration. :-(  The only way I know of to change it is to replace
org.apache.catalina.valves.ErrorReportValve with your own version,
which you specify in the errorReportValveClass attribute of the
Host element in server.xml. I haven't tried this, but it's
documented for Tomcat 5.5 and 6.0.
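
An added example, not part of the thread and not Tomcat's own code: a replacement error report valve of the kind Len Popp describes, which serves a fixed maintenance page for 503 and leaves every other status to the stock valve. It assumes the Tomcat 6.0 internal API (`report`, `getReporter`, `getContentCount`); the package, the class name, the page text and the Retry-After value are hypothetical.

```java
package com.example.valves; // hypothetical package

import java.io.IOException;
import java.io.Writer;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ErrorReportValve;

// Put the compiled class on Tomcat's own class path (for Tomcat 6,
// a jar in $CATALINA_HOME/lib), then name it on the Host in server.xml:
//
//   <Host name="localhost" appBase="webapps"
//         errorReportValveClass="com.example.valves.MaintenanceErrorReportValve">
public class MaintenanceErrorReportValve extends ErrorReportValve {

    // Static markup only. Nothing from the request (URI, headers, exception
    // message) is echoed, so the page cannot reflect attacker-supplied input
    // and does not reveal the server version or a stack trace.
    private static final String MAINTENANCE_PAGE =
            "<html><head><title>Site under maintenance</title></head>"
            + "<body><h1>Site under maintenance</h1>"
            + "<p>Please try again shortly.</p></body></html>";

    protected void report(Request request, Response response, Throwable throwable) {
        // Anything other than an untouched 503 goes to the default report.
        if (response.getStatus() != HttpServletResponse.SC_SERVICE_UNAVAILABLE
                || response.getContentCount() > 0) {
            super.report(request, response, throwable);
            return;
        }
        try {
            response.setContentType("text/html");
            response.setCharacterEncoding("utf-8");
            // Constructed value: ask well-behaved clients to retry in 10 minutes.
            response.setHeader("Retry-After", "600");
            Writer writer = response.getReporter();
            if (writer != null) {
                writer.write(MAINTENANCE_PAGE);
            }
        } catch (IOException e) {
            // The client has gone away; there is nothing left to report to.
        } catch (IllegalStateException e) {
            // The response was already committed; leave it as it is.
        }
    }
}
```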
  





Error Page Question

2008-03-19 Thread Peter Stavrinides

Hi all,

How do I display a friendly error page (503 site under maintenance) if 
my application is taken off-line? I understand how to override error 
pages with my application running, but can I, and where do I configure a 
503 when it's down, but Tomcat is still running.


Thanks
Peter







Re: Error Page Question

2008-03-19 Thread Peter Stavrinides
Oh thanks! That sounds quite simple... so I just add my error page 
descriptor in the ROOT application's web.xml and it will override.


David Delbecq wrote:

The easiest way I found out here was to use the 404 of the ROOT web
application ^^ to display a 'site under maintenance'.

You could also create a ROOT/webappname/index.html  to get same result



At the precise moment of 19/03/08 11:55, Peter Stavrinides expressed himself in
these terms:

Hi all,

How do I display a friendly error  page (503 site under maintenance) 
if my application is taken off-line? I understand how to override 
error pages with my application running, but can I, and where do I 
configure a 503 when its down, but Tomcat is still running.


Thanks
Peter







Re: Error Page Question

2008-03-19 Thread Peter Stavrinides
Unfortunately this solution doesn't solve it, I can only override 404 
pages?, for 503 pages it simply ignores the override in web.xml, anybody 
got any other suggestions?


Peter Stavrinides wrote:
Oh thanks! that sounds quite simple... so I just add my error page 
descriptor in the ROOT applications web.xml and it will override.


David Delbecq wrote:

The easiest way i found out here was to use the 404 of the ROOT web
application ^^ to display a 'site under maintenance'.

You could also create a ROOT/webappname/index.html  to get same result



At the precise moment of 19/03/08 11:55, Peter Stavrinides expressed himself in
these terms:

Hi all,

How do I display a friendly error  page (503 site under maintenance) 
if my application is taken off-line? I understand how to override 
error pages with my application running, but can I, and where do I 
configure a 503 when its down, but Tomcat is still running.


Thanks
Peter







Re: Using a custom method of session-id propagation

2008-03-05 Thread Peter Stavrinides
Tom this is 100% correct: there is no way to even instantiate a session 
object from a self-supplied session-id let alone replace the current 
session object in the HttpRequest. But I am still a little curious as 
to why Tomcat's generated session id is not adequate, is it purely 
because you can't get at it early enough?


I apologise Christopher for second guessing, but I just don't see what 
rewriting Tomcat's session management brings... you did say nevertheless 
that you don't recommend it, for good reason, this is tried and tested 
code that is central to the server's operation, I feel this task is 
'unthinkable' and will only introduce a host of problems and complexity.


After reading a little, Tomcat 5x onwards comes with session replication 
capabilities, which means there is some code which you can reference and 
write a valve that intercepts the request as soon as a new session is 
created and before it's sent back to the user in the response, an example 
of this being the ReplicationValve which ships with Tomcat. You can 
then persist it in a database or do whatever you want with it.


Maybe these can help a little:
http://www.onjava.com/pub/a/onjava/2004/11/24/replication1.html?page=last
http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html

Peter

Tom van Wietmarschen wrote:

L.S.,

I was wondering if it is possible to write a custom method of
propagating the session ID between HTTP requests. Specifically: we want
to store the session id in a X-ourcompanyname-sessionid header (we use a
custom http client so we can modify that to send the sessionid back in a
header).

The reason for this is that we have to deal with clients that are using
mobile data connections, and mobile phone operators sometimes feel the
need to mess with a clients cookies and sessions as well as doing other
kinds of nasty things in their proxies. Non-standard headers are usually
left alone.

I've been looking at a way to do this but I can't find a solution,
filters seem to be too late in the chain: a request object is already
created and there is no way to even instantiate a session object from a
self-supplied session-id let alone replace the current session object in
the HttpRequest.

Does anyone know if there is a way to write my own handlers for
retrieving and setting the current sessionid and have tomcat use that
instead of looking at the requesturl or cookies?

Sincerely,
   Tom van Wietmarschen







Re: Using a custom method of session-id propagation

2008-03-04 Thread Peter Stavrinides
The problem is that the server needs to be the one generating the 
session id for a number of reasons, i.e.: ensuring it is always unique 
and set correctly, and it's best left that way... so I think you're 
walking down a dark alley and it's not likely that the API would ever 
allow this as it opens up untold security holes.


Furthermore, without using a URL or cookies to transport the id how do 
you propose that the server should communicate it to an agent? ...not 
sure if XML over HTTP / SOAP could potentially provide a solution, but 
then again you have similar problems with proxies and firewalls etc. in 
any event.


Good luck,
Peter

Tom van Wietmarschen wrote:

L.S.,

I was wondering if it is possible to write a custom method of
propagating the session ID between HTTP requests. Specifically: we want
to store the session id in a X-ourcompanyname-sessionid header (we use a
custom http client so we can modify that to send the sessionid back in a
header).

The reason for this is that we have to deal with clients that are using
mobile data connections, and mobile phone operators sometimes feel the
need to mess with a clients cookies and sessions as well as doing other
kinds of nasty things in their proxies. Non-standard headers are usually
left alone.

I've been looking at a way to do this but I can't find a solution,
filters seem to be too late in the chain: a request object is already
created and there is no way to even instantiate a session object from a
self-supplied session-id let alone replace the current session object in
the HttpRequest.

Does anyone know if there is a way to write my own handlers for
retrieving and setting the current sessionid and have tomcat use that
instead of looking at the requesturl or cookies?

Sincerely,
   Tom van Wietmarschen







Re: Security and Performance Configuration

2008-02-26 Thread Peter Stavrinides

Hmm... AJP Connector is definitely an option.

Mark H. Wood wrote:

Well, IF you are sure you want to use Apache HTTPD to frontend Tomcat,
there's no reason for Tomcat to run an HTTP connector at all.  Just
use the AJP connector, and only allow it to listen to your frontend
service(s), or firewall it away from the Big Bad Internet.  (Or both.)

  





Re: Configuring the manager application for Tomcat 6

2008-02-13 Thread Peter Stavrinides
Wow it works that was easy!... thanks so much Charles!!! would have 
taken me forever to find this.


Peter

Caldarale, Charles R wrote:
From: Peter Stavrinides [mailto:[EMAIL PROTECTED] 
Subject: Configuring the manager application for Tomcat 6 

Why is it that placing the library in $CATALINA_HOME/lib 
just works? and the manager app knows how to find it 
there.



The documentation in RUNNING.txt is incorrect for Tomcat 6.  In
particular, there is no $CATALINA_BASE/lib, as you can tell by looking
in the conf/catalina.properties file.  The common.loader is defined to
use ${catalina.home}/lib.

You might want to enable the shared.loader in conf/catalina.properties,
targeting ${catalina.base}/lib, and put your JDBC driver there.

Note that RUNNING.txt claims that *every* Tomcat directory can be under
$CATALINA_BASE, which, of course, makes no sense, since that would leave
nothing under $CATALINA_HOME.  Looks like this file wasn't updated for
the revised directory structure.

 - Chuck





Configuring the manager application for Tomcat 6

2008-02-13 Thread Peter Stavrinides

Hi all,

This may be a trivial problem for most, but here goes... I am upgrading 
my Tomcat 5 server to Tomcat 6, which has gone pretty smoothly except 
for one problem with the manager application.


A copy of the manager application is running on my server instance, I am 
also using a JDBC realm with basic authentication to authenticate for 
the manager application. The caveat is that I require the postgres 
driver on my classpath, so I placed it in $CATALINA_BASE/lib but the 
manager app  still can't authenticate and I get JDBC related errors in 
the logs (it can't find the driver?), but when I place the driver in 
$CATALINA_HOME/lib instead everything works.


Ideally I don't want to mix proprietary libraries with the Tomcat 
libraries in $CATALINA_HOME/lib, I would like to leave the default 
binaries alone to simplify upgrades, everything should be run in my 
instance. So I need to find out how to configure the manager application 
to look in the correct place for the driver. I realize that there have 
been major changes to the classloader, and I have also seen the 
documentation for configuring GlobalNamingResources and realize this 
might be what I need, is it? If so how do I configure a Resource for 
my JDBC realm and driver. Why is it that placing the library in 
$CATALINA_HOME/lib just works? and the manager app knows how to find it 
there.


Thanks a lot for your help,
Peter




Re: Turning off jsessionid

2007-12-13 Thread Peter Stavrinides
Actually this is not so uncommon, and there are many 'good' reasons to do 
so, see:

http://randomcoder.com/articles/jsessionid-considered-harmful

Here is an example of a filter that takes care of this:
http://randomcoder.com/repos/public/randomcoder-website/tags/1.0.3/WEB-INF/src/com/randomcoder/security/DisableUrlSessionFilter.java

Best wishes,
Peter

curunir wrote:

Since you were curious why someone would want to disable URL rewriting, I can
tell you why we had to do this.

For our client, it was taken for a given that users would be frequently
copying/pasting URLs in emails and IMs to other users. It's not a necessary
part of our application, but we all know the vast majority of computer users
are basically clueless when it comes to security and simply won't consider
the security implications of their actions. If you enable URL rewriting, it
makes it possible for someone visiting a URL sent to them in an email/IM to
be logged in as the user who was originally passed the URL. Additionally,
the users of the application frequently take screenshots when submitting
bugs and those screenshots would, in many cases, also include the session
id.

In our application, where real money is at stake, this kind of risk is
unacceptable. I'd go as far as to say that URL rewriting is fundamentally
insecure for this reason and should be turned off whenever it's possible
that URLs would be exposed in either of these two manners (provided your
application requires a decent level of security).



Christopher Schultz-2 wrote:
  

...

I'm not sure why you'd ever want to do this, though. I'd love to hear
your reason for doing it, though.

...








Re: Monitoring Tomcat

2007-12-03 Thread Peter Stavrinides

This is perfect!!! thanks Leon

Leon Rosenberg wrote:

http://moskito.anotheria.net/moskitodemo/mui/mskShowAllProducers
http://www.lambdaprobe.org/d/index.htm

On Dec 3, 2007 12:09 PM, Pedro [EMAIL PROTECTED] wrote:
  

Hi All

I am just curious to know what people are using to monitor Tomcat, for
my purposes I just require something very simple, and don't have too
much time to spend. I am looking for a solution kind of like this:

A basic summary of memory usage
The potential to detect memory leaks
*A summary log (not too verbose) to provide historical data
Some CPU usage and thread info would be nice
Error Detection, lock-up etc are not critical but would be a bonus

The most important feature I am looking for is to produce a short
summary log to store historical data. I don't mind running a GUI tool
like JConsole or JMeter, but maybe a servlet or a valve would be better ??

Please share your thoughts / experience,

Peter







Re: Tomcat 5.5, Apache 2.0.XX and mod_proxy

2007-11-27 Thread Peter Stavrinides
That's because your configuration is incomplete; in order for Apache to 
pass the cookie to the correct context you need to do some additional 
configuration (or alternatively use a connector like mod_jk).


You may need to configure the jvmRoute parameter in server.xml, this 
allows Apache to map to the correct Tomcat context, otherwise deploy 
your web app in the Tomcat root context.


Connector port=8082
  maxThreads=150 minSpareThreads=25 maxSpareThreads=75
  enableLookups=false
  acceptCount=100 debug=0 connectionTimeout=2
  proxyPort=80 disableUploadTimeout=true 
	   jvmRoute=T1/



You also need to add a server mapping in Apache, one way to do this 
easily is with a RewriteMap. (If you use Apache 2.2 then you could use 
the in-built mod_proxy_balancer module). I also use Apache 2.0 so I just 
make a static mapping, which looks something like this:



RewriteMap SERVERS rnd:/etc/apache2/servers.conf

--
servers.conf
--
T1  tomcat.server.com:8081
ALL   tomcat.server.com:8081 



#configure more instances for load balancing if you wish

Peter



mip wrote:

I'm trying to proxy my Tomcat web application through Apache 2.0 using
mod_proxy.

I have uncommented the following in my server.xml:

!-- Define a Proxied HTTP/1.1 Connector on port 8082 --
!-- See proxy documentation for more information about using this. --
Connector port=8082
   maxThreads=150 minSpareThreads=25 maxSpareThreads=75
   enableLookups=false
   acceptCount=100 debug=0 connectionTimeout=2
   proxyPort=80 disableUploadTimeout=true /

and I've added the following to my httpd.conf:

  <VirtualHost *:80>
  ServerName foo.bar.com
  ProxyPass  /  http://foobar.com:8082/app/
  ProxyPassReverse  /  http://foobar.com:8082/app/
  </VirtualHost>

The pages are being passed without any problems but the sessions are being
lost as cookies are not being passed. I'm guessing I need to add something
to the above stanza which rewrite the cookies. But what?
  




Re: Tomcat 5.5, Apache 2.0.XX and mod_proxy

2007-11-27 Thread Peter Stavrinides
It is just the port your Tomcat is running on, which could be any port, 
so if you are using 8082 that will be your port... it's better though 
not to be on port 80.



mip wrote:

Thanks Peter.

Should that be:

--
servers.conf
--
T1  tomcat.server.com:8082
ALL   tomcat.server.com:8082

?

If not what is port 8081 being used for?



Peter Stavrinides wrote:
  
That's because your configuration is incomplete; in order for Apache to 
pass the cookie to the correct context you need to do some additional 
configuration (or alternatively use a connector like mod_jk).


You may need to configure the jvmRoute parameter in server.xml, this 
allows Apache to map to the correct Tomcat context, otherwise deploy 
your web app in the Tomcat root context.


Connector port=8082
   maxThreads=150 minSpareThreads=25 maxSpareThreads=75
   enableLookups=false
   acceptCount=100 debug=0 connectionTimeout=2
   proxyPort=80 disableUploadTimeout=true 
	   jvmRoute=T1/



You also need to add a server mapping in Apache, one way to do this 
easily is with a RewriteMap. (If you use Apache 2.2 then you could use 
the in-built mod_proxy_balancer module). I also use Apache 2.0 so I just 
make a static mapping, which looks something like this:



RewriteMap SERVERS rnd:/etc/apache2/servers.conf

--
servers.conf
--
T1  tomcat.server.com:8081
ALL   tomcat.server.com:8081 



#configure more instances for load balancing if you wish

Peter



mip wrote:


I'm trying to proxy my Tomcat web application through Apache 2.0 using
mod_proxy.

I have uncommented the following in my server.xml:

!-- Define a Proxied HTTP/1.1 Connector on port 8082 --
!-- See proxy documentation for more information about using this.
--
Connector port=8082
   maxThreads=150 minSpareThreads=25 maxSpareThreads=75
   enableLookups=false
   acceptCount=100 debug=0 connectionTimeout=2
   proxyPort=80 disableUploadTimeout=true /

and I've added the following to my httpd.conf:

  <VirtualHost *:80>
  ServerName foo.bar.com
  ProxyPass  /  http://foobar.com:8082/app/
  ProxyPassReverse  /  http://foobar.com:8082/app/
  </VirtualHost>

The pages are being passed without any problems but the sessions are
being
lost as cookies are not being passed. I'm guessing I need to add
something
to the above stanza which rewrite the cookies. But what?
  
  





  






Re: tomcat in production

2007-11-13 Thread Peter Stavrinides
I am just wondering about when to use the APR and when not to, 
especially for those of us using Apache as a front end (although in my 
case this is done solely to integrate perl and java apps into a common 
namespace).


Gregor Schneider wrote:

Take a look at the Apache Portable Runtime:

It will increase Tomcat's performance regarding static content significantly:

http://tomcat.apache.org/tomcat-6.0-doc/apr.html

Cheers

Gregor
  






Re: tomcat in production

2007-11-13 Thread Peter Stavrinides
Thanks for this response Gregor, I had assumed this was the case, just 
needed the confirmation.


Peter

Gregor Schneider wrote:

Hi Peter,

when you're using Apache HTTP in front to serve static content and Tomcat is
serving JSP / Servlets only, using the APR won't give you any advantage
(AFAIC).

However, some ppl are using Tomcat only (running on port 80 / 443 with f.e.
JSVC): Then, according to my brain-cells, the APR will increase performance
serving the static content.

The APR actually is also used by Apache HTTPD - meaning you'll get the same
performance serving static content via Tomcat only using the APR as compared
to a Apache HTTP-in-front / Tomcat-combination.

Cheers

Gregor
  






Re: JDBC Realm with case insensitive user name

2007-10-26 Thread Peter Stavrinides

The most common reason...blah blah

You know pid, just because people ask questions doesn't mean they are 
stupid, so why treat them that way? If you can read 'carefully' you can 
notice that the path was given as well as the relevant config in 
server.xml. So If the path was incorrect you could see it immediately, I 
didn't write this because it seemed like a good idea, it was there for a 
purpose.



That's a lot of attitude for someone who wants help from the list. Or am
I misreading your tone?


You are not compelled to answer, in-fact it is preferred that you don't 
answer questions if you are going to diverge off the actual problem, 
because it side-tracks serious readers, as is becoming the case with 
this question, and the likelihood of a solution being found is 
diminished... can you understand the irritation??


Pid wrote:

Pedro wrote:
  

OK PID then you tell me where the jar goes hey?



That's a lot of attitude for someone who wants help from the list. Or am
I misreading your tone?

I refer to my previous question:

  

Perhaps you can elaborate on when you're getting this exception if we're
to help you.
  


(An actual error message would also be useful.)


You say you are using Tomcat 6 for development, and Tomcat 5.5 in
production.  Is the error occurring in development or production?

Which version of Tomcat are you compiling the classes against?  The
internal class structure of Tomcat 6 is not guaranteed to be identical
to Tomcat 5.5, so it's entirely possible you're using a class that
doesn't exist in 5.5, if you're compiling against 6 and deploying
against 5.5.  (or vice versa).

p


{

The most common reason that a ClassNotFoundException is encountered
while mixing testing/deployment on different versions of Tomcat is that
jars have been placed in the wrong location.

List members usually offer up the obvious solutions first, because
they're the most common solutions.  Especially given that one message is
usually insufficient to determine what the users level of knowledge is.

Fsck knows why I'm bothering to explain that though.

}


  

p




 
  

Tim Funk wrote:
   


The dir structure changed from 5.5 to 6 so you need to place your
files in different directories depending on the version. See the
version specific docs details.


-Tim

Pedro wrote:
 
  

Hi all,

I basically need to implement case insensitive user names, can this
be done with a servlet filter or do I need to subclass JDBC realm:

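import java.security.Principal;
import java.util.Locale;
import org.apache.catalina.realm.JDBCRealm;

public class CustomJdbcRealm extends JDBCRealm {

 public CustomJdbcRealm() {
  super();
 }
 // Lower-case the user name before the realm lookup so logins are case insensitive.
 // Locale.ROOT keeps the mapping independent of the server's default locale.
 @Override
 public Principal authenticate(String username, String credentials) {
   if (username == null) {
     return null; // no user name supplied: authentication fails
   }
   return super.authenticate(username.toLowerCase(Locale.ROOT), credentials);
 }
}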

And in server.xml:
Realm className=mypackage.CustomJdbcRealm ...

I tried this approach but get class not found exceptions, I am using
tomcat6 in development and 5.5 in production. I package this class in
a jar and drop it in the $CATALENA_BASE/server/lib folder.
 






Re: [OT] Re: JDBC Realm with case insensitive user name

2007-10-26 Thread Peter Stavrinides
David, you are also arrogant!! I know what I wrote, and I know where the 
classloader looks for things, so Tim's answer is irrelevant and so is 
yours, given that I have placed the jar in the correct place already and 
configured server.xml correctly. You also lack basic reading skills if 
you can't see this.



David Smith wrote:

Peter -- cool it.  As quoted from the OP below:


I tried this approach but get class not found exceptions, I am using
tomcat6 in development and 5.5 in production. I package this
class in
a jar and drop it in the $CATALENA_BASE/server/lib folder.



Tim Funk actually (and correctly) asked the OP to read the docs.  I 
would add that the dev system should be on the same version as the 
production system.  To cross versions like this between development 
and production is counter-productive.  $CATALINA_BASE/server/lib works 
for 5.5, but not for 6.  In tomcat 6, it should be $CATALINA_BASE/lib 
by default.


--David



Pid wrote:


Peter Stavrinides wrote:
 


The most common reason...blah blah


You know pid, just because people ask questions doesn't mean they are
stupid, so why treat them that way? If you can read 'carefully' you can
notice that the path was given as well as the relevant config in
server.xml. So If the path was incorrect you could see it 
immediately, I
didn't write this because it seemed like a good idea, it was there 
for a

purpose.

  
That's a lot of attitude for someone who wants help from the list. 
Or am

I misreading your tone?


You are not compelled to answer, in-fact it is preferred that you don't
answer questions if you are going to diverge off the actual problem,
because it side-tracks serious readers, as is becoming the case with
this question, and the likelihood of a solution being found is
diminished... can you understand the irritation??
  


erm, what?

did or did not the original question end with a query about packaging
and class not found exceptions?

someone had already taken care of the case-sensitivity point, i was
attempting to address the other one, as had Tim previously (who also got
a sharpish response from the OP).

p


 


Pid wrote:
  

Pedro wrote:



OK PID then you tell me where the jar goes hey?
 
That's a lot of attitude for someone who wants help from the list. 
Or am

I misreading your tone?

I refer to my previous question:




Perhaps you can elaborate on when you're getting this exception if
we're
to help you.
 

(An actual error message would also be useful.)


You say you are using Tomcat 6 for development, and Tomcat 5.5 in
production.  Is the error occurring in development or production?

Which version of Tomcat are you compiling the classes against?  The
internal class structure of Tomcat 6 is not guaranteed to be identical
to Tomcat 5.5, so it's entirely possible you're using a class that
doesn't exist in 5.5, if you're compiling against 6 and deploying
against 5.5.  (or vice versa).

p


{

The most common reason that a ClassNotFoundException is encountered
while mixing testing/deployment on different versions of Tomcat is 
that

jars have been placed in the wrong location.

List members usually offer up the obvious solutions first, because
they're the most common solutions.  Especially given that one 
message is
usually insufficient to determine what the users level of knowledge 
is.


Fsck knows why I'm bothering to explain that though.

}





p







Tim Funk wrote:
   

The dir structure changed from 5.5 to 6 so you need to place your
files in different directories depending on the version. See the
version specific docs details.


-Tim

Pedro wrote:
 

Hi all,

I basically need to implement case insensitive user names, can 
this
be done with a servlet filter or do I need to subclass JDBC 
realm:


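import java.security.Principal;
import java.util.Locale;
import org.apache.catalina.realm.JDBCRealm;

public class CustomJdbcRealm extends JDBCRealm {

 public CustomJdbcRealm() {
  super();
 }
 // Lower-case the user name before the realm lookup so logins are case insensitive.
 // Locale.ROOT keeps the mapping independent of the server's default locale.
 @Override
 public Principal authenticate(String username, String credentials) {
   if (username == null) {
     return null; // no user name supplied: authentication fails
   }
   return super.authenticate(username.toLowerCase(Locale.ROOT), credentials);
 }
}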

And in server.xml:
Realm className=mypackage.CustomJdbcRealm ...

I tried this approach but get class not found exceptions, I am 
using

tomcat6 in development and 5.5 in production. I package this
class in
a jar and drop it in the $CATALENA_BASE/server/lib folder.

 

Re: Help with Tomcat IIS

2007-10-26 Thread Peter Stavrinides
You need to alias them; on Windows you would use the hosts file to map 
the IP to host name. The only requirement is a static IP.


Demetris Zavorotnichenko wrote:

Just another question  (not quite on the subject)

I have several websites that I have through IIS 


How can I host them all through a single IP?

I have assigned separate Header to each but what next ?

How can I browse those pages from another computer on the network ?





Simple question

2007-10-16 Thread Peter Stavrinides
How do I configure Tomcat to provide a page redirect from the context of 
a servlet  to the default start page i.e.: 


/myapp/ to go to - /myapp/home

Thanks
Peter




Re: Simple question

2007-10-16 Thread Peter Stavrinides

Thanks!

Pid wrote:

Peter Stavrinides wrote:
  

How do I configure Tomcat to provide a page redirect from the context of
a servlet  to the default start page i.e.:
/myapp/ to go to - /myapp/home



add home to the list of 'welcome' files in your web.xml

   <welcome-file-list>
      <welcome-file>index.jsp</welcome-file>
      ...
      <welcome-file>home</welcome-file>
   </welcome-file-list>

p




  

Thanks
Peter




Re: Tomcat crash @ midnight - but why?

2007-09-27 Thread Peter Stavrinides
Because tomcat is running as a service, permissions may be an issue for 
creating/writing to the directory in question; most likely this is why 
the task fails... unless the Timer task is a critical process don't use 
System.exit(0), just check if the task runs or not and if not log 
the error/send an alert.


Peter
Martin Cavanagh wrote:

Mark Thomas wrote:

Martin Cavanagh wrote:
 

Here's trouble... the System does call System.exit(), when it
can't create the directory... - so I understand why my application 
would stop - but why would tomcat shutdown?



And there is the problem. System.exit() will kill the JVM (unless you
are running under a security manager and don't give the code permission
to do this). Tomcat registers a shutdown hook on startup which performs
a clean stop if the JVM is stopped. This is why you see what appears to
be a 'normal' shutdown in the logs.

Mark
  
ahh good - and now I just need to work out why it can't create 
directories on this one server - great!


Now before I execute the System.exit I do a dump.

Thanks a lot.  Additionally I'll be installing the JDK so I can use the 
server JVM.


Martin




Re: Understanding jvmRoute usage

2007-09-14 Thread Peter Stavrinides
We assign the name, for instance jvmRoute=LB1 where LB1 maps to a 
tomcat server in mod_proxy, if you want to switch between different 
versions of the same app you will have trouble with the context, unless 
each version is named differently.


[EMAIL PROTECTED] wrote:

Thanks,
So do you assign a different jvmroute to each webapp?

That would potentially be a better way to run multiple versions of the
same app rather than running different Tomcats. That would be a nice way
to switch quickly between different versions. Currently we have quite a
painful method for switching applications.

Regards

  

-Original Message-
From: Peter Stavrinides [mailto:[EMAIL PROTECTED] 
Sent: 12 September 2007 10:41

To: Tomcat Users List
Subject: Re: Understanding jvmRoute usage

I use this parameter because I needed to integrate multiple 
web apps on the same backend server using mod_proxy and 
mod_rewrite into the same namespace(of the apache front end). 
We point to the server and configure a sticky session so we 
don't have to run everything in the root context, magic !!








Re: Understanding jvmRoute usage

2007-09-12 Thread Peter Stavrinides
I use this parameter because I needed to integrate multiple web apps on 
the same backend server using mod_proxy and mod_rewrite into the same 
namespace(of the apache front end). We point to the server and configure 
a sticky session so we don't have to run everything in the root context, 
magic !!


Rainer Jung wrote:

[EMAIL PROTECTED] wrote:

Hi
I am going through all of the potential settings I can set for mod_jk
and am not sure how the route property in mod_jk might be used.
 
I understand that this helps to differentiate different servers in a load
balanced cluster to prevent sessions getting mixed up and to do session
stickiness.
 
If however this defaults to machine name this would only be used when
running two instances of tomcat on the same physical box. It then seems
to me that the only time you would really use jvmroute is when you have
multiple instances of tomcat running on the same box.
 
Does anyone know of other scenarios when this might be useful or
imaginative ways of using this.
 
Regards


The load balancer docs 
http://tomcat.apache.org/connectors-doc/generic_howto/loadbalancers.html 
tell us:


===

If you want to use session stickyness, you must set different jvmRoute 
attributes in the Engine element in Tomcat's server.xml. Furthermore 
the names of the workers which are managed by the balancer have to be 
equal to the jvmRoute of the Tomcat instance they connect with.


===

The workers properties documentation gives us information about the 
alternative attribute route:


===

Normally the name of a balanced worker in a load balancer is equal to 
the jvmRoute of the corresponding Tomcat instance. If you want to 
include a worker corresponding to a Tomcat instance into several load 
balancers with different balancing configuration (e.g. disabled, 
stopped) you can use this attribute.


Define a separate worker per lb and per Tomcat instance with an 
arbitrary worker name and set the route attribute of the worker equal 
to the jvmRoute of the target Tomcat instance.


If this attribute is left empty, the name of the worker will be used.

This attribute can be changed at runtime using status worker.

===

Regards,

Rainer


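Added example (not part of the thread or of the mod_jk code): a Python check of the rule quoted above, that each balanced worker's effective route (its route attribute, or its own name when route is unset) must equal a Tomcat jvmRoute. The worker names, hosts and jvmRoute values are constructed, and the session lookup is a simplified model of what the balancer does.

```python
"""Check mod_jk balanced workers against Tomcat jvmRoute values (added example)."""

# Constructed sample: two load balancers front the same two Tomcat instances.
# lb_b uses its own worker names and ties them to the Tomcats through `route`;
# tc2_b is missing its route on purpose.
SAMPLE_WORKERS = """
worker.list=lb_a,lb_b
worker.lb_a.type=lb
worker.lb_a.balance_workers=tc1,tc2
worker.lb_b.type=lb
worker.lb_b.balance_workers=tc1_b,tc2_b
worker.tc1.type=ajp13
worker.tc1.host=10.0.0.11
worker.tc2.type=ajp13
worker.tc2.host=10.0.0.12
worker.tc1_b.type=ajp13
worker.tc1_b.host=10.0.0.11
worker.tc1_b.route=tc1
worker.tc2_b.type=ajp13
worker.tc2_b.host=10.0.0.12
"""

# Constructed: the jvmRoute set on each Tomcat's Engine element in server.xml.
SAMPLE_JVM_ROUTES = {"tc1", "tc2"}


def parse_workers(text):
    """Return {worker_name: {attribute: value}} from workers.properties text."""
    workers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        # Only "worker.<name>.<attribute>" lines describe a worker.
        if len(parts) != 3 or parts[0] != "worker":
            continue
        workers.setdefault(parts[1], {})[parts[2]] = value
    return workers


def effective_route(workers, name):
    """Route used for stickiness: `route` if set, otherwise the worker name."""
    return workers.get(name, {}).get("route") or name


def balancer_routes(workers):
    """Map each lb worker to {member_worker: effective_route}."""
    result = {}
    for name, attrs in workers.items():
        if attrs.get("type") != "lb":
            continue
        members = [m.strip() for m in attrs.get("balance_workers", "").split(",")
                   if m.strip()]
        result[name] = {m: effective_route(workers, m) for m in members}
    return result


def find_route_problems(workers, jvm_routes):
    """List (balancer, worker, route) entries whose route matches no jvmRoute."""
    problems = []
    for lb, members in sorted(balancer_routes(workers).items()):
        for member, route in members.items():
            if route not in jvm_routes:
                problems.append((lb, member, route))
    return problems


def sticky_worker(workers, lb, session_id):
    """Member a session is pinned to, from the '<id>.<jvmRoute>' suffix."""
    route = session_id.partition(".")[2]
    if not route:
        return None  # no route suffix: the balancer is free to choose
    for member, member_route in balancer_routes(workers).get(lb, {}).items():
        if member_route == route:
            return member
    return None  # route known to no member: stickiness is lost


if __name__ == "__main__":
    parsed = parse_workers(SAMPLE_WORKERS)
    for problem in find_route_problems(parsed, SAMPLE_JVM_ROUTES):
        print("no Tomcat has jvmRoute %r (balancer %s, worker %s)"
              % (problem[2], problem[0], problem[1]))
```
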


Re: an easier way to deploy war file?

2007-09-04 Thread Peter Stavrinides


If you set up Tomcat correctly, and place all your jars in the correct 
places you can hot deploy the war without a restart. This works over 
plain http, you don't even need access to the server, all you need is a 
password for the manager (it's better to use a database realm).


There are many ways to secure the manager in production. The simplest is 
to remove the manager.xml and host-manager.xml files from the 
$CATALINA_BASE/conf/Catalina/localhost/ directory or, if your 
configuration permits, allow the manager URL to resolve only on the 
internal network; this is a typical scenario if Tomcat is left to run on 
a secure port.


cheers
Peter 





is to make the manager URL resolve

Gregor Schneider wrote:

- *never* start tomcat as root: create a user tomcat if not already
existing and run tomcat with that user-id

- if it's not a production-server with very high security, grant
ftp-access to user tomcat

- from your local pc, ftp to your ubuntu, login as user tomcat

- change to directory www/webapps

- put your web-app.war

that's it

be sure that autodeploy is set to true. having done so, there's no
need to delete any directories on your ubuntu-server

cheers

gregor

ps: before starting tomcat as user tomcat, you might have to issue

chown -R tomcat:tomcat * in $CATALINA_HOME
  




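Added example, not from the post or the Tomcat project: a Python audit of the two options described above, reporting for each manager descriptor under $CATALINA_BASE/conf/Catalina/localhost/ whether it has been removed or, if still present, whether it limits client addresses. Using Tomcat's RemoteAddrValve as the address restriction is an assumption about how the internal-only rule is enforced; the sample descriptors are constructed.

```python
"""Audit a Tomcat instance for manager apps left reachable (added example)."""
import os
import xml.etree.ElementTree as ET

# Descriptor location and file names as given in the post.
DESCRIPTOR_DIR = os.path.join("conf", "Catalina", "localhost")
MANAGER_DESCRIPTORS = ("manager.xml", "host-manager.xml")
# Assumption: address limits are expressed with Tomcat's RemoteAddrValve.
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample descriptors: one limited to an internal range, one not.
SAMPLE_DESCRIPTORS = {
    "manager.xml": (
        '<Context privileged="true">\n'
        '  <Valve className="' + REMOTE_ADDR_VALVE + '"\n'
        '         allow="10\\.0\\.0\\.\\d+"/>\n'
        '</Context>\n'
    ),
    "host-manager.xml": '<Context privileged="true"/>\n',
}


def write_sample_instance(catalina_base):
    """Create the constructed descriptors under catalina_base (demo helper)."""
    target = os.path.join(catalina_base, DESCRIPTOR_DIR)
    os.makedirs(target, exist_ok=True)
    for name, body in SAMPLE_DESCRIPTORS.items():
        with open(os.path.join(target, name), "w", encoding="utf-8") as handle:
            handle.write(body)


def address_restriction(descriptor_path):
    """Return the RemoteAddrValve `allow` value in a descriptor, or None."""
    try:
        root = ET.parse(descriptor_path).getroot()
    except ET.ParseError:
        return None  # unreadable descriptor: report it as unrestricted
    for valve in root.iter("Valve"):
        if valve.get("className") == REMOTE_ADDR_VALVE and valve.get("allow"):
            return valve.get("allow")
    return None


def audit_manager_exposure(catalina_base):
    """Return {descriptor: 'absent' | 'restricted: <allow>' | 'unrestricted'}.

    'unrestricted' only means Tomcat itself does not limit client addresses;
    a front-end proxy or firewall may still do so.
    """
    findings = {}
    for name in MANAGER_DESCRIPTORS:
        path = os.path.join(catalina_base, DESCRIPTOR_DIR, name)
        if not os.path.isfile(path):
            findings[name] = "absent"
            continue
        allow = address_restriction(path)
        findings[name] = ("restricted: " + allow) if allow else "unrestricted"
    return findings


if __name__ == "__main__":
    base = os.environ.get("CATALINA_BASE", ".")
    for descriptor, status in audit_manager_exposure(base).items():
        print(descriptor + ": " + status)
```
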


Tomcat jsessionid and mod_rewrite

2007-08-30 Thread Peter Stavrinides

Hi all

My question involves Tomcat in conjunction with Apache and mod_rewrite. 
Tomcat appends a jsessionid to the first request, but not to subsequent 
requests, which is normal behaviour. When I access my Servlet directly 
through Tomcat that is precisely what I get.


But when I redirect requests through Apache and mod_rewrite for some 
reason the session id is being appended to every subsequent request. I 
can remove this of course using a filter, but before I do so, can anyone 
explain to me why this is happening?


Thanks
Peter






Re: Tomcat jsessionid and mod_rewrite

2007-08-30 Thread Peter Stavrinides
Although I am not responsible for the front end, I seem to recall we use 
mod_proxy for the reverse proxy. We have front end Apache web servers 
that listen for requests externally, internally I can access Tomcat 
directly. mod_rewrite is used to make our applications on Tomcat and 
Apache appear as one.


I use a Java Servlet on Tomcat 5.5.20 with JDK 6.02 ... What I am 
curious to know is if the cookie gets set correctly with this 
configuration? Could the proxy be interfering with normal Tomcat operation?


Is your webapp using a session cookie (JSESSIONID)?

I don't explicitly do anything, Tomcat handles this, but yes.

Peter

Rainer Jung wrote:

Hi Peter,

Peter Stavrinides wrote:

Hi all

My question involves Tomcat in conjunction with Apache and 
mod_rewrite. Tomcat appends a jsessionid to the first request, but 
not to subsequent requests, which is normal behaviour. When I access 
my Servlet directly through Tomcat that is precisely what I get.


But when I redirect requests through Apache and mod_rewrite for some 
reason the session id is being appended to every subsequent request. 
I can remove this of course using a filter, but before I do so, can 
anyone explain to me why this is happening?


What do you mean by redirect requests through? Are you using 
mod_proxy or mod_jk? You should describe your setup (abstract, 
versions used and relevant parts of the configuration).


Is your webapp using a session cookie (JSESSIONID)?


Thanks
Peter


Regards,

Rainer




Re: Tomcat jsessionid and mod_rewrite

2007-08-30 Thread Peter Stavrinides

Thanks Rainer, this makes sense.

Peter

Rainer Jung wrote:

Peter Stavrinides wrote:
Although I am not responsible for the front end, I seem to recall we 
use mod_proxy for the reverse proxy. We have front end Apache web 
servers that listen for requests externally, internally I can access 
Tomcat directly. mod_rewrite is used to make our applications on 
Tomcat and Apache appear as one.


I use a Java Servlet on Tomcat 5.5.20 with JDK 6.02 ... What I am 
curious to know is if the cookie gets set correctly with this 
configuration? could the proxy be interfering with normal Tomcat 
operation?


I would not expect Tomcat to behave differently in itself. But yes, 
the reverse proxy could e.g. filter the cookies or, more likely, the 
cookies need some sort of rewriting in order to fit to the URL the 
client is using to connect to the reverse proxy.


You need to involve your frontend people, it's very likely the 
solution will be found in their configuration. If they use AJP13 to 
connect to Tomcat, most (all) of the translation should be done 
automatically. If they use HTTP to connect to your Tomcat, some 
translations have to be done inside Apache httpd. This will be easier 
with Apache 2.2, than with 2.0.


There are separate discussion lists for Apache httpd.

One thing that might help, depending on what the frontend people do 
exactly: there are proxyName, proxyPort and scheme attributes for the 
Connector elements in server.xml:


http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Regards,

Rainer





Re: Sessions counter on Web Application Manager

2007-08-28 Thread Peter Stavrinides


If you consider what a session actually is, it's a connection between a 
client and server, then you will understand that until that connection 
is actually broken and the server reclaims those resources there will 
still be a session/connection. Thus, session invalidate marks a session 
as expired and waits for the server to clean up, it does not destroy and 
remove the session.


Peter

Justin Madex wrote:

Good Afternoon,

I recently took note of the Sessions counter on the Tomcat Web 
Application Manager for one of the applications that I have deployed to 
the server and the fact that the counter never decreases until the session 
times out.


Despite the fact that my application calls Session.invalidate when the 
user logs out, the session counter never decreases.


Could anyone give me some information around this counter and why it 
doesn't decrease when you invalidate the session.


Thanks 


Kind Regards

Justin Madex
  






Re: JDBCRealm + Expired Passwords

2007-08-23 Thread Peter Stavrinides

I just find it hard to believe that there is no open-source
project/library to manage users that includes the above functionality.


Web server logins are dismal across the board, but it's so easy to write 
a filter so I think nobody bothered.


Peter

Stephen More wrote:

On 8/22/07, Christopher Schultz [EMAIL PROTECTED] wrote:
  

1. Checks to see if the Session exists and has a Principal.
2. Checks to see if the Session contains my User object.
   If not, it loads the User object and performs the real login
   (as opposed to the basic authentication provided by the container).
3. Checks to see what the user's status is.
   If the user is in the must change password state, I send them
   to the change password screen.



Using the default tomcat realms I see 2 possibilities:

1. use the JDBCRealm and create a SQL view for user_roles. If the user
has an expired password, then a role called expiredPassword should
exist as a row in this view.

2. use the JAASRealm, if the password is expired add the role expiredPassword.

Both of these would require a Filter that checks for the existence of
the role expiredPassword and redirect as needed.

I just find it hard to believe that there is no open-source
project/library to manage users that includes the above functionality.

-Steve




Re: Does anyone have an approach to checking if Tomcat instance is UP?

2007-08-22 Thread Peter Stavrinides

In what context?? over the network?, over the web?, on the server?

There is a portion of the shell script used in a Linux implementation 
for Tomcat 5.5 that checks for the running process:


if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
   --user "$TOMCAT5_USER" --startas "$JAVA_HOME/bin/java" \
   >/dev/null; then
   # The test start would succeed, so no matching process is running.
   if [ -f "$CATALINA_PID" ]; then
      echo "$DESC is not running, but pid file exists."
      exit 1
   else
      echo "$DESC is not running."
      exit 3
   fi
else
   echo -n "$DESC is running with Java pid "
   cat "$CATALINA_PID"
   exit 0
fi



Smith Norton wrote:

No




Re: JDBCRealm + Expired Passwords

2007-08-22 Thread Peter Stavrinides

I also didn't understand exactly what you mean, but 'JDBCRealm'... implies 
using a database, so the simple way is to redirect and use a web form to change 
it, which is easy enough. If you don't want to use a web form then it's an 
entirely different story, I assume some sort of extension or customization to 
Tomcat is required.

Peter

Christopher Schultz wrote:


Stephen,

Stephen More wrote:
  

Has anyone written or know of a JDBCRealm that supports an expired password ?



Can you phrase that in a different way? I wouldn't want my JDBCRealm to
allow expired passwords to be used.

Do you mean that you want expired-password-users to be forced to change
their password before doing anything else?

- -chris



Re: JDBCRealm + Expired Passwords

2007-08-22 Thread Peter Stavrinides

Hi Steven

You are limited as to what logic the realm performs automatically, 
checking for expired passwords requires some manual work on your side. 
You might want to look at implementing a JAASRealm, and your own login 
module:


See the bottom of this page:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JDBCRealm
And:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html

For authentication you could duplicate the table structure in the 
JDBCRealm example, but add columns or another table to store a timestamp 
for when the user last changed/created their password.


Then in your login module compare that field to the current time. If the 
login is valid but fails because of expiry, then redirect to a change 
password page, otherwise authenticate or deny accordingly.


Kind regards
Peter
Stephen More wrote:

In looking at the docs:
http://tomcat.apache.org/tomcat-5.5-doc/config/realm.html
there is no Attribute for userCredExpireCol. How do I configure the
JDBCRealm to look at an expiration column ?


-Steve

On 8/22/07, Peter Stavrinides [EMAIL PROTECTED] wrote:
  

I also didn't understand exactly what you mean, but 'JDBCRealm'... implies 
using a database, so the simple way is to redirect and use a web form to change 
it, which is easy enough. If you don't want to use a web form then it's an 
entirely different story, I assume some sort of extension or customization to 
Tomcat is required.

Peter

Christopher Schultz wrote:



Stephen,

Stephen More wrote:

  

Has anyone written or know of a JDBCRealm that supports an expired password ?



Can you phrase that in a different way? I wouldn't want my JDBCRealm to
allow expired passwords to be used.

Do you mean that you want expired-password-users to be forced to change
their password before doing anything else?

- -chris

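Added example, not code from the thread or from Tomcat: Stephen More's first option (a user_roles view that adds the expiredPassword role) combined with the password timestamp column suggested in the reply above, run against an in-memory SQLite database from Python. The 90-day limit, the pass_changed_at column, the user_roles_base table, the change-password path and the sample users are assumptions made for the example; filter_decision models what the servlet Filter would do.

```python
"""Expired-password role via a SQL view, plus the filter decision (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE_DAYS = 90                        # assumed policy value
CHANGE_PASSWORD_PATH = "/account/changePassword"  # hypothetical page
EXPIRED_ROLE = "expiredPassword"                  # role name used in the thread

# users/user_roles follow the JDBCRealm table layout; the rest is assumed.
SCHEMA = f"""
CREATE TABLE users (
    user_name       TEXT PRIMARY KEY,
    user_pass       TEXT NOT NULL,
    pass_changed_at TEXT NOT NULL   -- added column: UTC 'YYYY-MM-DD HH:MM:SS'
);
CREATE TABLE user_roles_base (
    user_name TEXT NOT NULL,
    role_name TEXT NOT NULL
);
-- The realm's role table is pointed at this view instead of the base table.
-- Views cannot take bound parameters, so the integer policy value is inlined.
CREATE VIEW user_roles AS
    SELECT user_name, role_name FROM user_roles_base
    UNION
    SELECT user_name, '{EXPIRED_ROLE}' FROM users
    WHERE julianday('now') - julianday(pass_changed_at)
          > {int(MAX_PASSWORD_AGE_DAYS)};
"""


def stamp(days_ago):
    """UTC timestamp, days_ago days in the past, in SQLite's text format."""
    when = datetime.now(timezone.utc) - timedelta(days=days_ago)
    return when.strftime("%Y-%m-%d %H:%M:%S")


def build_demo_db():
    """In-memory database with constructed users: alice is stale, bob is fresh."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "<digest placeholder>", stamp(200)),
         ("bob", "<digest placeholder>", stamp(10))])
    conn.executemany(
        "INSERT INTO user_roles_base VALUES (?, ?)",
        [("alice", "analyst"), ("bob", "analyst")])
    return conn


def roles_for(conn, user_name):
    """Roles the realm would load for a user, including the computed one."""
    rows = conn.execute(
        "SELECT role_name FROM user_roles WHERE user_name = ?", (user_name,))
    return {row[0] for row in rows}


def filter_decision(roles, request_path):
    """Decision a servlet Filter would take for an authenticated request."""
    if EXPIRED_ROLE not in roles:
        return "continue"
    if request_path == CHANGE_PASSWORD_PATH:
        return "continue"  # let the user reach the form; avoids a redirect loop
    return "redirect:" + CHANGE_PASSWORD_PATH


def change_password(conn, user_name, new_digest):
    """Store the new credential and reset its age so the role disappears."""
    conn.execute(
        "UPDATE users SET user_pass = ?, pass_changed_at = ? WHERE user_name = ?",
        (new_digest, stamp(0), user_name))
    conn.commit()


if __name__ == "__main__":
    db = build_demo_db()
    for user in ("alice", "bob"):
        print(user, sorted(roles_for(db, user)),
              filter_decision(roles_for(db, user), "/reports"))
```

Tomcat's realm reads roles when the user authenticates, so the change-password page should end the session and make the user log in again for the role to drop.
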
  




Re: Delete Tomcat logs

2007-08-22 Thread Peter Stavrinides

You might want to truncate, 'not delete', instead.

David Smith wrote:
AFAIK, this won't work on Windows unless you stop tomcat before and 
restart tomcat after.  Windows keeps the log file open and will do 
strange things if you take the file out from underneath it.  I believe 
log4j has options to support what the OP wants through log rotation.


--David

Ronald Klop wrote:

On Wed Aug 22 10:58:13 CEST 2007 Tomcat Users List 
users@tomcat.apache.org wrote:



Do you know some Windows script to delete Tomcat logs after 5 days?

Thanks a lot


Windows has a scheduler. Put 'DEL c:\Tomcat\logs\*.*' in it every 5 
days.


Ronald.







Uncanny Error

2007-08-21 Thread Peter Stavrinides

Hi All,

Can anyone who is knowledgeable of dynamic class reloading help me to
understand some strange behaviour... I run my servlet on Tomcat, it
works great for a while, but then some classes seem to disappear, or at
least they can't be found any more... I don't know much about Javassist,
but there seems to be some dynamic class reloading or something to that
effect causing the error. When the application breaks it fills the logs
with errors similar to the one below where the only thing that varies
each time is the class (no such class: $RandomClass)

Error:
org.apache.hivemind.ApplicationRuntimeException: Unable to add method
java.lang.Object get(ognl.OgnlContext, java.lang.Object) to class
$ASTProperty_11488aa7b43: [source error] no such class: $RiskModel_61
Caused by: javassist.CannotCompileException: [source error] no such
class: $RiskModel_61

Kind regards
Peter





RE: Suggestions for overlapping URI spaces

2007-08-04 Thread Peter Stavrinides
To be honest I'm not sure how you are getting this right, it's probably best to 
use separate namespaces though, then you can use URL rewriting to make them 
appear as one, this solution is really powerful, we use it to integrate all 
our apps in our domain, we even integrate Java and Perl apps using Apache 
mod_rewrite, there is a similar module for tomcat called tuckey 
http://tuckey.org/urlrewrite/

Peter

-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Fri 8/3/2007 8:16 PM
To: Tomcat Users List
Subject: Suggestions for overlapping URI spaces
 

All,

I have two applications deployed in production that share a URL space.
Actually, one is deployed as the root webapp, the other one is at,
say, /foo.

My problem is that each webapp maintains its own session identifiers as
cookies. Since the session id cookie is always called JSESSIONID, a
visitor who uses both applications gets two cookies (one with /, and one
with /foo) with different JSESSIONID values. I'm guessing that Tomcat
doesn't try to pick the best one, since things get /really/ confusing
when this happens. Basically, our users get caught in a continuous
please-login - login - please-login - login loop. It appears that the
root JSESSIONID is being preferred over the more recent /foo one, which
is never read properly so the login can never happen.

Does anyone have any suggestions for how to fix this? Some obvious ideas
are:

1. Don't do that.
2. Change the session id cookie name in one of the apps (is this
   possible and/or recommended?)
3. Use SSO -- except that I currently deploy these two applications
   in separate Tomcat instances.
4. Re-deploy the root webapp to /bar and forward / to /bar.

I'm just looking for the right solution. Any comments or suggestions
would be appreciated.

Thanks,
- -chris

Re: Recovery from OutOfMemoryError?

2007-07-31 Thread Peter Stavrinides
I have recently changed a lot of my old perceptions on this matter after 
reading this excellent article:

http://www.ibm.com/developerworks/java/library/j-jtp01274.html

If you change your mindset when you write your apps to consider how the 
garbage collector actually operates, then those memory errors are less 
likely to come back and bite you. And on the subject of soft references, 
I started using them as well as transient declarations on some objects 
I didn't need to persist in serializable classes and it really helps 
reduce the load. Java 6 also comes with JConsole, a really handy 
profiling tool, make the most of it.


Peter

Caldarale, Charles R wrote:
From: Christopher Schultz [mailto:[EMAIL PROTECTED] 
Subject: Re: Recovery from OutOfMemoryError?



(Sorry for not responding sooner.  Went out to dinner and to see the
Spider Pig movie :-)

  

Actually, my past experience has been that it's the GC
thread that OOMEs, not a worker thread.



Assuming we're talking about a current HotSpot-based JVM, the threads
doing GCs cannot get OOMEs, since they are dedicated to doing just GC
operations, and never do any object allocations themselves.  On older
JVMs (and some from other vendors), the thread that initially encounters
an allocation failure also does the GC; if the GC fails to recover
enough memory, it can generate an OOME for itself.

  

It has always been my understanding that a JVM that suffers an OOME
is all but done for.



The JVM itself doesn't care about any exceptions thrown at the
application.  There are certainly a ton of applications that handle such
error conditions very badly, and hang themselves up by doing such things
as trying to display messages rather than nulling out now useless
references.  Some of the stress-testing of our JVM involves running apps
designed to provoke OOMEs; these readily recover and keep on truckin'.

  

The OP would seem to corroborate this claim, since it sounds like his
whole app server becomes unresponsive once he gets an OOME (hence the
early morning phone calls).



The supposed timing of the phone calls leaves me somewhat skeptical;
what are they running where the peak load occurs at 3 AM?

  
If your assertion (OOMEs can be ignored, since only one allocation 
fails and the rest of the VM is fine) were true, then the OP would
not be getting any calls in the middle of the night: the user would
simply re-try the request and (hopefully) get a result the second
time.

That's not what I said at all.  Each logical module should be designed
to handle such situations, typically by discarding what has been done up
to the point of failure, and then returning an error to its caller.
What is likely to have happened instead in the OP's case is that the app
encountering the OOME had no provision at all for error recovery, and
simply quit, leaving many now useless objects around with live
references to them.  It may have even made matters worse by trying to
generate an error message of some sort.

 - Chuck



  


--
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 




Re: Tomcat with 8 GB memory

2007-07-30 Thread Peter Stavrinides
This is really not true, (unless the machine in question is more than 
four years then performance is faster for some operations and slower for 
others), with a new machine you will gain.


Mohan2005 wrote:

Hello:

we also wish to convert our 32bit dual cores to 64bit dual cores to run java
applications (multiple instances with large JVM memory)
but people advise that 64bit are 20 - 30% slower than the 32bit with smaller
JVM.
why? and if true how to overcome??

thanks



Peter Stavrinides wrote:
  
Some of the arguments presented hold some truths, but look at the bigger 
picture... the point is that 64bit is a superior architecture to 32 bit, 
but it is still maturing... the reasons for this are both hardware and 
software related... the way we write programs will have to change to 
take advantage of the new architecture, and the current generation of 
hardware will no doubt mature to realize the potential of 64bit 
architecture.


32-bit processors can represent numbers up to 4,294,967,295 while a 
64-bit machine can represent numbers up to 18,446,744,073,709,551,615. 
For modern hardware to take advantage of the processing power of the 64 
bit architecture a system must have a minimum 4GB Ram, but probably 
needs significantly more and more importantly the CAPACITY to take full 
advantage of it, allocating it to running processes, with less there is 
potential for lag. 

64bit machines have been around since the 60's but only now are software 
and hardware vendors supporting it for the mainstream market. So is 
64bit better than 32bit right now? the answer is yes, a 64-bit processor 
has more technology, a better design with more transistors, thus faster 
speeds are possible. This is currently where the true benefit of 
switching to a 64-bit processor lies, it has nothing to do with the 
memory address space, which is exactly that, just space for more complex 
computations.


Peter


Alexey Solofnenko wrote:

No, each of two 4GB processes will have only a half of the objects 
under the same load. And I heard that GC does not scale linear with 
heap size. And this is without multi-threading performance 
considerations.  As usual, your mileage may vary and only tests can 
tell for sure.


- Alexey.

Caldarale, Charles R wrote:
  
From: Alexey Solofnenko [mailto:[EMAIL PROTECTED]
Subject: Re: Tomcat with 8 GB memory


I was under impression that GC does not scale linearly. That means 
one 8GB process will be slower than two 4GB processes.

  

Not true.  The time of a full GC using modern algorithms depends mostly
on the number and type of live objects, not the amount of heap space.
The number and type of live (reachable) objects stays relatively
constant for most application once the ramp-up period is over.
Consequently, running a single JVM with the largest heap you can fit in
the process space is the most efficient from a GC point of view.  (Of
course, there are plenty of other reasons not to put all your eggs in
one basket.)

 - Chuck








  





Re: Tomcat with 8 GB memory

2007-07-30 Thread Peter Stavrinides

Apologies Ron this was supposed to be directed at Andrew Miehs!

Peter Stavrinides wrote:
From your comments Ron you obviously didn't understand a thing I 
wrote, because you have just repeated me!


Andrew Miehs wrote:

On 29/07/2007, at 2:34 PM, Peter Stavrinides wrote:


32-bit processors can represent numbers up to 4,294,967,295 while a 
64-bit machine can represent numbers up to 
18,446,744,073,709,551,615. For modern hardware to take advantage of 
the processing power of the 64 bit architecture a system must have a 
minimum 4GB Ram, but probably needs significantly more and more 
importantly the CAPACITY to take full advantage of it, allocating it 
to running processes, with less there is potential for lag.
64bit machines have been around since the 60's but only now are 
software and hardware vendors supporting it for the mainstream 
market. So is 64bit better than 32bit right now? the answer is yes, 
a 64-bit processor has more technology, a better design with more 
transistors, thus faster speeds are possible. This is currently 
where the true benefit of switching to a 64-bit processor lies, it 
has nothing to do with the memory address space, which is exactly 
that, just space for more complex computations.


This is definitely not looking at the big picture.

Whether or not to go 64bit depends on your application.

BASED ON MY TESTS

If your application runs in Java AND you are using Sun JVM 1.5 AND 
performance is an issue, then I would definitely go 64bit linux.


else if your Java application doesn't have a performance requirement, 
but needs lots of memory, be that for caching or anything else, then
I would use 64 bit - Pick your own operating system...

else if the machine you are using has more than 4GB RAM, I would look 
at using a 64bit OS, - up to you whether you want 32bit or 64bit Java.


else if none of this applies to you, I would probably run a 32 bit 
OS, and wait for someone to port the last remaining packages/ drivers.



BTW More transistors mean less CPU clock speed - not more... (But I 
think you meant larger operations per cycle).


Cheers

Andrew




Re: Tomcat with 8 GB memory

2007-07-30 Thread Peter Stavrinides

Andrew,

In theory yes you are right, but remember that a 64bit Integer can also 
be calculated by a 32bit processor, but only in two CPU cycles, this is 
where the theoretical advantage of the 64 bit architecture lies.


However in reality introducing the 64bit processor also introduces a 
number of new hardware related problems (peak bandwidth, sustained 
bandwidth, access latency), which have to do with the amount of data that 
two components (i.e. the CPU and RAM) can exchange over a given period. 
The catch 22 is that with increased processing power, the latency 
problem is getting worse (a side-effect of faster CPUs is more bus 
cycles worth of delay for each memory access). Vendors are trying to 
compensate in various ways, for example widening the bus. So, a 64bit 
processor alone cannot speed up your application, the 12G RAM will help, 
but your actual bandwidth may not be, in real terms, too different from 
a 32bit system with far less RAM because of latency problems. 64bit 
hardware designs are improving... this is where the real promise lies.


I hope this explanation is a bit clearer, lol
Peter

Andrew Miehs wrote:

On 30/07/2007, at 8:02 AM, Peter Stavrinides wrote:


Apologies Ron this was supposed to be directed at Andrew Miehs!

Peter Stavrinides wrote:
From your comments Ron you obviously didn't understand a thing I 
wrote, because you have just repeated me!


Dear Peter,

Obviously! :-)


On 29/07/2007, at 2:34 PM, Peter Stavrinides wrote:

This is currently where the true benefit of switching to a 64-bit 
processor lays, it has nothing to do with the memory address 
space, which is exactly that, just space for more complex 
computations



I was mainly referring to this sentence.

It is NOT true to say that it has nothing to do with memory space. 
Some of our Java processes are running  12G RAM - this would not be 
possible with 32bit - at least not with Java.
(Yes it could be done with multiple processes and some form of 
communication between them)


Memory space is ONE of the factors - and to be honest the one that was 
more important for our application than the 15% speedup.


Regards

Andrew




Re: Tomcat with 8 GB memory

2007-07-29 Thread Peter Stavrinides
Some of the arguments presented hold some truths, but look at the bigger 
picture... the point is that 64bit is a superior architecture to 32 bit, 
but it is still maturing... the reasons for this are both hardware and 
software related... the way we write programs will have to change to 
take advantage of the new architecture, and the current generation of 
hardware will no doubt mature to realize the potential of 64bit 
architecture.


32 bits processors can represent numbers up to 4,294,967,295 while a 
64-bit machine can represent numbers up to 18,446,744,073,709,551,615. 
For modern hardware to take advantage of the processing power of the 64 
bit architecture a system must have a minimum 4GB Ram, but probably 
needs significantly more and more importantly the CAPACITY to take full 
advantage of it, allocating it to running processes, with less there is 
potential for lag. 

64bit machines have been around since the 60's but only now are software 
and hardware vendors supporting it for the mainstream market. So is 
64bit better than 32bit right now? the answer is yes, a 64-bit processor 
has more technology, a better design with more transistors, thus faster 
speeds are possible. This is currently where the true benefit of 
switching to a 64-bit processor lays, it has nothing to do with the 
memory address space, which is exactly that, just space for more complex 
computations.


Peter


Alexey Solofnenko wrote:
No, each of two 4GB processes will have only a half of the objects 
under the same load. And I heard that GC does not scale linear with 
heap size. And this is without multi-threading performance 
considerations.  As usual, your mileage may vary and only tests can 
tell for sure.


- Alexey.

Caldarale, Charles R wrote:
From: Alexey Solofnenko [mailto:[EMAIL PROTECTED] Subject: Re: 
Tomcat with 8 GB memory


I was under impression that GC does not scale linearly. That means 
one 8GB process will be slower than two 4GB processes.



Not true.  The time of a full GC using modern algorithms depends mostly
on the number and type of live objects, not the amount of heap space.
The number and type of live (reachable) objects stays relatively
constant for most application once the ramp-up period is over.
Consequently, running a single JVM with the largest heap you can fit in
the process space is the most efficient from a GC point of view.  (Of
course, there are plenty of other reasons not to put all your eggs in
one basket.)

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




Re: Tomcat with 8 GB memory

2007-07-29 Thread Peter Stavrinides
From your comments Ron you obviously didn't understand a thing I wrote, 
because you have just repeated me!


Andrew Miehs wrote:

On 29/07/2007, at 2:34 PM, Peter Stavrinides wrote:


32 bits processors can represent numbers up to 4,294,967,295 while a 
64-bit machine can represent numbers up to 
18,446,744,073,709,551,615. For modern hardware to take advantage of 
the processing power of the 64 bit architecture a system must have a 
minimum 4GB Ram, but probably needs significantly more and more 
importantly the CAPACITY to take full advantage of it, allocating it 
to running processes, with less there is potential for lag.
64bit machines have been around since the 60's but only now are 
software and hardware vendors supporting it for the mainstream 
market. So is 64bit better than 32bit right now? the answer is yes, a 
64-bit processor has more technology, a better design with more 
transistors, thus faster speeds are possible. This is currently where 
the true benefit of switching to a 64-bit processor lays, it has 
nothing to do with the memory address space, which is exactly that, 
just space for more complex computations.


This is definitely not looking at the big picture.

Whether or not to go 64bit depends on your application.

BASED ON MY TESTS

If your application runs in Java AND you are using Sun JVM 1.5 AND 
performance is an issue, then I would definitely go 64bit linux.


else if your Java application doesn't have a performance requirement, 
but needs lots of memory, be that for caching or anything else, then

I would use 64 bit - Pick your own operating system...

else if the machine you are using has more than 4GB RAM, I would look 
at using a 64bit OS, - up to you whether you want 32bit or 64bit Java.


else if none of this applies to you, I would probably run a 32 bit OS, 
and wait for someone to port the last remaining packages/ drivers.



BTW More transistors mean less CPU clock speed - not more... (But I 
think you meant larger operations per cycle).


Cheers

Andrew




Tomcat 5 and 6 Security advise

2007-07-26 Thread Peter Stavrinides

Hi all,

I need some advice with regards to Tomcat security, my company is not 
convinced about Tomcat's security, I work for a financial institution so 
you might understand their paranoia.


My question is how best to secure a Java servlet that runs on Tomcat. 
Requests are routed through front end servers running Apache on separate 
physical machines. Should I configure in addition an Apache server 
locally or is Tomcat okay without it, my feeling is that this is not 
necessary.


Tomcat uses a JDBC realm to connect to a database for authentication, we 
use SSL and the machines are pretty well locked down. Is there anything 
else that should be considered? Does Apache offer something extra so 
that Tomcat should run with its own Apache web server bearing in mind we 
use only Java.


Thanks for your help,
Peter







Re: Tomcat with 8 GB memory

2007-07-26 Thread Peter Stavrinides
Our 64 bit machines outperform our 32 bit machines like night and day 
using Tomcat 5, I can only imagine the difference with Tomcat 6... in 
any event there is no difference for Tomcat it depends entirely on the 
virtual machine.
 Big memory is useful ONLY if you have applications that can benefit 
big memory such as database systems.

Actually it is allocated directly to the JVM so you can have 50 gig if 
you want with no performance penalty


Andrew Miehs wrote:


On 26/07/2007, at 10:57 AM, Joe Nathan wrote:

I would discourage to use such machine! 8GB means you are using 64 bit
machine which will be much slower than 32 bit machines. Big memory is
useful ONLY if you have applications that can benefit big memory such as
database systems. In Java, if you use lots of memory and create lots of
objects, your Java applications will have periodic seizures! This is
because of garbage collection will take significant time, if started.


Dear Joe - I have more than 1 or 2 of these machines (16GB RAM, 6GB 
for Tomcat).


The Sun 64bit JVM 1.5 is about 15% faster than the 32bit for our 
application.

(Running under Tomcat)



I would be happy with 1 ~ 2 GB 32bit machines! This could deliver much
faster services.


Java eats memory...

The more memory you have, the more you can cache and the less you need to
annoy your backend.


Andrew




Re: Tomcat 5 and 6 Security advise

2007-07-26 Thread Peter Stavrinides
It makes for interesting reading, however it was written for Tomcat 4... 
how current is it?? and nothing is mentioned about the benefits of 
running Apache with Tomcat for securing Tomcat in a purely Java 
environment, please read the question Craig!




Craig Skinner wrote:

On Thu, Jul 26, 2007 at 10:51:01AM +0300, Peter Stavrinides wrote:
  

Hi all,

I need some advice with regards to Tomcat security,



http://www.oreilly.com/catalog/tomcat/chapter/ch06.pdf





Re: Tomcat 5 and 6 Security advise

2007-07-26 Thread Peter Stavrinides

Thanks Chuck,

I have done most of these, I already run Tomcat as a daemon using a 
non-privileged account, and use a JDBC realm to authenticate users. I 
will check for any loose ends like connectors in the config files.


Peter

Caldarale, Charles R wrote:
From: Peter Stavrinides [mailto:[EMAIL PROTECTED] 
Subject: Re: Tomcat 5 and 6 Security advise


and nothing is mentioned about the benefits of 
running Apache with Tomcat for securing Tomcat
in a purely Java environment



Adding layers generally doesn't improve security - it just provides
additional targets.

Some things to do:

1) Browse through the server.xml and web.xml settings in Tomcat's conf
directory, and disable anything you don't need, especially connectors.

2) Remove any unneeded webapps that come with Tomcat, such as the
examples, docs, and webdav.

3) Use a proper authentication Realm, not the toy default one that keeps
credentials in the tomcat-users.xml file.

4) Restrict access to Tomcat's file structure to a specific userid, and
run Tomcat with that userid.

I'm not aware of any security vulnerabilities in current Tomcat levels
other than the rather minor cross-scripting ones inherent in some of the
examples.

 - Chuck


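A way to check items 1 to 3 of the checklist above mechanically, as an added example that is not part of the thread: it parses a server.xml and a list of deployed webapp names and reports what to review. The class name, the sample server.xml and the webapp list are constructed for illustration; item 4 (file ownership) is not covered.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical helper, not part of Tomcat.
public class TomcatConfigAudit {

    // Realms backed by tomcat-users.xml in the default configuration (item 3).
    static final List<String> FILE_BACKED_REALMS = Arrays.asList(
            "org.apache.catalina.realm.MemoryRealm",
            "org.apache.catalina.realm.UserDatabaseRealm");

    // Bundled webapps the checklist names for removal (item 2).
    static final List<String> BUNDLED_WEBAPPS = Arrays.asList("examples", "docs", "webdav");

    static List<String> audit(String serverXml, List<String> deployedWebapps) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The config is read as data only: refuse DTDs so no external entity is resolved.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(serverXml.getBytes(StandardCharsets.UTF_8)));

        List<String> findings = new ArrayList<>();

        // Item 1: every Connector is a listening socket, so list each one for review.
        NodeList connectors = doc.getElementsByTagName("Connector");
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            String protocol = c.hasAttribute("protocol")
                    ? c.getAttribute("protocol") : "HTTP/1.1 (default)";
            String bind = c.hasAttribute("address")
                    ? c.getAttribute("address") : "all interfaces";
            findings.add("REVIEW connector port=" + c.getAttribute("port")
                    + " protocol=" + protocol + " bound to " + bind);
        }

        // Item 3: flag realms that take their users from tomcat-users.xml.
        NodeList realms = doc.getElementsByTagName("Realm");
        for (int i = 0; i < realms.getLength(); i++) {
            String cls = ((Element) realms.item(i)).getAttribute("className");
            if (FILE_BACKED_REALMS.contains(cls)) {
                findings.add("WARN realm " + cls + " is backed by tomcat-users.xml");
            }
        }

        // Item 2: flag bundled webapps that are still deployed.
        for (String app : deployedWebapps) {
            if (BUNDLED_WEBAPPS.contains(app)) {
                findings.add("WARN bundled webapp still deployed: " + app);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, not taken from any real installation.
        String sample =
              "<Server port=\"8005\" shutdown=\"SHUTDOWN\">"
            + "<Service name=\"Catalina\">"
            + "<Connector port=\"8080\"/>"
            + "<Connector port=\"8009\" protocol=\"AJP/1.3\"/>"
            + "<Connector port=\"8443\" scheme=\"https\" secure=\"true\" address=\"10.0.0.5\"/>"
            + "<Engine name=\"Catalina\" defaultHost=\"localhost\">"
            + "<Realm className=\"org.apache.catalina.realm.UserDatabaseRealm\""
            + " resourceName=\"UserDatabase\"/>"
            + "<Host name=\"localhost\" appBase=\"webapps\"/>"
            + "</Engine></Service></Server>";
        List<String> webapps = Arrays.asList("ROOT", "examples", "myapp"); // constructed
        for (String finding : audit(sample, webapps)) {
            System.out.println(finding);
        }
    }
}
```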



Re: Tomcat 5.5 and SSL

2007-07-19 Thread Peter Stavrinides

Knock knock... anybody?

Peter Stavrinides wrote:

Hi All

This may be a trivial issue for most, but I am quite new to tomcat.

I am trying to configure SSL, These are the steps I took:

- I have created a key/value pair using the keytool in Sun's JDK, no 
problem there

- I have configured the http connector in Tomcat's server.xml like this:
<Connector port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/irm-server/conf/.tomcat5key"
keystorePass="my secret password" />


- I added the following to my web.xml:
  <user-data-constraint>
    <transport-guarantee>
      CONFIDENTIAL
    </transport-guarantee>
  </user-data-constraint>

After restarting tomcat the port changes correctly, so it appears to 
be working but the page won't come up in the browser.

Firefox Error Message:
Unable to connect
Firefox can't establish a connection to the server at 
mydomain.myserver:8443.


what am I missing?

thanks in advance,
Peter




Re: Tomcat 5.5 and SSL

2007-07-19 Thread Peter Stavrinides

I don't use the APR, and I am running on Linux

Caldarale, Charles R wrote:
From: Peter Stavrinides [mailto:[EMAIL PROTECTED] 
Subject: Re: Tomcat 5.5 and SSL


what am I missing?



Do you have APR installed?  If so, the SSL configuration is quite
different.

If running without APR, did you follow the steps outlined here?
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

With APR:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS

 - Chuck





Tomcat 5.5 and SSL

2007-07-18 Thread Peter Stavrinides

Hi All

This may be a trivial issue for most, but I am quite new to tomcat.

I am trying to configure SSL, These are the steps I took:

- I have created a key/value pair using the keytool in Sun's JDK, no 
problem there

- I have configured the http connector in Tomcat's server.xml like this:
<Connector port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/irm-server/conf/.tomcat5key"
keystorePass="my secret password" />


- I added the following to my web.xml:
  <user-data-constraint>
    <transport-guarantee>
      CONFIDENTIAL
    </transport-guarantee>
  </user-data-constraint>

After restarting tomcat the port changes correctly, so it appears to be 
working but the page won't come up in the browser.

Firefox Error Message:
Unable to connect
Firefox can't establish a connection to the server at 
mydomain.myserver:8443.


what am I missing?

thanks in advance,
Peter 






Tomcat 6 classloader errors

2007-07-03 Thread Peter Stavrinides
I am porting a Java servlet from Tomcat 5.5.20 to Tomcat 6 and I seem to 
be having classloader issues. The application works under 5, but under 6 
I get the following stack trace. HELP!



Peter

Jul 3, 2007 4:13:46 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The Apache Tomcat Native library which allows optimal performance in 
production environments was not found on the java.library.path: 
/usr/lib/jvm/java-6-sun-1.6.0.00/jre/lib/i386/client:/usr/lib/jvm/java-6-sun-1.6.0.00/jre/lib/i386:/usr/lib/jvm/java-6-sun-1.6.0.00/jre/../lib/i386:/usr/lib/jvm/java-6-sun-1.6.0.00/jre/lib/i386/client::/usr/lib/jvm/java-6-sun-1.6.0.00/jre/lib/i386::/usr/lib/mozilla-thunderbird:/usr/lib/mozilla-thunderbird:/usr/java/packages/lib/i386:/lib:/usr/lib
Jul 3, 2007 4:13:46 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jul 3, 2007 4:13:46 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 423 ms
Jul 3, 2007 4:13:46 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jul 3, 2007 4:13:46 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.13
Jul 3, 2007 4:13:46 PM org.apache.catalina.core.ApplicationContext log
INFO: Marking servlet IRM as unavailable
Jul 3, 2007 4:13:46 PM org.apache.catalina.core.ApplicationContext log
SEVERE: Error loading WebappClassLoader
 delegate: false
 repositories:
   /WEB-INF/classes/
-- Parent Classloader:
[EMAIL PROTECTED]
org.apache.tapestry.ApplicationServlet
java.lang.ClassNotFoundException: org.apache.tapestry.ApplicationServlet
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1358)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1204)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1083)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:981)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4042)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4348)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Jul 3, 2007 4:13:46 PM org.apache.catalina.core.StandardContext loadOnStartup
SEVERE: Servlet /IRM threw load() exception
java.lang.ClassNotFoundException: org.apache.tapestry.ApplicationServlet
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1358)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1204)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1083)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:981)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4042)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4348)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at 

Re: Tomcat 6 classloader errors

2007-07-03 Thread Peter Stavrinides

Hi Chuck,

Thanks for the reply!

The Tapestry libraries are in $CATALINA_BASE/shared/lib.

Caldarale, Charles R wrote:
From: Peter Stavrinides [mailto:[EMAIL PROTECTED] 
Subject: Tomcat 6 classloader errors


I am porting a Java servlet from Tomcat 5.5.20 to Tomcat 6 
and I seem to be having classloader issues. The application
works under 5, but under 6 I get the following stack trace.

[EMAIL PROTECTED]
 org.apache.tapestry.ApplicationServlet
java.lang.ClassNotFoundException: 
org.apache.tapestry.ApplicationServlet



Where did you put the Tapestry JAR?  It's never been part of the Tomcat
distribution, so you'll need to place it where the webapp classloader
(or the common classloader) can find it.  Note that the classloading
hierarchy in Tomcat 6 is different from that in 5.5:
http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html

 - Chuck





Re: Tomcat 6 classloader errors

2007-07-03 Thread Peter Stavrinides
Apologies, thanks for your help! ... at the moment I can't open the link, 
but I will check it out in a minute.

Thanks again.
Peter

Caldarale, Charles R wrote:
From: Peter Stavrinides [mailto:[EMAIL PROTECTED] 
Subject: Re: Tomcat 6 classloader errors


The Tapestry libraries are in $CATALINA_BASE/shared/lib.



You're not bothering to read the TC 6 classloading doc - there is no
shared/lib anymore.  Here's the link, again:
http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html

 - Chuck





Re: Retrieve list of all sessions

2007-03-08 Thread Peter Stavrinides

You might want to use something like this:

//String,Visit is the sessionid and the Visit Object
   private static ConcurrentHashMap<String,Visit> visitHistory_ = new 
ConcurrentHashMap<String,Visit>();


   and implement it as a singleton with synchronized accessor methods.

Glen Vermeylen wrote:

We use Tomcat 5.5.20.

I actually have no synchronization in place whatsoever. I will change to
hashtable and see if it solves the problem.

Thank you.

2007/3/7, Caldarale, Charles R [EMAIL PROTECTED]:


 From: Glen Vermeylen [mailto:[EMAIL PROTECTED]
 Subject: Retrieve list of all sessions

 I've created a management screen which lists all currently
 logged in users. This list is kept as a hashmap and is kept
 in sync with reality in the following way:

A HashMap is unsynchronized; does your logic provide the necessary
synchronization for insertions, deletions, *and* retrievals?  If not,
switching to a HashTable might resolve your problem.

Or then again, it might just be a bug, but you didn't tell us the
version of Tomcat you're using, so searching bugzilla would be rather
tedious.

- Chuck





Re: session hijacking again

2007-01-29 Thread Peter Stavrinides

Do you use Java?

We are a financial institution, we use a Java Framework based on 
servlets with SSL, but if you ask my opinion SSL is not the big issue. 
The vast majority of hacked sites are social engineering attacks. Secure 
your database (do not store clear text passwords in the database) 
minimize access of staff, require strong passwords (8 characters and 
numbers). No strategy or amount of code is foolproof, although yes it is 
also worth the extra effort to make your application a bit smart, but it 
is better to focus your attention on preventing social engineering, 
because no matter how clever you make it if the passwords are easily 
guessed or users careless it's all for nothing.


Design your application like a container that reloads its body, that way 
you can implement security and logging application wide with minimal code.


We secure our application like this: on login (after authentication) we 
store in state for the duration of that session, the users unique id and 
session id and for logging purposes the current IP. (no cookies etc are 
used at all, because cookies are stored on the client which is out of 
our control).


We perform a check for each new login to ensure at least the user id and 
session id does NOT exist in state before allowing the new login. We do 
not allow two concurrent logins with the same account.


If you wish to implement session id switching you have to destroy the 
users old session and recreate it and update the session id in state (to 
me again, just my humble opinion, not so important)... it is far more 
useful to use a session timer that times out after a few minutes of 
inactivity, it will automatically call a sign out but you can keep the 
users details in the server state until the browser closes, if they try 
to continue activity, then you ask them to sign in again and add their 
new session id back into your state object. When the browser closes a 
session listener cleans out the session so the users details are discarded.


Again paranoid coding is not going to prevent social engineering, 
educating users might... by far the most effective strategy is to tell 
users to never give out their password, give them a support number and 
inform them about what the support personnel is and isn't allowed to ask 
them for. Lastly tell users exactly what type of email they will and 
won't receive from your organization. When they login to your site tell 
them they should ALWAYS check that the domain name appears correctly in 
the address bar.


John Caron wrote:

Hello:

Our application is serving large amounts of scientific data over HTTP. 
The user needs to login to access the data. We would like to use 
session ids to reduce the login overhead. We can't afford the overhead 
of HTTPS encryption of the data (3 times slower ?). We realize this 
makes us vulnerable to session hijacking. Still, we aren't transferring 
financial information, so tentatively we think its a reasonable risk.


The Wikipedia article (http://en.wikipedia.org/wiki/Session_hijacking) 
suggests a couple of things that help, that seem reasonable to me:


# Some services make secondary checks against the identity of the 
user. For example, a web server could check with each request made 
that the IP address of the user matched the one last used during that 
session. This does not prevent attacks by somebody who shares the same 
IP address, however, and could be frustrating for users whose IP 
address is liable to change during a browsing session.


# Alternatively, some services will change the value of the cookie 
with each and every request. This dramatically reduces the window in 
which an attacker can operate and makes it easy to identify whether an 
attack has taken place, but can cause other technical problems (for 
example, preventing the back button from working properly, on the web).


I would like to implement one or both of these in Tomcat: 1) IP 
checking and 2) session id switching. I guess others have thought 
about this. Does anyone have any advice or pointers (or code!) to get 
started?


Thanks for any help.

John Caron
Unidata/UCAR

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



--
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 

If you are not an intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it. Please visit http://www.albourne.com/email.html for important additional terms relating to this e-mail. 
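
An added example, not code from this thread or from Tomcat: a servlet filter and session listener implementing the server-side state described in the reply above (one login per account, cleaned up by a session listener) together with the per-request IP check asked about in the question. The class name `SessionGuard` and the attribute names `userId` and `loginIp` are assumptions; it uses the standard `javax.servlet` API.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example (hypothetical class): one login per account, session pinned to the login IP. */
public class SessionGuard implements Filter, HttpSessionListener {
    // userId -> id of the single session allowed for that account (server-side state only)
    private static final ConcurrentMap<String, String> ACTIVE = new ConcurrentHashMap<String, String>();

    /** Call after authentication succeeds; returns false if the account is already signed in. */
    public static boolean register(HttpServletRequest req, String userId) {
        HttpSession s = req.getSession(true);
        String owner = ACTIVE.putIfAbsent(userId, s.getId());
        if (owner != null && !owner.equals(s.getId())) return false; // concurrent login refused
        s.setAttribute("userId", userId);               // attribute names are assumptions
        s.setAttribute("loginIp", req.getRemoteAddr()); // behind a proxy this is the proxy's address
        return true;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession s = req.getSession(false);
        Object userId = (s == null) ? null : s.getAttribute("userId");
        if (userId != null) {
            boolean sameIp = req.getRemoteAddr().equals(s.getAttribute("loginIp"));
            boolean owner = s.getId().equals(ACTIVE.get(userId));
            if (!sameIp || !owner) {
                s.invalidate();  // treat the session id as compromised; fires sessionDestroyed
                ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(rq, rs);  // requests without a login pass through to the sign-in page
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        Object userId = e.getSession().getAttribute("userId");
        if (userId != null) {
            // remove only if the entry still belongs to this session (timeout or sign-out)
            ACTIVE.remove((String) userId, e.getSession().getId());
        }
    }

    public void sessionCreated(HttpSessionEvent e) { }
    public void init(FilterConfig cfg) { }
    public void destroy() { }
}
```

Declare the class as both a `<filter>` and a `<listener>` in web.xml and call `SessionGuard.register(...)` from the login handler. As the quoted Wikipedia text notes, the IP check does not stop someone sharing the same address and will sign out users whose address changes mid-session.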







Re: Configuring a common authentication realm

2007-01-25 Thread Peter Stavrinides
Greg, thanks for this, sounds like it has potential, and it won't be a 
problem with separate machines, but one problem I foresee though is the 
new IE7 browser which disables cookies on the client by default, have 
you tested it?


Christopher, I am currently using the Authorization header but the 
server tries to authenticate before it serves the page so it still 
prompts for the username and password, I haven't looked at the 
REMOTE_USER field though, I would be curious to look at some 
documentation on it.


Peter
Gregor Schneider wrote:

Peter,

I think this can be done with mod_auth_cookie_mysql.

You will, however, have to write your own little SSO-Servlet / JSP
which updates the MySQL-DB with the JSSOSessionID-Cookie provided by
Tomcat. Apache will then read the Cookie from the database, check, if
this cookie is present on the client-side (browser) and grant access
to the protected area within Apache.

Works absolutely smooth for us (however: Apache / Tomcat reside on the
same machine, although we have 2 machines behind a
hardware-loadbalancer).

Check out http://www.freshports.org/www/mod_auth_cookie_mysql2

I've posted this on the apache-userlist already, you also might want
to check out http://comments.gmane.org/gmane.comp.apache.user/65363

In the above solution authorization is handled by Tomcat (Form based
Authorization).

Hope I got your problem right  HTH

Greg


--
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 




Configuring a common authentication realm

2007-01-24 Thread Peter Stavrinides

I don't know if this is possible, but this is the scenario:

I have an Apache web server with Basic authentication configured to use 
a Postgres database. Web application A (written in Perl) uses it.


Web application B (written in Java) runs on Tomcat 5.5.20 on a different 
physical server, it uses a JDBC realm with basic authentication once 
again to connect to the same database and authenticate users.


The user cannot distinguish between the two applications, they have a 
common appearance.


What I need to do is authenticate users once (on either server / 
application), and allow the users to navigate from one application to 
the other (I don't want to ask for passwords again). Can the servers 
share a realm or is there a connector component or something I can use.


Thanks for your help,

Peter

--
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 




Re: Configuring a common authentication realm

2007-01-24 Thread Peter Stavrinides

Christopher, thanks for your reply.

I do mention however that two separate physical servers exist and the 
webapps are on two separate web servers as well... they appear under the 
same host to users because the URLs are dynamically rewritten on the 
front end. The DNS is entirely separate, so to share a login across the 
two would require that I pass authentication information between the two 
web servers somehow, do you understand?


Also, sharing a session is not possible in this case because the Perl 
application is stateless, for this reason also it uses Apache basic 
authentication, so I can't use forms authentication or the problem would 
be easily solved with a common sign-in as you suggested, but 
unfortunately that's not an option.


Peter

Christopher Schultz wrote:


Peter,

Peter Stavrinides wrote:
  

I have an Apache web server with Basic authentication configured to use
a Postgres database. Web application A (written in Perl) uses it.

Web application B (written in Java) runs on Tomcat 5.5.20 on a different
physical server, it uses a JDBC realm with basic authentication once
again to connect to the same database and authenticate users.

What I need to do is authenticate users once (on either server /
application), and allow the users to navigate from one application to
the other (I don't want to ask for passwords again). Can the servers
share a realm or is there a connector component or something I can use.



What you are talking about is not realm-sharing since the concept of a
realm really only exists on the Tomcat side. You really want some sort
of cooperative login or something like that.

First, you have to decide which type of authentication you prefer. For
instance, if the user really cannot tell the difference between the
webapps, does that mean that the URL spaces are the same? (i.e. the perl
webapp lives in /cool-product/whatever/*.pl and the Java stuff lives
in /cool-product/whatever/*.jsp)?

If that's the case, then you can probably configure Tomcat to use Basic
authentication which is already being used by Apache httpd to do the
authentication for your other application. The same path
(/cool-product) will result in the WWW-Auth information being sent to
both applications. Since you have the same database for authentication
in both webapps, either one can be the first to do authentication, and
then the other app should respect the other's WWW-auth information.

There are other ways, but this sounds like the most painless given your
setup.

-chris

  


--
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 




Why has Tomcat Undeployed my Applications?

2006-06-20 Thread Peter Stavrinides
Hi

I am running Tomcat 5.5 and Tapestry on windows. I store my eclipse workspaces 
and the application files on another server (Linux). I deploy my xml 
configuration files in:
C:\Tomcat\conf\Catalina\localhost

When the Linux server was rebooted, Tomcat subsequently undeployed all my 
applications, is there a reason for this? I am a bit lost, and no expert using 
Tomcat. Does Tomcat back up the files anywhere? They are no longer in the 
directory.

Any help would be much appreciated!

Thanks
Peter

 

RE: Why has Tomcat Undeployed my Applications?

2006-06-20 Thread Peter Stavrinides
Hi Antonio

Thanks very much for your help, what you have said makes perfect sense. I will 
try it!

Thanks
Peter

-Original Message-
From: Antonio Petrelli [mailto:[EMAIL PROTECTED]
Sent: 20 June 2006 16:11
To: Tomcat Users List
Subject: Re: Why has Tomcat Undeployed my Applications?

Peter Stavrinides wrote:
 I deploy my xml configuration files in:
 C:\Tomcat\conf\Catalina\localhost


Why here? Your context information should be put either in the
server.xml file or in webapp-root/META-INF/context.xml
The directory that you used is temporary, AFAIK.
HTH
Antonio






