Re: Wondering about tomcat-users.xml could not be found

2023-11-17 Thread Christopher Schultz

Christoph,

On 11/17/23 03:55, Christoph Kukulies wrote:
On 16.11.2023 at 20:12, Christopher Schultz wrote:


What is the user-owner of the JVM process?


root      125216  0.0  0.0      0     0 ?        I    09:42   0:00 
[kworker/0:0-events]
root      125221  0.0  0.0      0     0 ?        I    09:42   0:00 
[kworker/0:2]
tomcat    125222  166  9.2 3551824 363244 ?      Ssl  09:42   0:16 
/usr/lib/jvm/default-java/bin/java 
-Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties 
-Djava.util.logging.mana
root      125246  0.0  0.0      0     0 ?        I    09:42   0:00 
[kworker/u4:2-flush-8:0]


Ugh. I *really* hope this is Docker. And even if it is, /stop running 
Tomcat as root/.


Check that all of the above would be both readable and executable by 
that user:


ls -ld /var
ls -ld /var/lib
ls -ld /var/lib/tomcat9
ls -ld /var/lib/tomcat9/conf


root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld /var
drwxr-xr-x 15 root root 4096 Oct 23 16:31 /var
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld /var/lib
drwxr-xr-x 63 root root 4096 Nov 10 10:28 /var/lib
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld /var/lib/tomcat9
drwxr-xr-x 6 root root 4096 Nov 17 09:42 /var/lib/tomcat9
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld /var/lib/tomcat9/conf
lrwxrwxrwx 1 tomcat tomcat 12 Sep 11  2019 /var/lib/tomcat9/conf -> /etc/tomcat9
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld /etc/tomcat9
drwxr-xr-x 4 root root 4096 Nov 16 12:17 /etc/tomcat9
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config#


Permissions look good, even if the process-owner isn't root.

... and of course that the JVM user can read 
/var/lib/tomcat9/conf/tomcat-users.xml which I assume is true since 
you said you already checked it.


What is the cwd of the JVM process?


root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# pwdx 125222
125222: /var/lib/tomcat9


TIL: pwdx is a thing

Okay, so that all checks out. cwd is /var/lib/tomcat9 and the "allegedly 
relative path" is conf/tomcat-users.xml, which points to where the file 
actually lives on the disk.


The first message ("reloading") has the full path, and the second 
message ("file not found") only mentions a relative path. I wonder if 
that is the difference.





Could it be that the second path relates to a missing env-Variable 
$CATALINA_BASE or $CATALINA_HOME?


root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# cat 
/proc/125222/environ | tr '\0' '\n'

USER=tomcat
HOME=/var/lib/tomcat
CATALINA_HOME=/usr/share/tomcat9
CATALINA_TMPDIR=/tmp
JAVA_OPTS=-Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027

PWD=/var/lib/tomcat9
JAVA_HOME=/usr/lib/jvm/default-java

CATALINA_BASE=/var/lib/tomcat9

Well, that all checks out. USER looks weird, but I'm assuming there's a 
"sudo java ..." somewhere in the launch command.


It seems the situation is straightened out since I changed the ownership 
of the file tomcat-users.xml

-rw-r----- 1 tomcat tomcat   2756 Jan 15  2022 tomcat-users.xml


So... who is the owner, now? If the process is really running as "root" 
then it should be able to read every file on the filesystem.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
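The procedure Chris walks through above (find the user the JVM runs as, run `ls -ld` on every prefix of the path, notice that `conf` is a symlink to `/etc/tomcat9`, and remember that root reads anything) can be scripted. The following is an added example written for this thread, not Tomcat code: it resolves the path and then applies the POSIX mode bits of each component to a given uid and gid set, the same way the kernel's discretionary access check does. It assumes plain DAC only. POSIX ACLs, AppArmor/SELinux policy and systemd sandboxing (for example `InaccessiblePaths=`) can still deny access that the mode bits permit, and a service manager may start the process with a gid set that differs from the password database. The user name `tomcat` and the path in the usage comment are the ones from the thread.

```python
"""Check whether a Unix identity can reach and read a file, component by
component, using only the POSIX mode bits (what `ls -ld` shows)."""
import os
import pwd
import grp
import stat
import sys

R_BIT, X_BIT = 4, 1


def mode_allows(st_mode, st_uid, st_gid, uid, gids, want):
    """POSIX DAC rule: pick the owner, group or other triplet and test one bit.

    uid 0 is treated as always allowed (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH),
    which is exact for the two checks this script makes: reading a file and
    searching a directory.
    """
    if uid == 0:
        return True
    if uid == st_uid:
        triplet = (st_mode >> 6) & 0o7
    elif st_gid in gids:
        triplet = (st_mode >> 3) & 0o7
    else:
        triplet = st_mode & 0o7
    return bool(triplet & want)


def identity(user):
    """uid and the full gid set (primary plus supplementary) of a user name."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def prefixes_of(real_path):
    """'/', '/etc', '/etc/tomcat9', '/etc/tomcat9/tomcat-users.xml', in that order."""
    out, cur = [], real_path
    while True:
        out.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    return list(reversed(out))


def check_path_access(path, uid, gids):
    """Return (ok, problems). Symlinks are resolved first: the lrwxrwxrwx bits
    of /var/lib/tomcat9/conf are irrelevant, the target /etc/tomcat9 is what
    counts. Every directory needs x (search) for this identity; the final
    file needs r. Stops at the first component that fails, like the kernel."""
    real = os.path.realpath(path)
    problems = []
    for p in prefixes_of(real):
        try:
            st = os.stat(p)
        except OSError as e:
            problems.append(f"{p}: {e.strerror}")
            break
        is_last = p == real
        if not is_last and not stat.S_ISDIR(st.st_mode):
            problems.append(f"{p}: not a directory")
            break
        want = R_BIT if is_last else X_BIT
        if not mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, want):
            need = "read" if is_last else "search (x)"
            problems.append(f"{p}: uid {uid} gids {sorted(gids)} lack {need} "
                            f"(mode {stat.filemode(st.st_mode)}, owner {st.st_uid}:{st.st_gid})")
            break
    return not problems, problems


if __name__ == "__main__":
    # e.g.: python3 check_access.py tomcat /var/lib/tomcat9/conf/tomcat-users.xml
    user, target = sys.argv[1], sys.argv[2]
    uid, gids = identity(user)
    ok, problems = check_path_access(target, uid, gids)
    print("OK" if ok else "\n".join(problems))
    sys.exit(0 if ok else 1)
```

With the original `-rw-r----- root root` file and a `tomcat` user that is not in group `root`, the script stops at the final component and names it; after `chown tomcat:tomcat` it reports OK. Run it as root, or as any user that can stat every prefix, and pass the service account name rather than running it as that account, since the point is to evaluate the bits for an identity other than your own.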



Re: Wondering about tomcat-users.xml could not be found

2023-11-17 Thread Christoph Kukulies



> On 16.11.2023 at 20:19, l...@kreuser.name wrote:
> 
> Hi Chris*,
> 
> 
>> On 16.11.2023 at 20:12, Christopher Schultz wrote:
>> 
>> Christoph,
>> 
>> On 11/15/23 10:32, Christoph Kukulies wrote:
>>> I'm running tomcat9 under Ubuntu 22.04 with an haproxy 2.8 in front of it.
>>> I'm wondering about the following in the logs:
>>> Nov 15 16:19:23 mail tomcat9[832]: Reloading memory user database 
>>> [UserDatabase] from updated source 
>>> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
>>> Nov 15 16:19:23 mail tomcat9[832]: The specified user database 
>>> [conf/tomcat-users.xml] could not be found
>>> Nov 15 16:19:33 mail tomcat9[832]: Reloading memory user database 
>>> [UserDatabase] from updated source 
>>> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
>>> Nov 15 16:19:33 mail tomcat9[832]: The specified user database 
>>> [conf/tomcat-users.xml] could not be found
>>> Nov 15 16:19:43 mail tomcat9[832]: Reloading memory user database 
>>> [UserDatabase] from updated source 
>>> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
>>> Nov 15 16:19:43 mail tomcat9[832]: The specified user database 
>>> [conf/tomcat-users.xml] could not be found
>>> Nov 15 16:19:53 mail tomcat9[832]: Reloading memory user database 
>>> [UserDatabase] from updated source 
>>> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
>>> Nov 15 16:19:53 mail tomcat9[832]: The specified user database 
>>> [conf/tomcat-users.xml] could not be found
>>> File /var/lib/tomcat9/conf/tomcat-users.xml is definitely there.
>>> It occurs every 10 seconds.
>>> Don't know who is causing this and why. Permissions? Ownership wrong?
>>> -rw-r----- 1 root root   2756 Jan 15  2022 tomcat-users.xml
>>> Believe the ownership was wrong. Maybe it came from migrating an old 
>>> installation.
>>> What are the correct perms/ownership in /var/lib/tomcat9 and below?
>> 
>> What is the user-owner of the JVM process?


root      125216  0.0  0.0      0     0 ?        I    09:42   0:00 [kworker/0:0-events]
root      125221  0.0  0.0      0     0 ?        I    09:42   0:00 [kworker/0:2]
tomcat    125222  166  9.2 3551824 363244 ?      Ssl  09:42   0:16 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties -Djava.util.logging.mana
root      125246  0.0  0.0      0     0 ?        I    09:42   0:00 [kworker/u4:2-flush-8:0]


>> 
>> Check that all of the above would be both readable and executable by that 
>> user:
>> 
>> ls -ld /var
>> ls -ld /var/lib
>> ls -ld /var/lib/tomcat9
>> ls -ld /var/lib/tomcat9/conf

root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld /var
drwxr-xr-x 15 root root 4096 Oct 23 16:31 /var
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld /var/lib
drwxr-xr-x 63 root root 4096 Nov 10 10:28 /var/lib
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld /var/lib/tomcat9
drwxr-xr-x 6 root root 4096 Nov 17 09:42 /var/lib/tomcat9
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld 
/var/lib/tomcat9/conf
lrwxrwxrwx 1 tomcat tomcat 12 Sep 11  2019 /var/lib/tomcat9/conf -> /etc/tomcat9
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# ls -ld /etc/tomcat9
drwxr-xr-x 4 root root 4096 Nov 16 12:17 /etc/tomcat9
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# 

>> 
>> ... and of course that the JVM user can read 
>> /var/lib/tomcat9/conf/tomcat-users.xml which I assume is true since you said 
>> you already checked it.
>> 
>> What is the cwd of the JVM process?
>> 
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# pwdx 125222
125222: /var/lib/tomcat9

>> The first message ("reloading") has the full path, and the second message 
>> ("file not found") only mentions a relative path. I wonder if that is the 
>> difference.
>> 
> 
> 
> Could it be that the second path relates to a missing env-Variable 
> $CATALINA_BASE or $CATALINA_HOME?
> 
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# cat 
/proc/125222/environ | tr '\0' '\n'
USER=tomcat
HOME=/var/lib/tomcat
OLDPWD=/
CATALINA_HOME=/usr/share/tomcat9
SYSTEMD_EXEC_PID=125222
LOGNAME=tomcat
JOURNAL_STREAM=8:1778827
CACHE_DIRECTORY=/var/cache/tomcat9
JDK_JAVA_OPTIONS= --add-opens=java.base/java.lang=ALL-UNNAMED 
--add-opens=java.base/java.io=ALL-UNNAMED 
--add-opens=java.base/java.util=ALL-UNNAMED 
--add-opens=java.base/java.util.concurrent=ALL-UNNAMED 
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
CATALINA_TMPDIR=/tmp
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
INVOCATION_ID=84b60xxxa420e09ed
JAVA_OPTS=-Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
LANG=en_US.UTF-8
PWD=/var/lib/tomcat9
JAVA_HOME=/usr/lib/jvm/default-java
CATALINA_BASE=/var/lib/tomcat9
root@mail:/var/lib/tomcat9/webapps/ROOT/WEB-INF/config# 
> Peter

It seems the situation is straightened out since I changed the ownership of the 
file 

Re: Wondering about tomcat-users.xml could not be found

2023-11-17 Thread Simon Matter
Hi,

> I'm running tomcat9 under Ubuntu 22.04 with an haproxy 2.8 in front of it.
>
> I'm wondering about the following in the logs:
>
> Nov 15 16:19:23 mail tomcat9[832]: Reloading memory user database
> [UserDatabase] from updated source
> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
> Nov 15 16:19:23 mail tomcat9[832]: The specified user database
> [conf/tomcat-users.xml] could not be found
> Nov 15 16:19:33 mail tomcat9[832]: Reloading memory user database
> [UserDatabase] from updated source
> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
> Nov 15 16:19:33 mail tomcat9[832]: The specified user database
> [conf/tomcat-users.xml] could not be found
> Nov 15 16:19:43 mail tomcat9[832]: Reloading memory user database
> [UserDatabase] from updated source
> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
> Nov 15 16:19:43 mail tomcat9[832]: The specified user database
> [conf/tomcat-users.xml] could not be found
> Nov 15 16:19:53 mail tomcat9[832]: Reloading memory user database
> [UserDatabase] from updated source
> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
> Nov 15 16:19:53 mail tomcat9[832]: The specified user database
> [conf/tomcat-users.xml] could not be found
>
>
>
> File /var/lib/tomcat9/conf/tomcat-users.xml is definitely there.
>
> It occurs every 10 seconds.
>
> Don't know who is causing this and why. Permissions? Ownership wrong?
>
> -rw-r----- 1 root root   2756 Jan 15  2022 tomcat-users.xml

Is your Tomcat running as root? I hope not, but if it's running as user
tomcat or some other unprivileged user, it won't be able to read your
tomcat-users.xml as long as the user is not a member of group root.

Regards,
Simon





Re: Wondering about tomcat-users.xml could not be found

2023-11-16 Thread Christopher Schultz

Peter,

On 11/16/23 14:19, l...@kreuser.name wrote:

Hi Chris*,



On 16.11.2023 at 20:12, Christopher Schultz wrote:

Christoph,

On 11/15/23 10:32, Christoph Kukulies wrote:

I'm running tomcat9 under Ubuntu 22.04 with an haproxy 2.8 in front of it.
I'm wondering about the following in the logs:
Nov 15 16:19:23 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:23 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
Nov 15 16:19:33 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:33 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
Nov 15 16:19:43 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:43 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
Nov 15 16:19:53 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:53 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
File /var/lib/tomcat9/conf/tomcat-users.xml is definitely there.
It occurs every 10 seconds.
Don't know who is causing this and why. Permissions? Ownership wrong?
-rw-r----- 1 root root   2756 Jan 15  2022 tomcat-users.xml
Believe the ownership was wrong. Maybe it came from migrating an old 
installation.
What are the correct perms/ownership in /var/lib/tomcat9 and below?


What is the user-owner of the JVM process?

Check that all of the above would be both readable and executable by that user:

ls -ld /var
ls -ld /var/lib
ls -ld /var/lib/tomcat9
ls -ld /var/lib/tomcat9/conf

... and of course that the JVM user can read 
/var/lib/tomcat9/conf/tomcat-users.xml which I assume is true since you said 
you already checked it.

What is the cwd of the JVM process?

The first message ("reloading") has the full path, and the second message ("file not 
found") only mentions a relative path. I wonder if that is the difference.




Could it be that the second path relates to a missing env-Variable 
$CATALINA_BASE or $CATALINA_HOME?


Unlikely. Tomcat always determines the values for catalina.home and 
catalina.base before launching the JVM. After that, only those system 
properties are consulted.


But it's possible there is some sloppy code somewhere that is using 
cwd-relative paths.


-chris




Re: Wondering about tomcat-users.xml could not be found

2023-11-16 Thread logo
Hi Chris*,


> On 16.11.2023 at 20:12, Christopher Schultz wrote:
> 
> Christoph,
> 
> On 11/15/23 10:32, Christoph Kukulies wrote:
>> I'm running tomcat9 under Ubuntu 22.04 with an haproxy 2.8 in front of it.
>> I'm wondering about the following in the logs:
>> Nov 15 16:19:23 mail tomcat9[832]: Reloading memory user database 
>> [UserDatabase] from updated source 
>> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
>> Nov 15 16:19:23 mail tomcat9[832]: The specified user database 
>> [conf/tomcat-users.xml] could not be found
>> Nov 15 16:19:33 mail tomcat9[832]: Reloading memory user database 
>> [UserDatabase] from updated source 
>> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
>> Nov 15 16:19:33 mail tomcat9[832]: The specified user database 
>> [conf/tomcat-users.xml] could not be found
>> Nov 15 16:19:43 mail tomcat9[832]: Reloading memory user database 
>> [UserDatabase] from updated source 
>> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
>> Nov 15 16:19:43 mail tomcat9[832]: The specified user database 
>> [conf/tomcat-users.xml] could not be found
>> Nov 15 16:19:53 mail tomcat9[832]: Reloading memory user database 
>> [UserDatabase] from updated source 
>> [file:/var/lib/tomcat9/conf/tomcat-users.xml]
>> Nov 15 16:19:53 mail tomcat9[832]: The specified user database 
>> [conf/tomcat-users.xml] could not be found
>> File /var/lib/tomcat9/conf/tomcat-users.xml is definitely there.
>> It occurs every 10 seconds.
>> Don't know who is causing this and why. Permissions? Ownership wrong?
>> -rw-r----- 1 root root   2756 Jan 15  2022 tomcat-users.xml
>> Believe the ownership was wrong. Maybe it came from migrating an old 
>> installation.
>> What are the correct perms/ownership in /var/lib/tomcat9 and below?
> 
> What is the user-owner of the JVM process?
> 
> Check that all of the above would be both readable and executable by that 
> user:
> 
> ls -ld /var
> ls -ld /var/lib
> ls -ld /var/lib/tomcat9
> ls -ld /var/lib/tomcat9/conf
> 
> ... and of course that the JVM user can read 
> /var/lib/tomcat9/conf/tomcat-users.xml which I assume is true since you said 
> you already checked it.
> 
> What is the cwd of the JVM process?
> 
> The first message ("reloading") has the full path, and the second message 
> ("file not found") only mentions a relative path. I wonder if that is the 
> difference.
> 


Could it be that the second path relates to a missing env-Variable 
$CATALINA_BASE or $CATALINA_HOME?

Peter

> -chris
> 
> 





Re: Wondering about tomcat-users.xml could not be found

2023-11-16 Thread Christopher Schultz

Christoph,

On 11/15/23 10:32, Christoph Kukulies wrote:

I'm running tomcat9 under Ubuntu 22.04 with an haproxy 2.8 in front of it.

I'm wondering about the following in the logs:

Nov 15 16:19:23 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source 
[file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:23 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
Nov 15 16:19:33 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source 
[file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:33 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
Nov 15 16:19:43 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source 
[file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:43 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
Nov 15 16:19:53 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source 
[file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:53 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found




File /var/lib/tomcat9/conf/tomcat-users.xml is definitely there.

It occurs every 10 seconds.

Don't know who is causing this and why. Permissions? Ownership wrong?

-rw-r----- 1 root root   2756 Jan 15  2022 tomcat-users.xml

Believe the ownership was wrong. Maybe it came from migrating an old 
installation.


What are the correct perms/ownership in /var/lib/tomcat9 and below?


What is the user-owner of the JVM process?

Check that all of the above would be both readable and executable by 
that user:


 ls -ld /var
 ls -ld /var/lib
 ls -ld /var/lib/tomcat9
 ls -ld /var/lib/tomcat9/conf

... and of course that the JVM user can read 
/var/lib/tomcat9/conf/tomcat-users.xml which I assume is true since you 
said you already checked it.


What is the cwd of the JVM process?

The first message ("reloading") has the full path, and the second 
message ("file not found") only mentions a relative path. I wonder if 
that is the difference.


-chris




Wondering about tomcat-users.xml could not be found

2023-11-15 Thread Christoph Kukulies
I'm running tomcat9 under Ubuntu 22.04 with an haproxy 2.8 in front of it.

I'm wondering about the following in the logs:

Nov 15 16:19:23 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:23 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
Nov 15 16:19:33 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:33 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
Nov 15 16:19:43 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:43 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found
Nov 15 16:19:53 mail tomcat9[832]: Reloading memory user database 
[UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:53 mail tomcat9[832]: The specified user database 
[conf/tomcat-users.xml] could not be found



File /var/lib/tomcat9/conf/tomcat-users.xml is definitely there. 

It occurs every 10 seconds.

Don't know who is causing this and why. Permissions? Ownership wrong?

-rw-r----- 1 root root   2756 Jan 15  2022 tomcat-users.xml

Believe the ownership was wrong. Maybe it came from migrating an old 
installation.

What are the correct perms/ownership in /var/lib/tomcat9 and below?

--
Christoph







Re: question about tomcat manager Server Status page

2023-09-08 Thread Ivano Luberti

Thanks Christopher

On 08/09/2023 17:51, Christopher Schultz wrote:

Ivano,

On 9/8/23 11:17, Ivano Luberti wrote:

Hi, looking at Server Status and Complete Server Status Page

I can see the following line:

Max threads: 200 Current thread count: 11 Current threads busy: 1 
Keep alive sockets count: 1


But looking at the thread list under the line I can count 24 lines.

So what is the number of thread currently instantiated by tomcat? 11 
or 24?


This is a good question. When I check my localhost Manager running 
8.5.x, I see this:


Max threads: -1 Current thread count: 4 Current threads busy: 1 Keep 
alive sockets count: 1


The number of threads shown in the http-nio-host-port section shows 5 
threads, 4 in the R state and one in the S state.


When running jstack against my JVM, I can see that there are only 4 
exec threads running.


So I think the claim that there are only 11 threads in your JVM is 
correct. I believe the 24 lines you are seeing are something buggy in 
the Manager's view. I'll see if I can play around with it a little bit 
to see what's happening.


-chris



--

Archimede Informatica processes personal data in accordance with
Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree no. 196
of 30 June 2003, as amended by Legislative Decree no. 101 of 10 August 2018.
Full privacy notice



dott. Ivano Mario Luberti

Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa

tel.: +39 050/580959 | fax: +39 050/8932061

web: www.archicoop.it
linkedin: www.linkedin.com/in/ivanoluberti
facebook: www.facebook.com/archimedeinformaticapisa/


Re: question about tomcat manager Server Status page

2023-09-08 Thread Christopher Schultz

Ivano,

On 9/8/23 11:17, Ivano Luberti wrote:

Hi, looking at Server Status and Complete Server Status Page

I can see the following line:

Max threads: 200 Current thread count: 11 Current threads busy: 1 Keep 
alive sockets count: 1


But looking at the thread list under the line I can count 24 lines.

So what is the number of thread currently instantiated by tomcat? 11 or 24?


This is a good question. When I check my localhost Manager running 
8.5.x, I see this:


Max threads: -1 Current thread count: 4 Current threads busy: 1 Keep 
alive sockets count: 1


The number of threads shown in the http-nio-host-port section shows 5 
threads, 4 in the R state and one in the S state.


When running jstack against my JVM, I can see that there are only 4 exec 
threads running.


So I think the claim that there are only 11 threads in your JVM is 
correct. I believe the 24 lines you are seeing are something buggy in 
the Manager's view. I'll see if I can play around with it a little bit 
to see what's happening.


-chris

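Chris cross-checks the Manager's "Current thread count" against jstack above; the 2017 thread further down asks the same question about `ps -Lf | wc -l`. The following is an added example, not Tomcat or Manager code: it groups the thread headers of a jstack dump by connector (the `-exec-N` pool, the Acceptor and Poller support threads, and everything else the JVM runs), parses the Manager status line in both its 8.0 ("Current thread busy", "Keeped alive sockets count") and later ("Current threads busy", "Keep alive sockets count") spellings, and reports where the numbers disagree. The dump and status line embedded below are constructed for the example; the connector name `http-nio-8080` and the thread naming scheme follow Tomcat's defaults. jstack lists Java threads and the main VM threads but not every native thread the process owns, so a `ps -Lf` count can still be a little higher than the figure this script reports.

```python
"""Reconcile the Manager's "Current thread count" with a jstack dump by
grouping JVM threads by Tomcat connector pool."""
import re

# Thread header as jstack prints it (Java 8 and 11 differ only in the fields
# between the name and nid), e.g.
# "http-nio-8080-exec-3" #29 daemon prio=5 os_prio=0 tid=0x... nid=0x1a14 runnable [0x...]
THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)".*\bnid=(?P<nid>0x[0-9a-f]+)', re.M)
EXEC_NAME = re.compile(r"^(?P<connector>.+)-exec-\d+$")
SUPPORT_NAME = re.compile(r"^(?P<connector>.+)-(Acceptor|Poller|ClientPoller)(-\d+)?$")

# Tomcat 8.0 wrote "Current thread busy" / "Keeped alive sockets count";
# 8.5 and later write "Current threads busy" / "Keep alive sockets count".
STATUS_LINE = re.compile(
    r"Max threads:\s*(?P<max>-?\d+)\s+Current thread count:\s*(?P<count>\d+)\s+"
    r"Current threads? busy:\s*(?P<busy>\d+)\s+Keep(?:ed)? alive sockets count:\s*(?P<keepalive>\d+)")

# Constructed sample input for this example (not a real capture).
SAMPLE_STATUS = "Max threads: 200 Current thread count: 3 Current threads busy: 1 Keep alive sockets count: 5"
SAMPLE_DUMP = """\
Full thread dump OpenJDK 64-Bit Server VM (11.0.20+8 mixed mode):

"main" #1 prio=5 os_prio=0 tid=0x00007f0000010000 nid=0x1a01 waiting on condition  [0x00007f0000000000]
"Reference Handler" #2 daemon prio=10 os_prio=0 tid=0x00007f0000020000 nid=0x1a02 waiting on condition  [0x00007f0000100000]
"http-nio-8080-Acceptor" #25 daemon prio=5 os_prio=0 tid=0x00007f0000030000 nid=0x1a10 runnable  [0x00007f0000200000]
"http-nio-8080-ClientPoller" #26 daemon prio=5 os_prio=0 tid=0x00007f0000040000 nid=0x1a11 runnable  [0x00007f0000300000]
"http-nio-8080-exec-1" #27 daemon prio=5 os_prio=0 tid=0x00007f0000050000 nid=0x1a12 waiting on condition  [0x00007f0000400000]
"http-nio-8080-exec-2" #28 daemon prio=5 os_prio=0 tid=0x00007f0000060000 nid=0x1a13 waiting on condition  [0x00007f0000500000]
"http-nio-8080-exec-3" #29 daemon prio=5 os_prio=0 tid=0x00007f0000070000 nid=0x1a14 runnable  [0x00007f0000600000]
"VM Thread" os_prio=0 tid=0x00007f0000080000 nid=0x1a03 runnable
"GC Thread#0" os_prio=0 tid=0x00007f0000090000 nid=0x1a04 runnable
"C2 CompilerThread0" #6 daemon prio=9 os_prio=0 tid=0x00007f00000a0000 nid=0x1a05 waiting on condition  [0x0000000000000000]
"""


def parse_status(text):
    """{'max', 'count', 'busy', 'keepalive'} from one Manager status line."""
    m = STATUS_LINE.search(text)
    if not m:
        raise ValueError("no Manager status line found")
    return {k: int(v) for k, v in m.groupdict().items()}


def group_threads(dump):
    """{'http-nio-8080': {'exec': [...], 'support': [...]}, ..., 'jvm': [...]}."""
    groups = {"jvm": []}
    for m in THREAD_HEADER.finditer(dump):
        name = m["name"]
        e, s = EXEC_NAME.match(name), SUPPORT_NAME.match(name)
        if e:
            groups.setdefault(e["connector"], {"exec": [], "support": []})["exec"].append(name)
        elif s:
            groups.setdefault(s["connector"], {"exec": [], "support": []})["support"].append(name)
        else:
            groups["jvm"].append(name)
    return groups


def os_thread_count(dump):
    """One OS thread per distinct nid: the figure `ps -Lf <pid>` approximates."""
    return len({m["nid"] for m in THREAD_HEADER.finditer(dump)})


def reconcile(status, dump, connector):
    """Compare the Manager's numbers for one connector with the dump.

    "Keep alive sockets count" counts sockets, not threads; with NIO/NIO2 it
    can exceed the thread count (up to maxConnections), so it is reported
    but never checked against the thread figures."""
    groups = group_threads(dump)
    pool = groups.get(connector, {"exec": [], "support": []})
    issues = []
    if len(pool["exec"]) != status["count"]:
        issues.append(f"Manager reports {status['count']} threads for {connector}, "
                      f"jstack shows {len(pool['exec'])} exec threads")
    if status["max"] != -1 and status["count"] > status["max"]:
        issues.append("thread count exceeds maxThreads")
    if status["busy"] > status["count"]:
        issues.append("busy threads exceed thread count")
    return {
        "exec_threads": len(pool["exec"]),
        "support_threads": len(pool["support"]),
        "other_jvm_threads": len(groups["jvm"]),
        "os_threads": os_thread_count(dump),
        "keepalive_sockets": status["keepalive"],
        "issues": issues,
    }


if __name__ == "__main__":
    print(reconcile(parse_status(SAMPLE_STATUS), SAMPLE_DUMP, "http-nio-8080"))
```

On the sample the exec pool matches the Manager's count of 3, five more threads belong to the JVM itself, and the keep-alive figure of 5 is larger than the pool, which is exactly what Mark describes for the non-blocking connectors: idle keep-alive sockets sit in the poller and occupy no thread.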



question about tomcat manager Server Status page

2023-09-08 Thread Ivano Luberti

Hi, looking at Server Status and Complete Server Status Page

I can see the following line:

Max threads: 200 Current thread count: 11 Current threads busy: 1 Keep 
alive sockets count: 1


But looking at the thread list under the line I can count 24 lines.

So what is the number of thread currently instantiated by tomcat? 11 or 24?





Re: Question about Tomcat 8.5.77 and CVE-2022-0778

2022-03-21 Thread Mark Thomas

On 21/03/2022 16:26, Matthew Mellon wrote:
Tomcat 8.5.77 was published on March 17. The Windows distribution 
contains tcnative-1.dll, version 1.2.31.


Tcnative-1.dll appears to be statically linked to OpenSSL, and was built 
in 2021, prior to the fix for CVE-2022-0778 being published by OpenSSL.


The tcnative source tree was updated to “recommend” a new version of 
OpenSSL six days ago, but the DLL in the 8.5.77 release doesn’t appear 
to have been built with this change.


I believe this means that if an APR connector is enabled, that the 
Windows distribution of Tomcat 8.5.77 is exposed to a pretty severe DOS 
attack vector. I emailed secur...@tomcat.apache.org about this, believing 
that that was the responsible way to bring this to light, but received a 
pretty nasty email in response that told me that this mailing list was the 
correct forum.


CVE-2022-0778 is public. You posted a question to the Apache Tomcat 
security team that did not concern an undisclosed security vulnerability 
in Apache Tomcat. This happens sufficiently often that we have a canned 
response for when this happens. For the record this is the content of 
that canned response:



To whom it may concern,

You recently contacted the Apache Tomcat security team. As explained
in [1], the e-mail address you used should only be used for
reporting undisclosed security vulnerabilities in Apache Tomcat and
managing the process of fixing such vulnerabilities. Your e-mail does
not meet those criteria.

You may wish to read some information on how the ASF works [2] before
proceeding with your enquiry via the appropriate channel which will
almost certainly be the Apache Tomcat users mailing list. [3]

The Apache Tomcat security team

[1] http://tomcat.apache.org/security.html
[2] http://apache.org/foundation/how-it-works.html
[3] https://tomcat.apache.org/lists.html#tomcat-users


Would it be possible to get a canonical version of Tomcat (e.g. 8.5.78) 
built that contains the remediation for CVE-2022-0778?


There is a Tomcat Native 1.2.32 release in progress at the moment that 
includes convenience Windows binaries built with OpenSSL 1.1.1n.


That release vote looks like it is going to pass so that release should 
be available on the download pages sometime tomorrow.


Tomcat releases are usually monthly with the process starting at the 
beginning of the month. I'd therefore expect to see an 8.5.78 release 
roughly around the second week of April that included the Tomcat Native 
1.2.32 release.



Is there anything I can do to help?


Test the Tomcat Native 1.2.32 release. Details on the dev@ list.

The changes since 1.2.31 are minor and don't include any code changes so 
the likelihood of a regression is low. However, the more people that 
test a release and VOTE on it the better.


Test the 8.5.78 release when it happens. Watch the dev@ list for details.

Some other options:

Disable the APR/Native library so Tomcat uses NIO+JSSE instead.

Update to Tomcat Native 1.2.32 once released (single DLL for Windows 
that is a drop-in replacement).


Build 1.2.31 from source using OpenSSL 1.1.1n. The build process we use 
is documented at [1]. The hoop jumping is mainly to ensure that the 
resulting binaries will run on all currently supported Windows versions 
without requiring that additional run times etc are installed. Given 
that 1.2.32 is so close to release, it may not be worth the time 
required to follow this option.


Mark


[1] 
https://cwiki.apache.org/confluence/display/TOMCAT/Building+the+Tomcat+Native+Connector+binaries+for+Windows




Matthew Mellon CISSP
Chief Information Security Officer

828.265.2907 ext 5058 | www.ecrs.com


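Mark's options come down to one question: which OpenSSL is actually linked into the tcnative binary you run. CVE-2022-0778 is an infinite loop in OpenSSL's BN_mod_sqrt() reached while parsing a certificate with invalid explicit elliptic-curve parameters, before any signature is checked, so with the APR/OpenSSL connector a crafted client certificate can pin a thread. The following is an added example, not tcnative or Tomcat code: it scans a library file for the OPENSSL_VERSION_TEXT string that a statically linked OpenSSL embeds (e.g. `OpenSSL 1.1.1k  25 Mar 2021`) and compares it with the first fixed release on that branch as given in the OpenSSL advisory of 15 March 2022 (3.0.2, 1.1.1n, 1.0.2zd). It assumes a static build, as the Windows convenience binaries are; a dynamically linked libtcnative carries no such string and you must inspect the system libcrypto instead, and bear in mind that distribution packages backport fixes without bumping the version string, so a "predates fix" verdict is conclusive only for upstream builds.

```python
"""Find the OpenSSL version string baked into a Tomcat Native library and
decide whether it predates the CVE-2022-0778 fix on its branch."""
import re
import sys

# OPENSSL_VERSION_TEXT looks like "OpenSSL 1.1.1k  25 Mar 2021"; the letter
# suffix is the patch level on the 1.x branches and is empty on 3.x.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def find_versions(blob):
    """Distinct (major, minor, patch, letter) tuples in blob, in file order."""
    found = []
    for m in VERSION_RE.finditer(blob):
        v = (int(m[1]), int(m[2]), int(m[3]), m[4].decode("ascii"))
        if v not in found:
            found.append(v)
    return found


def version_text(v):
    return f"{v[0]}.{v[1]}.{v[2]}{v[3]}"


def vulnerable_to_cve_2022_0778(v):
    """First fixed releases per the OpenSSL advisory of 15 Mar 2022: 3.0.2,
    1.1.1n and 1.0.2zd. Letter suffixes compare as strings, which orders
    "" < "a" < ... < "z" < "za" < ... correctly. Branches that were already
    end-of-life (1.1.0, 1.0.1 and older) never received the fix upstream."""
    major, minor, patch, letter = v
    if major >= 3:
        return (major, minor, patch) < (3, 0, 2)
    if (major, minor, patch) == (1, 1, 1):
        return letter < "n"
    if (major, minor, patch) == (1, 0, 2):
        return letter < "zd"
    return True


def assess_blob(blob):
    """[(version text, predates fix?)] for every OpenSSL version string in blob."""
    return [(version_text(v), vulnerable_to_cve_2022_0778(v)) for v in find_versions(blob)]


def assess_file(path):
    with open(path, "rb") as f:
        return assess_blob(f.read())


if __name__ == "__main__":
    # e.g.: python3 tcnative_openssl.py bin/tcnative-1.dll
    results = assess_file(sys.argv[1])
    if not results:
        print("no OpenSSL version string found (dynamically linked? inspect the system libcrypto)")
        sys.exit(2)
    for text, vuln in results:
        print(f"OpenSSL {text}: {'predates CVE-2022-0778 fix' if vuln else 'fixed'}")
    sys.exit(1 if any(v for _, v in results) else 0)
```

Run it against the `tcnative-1.dll` shipped in the 8.5.77 Windows zip and against the 1.2.32 drop-in replacement to confirm the swap took effect; if the APR listener is removed from server.xml instead, the file's contents no longer matter because the JSSE connectors never load it.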



Question about Tomcat 8.5.77 and CVE-2022-0778

2022-03-21 Thread Matthew Mellon
Tomcat 8.5.77 was published on March 17. The Windows distribution contains 
tcnative-1.dll, version 1.2.31.

Tcnative-1.dll appears to be statically linked to OpenSSL, and was built in 
2021, prior to the fix for CVE-2022-0778 being published by OpenSSL.

The tcnative source tree was updated to "recommend" a new version of OpenSSL 
six days ago, but the DLL in the 8.5.77 release doesn't appear to have been 
built with this change.

I believe this means that if an APR connector is enabled, that the Windows 
distribution of Tomcat 8.5.77 is exposed to a pretty severe DOS attack vector. 
I emailed secur...@tomcat.apache.org about 
this, believing that that was the responsible way to bring this to light, but 
received a pretty nasty email in response that told me that this mailing list 
was the correct forum.

Would it be possible to get a canonical version of Tomcat (e.g. 8.5.78) built 
that contains the remediation for CVE-2022-0778? Is there anything I can do to 
help?

Matthew Mellon CISSP
Chief Information Security Officer
828.265.2907 ext 5058  |   www.ecrs.com




Re: a question about tomcat thread

2017-08-24 Thread Mark Thomas
On 24/08/17 21:39, Christopher Schultz wrote:
> Mark,
> On 8/23/17 4:26 PM, Mark Thomas wrote:
>> On 23/08/17 21:17, Christopher Schultz wrote:



>>> Max threads >= current thread count
>>> Current thread count >= current thread busy
>>> Current thread count >= Keeped alive sockets count
> 
>> That is true for BIO, but not for any of the other connections
>> which are all non-blocking between requests. With those connectors
>> you can have up to maxConnections open sockets in HTTP keep-alive
>> waiting for data to arrive.
> 
> Yes, but the keep-alive connections are not using a thread from any
> pool. It's not clear to me whether "keeped alive sockets count"
> actually counts the sockets or the threads. I don't use the manager
> application for anything other than JMX :)

I'd assumed sockets rather than threads but I don't know for sure.

/me goes to look at source code...

It is sockets.

Mark




Re: a question about tomcat thread

2017-08-24 Thread Christopher Schultz

Mark,

On 8/23/17 4:26 PM, Mark Thomas wrote:
> On 23/08/17 21:17, Christopher Schultz wrote:
>> To whom it may concern,
>> 
>> On 8/22/17 10:28 PM, ophusky wrote:
>>> Server version: Apache Tomcat/8.0.35
>>> Server built:   May 11 2016 21:57:08 UTC
>>> Server number:  8.0.35.0
>>> OS Name:        Linux
>>> OS Version:     3.2.35
>>> Architecture:   amd64
>>> JVM Version:    1.8.0_45-b14
>>> JVM Vendor:     Oracle Corporation
>> 
>> Thanks!
>> 
>>> 1. [root@app41 manager]# curl -s http://127.0.0.1/manager/status |grep -P -o 'Max threads:.*? '
>>> Max threads: 700 Current thread count: 478 Current thread busy: 17 Keeped alive sockets count: 5
>>> 2. [root@app41 manager]# pgrep jsvc
>>> 25446
>>> 25447
>>> [root@app41 manager]# ps -Lf 25447 | wc -l
>>> 541
>> 
>> Okay.
>> 
>>> I want to figure out the meaning of "Current thread count" 
>>> "Current thread busy" "Keeped alive sockets count" and
>>> relationship between 1 and 2.
>> 
>> Max threads >= current thread count
>> Current thread count >= current thread busy
>> Current thread count >= Keeped alive sockets count
> 
> That is true for BIO, but not for any of the other connections
> which are all non-blocking between requests. With those connectors
> you can have up to maxConnections open sockets in HTTP keep-alive
> waiting for data to arrive.

Yes, but the keep-alive connections are not using a thread from any
pool. It's not clear to me whether "keeped alive sockets count"
actually counts the sockets or the threads. I don't use the manager
application for anything other than JMX :)

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: a question about tomcat thread

2017-08-23 Thread Mark Thomas
On 23/08/17 21:17, Christopher Schultz wrote:
> To whom it may concern,
> 
> On 8/22/17 10:28 PM, ophusky wrote:
>> Server version: Apache Tomcat/8.0.35
>> Server built:   May 11 2016 21:57:08 UTC
>> Server number:  8.0.35.0
>> OS Name:        Linux
>> OS Version:     3.2.35
>> Architecture:   amd64
>> JVM Version:    1.8.0_45-b14
>> JVM Vendor:     Oracle Corporation
> 
> Thanks!
> 
>> 1. [root@app41 manager]# curl -s http://127.0.0.1/manager/status |grep -P -o 'Max threads:.*? '
>> Max threads: 700 Current thread count: 478 Current thread busy: 17 Keeped alive sockets count: 5
>> 2. [root@app41 manager]# pgrep jsvc
>> 25446
>> 25447
>> [root@app41 manager]# ps -Lf 25447 | wc -l
>> 541
> 
> Okay.
> 
>> I want to figure out the meaning of "Current thread count"
>> "Current thread busy" "Keeped alive sockets count" and relationship
>> between 1 and 2.
> 
> Max threads >= current thread count
> Current thread count >= current thread busy
> Current thread count >= Keeped alive sockets count

That is true for BIO, but not for any of the other connections which are
all non-blocking between requests. With those connectors you can have up
to maxConnections open sockets in HTTP keep-alive waiting for data to
arrive.

Mark

> 
>> I have read the document
>> http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Server_Status
>> if "Current thread busy" mean  "Parse and Prepare Request"  and
>> "Service"
> 
> Also "Finishing"
> 
>> "Keeped alive sockets count" mean  "Keep-Alive"?
> 
> Yes.
> 
> One question you didn't ask, but shows data for was "why does my
> process have 541 threads when Tomcat says it's got 478 threads". The
> answer is that Tomcat and the JVM are both running threads that are
> not servicing requests.
> 
> Take a thread dump of your JVM to see what those other threads are
> doing, and you'll see things like the "Finalizer" thread, various
> threads for GC, JIT, AWT (if graphics subsystem has been launched),
> the main thread itself, etc.
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: a question about tomcat thread

2017-08-23 Thread Christopher Schultz

To whom it may concern,

On 8/22/17 10:28 PM, ophusky wrote:
> Server version: Apache Tomcat/8.0.35
> Server built:   May 11 2016 21:57:08 UTC
> Server number:  8.0.35.0
> OS Name:        Linux
> OS Version:     3.2.35
> Architecture:   amd64
> JVM Version:    1.8.0_45-b14
> JVM Vendor:     Oracle Corporation

Thanks!

> 1. [root@app41 manager]# curl -s http://127.0.0.1/manager/status |grep -P -o 'Max threads:.*? '
> Max threads: 700 Current thread count: 478 Current thread busy: 17 Keeped alive sockets count: 5
> 2. [root@app41 manager]# pgrep jsvc
> 25446
> 25447
> [root@app41 manager]# ps -Lf 25447 | wc -l
> 541

Okay.

> I want to figure out the meaning of "Current thread count"
> "Current thread busy" "Keeped alive sockets count" and relationship
> between 1 and 2.

Max threads >= current thread count
Current thread count >= current thread busy
Current thread count >= Keeped alive sockets count

> I have read the document
> http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Server_Status
> if "Current thread busy" mean  "Parse and Prepare Request"  and
> "Service"

Also "Finishing"

> "Keeped alive sockets count" mean  "Keep-Alive"?

Yes.

One question you didn't ask, but shows data for was "why does my
process have 541 threads when Tomcat says it's got 478 threads". The
answer is that Tomcat and the JVM are both running threads that are
not servicing requests.

Take a thread dump of your JVM to see what those other threads are
doing, and you'll see things like the "Finalizer" thread, various
threads for GC, JIT, AWT (if graphics subsystem has been launched),
the main thread itself, etc.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



a question about tomcat thread

2017-08-22 Thread ophusky
Server version: Apache Tomcat/8.0.35
Server built:   May 11 2016 21:57:08 UTC
Server number:  8.0.35.0
OS Name:Linux
OS Version: 3.2.35
Architecture:   amd64
JVM Version:1.8.0_45-b14
JVM Vendor: Oracle Corporation
1.
[root@app41 manager]# curl -s http://127.0.0.1/manager/status |grep -P -o 'Max threads:.*? '
Max threads: 700 Current thread count: 478 Current thread busy: 17 Keeped alive sockets count: 5
2.
[root@app41 manager]# pgrep jsvc
25446
25447
[root@app41 manager]# ps -Lf 25447 | wc -l
541

I want to figure out the meaning of "Current thread count", "Current thread
busy" and "Keeped alive sockets count", and the relationship between 1 and 2.
I have read the document
http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Server_Status
Does "Current thread busy" mean "Parse and Prepare Request" and "Service",
and "Keeped alive sockets count" mean "Keep-Alive"?


please help me  thx~

Re: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-23 Thread Christopher Schultz

André,

On 5/22/17 3:19 PM, André Warnier (tomcat) wrote:
> On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:
>> Here attached is my server.xml host configure: 
>> > unpackWARs="true" autoDeploy="false" deployOnStartup="true">
>> > directory="logs" prefix="localhost_access_log." suffix=".txt"
>> pattern="%h %l %u %t %r %s %b" />
>
> With the above configuration, this is what happens :
> 
> 1) Any request coming in to your server, which has a Host: HTTP
> header which is not "recognised" by Tomcat, will be processed by
> this "defaultlocalhost" virtual Host. See : 
> http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes
>
>  2) this default virtual Host, as defined above, has an 
> appBase="webapps", just like the other Host which you defined. That
> is because "webapps" is the *default* value for this attribute,
> and you did not specify it otherwise in your "defaultlocalhost". 
> See :
> http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

+1

This is most likely the problem here.

Try  or something similar.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-23 Thread Cai, Charles [COMRES/RTC/RTC]



Charles Cai | T +1 440 329 4888

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Monday, May 22, 2017 3:19 PM
To: users@tomcat.apache.org
Subject: Re: Question about Tomcat Virtual Host to prevent 
Improper-Input-Handling attack

On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:
> Hi there,
>
>
> Server Specs:
> Server version: Apache Tomcat/7.0.54
> Server built:   May 19 2014 10:26:15
> Server number:  7.0.54.0
> OS Name:Windows Server 2012
> OS Version: 6.2
> Architecture:   amd64
> JVM Version:1.8.0_121-b13
> JVM Vendor: Oracle Corporation
>
>
> I'm currently in the process of trying to fix a site vulnerability; basically it
> is one type of "Improper Input Handling" attack.
>
> Let's say my website is www.mywebsite.com and there is a hacker's
> website www.hacker.com.
>
> Whenever there is a request sent to www.mywebsite.com with a modified "Host"
> header pointing to www.hacker.com, my site will create a redirect to
> www.mywebsite.com along with whatever the URL was. e.g.
>
> Normal:
> Host: www.mywebsite.com
> GET  www.mywebsite.com/get/some/resources/
> Response 200 ok
>
> Hack:
> Host: www.hacker.com (#been manually modified)
> GET  www.mywebsite.com/get/some/resources/
> Response 302
> Send another Redirect to www.hacker.com/get/some/resources
>
> My website is running on Tomcat 7. I tried a solution: setting up a virtual
> host that points unknown hosts to a defaultlocalhost which is supposed to do
> nothing, but it still sends the redirect for some reason.
>
> Here attached is my server.xml host configure:
>  jvmRoute="jvm1">   unpackWARs="true" autoDeploy="false" deployOnStartup="true">
>   directory="logs"
> prefix="localhost_access_log." suffix=".txt"
> pattern="%h %l %u %t %r %s %b" />
>
> So, my question is: am I on the right track to prevent this kind of attack? If
> yes, what did I do wrong that it is still not working? (The ultimate goal is,
> if it is not the legit Host that was passed in, the request should be
> discarded/ignored/return 404, not redirected with 302.)
>

Hi.
The first thing is, as far as I know, Tomcat *by itself* will not generate this 
redirect response.
But an application deployed inside Tomcat might do that, perhaps.

With the above configuration, this is what happens :


1) Any request coming in to your server, which has a Host: HTTP header which is 
not "recognised" by Tomcat, will be processed by this "defaultlocalhost" 
virtual Host.
See :  http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes

2) this default virtual Host, as defined above, has an appBase="webapps", just 
like the other Host which you defined.
That is because "webapps" is the *default* value for this attribute, and you 
did not specify it otherwise in your "defaultlocalhost".
See : http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

3) thus, if your normal application corresponding to the URI 
(get/some/resources/) is deployed under (tomcat_dir)/webapps, then your 
application will be called when anyone sends the following HTTP request to your 
server :

GET get/some/resources/ HTTP/1.1
Host: evil.hackers.com (or whatever is not "www.mywebsite.com")

What your application then does with this call, is up to your application.
If it is some kind of framework, it might very well decide to return a redirect 
response.
But that is not tomcat code.

If you want to protect against this, then you should provide your 
"defaultlocalhost" with a real appBase, different from the standard "webapps", 
and maybe put a default application there which returns a lit cluster bomb to 
the evil hacker.
(or more reasonably, a "not found" response; which tomcat will do by itself if 
there is nothing there that matches the request URI).

Note that in addition, with your above configuration, there should be warnings 
in the tomcat logfile, because your application will be deployed twice : once 
for the "defaultlocalhost" Host, and once for the "www.mywebsite.com" Host.



> Thank you in advance.
>
> More references about the attack here :
> http://www.skeletonsc

Re: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-22 Thread tomcat

On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:

Hi there,


Server Specs:
Server version: Apache Tomcat/7.0.54
Server built:   May 19 2014 10:26:15
Server number:  7.0.54.0
OS Name:Windows Server 2012
OS Version: 6.2
Architecture:   amd64
JVM Version:1.8.0_121-b13
JVM Vendor: Oracle Corporation


I'm currently in the process of trying to fix a site vulnerability; basically it is one type 
of "Improper Input Handling" attack.

Let's say my website is www.mywebsite.com and there is a hacker's website 
www.hacker.com.

Whenever there is a request sent to www.mywebsite.com with a modified "Host" 
header pointing to www.hacker.com, my site will create a redirect to www.mywebsite.com along 
with whatever the URL was. e.g.

Normal:
Host: www.mywebsite.com
GET  www.mywebsite.com/get/some/resources/
Response 200 ok

Hack:
Host: www.hacker.com (#been manually modified)
GET  www.mywebsite.com/get/some/resources/
Response 302
Send another Redirect to www.hacker.com/get/some/resources
My website is running on Tomcat 7. I tried a solution: setting up a virtual 
host that points unknown hosts to a defaultlocalhost which is supposed to do 
nothing, but it still sends the redirect for some reason.

Here attached is my server.xml host configure:

So, my question is: am I on the right track to prevent this kind of attack? If 
yes, what did I do wrong that it is still not working? (The ultimate goal is, if 
it is not the legit Host that was passed in, the request should be 
discarded/ignored/return 404, not redirected with 302.)



Hi.
The first thing is, as far as I know, Tomcat *by itself* will not generate this redirect 
response.

But an application deployed inside Tomcat might do that, perhaps.

With the above configuration, this is what happens :


1) Any request coming in to your server, which has a Host: HTTP header which is not 
"recognised" by Tomcat, will be processed by this "defaultlocalhost" virtual Host.

See :  http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes

2) this default virtual Host, as defined above, has an appBase="webapps", just like the 
other Host which you defined.
That is because "webapps" is the *default* value for this attribute, and you did not 
specify it otherwise in your "defaultlocalhost".

See : http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

3) thus, if your normal application corresponding to the URI (get/some/resources/) is 
deployed under (tomcat_dir)/webapps, then your application will be called when anyone 
sends the following HTTP request to your server :


GET get/some/resources/ HTTP/1.1
Host: evil.hackers.com (or whatever is not "www.mywebsite.com")

What your application then does with this call, is up to your application.
If it is some kind of framework, it might very well decide to return a redirect 
response.
But that is not tomcat code.

If you want to protect against this, then you should provide your "defaultlocalhost" with 
a real appBase, different from the standard "webapps", and maybe put a default application 
there which returns a lit cluster bomb to the evil hacker.
(or more reasonably, a "not found" response; which tomcat will do by itself if there is 
nothing there that matches the request URI).


Note that in addition, with your above configuration, there should be warnings in the 
tomcat logfile, because your application will be deployed twice : once for the 
"defaultlocalhost" Host, and once for the "www.mywebsite.com" Host.





Thank you in advance.

More references about the attack here :
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling

Original Post on stackoverflow:  
https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack

Charles Cai | Web Application Developer | RIDGID
Emerson Commercial & Residential Solutions |
charles@emerson.com


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
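The fix André describes, as an added server.xml example that is not part of the original thread: the Host layout from the post beside one where "defaultlocalhost" gets its own appBase, so a request with an unrecognised Host header lands in an empty host and Tomcat itself answers 404. The "before" is reconstructed from the attribute fragments that survive in the post, and the directory name webapps-default is an assumption.

```xml
<!-- BEFORE (reconstructed from the attribute fragments in the post; the
     exact original markup did not survive). Both Hosts end up with
     appBase="webapps": the second one never sets appBase, so it silently
     takes the default. A request whose Host header is not
     "www.mywebsite.com" is routed to defaultlocalhost, which deploys the
     very same webapps directory, so the real application still runs and
     is free to issue its redirect. Tomcat also warns that the application
     is deployed twice. -->
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">
  <Host name="www.mywebsite.com"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t %r %s %b"/>
  </Host>
  <Host name="defaultlocalhost"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true"/>
</Engine>

<!-- AFTER. The default Host gets its own appBase, relative to
     CATALINA_BASE (the directory name webapps-default is an assumption;
     create it and leave it empty). With nothing deployed there, Tomcat
     answers an unrecognised Host header with its own 404 and the
     application code is never invoked, so no framework redirect can be
     produced. Separate appBases also end the double deployment. -->
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t %r %s %b"/>
  </Host>
  <!-- Nothing will ever be deployed here, so deployment is switched off. -->
  <Host name="defaultlocalhost" appBase="webapps-default"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false"/>
</Engine>
```

To confirm the change, send a request carrying a Host header that is not www.mywebsite.com and check that the response is a 404 from Tomcat rather than a 302 from the application.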



Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-22 Thread Cai, Charles [COMRES/RTC/RTC]
Hi there, 


Server Specs:
Server version: Apache Tomcat/7.0.54
Server built:   May 19 2014 10:26:15
Server number:  7.0.54.0
OS Name:Windows Server 2012
OS Version: 6.2
Architecture:   amd64
JVM Version:1.8.0_121-b13
JVM Vendor: Oracle Corporation


I'm currently in the process of trying to fix a site vulnerability; basically it 
is one type of "Improper Input Handling" attack.

Let's say my website is www.mywebsite.com and there is a hacker's website 
www.hacker.com.

Whenever there is a request sent to www.mywebsite.com with a modified "Host" 
header pointing to www.hacker.com, my site will create a redirect to 
www.mywebsite.com along with whatever the URL was. e.g.

Normal:
Host: www.mywebsite.com
GET  www.mywebsite.com/get/some/resources/
Response 200 ok

Hack:
Host: www.hacker.com (#been manually modified)
GET  www.mywebsite.com/get/some/resources/
Response 302
Send another Redirect to www.hacker.com/get/some/resources
My website is running on Tomcat 7. I tried a solution: setting up a virtual 
host that points unknown hosts to a defaultlocalhost which is supposed to do 
nothing, but it still sends the redirect for some reason.

Here attached is my server.xml host configure:

So, my question is: am I on the right track to prevent this kind of attack? If 
yes, what did I do wrong that it is still not working? (The ultimate goal is, if 
it is not the legit Host that was passed in, the request should be 
discarded/ignored/return 404, not redirected with 302.)

Thank you in advance.

More references about the attack here : 
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html 
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling 

Original Post on stackoverflow:  
https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack
 

Charles Cai | Web Application Developer | RIDGID
Emerson Commercial & Residential Solutions |
charles@emerson.com


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: questions about tomcat 7 executor with rest services

2015-10-13 Thread Brian Millett
Thanks

> On Oct 12, 2015, at 5:01 PM, Mark Thomas  wrote:
> 
> On 12 October 2015 21:26:30 BST, Brian Millett  wrote:
>> I’m looking for some insight / info into using executor thread pool for
>> a tomcat 7 server that handles many REST services.   
>> Wondering if a large maxThreads in an Executor would have better
>> through put than the same maxThreads for a normal connector?
> 
> Nope. Internally the Connector uses an executor.
> 
>> What scenario would encourage the use of an Executor over a normal
>> connector? 
> 
> Sharing a common thread pool between multiple connectors. Usually when you 
> want to limit concurrent requests across http and http. 
> 
> Mark
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



questions about tomcat 7 executor with rest services

2015-10-12 Thread Brian Millett
I’m looking for some insight / info into using executor thread pool for a 
tomcat 7 server that handles many REST services.   
Wondering if a large maxThreads in an Executor would have better through put 
than the same maxThreads for a normal connector?

What scenario would encourage the use of an Executor over a normal connector? 

Thanks.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: questions about tomcat 7 executor with rest services

2015-10-12 Thread Mark Thomas
On 12 October 2015 21:26:30 BST, Brian Millett  wrote:
>I’m looking for some insight / info into using executor thread pool for
>a tomcat 7 server that handles many REST services.   
>Wondering if a large maxThreads in an Executor would have better
>through put than the same maxThreads for a normal connector?

Nope. Internally the Connector uses an executor.

>What scenario would encourage the use of an Executor over a normal
>connector? 

Sharing a common thread pool between multiple connectors. Usually when you want 
to limit concurrent requests across http and http. 

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
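The shared pool Mark describes, as an added server.xml example that is not from the thread: one Executor referenced by two connectors so that a single thread cap applies across both, which is the case where an Executor does something a Connector's own maxThreads cannot. Pool sizes, ports and the HTTPS keystore values are assumptions; the second connector being HTTPS is a reading of Mark's "http and http".

```xml
<!-- server.xml fragment (added example, not from the thread). -->
<Service name="Catalina">

  <!-- One bounded pool: at most 200 request-processing threads in total,
       however many connectors draw on it. Sizes are assumptions. -->
  <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
            maxThreads="200" minSpareThreads="10"
            maxIdleTime="60000"/>

  <!-- Both connectors reference the pool with executor="...". Once an
       executor is set, the connector's own maxThreads attribute is
       ignored, so 200 is the ceiling for HTTP and HTTPS together.
       maxConnections still bounds sockets held in keep-alive per
       connector; it is independent of the thread cap. -->
  <Connector port="8080"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             executor="tomcatThreadPool"
             connectionTimeout="20000"
             maxConnections="8192"
             redirectPort="8443"/>

  <!-- Keystore path and password are placeholders, not real values. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             executor="tomcatThreadPool"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/CHANGEME.jks" keystorePass="CHANGEME"
             clientAuth="false" sslProtocol="TLS"
             maxConnections="8192"/>

  <!-- Without the Executor, giving each Connector maxThreads="200" would
       allow up to 400 request threads in flight, one pool per connector. -->
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"/>
  </Engine>
</Service>
```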



Re: Question about Tomcat Rest Verbs initial settings allowed

2014-08-11 Thread Rob Silver
Thank you for verifying that! It helps a lot. I know TRACE and OPTIONS
may be a different story; TRACE at least can be disabled. I greatly
appreciate your response!


On Fri, Aug 8, 2014 at 7:50 PM, Rob Silver rss...@gmail.com wrote:

 Is it true that by default on an Apache Tomcat 7.025 server RESTFUL verbs
 are enabled
 as part of the HTTP protocol Tomcat uses?
 In other words, if I had a RESTful web application - perhaps a Spring MVC one -
 would it work out of the box as far as security constraints go?
 I have not yet seen any way to control a Tomcat server not to accept
 DELETE, PUT etc. in addition to standard GET / POST HTTP verbs.





Re: Question about Tomcat Rest Verbs initial settings allowed

2014-08-10 Thread Mark Thomas
On 09/08/2014 13:31, Christopher Schultz wrote:
 Rob,
 
 On 8/8/14, 7:50 PM, Rob Silver wrote:
 Is it true that by default on an Apache Tomcat 7.025 server RESTFUL
 verbs are enabled as part of the HTTP protocol Tomcat uses?
 
 Tomcat does not filter HTTP verbs other than TRACE out of the box. If
 you implement HttpServlet.service() then you can accept any verb you want.
 
 In other words, if I had a RESTful web application - perhaps a Spring
 MVC one - would it work out of the box as far as security constraints
 go?
 
 Security constraints and HTTP verbs are not really related.

Huh? Security constraints allow you to define the HTTP verbs they apply to.

Note: It is generally a bad idea to do this (because of HTTP verb
tampering) unless you are very careful and understand exactly what you
are doing.

Mark

 I have not yet seen any way to control a Tomcat server not to
 accept DELETE, PUT etc.. in addition to standard GET / POST http
 verbs.
 
 What have you tried?
 
 -chris
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Question about Tomcat Rest Verbs initial settings allowed

2014-08-10 Thread Christopher Schultz

Mark,

On 8/10/14, 4:44 AM, Mark Thomas wrote:
 On 09/08/2014 13:31, Christopher Schultz wrote:
 Rob,
 
 On 8/8/14, 7:50 PM, Rob Silver wrote:
 Is it true that by default on an Apache Tomcat 7.025 server
 RESTFUL verbs are enabled as part of the HTTP protocol Tomcat
 uses?
 
 Tomcat does not filter HTTP verbs other than TRACE out of the
 box. If you implement HttpServlet.service() then you can accept
 any verb you want.
 
 In other words, if I had a RESTful web application - perhaps a
 Spring MVC one - would it work out of the box as far as security
 constraints go?
 
 Security constraints and HTTP verbs are not really related.
 
 Huh? Security constraints allow you to define the HTTP verbs they
 apply to.

The OP was asking about built-in Tomcat restrictions against any of
this stuff. While security constraints can be applied to certain HTTP
verbs, one has to do that kind of thing oneself; I would therefore
expect the OP to be aware of any self-imposed constraints.

 Note: It is generally a bad idea to do this (because of HTTP verb 
 tampering) unless you are very careful and understand exactly what
 you are doing.

+1

Apache httpd's LimitExcept is a great feature. It's too bad web.xml
is not quite so explicit about that kind of thing.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
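The verb-tampering point Mark makes and the LimitExcept comparison, as an added web.xml example that is not from the thread: a constraint that lists only GET and POST (leaving every other verb uncovered) beside forms that cover all verbs, plus an empty auth-constraint that refuses PUT and DELETE outright, which answers Rob's original question. Servlet 3.0 / Tomcat 7 syntax; the role name admin and the URL patterns are assumptions.

```xml
<!-- web.xml fragments (added example, not from the thread). -->

<!-- WEAK: only the verbs that are listed are protected. This descriptor
     says nothing about PUT, DELETE, HEAD, OPTIONS or a made-up verb, so
     all of them reach the servlet with no authentication at all. That is
     the HTTP verb tampering Mark warns about. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-ui</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- STRONGER: no <http-method> element at all, so the constraint covers
     every verb, including ones the application has never heard of. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-ui</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Rob's question: refuse PUT and DELETE everywhere. An empty
     <auth-constraint/> means "no role may access", so Tomcat answers 403
     for these verbs on any path regardless of what the servlet would do.
     Naming verbs is safe here because this rule only ever takes access
     away; it never widens what other rules allow. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>no-write-verbs</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Servlet 3.0 analogue of httpd's LimitExcept: <http-method-omission>
     names the verbs this collection does NOT cover, so it covers all the
     rest. Here only GET stays open; everything else needs the admin role.
     (Servlet 3.1 / Tomcat 8 additionally offers
     <deny-uncovered-http-methods/>, which rejects any verb left
     uncovered by the constraints above.) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>everything-but-get</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```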



Re: Question about Tomcat Rest Verbs initial settings allowed

2014-08-09 Thread Christopher Schultz

Rob,

On 8/8/14, 7:50 PM, Rob Silver wrote:
 Is it true that by default on an Apache Tomcat 7.025 server RESTFUL 
 verbs are enabled as part of the HTTP protocol Tomcat uses?

Tomcat does not filter HTTP verbs other than TRACE out of the box. If
you implement HttpServlet.service() then you can accept any verb you want.

 In other words, if I had a RESTful web application - perhaps a Spring
 MVC one - would it work out of the box as far as security constraints
 go?

Security constraints and HTTP verbs are not really related.

 I have not yet seen any way to control a Tomcat server not to
 accept DELETE, PUT etc.. in addition to standard GET / POST http
 verbs.

What have you tried?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Question about Tomcat Rest Verbs initial settings allowed

2014-08-08 Thread Rob Silver
Is it true that by default on an Apache Tomcat 7.025 server RESTFUL verbs
are enabled
as part of the HTTP protocol Tomcat uses?
In other words, if I had a RESTful web application - perhaps a Spring MVC one -
would it work out of the box as far as security constraints go?
I have not yet seen any way to control a Tomcat server not to accept
DELETE, PUT etc. in addition to standard GET / POST HTTP verbs.


Re: About tomcat 8.0.0 dev documentation

2012-12-13 Thread Mark Thomas


Ram Laxman ram.laxman241...@yahoo.com wrote:

Hi there, 

  I want to know how to access the tomcat dev 8.0.0 documentation
  which has the actual URL
  http://ci.apache.org/projects/tomcat/tomcat8/docs/index.html
  but I am unable to access it.
  When I try to access it from the Google cached copy,
  I get the screen I have attached here.
  Thanks!!

As you have already been told, that is the output of the continuous integration 
system. There are no Tomcat 8 docs anywhere else because there has not been a 
release of Tomcat 8.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Some questions about Tomcat ISAPI Connector and its documentation

2012-03-11 Thread Konstantin Preißer
Hello Konstantin Kolinko and André Warnier,

thank you both for your replies.


 -Original Message-
 From: André Warnier [mailto:a...@ice-sa.com]
 Sent: Sunday, March 11, 2012 12:14 AM
 To: Tomcat Users List
 Subject: Re: Some questions about Tomcat ISAPI Connector and its
 documentation
 
 That is probably what isapi_redirector does anyway (forward the request
 to Tomcat, and let
 Tomcat send the 404 response (which may be customised)).

In such a case, the ISAPI connector seems to send its own 404 error message 
(which can't be customized, I think).


 But perhaps the log message in the isapi_redirector log is there for
 the following reason
 : when Tomcat is hosted on a separate host, it may be nice, on the
 IIS/isapi_redirector
 host, to have a log entry recording this.  Just in case the IIS-side
 logs are being
 watched closely, and the Tomcat logs less so.
 After all, someone using a URL including WEB-INF or META-INF, is quite
 likely to be
 someone who /is/ trying to hack the system.
 
 That kind of overlaps the warning in red text that is present on the
 connectors how-to
 pages, like :
 
 However, you should be very careful when you implement the following
 configuration style,
 because by doing so you are in fact providing a back-door to IIS, and
 allowing it to
 serve files out of a Tomcat context without Tomcat's knowledge, thus
 bypassing any
 security restrictions which Tomcat itself and the Tomcat context
 (webapp) may place on
 those files.

That's right; however, it seems that the warning only appears when the request 
is actually mapped to the ISAPI connector - if it is not mapped to it, it does 
not prevent accessing directories called WEB-INF (e.g. when trying to have 
IIS serve the static files and Tomcat serve only Servlets/JSPs).

 Does this log message bother you ? why would you want to /not/ have it
 ?
 

It does not bother me - I just wondered why the ISAPI connector would do these 
checks, when Tomcat already does them. :)


Regards,
Konstantin Preißer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Some questions about Tomcat ISAPI Connector and its documentation

2012-03-10 Thread Konstantin Preißer
Hi all,

I have some questions about the documentation of the ISAPI Connector 1.2.32 
(and about the connector itself).


1. In the Reference Guide for IIS 
(http://tomcat.apache.org/connectors-doc/reference/iis.html), the registry 
options are listed. For the option enable_chunked_encoding which controls if 
chunked encoding is used, there is the note:

This option is considered experimental and its support must be compile time 
enabled. Use isapi_redirect.dll with chunked support enabled.

Is enabling chunked encoding still considered experimental? I have been using it 
for a year or so on IIS 7 and never encountered any problems with it (besides one 
or two bugs which I reported and got fixed). Also, I'm not sure if the phrase 
"its support must be compile time enabled" still applies, as it seems 
that the binaries have been compiled with support for chunked encoding since 
1.2.30 or so.


I would consider chunked encoding support as a requirement for optimal 
performance, because without supporting it, each time a response is sent to a 
client without knowing the Content-Length in advance, the TCP connection has to 
be closed (and re-opened when another request should be performed), which is 
why I always enable chunked encoding in the ISAPI connector.

If there are no reported problems with chunked encoding, maybe the docs 
could be changed to remove the "experimental" note? Maybe even the default 
value for enable_chunked_encoding in the connector itself could be changed 
from false to true?


2. I observed that when a request is made to IIS which is mapped to Tomcat, and 
the request path contains the string WEB-INF, like
http://www.example.com/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf
then the ISAPI connector logs a statement like this:

[Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] 
handle_notify_event::jk_isapi_plugin.c (1997): 
[/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or 
meta-inf directory. Somebody tries to hack into the site!!!

If I remember correctly, in some earlier versions of the ISAPI connector (or 
IIS), in such cases the TCP connection from IIS to the client would also be 
closed without any reply; however, in the current version, a 404 reply is sent 
from the ISAPI connector.

I'm wondering why the ISAPI redirector checks if WEB-INF occurs in the path, 
because Tomcat seems to already check if a request is made to the WEB-INF or 
META-INF directory of a web application, and if so, sends back a normal 404 
response. Is this a kind of relic from earlier times? I would expect that the 
ISAPI redirector just passes the request to Tomcat and lets Tomcat decide how 
requests to forbidden directories are handled, without writing an emergency 
log entry.


Thanks!

Regards,
Konstantin Preißer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Some questions about Tomcat ISAPI Connector and its documentation

2012-03-10 Thread André Warnier

Konstantin Preißer wrote:
...


2. I observed that when a request is made to IIS which is mapped to Tomcat, and the 
request path contains the string WEB-INF, like
http://www.example.com/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf
then the ISAPI connector logs a statement like this:

[Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] 
handle_notify_event::jk_isapi_plugin.c (1997): 
[/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or 
meta-inf directory. Somebody tries to hack into the site!!!

If I remember correctly, in some earlier versions of the ISAPI connector (or 
IIS), in such cases the TCP connection from IIS to the client would also be 
closed without any reply; however, in the current version, a 404 reply is sent 
from the ISAPI connector.

 I'm wondering why the ISAPI redirector checks if WEB-INF occurs in the path, because Tomcat seems to already check if a request is made to the WEB-INF or META-INF directory of a web application, and if so, sends back a normal 404 response. Is this a kind of relic from earlier times? I would expect that the ISAPI redirector just passes the request to Tomcat and lets Tomcat decide how requests to forbidden directories are handled, without writing an emergency log entry.

That is probably what isapi_redirector does anyway (forward the request to Tomcat, and let 
Tomcat send the 404 response (which may be customised)).
But perhaps the log message in the isapi_redirector log is there for the following reason: 
when Tomcat is hosted on a separate host, it may be nice, on the IIS/isapi_redirector 
host, to have a log entry recording this.  Just in case the IIS-side logs are being 
watched closely, and the Tomcat logs less so.
After all, someone using a URL including WEB-INF or META-INF is quite likely to be 
someone who /is/ trying to hack the system.


That kind of overlaps the warning in red text that is present on the connectors how-to 
pages, like:


However, you should be very careful when you implement the following configuration style, 
because by doing so you are in fact providing a back-door to IIS, and allowing it to 
serve files out of a Tomcat context without Tomcat's knowledge, thus bypassing any 
security restrictions which Tomcat itself and the Tomcat context (webapp) may place on 
those files.


Does this log message bother you? Why would you want to /not/ have it?





Re: Some questions about Tomcat ISAPI Connector and its documentation

2012-03-10 Thread Konstantin Kolinko
2012/3/11 Konstantin Preißer verlag.preis...@t-online.de:
 Hi all,

 I have some questions about the documentation of the ISAPI Connector 1.2.32 
 (and about the connector itself).


 1. In the Reference Guide for IIS 
 (http://tomcat.apache.org/connectors-doc/reference/iis.html), the registry 
 options are listed. For the option enable_chunked_encoding which controls 
 if chunked encoding is used, there is the note:

 This option is considered experimental and its support must be compile time 
 enabled. Use isapi_redirect.dll with chunked support enabled.

 Is enabling chunked encoding still considered experimental? I have been using 
 it for a year or so on IIS 7 and never encountered any problems with it 
 (besides one or two bugs which I reported and got fixed). Also, I'm not sure 
 if the phrase "its support must be compile time enabled" still applies, as it 
 seems that the binaries have been compiled with support for chunked encoding 
 since 1.2.30 or so.


 I would consider chunked encoding support as a requirement for optimal 
 performance, because without supporting it, each time a response is sent to a 
 client without knowing the Content-Length in advance, the TCP connection has 
 to be closed (and re-opened when another request should be performed), which 
 is why I always enable chunked encoding in the ISAPI connector.

 If there are no problems with the chunked encoding reported, maybe the docs 
 could be changed to remove the experimental note? Maybe even the default 
 value for enable_chunked_encoding in the connector itself could be changed 
 from false to true?


 2. I observed that when a request is made to IIS which is mapped to Tomcat, 
 and the request path contains the string WEB-INF, like
 http://www.example.com/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf
 then the ISAPI connector logs a statement like this:

 [Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] 
 handle_notify_event::jk_isapi_plugin.c (1997): 
 [/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or 
 meta-inf directory. Somebody tries to hack into the site!!!

 If I remember correctly, in some earlier versions of the ISAPI connector (or 
 IIS), in such cases the TCP connection from IIS to the client would also be 
 closed without any reply; however, in the current version, a 404 reply is 
 sent from the ISAPI connector.

 I'm wondering why the ISAPI redirector checks if WEB-INF occurs in the path, 
 because Tomcat seems to already check if a request is made to the WEB-INF or 
 META-INF directory of a web application, and if so, sends back a normal 404 
 response. Is this a kind of relic from earlier times? I would expect that the 
 ISAPI redirector just passes the request to Tomcat and lets Tomcat decide how 
 requests to forbidden directories are handled, without writing an emergency 
 log entry.

Regarding this 2nd question - see also this recent issue:

https://issues.apache.org/bugzilla/show_bug.cgi?id=51769
False positive: Somebody try to hack into the site!!!
 Fixed in r1187916, will be part of version 1.2.33.

Best regards,
Konstantin Kolinko

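André Warnier's point (a record of WEB-INF/META-INF requests on the IIS side is useful when Tomcat lives on another host) and Konstantin Kolinko's pointer to a false-positive bug in that check both come down to two pieces of logic: recognising a protected directory in a request path, and pulling the relevant entries out of the connector log. The following is an added example, not the connector's code: the path test compares whole segments after normalisation, a substring variant is included only to show the class of false positive such a check can produce (the path /app/web-information/ is constructed here and is not claimed to be the trigger of the linked bug), and the log parser is written against the log line quoted above, run over a constructed sample log.

```python
import re
from urllib.parse import unquote

# Directories Tomcat never serves directly; the ISAPI redirector refuses
# them too. The check below compares whole path segments, case-insensitively,
# after normalisation, rather than searching for a substring.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}

# Field layout of the isapi_redirect log line quoted in the thread:
# [timestamp] [pid:tid] [level] function::file (line): [path] message
# (the "[path] " part is only present on some messages, hence optional).
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):(?P<tid>\d+)\] \[(?P<level>\w+)\] "
    r"(?P<func>\S+) \((?P<line>\d+)\): (?:\[(?P<path>[^\]]*)\] )?(?P<msg>.*)$"
)


def normalize_path(path, max_decode_rounds=3):
    """Percent-decode (bounded, so nested encoding cannot hide a segment),
    unify separators and resolve '.' and '..' before any comparison."""
    decoded = path
    for _ in range(max_decode_rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    segments = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected_path(path):
    """True when a whole segment of the normalised path is WEB-INF or META-INF."""
    return any(seg.upper() in PROTECTED_DIRS
               for seg in normalize_path(path).split("/") if seg)


def naive_substring_check(path):
    """Substring variant, kept only to show the false positive it produces on
    an ordinary path such as /app/web-information/ (constructed example)."""
    lowered = path.lower()
    return "web-inf" in lowered or "meta-inf" in lowered


def parse_isapi_log_line(line):
    """Split one connector log line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def protected_dir_events(lines):
    """(timestamp, path) for every [emerg] line that records a WEB-INF/META-INF
    hit, i.e. what a reviewer of the IIS-side log would want to pull out."""
    events = []
    for line in lines:
        rec = parse_isapi_log_line(line)
        if rec and rec["level"] == "emerg" and "web-inf or meta-inf" in rec["msg"]:
            events.append((rec["ts"], rec["path"]))
    return events


# Constructed sample log: the first entry is the line quoted in the thread; the
# other two are made up for this example (line number 0 marks the placeholder).
SAMPLE_LOG = [
    "[Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] "
    "handle_notify_event::jk_isapi_plugin.c (1997): "
    "[/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or "
    "meta-inf directory. Somebody tries to hack into the site!!!",
    "[Sat Mar 10 22:35:01.112 2012] [11744:10792] [info] "
    "HttpExtensionProc::jk_isapi_plugin.c (0): constructed non-alert line",
    "[Sat Mar 10 22:35:07.498 2012] [11744:10793] [emerg] "
    "handle_notify_event::jk_isapi_plugin.c (1997): "
    "[/shop/META-INF/MANIFEST.MF] points to the web-inf or "
    "meta-inf directory. Somebody tries to hack into the site!!!",
]

if __name__ == "__main__":
    for ts, path in protected_dir_events(SAMPLE_LOG):
        print(f"{ts}  {path}")
    for candidate in ("/app/web-information/index.html", "/app/%57EB-INF/web.xml"):
        print(f"{candidate:36} segment={is_protected_path(candidate)!s:5} "
              f"substring={naive_substring_check(candidate)}")
```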



Question about Tomcat Windows service configuration

2011-12-31 Thread Naveen Alex
Hi,

I am stuck with an issue on Tomcat 6.x version.

I have two folders under the /webapps/ folder called appstore and
static-content. appstore has a UI which will write files to a folder in the
static-content directory under webapps.

Everything works fine when I run Tomcat as a standalone version, but when I
run it as a Windows service, the application called appstore is not able
to create any folders or files under static-content.

I tried giving security manager options in the registry but still it doesn't
work. Please help me out. Can't understand why it works standalone but not
as a Windows service.



Thanks and regards,
Naveen Alex


Re: Question about Tomcat Windows service configuration

2011-12-31 Thread Konstantin Kolinko
2011/12/31 Naveen Alex naveen.a...@gmail.com:
 Hi,

 I am stuck with an issue on Tomcat 6.x version.

 I have two folders under the /webapps/ folder called appstore and
 static-content. appstore has a UI which will write files to a folder in the
 static-content directory under webapps.

 Everything works fine when I run Tomcat as a standalone version, but when I
 run it as a Windows service, the application called appstore is not able
 to create any folders or files under static-content.

1. Do you know that you can configure the Service to use a user's account
when it runs? That can be done in the Windows Control Panel or in the
Tomcat Service configuration program (tomcat6w.exe).

If you do not configure it to use a user's account it will use a
special system account called LocalService and that might not have
the necessary permissions.

2. UAC of Windows Vista and later can interfere with the above.
Especially if you have installed Tomcat to C:\Program Files. (IIRC it
is possible to circumvent it by assigning some permissions to the
installation folder, but the FAQ does not mention it)

See
http://wiki.apache.org/tomcat/FAQ/Windows


 I tried giving security manager options in the registry but still it doesn't
 work. Please help me out. Can't understand why it works standalone but not
 as a Windows service.

What do you mean by security manager? Java security manager is quite
a different beast.

Best regards,
Konstantin Kolinko




Re: Question about Tomcat Windows service configuration

2011-12-31 Thread Naveen Alex
Thanks for the reply. I tried that and it doesn't work.

I have assigned an admin user to run the service and all the admin
permissions to the webapps folder. I have the Tomcat folder outside of the
Program Files folder in Windows.

Not sure why it doesn't work. Any other suggestions?


Thanks and regards,
Naveen Alex



On Sat, Dec 31, 2011 at 4:44 AM, Konstantin Kolinko
knst.koli...@gmail.comwrote:

 2011/12/31 Naveen Alex naveen.a...@gmail.com:
  Hi,
 
  I am stuck with an issue on Tomcat 6.x version.
 
  I have two folders under the /webapps/ folder called appstore and
  static-content. appstore has a UI which will write files to a folder in the
  static-content directory under webapps.
 
  Everything works fine when I run Tomcat as a standalone version, but when I
  run it as a Windows service, the application called appstore is not able
  to create any folders or files under static-content.

 1. Do you know that you can configure the Service to use a user's account
 when it runs? That can be done in the Windows Control Panel or in the
 Tomcat Service configuration program (tomcat6w.exe).

 If you do not configure it to use a user's account it will use a
 special system account called LocalService and that might not have
 the necessary permissions.

 2. UAC of Windows Vista and later can interfere with the above.
 Especially if you have installed Tomcat to C:\Program Files. (IIRC it
 is possible to circumvent it by assigning some permissions to the
 installation folder, but the FAQ does not mention it)

 See
 http://wiki.apache.org/tomcat/FAQ/Windows

 
  I tried giving security manager options in the registry but still it doesn't
  work. Please help me out. Can't understand why it works standalone but not
  as a Windows service.

 What do you mean by security manager? Java security manager is quite
 a different beast.

 Best regards,
 Konstantin Kolinko





RE: Question about Tomcat Windows service configuration

2011-12-31 Thread Caldarale, Charles R
 From: Naveen Alex [mailto:naveen.a...@gmail.com] 
 Subject: Re: Question about Tomcat Windows service configuration

 I have the tomcat folder outside of the program files in windows.

How far outside?  On a local drive, or a network mounted one?

 - Chuck





Re: Question about Tomcat Windows service configuration

2011-12-31 Thread Naveen Alex
Hi Chuck,

It's on the system D drive itself.

On Saturday, December 31, 2011, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:
 From: Naveen Alex [mailto:naveen.a...@gmail.com]
 Subject: Re: Question about Tomcat Windows service configuration

 I have the tomcat folder outside of the program files in windows.

 How far outside?  On a local drive, or a network mounted one?

  - Chuck





-- 
Thanks and regards,
Naveen Alex


About tomcat 6.0 and jcom lib

2011-06-17 Thread 国清 mack Lu
Hi all
   I have a problem with the tomcat6.0.32 server config when I use the jcom 
lib to do the print job.
   When I use the unpacked version and click startup.bat to start the server in 
Windows XP, I can use the JCOM lib to do the print job.
But when I start Tomcat (installed version) with the Windows service, I can use 
it too, but cannot use the remote printer to do the
print job.
   I think the reason is about the system environment and the Tomcat server 
config.
   Can anyone help me?
   THX!

2011-06-17
mack Lu


Question about Tomcat 6.020 appBase Vs autoDeploy?

2009-12-21 Thread Pascal Vachon
Hi,

I'm new to Tomcat, but I managed to install Tomcat 6.020 which I use on a 
development server (production server will come soon).
I have three development environments on this server, which are DEV, TEST 
and STAGE.

Here's what my directory looks like: 
\Tomcat 6.0\webapps\WebAppMan\dev
\Tomcat 6.0\webapps\WebAppMan\test
\Tomcat 6.0\webapps\WebAppMan\stage

Here's the host line in my server.xml file: 
<Host name="xwebapp-man-mobile-dev.domain.com" appBase="webapps/WebAppMan" 
unpackWARs="true" autoDeploy="true">

As you can see, my appBase is set to webapps/WebAppMan, because I wanted 
to have URLs like this (identifying the development environment used):
https://xwebapp-man-mobile-dev.domain.com/dev/...
https://xwebapp-man-mobile-dev.domain.com/test/...
https://xwebapp-man-mobile-dev.domain.com/stage/...

However, even if autoDeploy is set to true, it doesn't seem to work inside 
nested folders.
It works if I place a .WAR file inside the webapps/WebAppMan folder, but 
it doesn't work if I place it inside the webapps/WebAppMan/dev folder, 
for example.

The problem with that is that I want to give developers read/write 
access to everything inside the dev, test and stage folders... but I 
don't want to give them access to the WebAppMan folder.
They told me they have to use the autoDeploy feature to correctly install 
their applications... and I want them to install these inside the dev, 
test or stage folders (not inside the root folder WebAppMan).

I could change my appBase to point directly to the dev folder, like 
appBase="webapps/WebAppMan/dev"... but that would mean I would also have 
to do this for the test and stage environments.
I would then have to create three DNS hosts instead of one (ex: 
xwebapp-man-mobile-dev, xwebapp-man-mobile-test, 
xwebapp-man-mobile-stage).  I tried to avoid that, because we have a naming 
convention here that the DNS host name identifies the dev server or 
the prod server, and the folder name identifies the environment used 
on that server.

Is there a way to keep my logic in place... and still satisfy the 
developers' demand (be able to deploy applications themselves using a .WAR 
file)?
Again, I'm new to Tomcat, so sorry if this looks like a weird question.

Thanks!
_
Pascal Vachon
Senior Analyst Programmer
Canam Group
Phone: 418-228-8031 #2567 | Fax: 418-227-8697
Email: pascal.vac...@canamgroup.ws
Web Site: Canam Group




Re: Question about Tomcat 6.020 appBase Vs autoDeploy?

2009-12-21 Thread Mark Thomas
On 21/12/2009 18:50, Pascal Vachon wrote:
 Is there a way to keep my logic in place... and still satisfy the 
 developers demand (be able to deploy applications themselves using a .WAR 
 file)?
 Again, I'm new to Tomcat, so sorry if this looks like a weird question.

You can use virtual hosting. See
http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html

You can give your developers read/write to the dev host's appBase but
not the other appBase directories.

Mark






Re: Question about Tomcat 6.020 appBase Vs autoDeploy?

2009-12-21 Thread Pascal Vachon
Thanks for your quick answer... but doesn't that require a different DNS 
host name for my three development environments? (ex: 
xwebapp-man-mobile-dev, xwebapp-man-mobile-test, 
xwebapp-man-mobile-stage).

<Engine name="Catalina" defaultHost="ren">
  <Host name="ren" appBase="renapps"/>
  <Host name="stimpy" appBase="stimpyapps"/>
</Engine>


Like I mentioned in my question, I would like to use the same DNS host 
name for my three development environments... but use a different folder 
for each one of them in my URL.
I just don't know how to make autoDeploy work inside nested folders.

Pascal



From:
Mark Thomas ma...@apache.org
To:
Tomcat Users List users@tomcat.apache.org
Date:
12/21/2009 01:57 PM
Subject:
Re: Question about Tomcat 6.020 appBase Vs autoDeploy?



On 21/12/2009 18:50, Pascal Vachon wrote:
 Is there a way to keep my logic in place... and still satisfy the 
 developers demand (be able to deploy applications themselves using a 
.WAR 
 file)?
 Again, I'm new to Tomcat, so sorry if this looks like a weird question.

You can use virtual hosting. See
http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html

You can give your developers read/write to the dev host's appBase but
not the other appBase directories.

Mark








Re: Question about Tomcat 6.020 appBase Vs autoDeploy?

2009-12-21 Thread Mark Thomas
On 21/12/2009 19:08, Pascal Vachon wrote:
 Thanks for your quick answer... but doesn't that require a different DNS 
 host name for my three development environments?

Yes.

 Like I mentioned in my question, I would like to use the same DNS host 
 name for my three development environments... but use a different folder 
 for each one of them in my URL.
 I just don't know how to make autoDeploy work inside nested folders.

You can't do what you are trying to do without separate hosts.

Mark

Aside: Nested folders can be achieved using the # syntax. E.g.:
dev#app1.war

but this does not let you limit developers to just the dev directory.






Re: doubts about tomcat form based authentication

2009-10-20 Thread Curtis Garman
I'm interested in what others have to say about this too...for
instance there is no provision for disabling an account either...if
the account exists you can login with it.

I'm not sure I understand the second part of your question about
authorization...do you mean authorization or authentication?...if you
really mean authentication, it sounds to me like you don't have
something set up correctly...you should be getting a 403 access denied
in both Firefox and IE if login fails. Authorization has nothing to do
with form based authentication and would be handled by the container
based on the roles you create.

Curtis

On Tue, Oct 20, 2009 at 1:50 AM, Nirvann jatin.kulka...@yahoo.com wrote:

 I am trying to explore the form based authentication provided by container. I
 have some doubts regarding same.
 The first thing is what mechanism can be used to handle authorization
 errors. For authentication we have control of jsp pages (Login and Login
 error pages). But there is nothing to let users know that they are failing
 role based authorization.
 Secondly, a subquestion of first, how does the container signal an
 authorization error. I tried with IE and Mozilla. In IE I get a 404 resource
 not found. In mozilla it just displays a blank page.

 regards,
 nirvan.






-- 
Curtis Garman
Web Programmer
Heartland Community College




Re: doubts about tomcat form based authentication

2009-10-20 Thread Nirvann


Curtis Garman wrote:
 
 I'm interested in what others have to say about this too...for
 instance there is no provision for disabling an account either...if
 the account exists you can login with it.
 
 I'm not sure I understand the second part of your question about
 authorization...do you mean authorization or authentication?...if you
 really mean authentication, it sounds to me like you don't have
 something set up correctly...you should be getting a 403 access denied
 in both Firefox and IE if login fails. Authorization has nothing to do
 with form based authentication and would be handled by the container
 based on the roles you create.
 
 Curtis
 

I meant authorization. Consider a scenario as follows. There are two users,
admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has
rights to both pages but user can access only userPage.jsp. Let's assume
that the user logs in as user (not admin) and accesses userPage.jsp. It is
fine up to this point because user has access to userPage.jsp. But what
happens if the user tries to access adminPage.jsp for which he is not
authorized? As you have indicated it should fail with 403 access denied.
But, I am getting HTTP 404 - File not found in IE and a blank page in
Mozilla.




Re: doubts about tomcat form based authentication

2009-10-20 Thread Markus Schönhaber
Nirvann:

 I meant authorization. Consider a scenario as follows. There are two users,
 admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has
 rights to both pages but user can access only userPage.jsp. Let's assume
 that the user logs in as user (not admin) and accesses userPage.jsp. It is
 fine up to this point because user has access to userPage.jsp. But what
 happens if the user tries to access adminPage.jsp for which he is not
 authorized? As you have indicated it should fail with 403 access denied.
 But, I am getting HTTP 404 - File not found in IE and a blank page in
 Mozilla.

In a situation like the one you describe my Tomcat responds with a 403
response code and the standard access denied page (I did not change it
in web.xml).
So, I second Curtis' guess that you did something wrong.

BTW: What IE shows you is of very little use, unless you turn off
"friendly error messages".

-- 
Regards
  mks






Re: doubts about tomcat form based authentication

2009-10-20 Thread Curtis Garman
I would also google "making internet explorer display your error page"
...this is something I learned in the Apache cookbook...IE will
display its own error message if your error page isn't at least 512
bytes...anyway you might want to research this a little.

Did you define a custom 403 page? Are you sure you aren't getting the
404 looking for your 403 page? I'm not sure what else to tell you
because I've never had this problem. It might help if you post some of
your configuration/code.

Curtis

2009/10/20 Markus Schönhaber tomcat-us...@list-post.mks-mail.de:
 Nirvann:

 I meant authorization. Consider a scenario as follows. There are two users,
 admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has
 rights to both pages but user can access only userPage.jsp. Let's assume
 that the user logs in as user (not admin) and accesses userPage.jsp. It is
 fine up to this point because user has access to userPage.jsp. But what
 happens if the user tries to access adminPage.jsp for which he is not
 authorized? As you have indicated it should fail with 403 access denied.
 But, I am getting HTTP 404 - File not found in IE and a blank page in
 Mozilla.

 In a situation like the one you describe my Tomcat responds with a 403
 response code and the standard access denied page (I did not change it
 in web.xml).
 So, I second Curtis' guess that you did something wrong.

 BTW: What IE shows you is of very little use, unless you turn off
 "friendly error messages".

 --
 Regards
  mks








-- 
Curtis Garman
Web Programmer
Heartland Community College




Re: doubts about tomcat form based authentication

2009-10-20 Thread Christopher Schultz

Nirvann,

On 10/20/2009 2:50 AM, Nirvann wrote:
 The first thing is what mechanism can be used to handle authorization
 errors. For authentication we have control of jsp pages (Login and Login
 error pages). But there is nothing to let users know that they are failing
 role based authorization.

Tomcat should be issuing a 403 error, which you ought to be able to
capture using web.xml's error-page configuration.

 Secondly, a subquestion of first, how does the container signal an
 authorization error.

See above.

 I tried with IE and Mozilla. In IE I get a 404 resource
 not found. In mozilla it just displays a blank page.

If this is the case, then you probably have some kind of broken
configuration. 404 is not appropriate for forbidden, but if you are
trying to forward to a page that doesn't exist, the 404 might be masking
the 403 error.

-chris



Re: doubts about tomcat form based authentication

2009-10-20 Thread Curtis Garman
On Tue, Oct 20, 2009 at 10:55 AM, Christopher Schultz
ch...@christopherschultz.net wrote:

 Nirvann,

 On 10/20/2009 2:50 AM, Nirvann wrote:
 The first thing is what mechanism can be used to handle authorization
 errors. For authentication we have control of jsp pages (Login and Login
 error pages). But there is nothing to let users know that they are failing
 role based authorization.

 Tomcat should be issuing a 403 error, which you ought to be able to
 capture using web.xml's error-page configuration.

 Secondly, a subquestion of first, how does the container signal an
 authorization error.

 See above.

 I tried with IE and Mozilla. In IE I get a 404 resource
 not found. In mozilla it just displays a blank page.

 If this is the case, then you probably have some kind of broken
 configuration. 404 is not appropriate for forbidden, but if you are
 trying to forward to a page that doesn't exist, the 404 might be masking
 the 403 error.

Exactly...this is quite possible

 -chris





-- 
Curtis Garman
Web Programmer
Heartland Community College




Re: doubts about tomcat form based authentication

2009-10-20 Thread Nirvann

Sorry guys to have bothered you with my silly mistake. Actually, I had
configured a 403 error page in the web.xml file but the page was not at the
proper location. Hence I was getting 404 file not found. Now I can access the
role error page for authorization errors. Thanks a lot for all your insights.

regards,
nirvan.
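The root cause in this thread (a 403 error page whose location did not exist, so the container surfaced a 404 in place of the 403 Christopher Schultz said to expect) is the kind of misconfiguration a build-time check can catch before deployment. As an added example, not code from the thread or from Tomcat, the following parses a constructed web.xml, resolves every error-page location and the FORM login pages against a throwaway webapp directory (file names are invented for this example) and reports the locations that are missing on disk.

```python
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Constructed web.xml for this example: FORM login, one role-protected page,
# and error pages for 403 and 404. The 403 page is deliberately absent on disk
# in demo() to reproduce the "404 masking 403" symptom from the thread.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/adminPage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <error-page>
    <error-code>403</error-code>
    <location>/errors/forbidden.jsp</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/errors/notfound.jsp</location>
  </error-page>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from an element tag ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def referenced_pages(web_xml_text):
    """(trigger, location) for every page web.xml expects to exist: error-page
    locations first (document order), then the FORM login and login-error pages."""
    root = ET.fromstring(web_xml_text)
    pages = []
    for elem in root.iter():
        if _local(elem.tag) != "error-page":
            continue
        trigger, location = "default", None
        for child in elem:
            cname = _local(child.tag)
            text = (child.text or "").strip()
            if cname in ("error-code", "exception-type"):
                trigger = text
            elif cname == "location":
                location = text
        if location:
            pages.append((trigger, location))
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ("form-login-page", "form-error-page"):
            pages.append((name, (elem.text or "").strip()))
    return pages


def check_pages(web_xml_text, webapp_root):
    """(trigger, location, exists) per referenced page. A location that is
    missing under the webapp root turns the intended response (e.g. 403)
    into a 404 at request time."""
    results = []
    root = os.path.realpath(webapp_root)
    for trigger, location in referenced_pages(web_xml_text):
        rel = location.split("?", 1)[0].split("#", 1)[0]
        if not rel.startswith("/"):
            results.append((trigger, location, False))  # must be context-relative
            continue
        candidate = os.path.realpath(os.path.join(root, *rel.strip("/").split("/")))
        inside = os.path.commonpath([root, candidate]) == root
        results.append((trigger, location, inside and os.path.isfile(candidate)))
    return results


def demo():
    """Build a throwaway webapp layout where only the 403 page is missing and
    run the check over it; returns the list of (trigger, location, exists)."""
    app = tempfile.mkdtemp(prefix="webapp-")
    try:
        os.makedirs(os.path.join(app, "WEB-INF"))
        os.makedirs(os.path.join(app, "errors"))
        with open(os.path.join(app, "WEB-INF", "web.xml"), "w") as fh:
            fh.write(SAMPLE_WEB_XML)
        for present in ("login.jsp", "loginError.jsp", "errors/notfound.jsp"):
            with open(os.path.join(app, *present.split("/")), "w") as fh:
                fh.write("<html><body>stub page</body></html>\n")
        with open(os.path.join(app, "WEB-INF", "web.xml")) as fh:
            return check_pages(fh.read(), app)
    finally:
        shutil.rmtree(app, ignore_errors=True)


if __name__ == "__main__":
    for trigger, location, ok in demo():
        status = "ok" if ok else "MISSING (would surface as 404)"
        print(f"{trigger:16} {location:24} {status}")
```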



Re: doubts about tomcat form based authentication

2009-10-20 Thread Josh Gooding
The way I solved the issue was removing the user from the Tomcat role table.
Tomcat itself will then not allow you to log in.  I am using a Realm
authentication as well.  In the user table I specified what role the user
had (either plain user, manager, admin, or a trainer), then based off of
that, the Tomcat role table was populated at create-new-user time.  It
will throw your 403 error (which mine does).

- Josh

On Tue, Oct 20, 2009 at 7:18 PM, Nirvann jatin.kulka...@yahoo.com wrote:


 Sorry guys to have bothered you with my silly mistake. Actually, I had
 configured 403 error page in web.xml file but the page was not at proper
 location. Hence I was getting 404 file not found. Now I can access the role
 error page for authorization error. Thanks a lot for all your insights.

 regards,
 nirvan.




Re: configuration about tomcat for work with mysql/J connector

2009-03-20 Thread Je suis la poubelle
 Most MySQL+JSP tutorials found on the web aren't up to date as they're
still teaching people to use org.gjt.mm.mysql.Driver but it's better to
use com.mysql.jdbc.Driver, cf:
http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-configuration-properties.html

 But otherwise it's ok.


On Fri, Mar 20, 2009 at 1:40 AM, Rusty Wright rusty.wri...@gmail.comwrote:

 http://lmgtfy.com/?q=tomcat+mysql+tutorial

 E.g.,

 http://www.roseindia.net/mysql/mysqldatabase.shtml




configuration about tomcat for work with mysql/J connector

2009-03-19 Thread Tomas Rodriguez

Hi all
I'm new to Tomcat and Java. I have already installed Tomcat 6.0 for Windows 2000, 
and I have the MySQL server and Connector/J so that MySQL and Tomcat work 
together.
I declared a variable for Connector/J in Control Panel/System/Advanced 
(environment variables); this variable holds the MySQL connector path.
I tested Tomcat by going to http://localhost:8080 and everything is ok, but my 
problem is:


How can I know that my Java connector works with MySQL without any problem? 
What file will I need to change in the Tomcat directory?
Please, can somebody help me? I want to learn Tomcat to develop a project 
that is very important to me.


thanks
have  a great day.
sincerely
TOMAS 






Re: configuration about tomcat for work with mysql/J connector

2009-03-19 Thread Rusty Wright

http://lmgtfy.com/?q=tomcat+mysql+tutorial

E.g.,

http://www.roseindia.net/mysql/mysqldatabase.shtml


Tomas Rodriguez wrote:

Hi all
I'm new to Tomcat and Java. I have already installed Tomcat 6.0 for Windows 
2000, and I have the MySQL server and Connector/J to make MySQL and Tomcat 
work together.
I declared a variable for the MySQL Connector/J in Control Panel / System / 
Advanced (environment variables); this variable holds the 
MySQL connector path.
I tested Tomcat with http://localhost:8080 and everything is OK, but my 
problem is:


How can I know that my Java connector works with MySQL without any 
problem? What file will I need to change in the Tomcat directory?
Please, can somebody help me? I want to learn Tomcat to develop a 
project that is very important to me.


thanks
have  a great day.
sincerely
TOMAS







about tomcat-users.xml

2008-11-14 Thread nocturna_gr

Hi,
I am not sure I have understood the tomcat-users.xml file correctly...
Where are the basic roles defined? 
I had some problems getting the admin and manager accounts working and
added a "standard" role, which however doesn't appear in the admin web
interface. Why is that?
What does "role1" do?

Thanks



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: about tomcat-users.xml

2008-11-14 Thread Christopher Schultz

To whom it may concern,

nocturna_gr wrote:
 I am not sure I have understood the tomcat-users.xml file correctly...
 Where are the basic roles defined? 

There are no basic roles defined for Tomcat in general. The
tomcat-users.xml file allows you to define roles on the fly simply by
mentioning them as roles to be associated with each user.

In web.xml, you may explicitly define roles using the security-role
and role-name elements, but this is not required.

 I had some problems getting the admin and manager account working and
 added a standard role, which however doesn't appear in the admin web
 interface. Why is that?

"standard" probably has no meaning to the admin application, so it is
not displayed anywhere.

 What does the role1 do?

That's just an example role.

- -chris

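
To make Chris's point concrete: a role exists in tomcat-users.xml either because a role element declares it or because some user's roles attribute names it, and nothing else gives it meaning. The following is an added example (not from the thread, and not Tomcat's own code) that reads such a file, lists every role it defines and reports which users hold the privileged ones. The class, the method names and the sample file are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not from the thread): audits a tomcat-users.xml file.
 * Class name, method names and the sample file are constructed.
 */
public class TomcatUsersAudit {

    /** Constructed sample: "standard" is declared with a <role> element,
     *  while "tomcat", "role1", "manager" and "admin" exist only because a
     *  user's roles attribute mentions them (Chris's "defined on the fly"). */
    static final String SAMPLE_TOMCAT_USERS =
        "<?xml version='1.0' encoding='utf-8'?>\n"
      + "<tomcat-users>\n"
      + "  <role rolename=\"standard\"/>\n"
      + "  <user username=\"tomcat\" password=\"tomcat\" roles=\"tomcat,role1\"/>\n"
      + "  <user username=\"admin\"  password=\"secret\" roles=\"manager,admin,standard\"/>\n"
      + "  <user username=\"alice\"  password=\"pw\"     roles=\"standard\"/>\n"
      + "</tomcat-users>\n";

    /** Parse with DTD processing disabled: the file is trusted, but a config
     *  parser still has no business resolving external entities. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** username -> roles, in file order; blank entries in the list are dropped. */
    public static Map<String, Set<String>> rolesByUser(String xml) throws Exception {
        Map<String, Set<String>> out = new LinkedHashMap<>();
        NodeList users = parse(xml).getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            Set<String> roles = new LinkedHashSet<>();
            for (String r : u.getAttribute("roles").split(",")) {
                if (!r.trim().isEmpty()) {
                    roles.add(r.trim());
                }
            }
            out.put(u.getAttribute("username"), roles);
        }
        return out;
    }

    /** Every role the file defines: explicit <role> elements plus any role
     *  that appears only on a user. */
    public static Set<String> allRoles(String xml) throws Exception {
        Set<String> roles = new LinkedHashSet<>();
        NodeList declared = parse(xml).getElementsByTagName("role");
        for (int i = 0; i < declared.getLength(); i++) {
            roles.add(((Element) declared.item(i)).getAttribute("rolename"));
        }
        for (Set<String> r : rolesByUser(xml).values()) {
            roles.addAll(r);
        }
        return roles;
    }

    /** Users holding at least one of the given roles: the accounts an
     *  administrator should review first. */
    public static Set<String> usersWithAnyRole(String xml, Set<String> privileged) throws Exception {
        Set<String> hits = new LinkedHashSet<>();
        for (Map.Entry<String, Set<String>> e : rolesByUser(xml).entrySet()) {
            for (String r : e.getValue()) {
                if (privileged.contains(r)) {
                    hits.add(e.getKey());
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String xml = SAMPLE_TOMCAT_USERS;
        Set<String> privileged = new HashSet<>(Arrays.asList("manager", "admin"));
        System.out.println("roles defined:    " + allRoles(xml));
        System.out.println("privileged users: " + usersWithAnyRole(xml, privileged));
    }
}
```

Pointing the same code at a real conf/tomcat-users.xml is the quickest way to see why a role shows up or not: the manager and admin applications only react to the role names they were written to check, so a role like "standard" is stored and granted just like any other but never consulted by those two webapps.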



RE: Question about Tomcat context

2008-10-24 Thread Peter Crowther
 From: Jerome Lepage - AKEROZ [mailto:[EMAIL PROTECTED]
 I have developed a web application on Tomcat (5.0.28).
 My webapp uses Hibernate 3 and I have a Singleton pattern too.

 I want to have my webapp deployed N times in the same Tomcat server.
 But I don't want to share context, Hibernate and Singleton
 from one webapp to the other.
 (Like the database access is not the same)

Have you tried just deploying it N times, making sure all the jars are in 
WEB-INF/lib?  Each webapp should get its own classloader, and hence will have 
its own copies of Hibernate and your singleton.  I *think* they'll have 
different contexts, too, but I've not tried this.

By the way: if you start getting out of memory errors as you deploy more 
copies, make sure you have enough perm space configured in your JVM options.  
Hibernate can generate a lot of classes, and lots of copies of these classes 
can consume a lot of perm space.

- Peter




Re: Question about Tomcat context

2008-10-24 Thread Serge Fonville
Hi Jerome.

If you save everything that is specific to the context in that context, they
operate as separate.
Regards,

Serge Fonville

On Fri, Oct 24, 2008 at 12:02 PM, Jerome Lepage - AKEROZ 
[EMAIL PROTECTED] wrote:


 Hi, Thanks for quick answers

 My app is a CMS.
 The sources, wars and deploy method are the same.
 Only an environment string (pointing to a specific config dir) is
 different for each Context.

 I don't want them to share anything at all, because it's not the same customers
 for each context.
 So for security reasons, I don't want to share (even if I lose memory and
 space).

 My customers don't have access to Tomcat at all (except the app of
 course).
 I will deploy, upgrade, remove, etc., so if it's easier it's better, but I don't
 really care about that.

 I already have separate contexts for the previous version of my app.
 But I'm (was) not sure about the sharing rules of Tomcat in the Singleton or
 Hibernate case.
 (Because the goal of a singleton by definition is to have a unique instance)
 I was afraid in testing, where I have seen my Log4J logs in the wrong directory
 (maybe it's because it is in the common/lib dir)

 So if I understand well, if the library(s) is not in common/lib but in
 WEB-INF/lib they don't share context?

 Thanks again for your time and answers..

 Jerome Lepage
 AKEROZ


 - Original Message -
 From: Serge Fonville [EMAIL PROTECTED]
 To: Tomcat Users List users@tomcat.apache.org
 Sent: Friday, October 24, 2008 11:37 AM
 Subject: Re: Question about Tomcat context


 First a few questions;
 What does the app do
 Do the deployed applications differ
 What is the reason you want them separate
 Do they share anything, realm, db, files,
 Do you need to be able to update them easily (all in one go)
 How do you intend to deploy them, war, copy, remote
 Is it an option to upgrade to Tomcat 6.0

 That said:

 By simply copying the same files to different contexts you have the same
 application available multiple times under different URLs.

 Regards,

 Serge Fonville

 On Fri, Oct 24, 2008 at 11:25 AM, Jerome Lepage - AKEROZ 
 [EMAIL PROTECTED] wrote:

 
  Hi @ll,
 
  I have developed a web application on Tomcat (5.0.28).
  My webapp uses Hibernate 3 and I have a Singleton pattern too.
 
  I want to have my webapp deployed N times in the same Tomcat server.
  But I don't want to share context, Hibernate and Singleton from one
 webapp
  to the other.
  (Like the database access is not the same)
 
  I have seen in the Tomcat doc the shared context parameters, but I have not
  tried them at this time.
  (Or maybe in different Tomcat vhosts)
 
  My question is, is it possible or not, and if yes how (almost a direction
  or a clue will be perfect).
 
  Thanks in advance for your time.
 
  Jerome Lepage
  AKEROZ



Re: Question about Tomcat context

2008-10-24 Thread Jerome Lepage - AKEROZ

Hi, Thanks to you too for your answers.

 Have you tried just deploying it N times, making sure all the jars are in 
 WEB-INF/lib?
 Each webapp should get its own classloader, and hence will have its own copies
 of Hibernate and your singleton.  I *think* they'll have different contexts, 
 too,
 but I've not tried this.

No, I have not tried it at this time; I'm in beta version so I try to 
anticipate this problem before I get to this part :)
OK, I will try, thanks

 By the way: if you start getting out of memory errors as you deploy more 
 copies,
 make sure you have enough perm space configured in your JVM options.  
 Hibernate can generate a lot of classes, and lots of copies of these classes 
 can
 consume a lot of perm space.

I'm glad to discuss that.
I'm aware that Hibernate is a big giant library which uses a lot of memory.
But when I launch Tomcat with these env vars:
JAVA_OPTS=-XX:MaxPermSize=512m -Xms24m -Xmx512m

Tomcat looks like it does not really care about the memory I grant to the JVM.
It seems that Tomcat has the memory but doesn't give it to the different contexts.
I have poor free memory each time...

Is it something I miss or not?

Thanks again to you

Jerome Lepage
AKEROZ

RE: Question about Tomcat context

2008-10-24 Thread Peter Crowther
 From: Jerome Lepage - AKEROZ [mailto:[EMAIL PROTECTED]
 But when i launch tomcat with this env vars :
 JAVA_OPTS=-XX:MaxPermSize=512m -Xms24m -Xmx512m

Well, yes :-).  That should give you enough perm space.

 Tomcat looks like it does not really care about the memory I grant to the JVM.
 It seems that Tomcat has the memory but doesn't give it to the
 different contexts
 I have poor free memory each time...

I'm simplifying here - you're better off reading the JVM docs or waiting for 
Chuck* to tell me I'm wrong ;-).  Any Java virtual machine will only collect 
garbage a) when you tell it (and sometimes not then), or b) when it runs out of 
free memory and needs to allocate something.  Low free memory is not 
necessarily a problem - the JVM may just be being lazy about garbage collection.

- Peter

* who has forgotten more about Java virtual machines than I will ever learn




Re: Question about Tomcat context

2008-10-24 Thread Serge Fonville
First a few questions;
What does the app do
Do the deployed applications differ
What is the reason you want them separate
Do they share anything, realm, db, files,
Do you need to be able to update them easily (all in one go)
How do you intend to deploy them, war, copy, remote
Is it an option to upgrade to Tomcat 6.0

That said:

By simply copying the same files to different contexts you have the same
application available multiple times under different URLs.

Regards,

Serge Fonville

On Fri, Oct 24, 2008 at 11:25 AM, Jerome Lepage - AKEROZ 
[EMAIL PROTECTED] wrote:


 Hi @ll,

 I have developed a web application on Tomcat (5.0.28).
 My webapp uses Hibernate 3 and I have a Singleton pattern too.

 I want to have my webapp deployed N times in the same Tomcat server.
 But I don't want to share context, Hibernate and Singleton from one webapp
 to the other.
 (Like the database access is not the same)

 I have seen in the Tomcat doc the shared context parameters, but I have not
 tried them at this time.
 (Or maybe in different Tomcat vhosts)

 My question is, is it possible or not, and if yes how (almost a direction
 or a clue will be perfect).

 Thanks in advance for your time.
 Jerome Lepage
 AKEROZ


Question about Tomcat context

2008-10-24 Thread Jerome Lepage - AKEROZ

Hi @ll,

I have developed a web application on Tomcat (5.0.28).
My webapp uses Hibernate 3 and I have a Singleton pattern too.

I want to have my webapp deployed N times in the same Tomcat server.
But I don't want to share context, Hibernate and Singleton from one webapp to 
the other.
(Like the database access is not the same)

I have seen in the Tomcat doc the shared context parameters, but I have not tried 
them at this time.
(Or maybe in different Tomcat vhosts)

My question is, is it possible or not, and if yes how (almost a direction or a 
clue will be perfect).

Thanks in advance for your time.

Jerome Lepage
AKEROZ

Re: Question about Tomcat context

2008-10-24 Thread Jerome Lepage - AKEROZ

Hi, Thanks for quick answers

My app is a CMS.
The sources, wars and deploy method are the same.
Only an environment string (pointing to a specific config dir) is different 
for each Context.

I don't want them to share anything at all, because it's not the same customers for 
each context.
So for security reasons, I don't want to share (even if I lose memory and space).

My customers don't have access to Tomcat at all (except the app of course).
I will deploy, upgrade, remove, etc., so if it's easier it's better, but I don't 
really care about that.

I already have separate contexts for the previous version of my app.
But I'm (was) not sure about the sharing rules of Tomcat in the Singleton or Hibernate 
case.
(Because the goal of a singleton by definition is to have a unique instance)
I was afraid in testing, where I have seen my Log4J logs in the wrong directory (maybe 
it's because it is in the common/lib dir)

So if I understand well, if the library(s) is not in common/lib but in 
WEB-INF/lib they don't share context?

Thanks again for your time and answers..

Jerome Lepage
AKEROZ


- Original Message - 
From: Serge Fonville [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, October 24, 2008 11:37 AM
Subject: Re: Question about Tomcat context


First a few questions;
What does the app do
Do the deployed applications differ
What is the reason you want them separate
Do they share anything, realm, db, files,
Do you need to be able to update them easily (all in one go)
How do you intend to deploy them, war, copy, remote
Is it an option to upgrade to Tomcat 6.0

That said:

By simply copying the same files to different contexts you have the same
application available multiple times under different URLs.

Regards,

Serge Fonville

On Fri, Oct 24, 2008 at 11:25 AM, Jerome Lepage - AKEROZ 
[EMAIL PROTECTED] wrote:


 Hi @ll,

 I have developed a web application on Tomcat (5.0.28).
 My webapp uses Hibernate 3 and I have a Singleton pattern too.

 I want to have my webapp deployed N times in the same Tomcat server.
 But I don't want to share context, Hibernate and Singleton from one webapp
 to the other.
 (Like the database access is not the same)

 I have seen in the Tomcat doc the shared context parameters, but I have not
 tried them at this time.
 (Or maybe in different Tomcat vhosts)

 My question is, is it possible or not, and if yes how (almost a direction
 or a clue will be perfect).

 Thanks in advance for your time.

 Jerome Lepage
 AKEROZ


RE: Question about Tomcat context

2008-10-24 Thread Caldarale, Charles R
 From: Peter Crowther [mailto:[EMAIL PROTECTED]
 Subject: RE: Question about Tomcat context

  From: Jerome Lepage - AKEROZ [mailto:[EMAIL PROTECTED]
  JAVA_OPTS=-XX:MaxPermSize=512m -Xms24m -Xmx512m

For server environments, you usually want to set Xms to the same value as Xmx 
to avoid heap thrashing.  Make sure you have enough RAM on the system to 
support not only the Java heap and PermGen spaces, but also the C heap, code 
space, and library/OS overhead.  If you don't have enough RAM, you'll get into 
paging, and your performance will disappear.

  It seems that Tomcat has the memory but doesn't give it to the
  different contexts

Heap memory is shared across all webapps, since they're all running in the same 
JVM; there's no way to provide separate heap space for each webapp.

 I'm simplifying here - you're better off reading the JVM docs
 or waiting for Chuck* to tell me I'm wrong ;-).

Nothing wrong here.

 Low free memory is not necessarily a problem - the
 JVM may just be being lazy about garbage collection.

Try using JConsole to watch the heap and PermGen while Tomcat's running; this 
will show if you are approaching a tight situation on memory space. (JVisualVM 
can also be used, but it's not as detailed.)

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.




Re: about tomcat default error page

2008-10-20 Thread Christopher Schultz

李征,

李征 wrote:
 I use Apache with Tomcat.
 I don't want Tomcat to generate its default error page when an error happens.
 Instead, I want to show my error page which I set in the Apache conf file.
 
 I know that I can use error-page to do this, but I don't want to do it 
 twice -- both Apache and Tomcat.

You can just use ErrorDocument within a Location section in your
httpd.conf. I do this for errors like 403 and 500, so I'd imagine it
would work with other error codes as well. I believe Apache httpd simply
ignores the body of the TC response and replaces it with its own.

Hmm... I see that I /have/ configured the error pages in both Apache
httpd /and/ Tomcat, so I'm not sure which of the configurations is
really active.

Honestly, I don't see what the big deal is about double-configuring
these error pages.

- -chris





Re: about tomcat default error page

2008-10-20 Thread 李征
you are right and thank you for your advice
OS: centos4.6
APACHE-MOD_SSL: 1.3.37-2.8.28
TOMCAT: 4.1.29
MOD_JK: 1.2.15

i will look at mod_jk document again.
maybe i can find something i need





From: André Warnier [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: 2008/10/17 (Fri), 6:05:25 PM
Subject: Re: about tomcat default error page

Hi 李征,
I don't know the answer to your question, but here is a recommendation :
To avoid delays in answering your question, it is always helpful to
specify :
- on which platform this happens (Windows, Unix, Linux,..)
- what version of Apache
- what version of Tomcat
- what connector you use between them (mod_jk, proxy_ajp,..) and its
version.

In this case, it matters very much, because the exact answer to your
question may be very dependent on this information.

If you do not specify it, then whoever is the expert will have to ask
you first, and because of time differences you might not see his
question before tomorrow, and then when you answer he may not see your
answer before his own tomorrow,.. and presto 48 hours have gone by.

Now if the versions of all the above that you use are fairly recent, and
you use the mod_jk connector, then you may want to look at the latest
release notes of mod_jk.  I am not sure, but I think I remember seeing
something that was more or less around that subject.

André


李征 wrote:
 I use Apache with Tomcat.
 I don't want Tomcat to generate its default error page when an error happens.
 Instead, I want to show my error page which I set in the Apache conf file.
 
 I know that I can use error-page to do this, but I don't want to do it 
 twice -- both Apache and Tomcat.
 Is there any configuration that makes Tomcat do nothing about the error and 
 just simply pass the response code to Apache?
 
 Thanks in advance.
 
 __
 Register now for a free Yahoo! mailbox with extra-large capacity
 http://cn.mail.yahoo.com




about tomcat default error page

2008-10-17 Thread 李征
I use Apache with Tomcat.
I don't want Tomcat to generate its default error page when an error happens.
Instead, I want to show my error page which I set in the Apache conf file.

I know that I can use error-page to do this, but I don't want to do it twice 
-- both Apache and Tomcat.
Is there any configuration that makes Tomcat do nothing about the error and 
just simply pass the response code to Apache?

thanks in advance.


Re: about tomcat default error page

2008-10-17 Thread André Warnier
Hi 李征,
I don't know the answer to your question, but here is a recommendation :
To avoid delays in answering your question, it is always helpful to
specify :
- on which platform this happens (Windows, Unix, Linux,..)
- what version of Apache
- what version of Tomcat
- what connector you use between them (mod_jk, proxy_ajp,..) and its
version.

In this case, it matters very much, because the exact answer to your
question may be very dependent on this information.

If you do not specify it, then whoever is the expert will have to ask
you first, and because of time differences you might not see his
question before tomorrow, and then when you answer he may not see your
answer before his own tomorrow,.. and presto 48 hours have gone by.

Now if the versions of all the above that you use are fairly recent, and
you use the mod_jk connector, then you may want to look at the latest
release notes of mod_jk.  I am not sure, but I think I remember seeing
something that was more or less around that subject.

André


李征 wrote:
 I use Apache with Tomcat.
 I don't want Tomcat to generate its default error page when an error happens.
 Instead, I want to show my error page which I set in the Apache conf file.
 
 I know that I can use error-page to do this, but I don't want to do it 
 twice -- both Apache and Tomcat.
 Is there any configuration that makes Tomcat do nothing about the error and 
 just simply pass the response code to Apache?
 
 thanks in advance.
 





problem about tomcat session management

2008-05-17 Thread Zufeng Huang
Hi all,

  Recently, I am suffering a problem with Tomcat session management. It is a 
sign-in service; sometimes user A logs in, the system sets the user's information 
in the session and then a piece of JSP code reads the user's name from the session, 
but the user gets another user's name in the browser. I cannot reproduce this problem 
in our network environment, but our customers meet it (NOT ALWAYS).

  Our service environment: CentOS V4, jdk1.5.0_07, tomcat5.5.15. Other skills 
we used include Struts, DWR, Hibernate, etc.

  If you need the service code, let me know. Thanks for any help and suggestions.


Re: problem about tomcat session management

2008-05-17 Thread Christopher Schultz


Zufeng,

Zufeng Huang wrote:
| Recently, I am suffering a problem about tomcat session management.
| It is a sign-in service, sometimes the user A logs in, system sets
| user's information in session and then a piece of JSP codes to read
| the user's name from session, but the user gets another user's name
| in browser. I cannot repeat this problem in our network environment,
| but our customers meet(NOT ALWAYS).

This is almost certainly an application error. You should make sure that
you are not storing references to HttpServletRequest or HttpSession
objects /anywhere/ that might be shared with another thread.
Specifically, check that your servlets do not have any class-level members.

| Our service environment: centos V4, jdk1.5.0_07, tomcat5.5.15.

You might want to upgrade to Tomcat 5.5.26, which is the latest 5.5.x
version available.

- -chris




Re: problem about tomcat session management

2008-05-17 Thread Bill Barker

Christopher Schultz [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

 Zufeng,

 Zufeng Huang wrote:
  | Recently, I am suffering a problem about tomcat session management.
  | It is a sign-in service, sometimes the user A logs in, system sets
  | user's information in session and then a piece of JSP codes to read
  | the user's name from session, but the user gets another user's name
  | in browser. I cannot repeat this problem in our network environment,
  | but our customers meet(NOT ALWAYS).

 This is almost certainly an application error. You should make sure that
 you are not storing references to HttpServletRequest or HttpSession
 objects /anywhere/ that might be shared with another thread.
 Specifically, check that your servlets do not have any class-level 
 members.


Actually, since the OP can't reproduce it on his network, I'd vote for an 
up-stream proxy server returning a cached view of the page.  Of course 
Tomcat will take care of this for protected pages if you are using Container 
Auth, but it doesn't sound like this app is doing that.

 | Our service environment: centos V4, jdk1.5.0_07, tomcat5.5.15.

 You might want to upgrade to Tomcat 5.5.26, which is the latest 5.5.x
 version available.


Always a good suggestion, since there are quite a few fixes from 5.5.15 :).

 - -chris




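
Chris's advice (no request- or session-scoped references in class-level members) and Bill's alternative explanation (an upstream proxy serving a cached copy of one user's page to another) can both be shown with one pair of servlets. This is an added illustration, not code from the thread; the class names are invented and the "user" session attribute is assumed to be set by the application's login code.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example (not from the thread). Hypothetical servlets; the "user"
 * session attribute is assumed to be set at login.
 */

/** The pattern Chris warns against: the container creates one instance of a
 *  servlet and lets every request thread run through it, so a field holding
 *  the session is shared between concurrent users. */
class LeakyWhoAmIServlet extends HttpServlet {
    // BUG: instance field. Request A stores its session here, request B
    // overwrites it a moment later, and A then reads B's user name.
    private HttpSession session;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        session = req.getSession();
        String user = (String) session.getAttribute("user");
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Logged in as " + user);
    }
}

/** Hardened version: everything per-request lives in local variables, an
 *  unauthenticated request is rejected instead of creating a session, and
 *  the per-user response is marked uncacheable so an intermediate proxy
 *  (Bill's suspect) cannot hand it to the next visitor. */
public class WhoAmIServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // never create one just to read it
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Per-user content: forbid shared caches from storing it at all.
        resp.setHeader("Cache-Control", "private, no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Logged in as " + user);
    }
}
```

The first class only misbehaves under concurrent load, which matches the report that the problem never appeared on the developers' own network but did at customer sites; the second class has no state at all, which is the shape every servlet should have unless a field is explicitly meant to be shared and is made thread-safe.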



Re: Question about Tomcat/IIS and NTLM authentication

2008-01-23 Thread eborisow


Gabe Wong wrote:
 
 I guess I misunderstood your objective. You are not interested in 
 manipulating the user name.
 You just want to check if the stripped user name is in a specific role?
 
Gabe,

Yeah, I guess that sums it up better than my original post.  I thought that
maybe if I could just manipulate the principal name that I could just pass
that along to hasRoles and everything would work similarly.

If you have any other ideas on how I could do that, I would be grateful.

Thanks,
Eric





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-23 Thread Gabe Wong

eborisow wrote:

Gabe Wong wrote:
  
I guess I misunderstood your objective. You are not interested in 
manipulating the user name.

You just want to check if the stripped user name is in a specific role?



Gabe,

Yeah, I guess that sums it up better than my original post.  I thought that
maybe if I could just manipulate the principal name that I could just pass
that along to hasRoles and everything would work similarly.

If you have any other ideas on how I could do that, I would be grateful.

Thanks,
Eric
  
Since hasRole is being called, can you not do a super.hasRole 
against the stripped user name of the Principal?

If so, won't that suffice?


--
Regards

Gabe Wong
NGASI AppServer Manager
JAVA AUTOMATION and SaaS Enablement
http://www.ngasi.com
NEW! 8.0 - Centrally manage multiple physical servers





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-23 Thread eborisow


Gabe Wong wrote:
 

 Since hasRole is being called, can you not do a super.hasRole 
 against the stripped user name of the Principal?
 If so, won't that suffice?
 
 
Gabe,

Yeah, I was thinking that.  The hasRole though takes two parameters... a
Principal and the role name.  I could not find any easy way to manipulate
the existing object name.  I also looked into creating a GenericPrincipal,
but that requires a password parameter.  The one thing I haven't tried is
'fudging' it by passing a user name and password that I know exists and see
if that works.  Although, that won't help me in the future when I don't know
the password.

Thanks,
Eric





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-23 Thread Gabe Wong

eborisow wrote:

Gabe Wong wrote:
  
   
Since hasRole is being called, can you not do a super.hasRole 
against the stripped user name of the Principal?

If so, won't that suffice?




Gabe,

Yeah, I was thinking that.  The hasRole though takes two parameters... a
Principal and the role name.  I could not find any easy way to manipulate
the existing object name.  I also looked into creating a GenericPrincipal,
but that requires a password parameter.  The one thing I haven't tried is
'fudging' it by passing a user name and password that I know exists and see
if that works.  Although, that won't help me in the future when I don't know
the password.

  
Short of hacking Tomcat, another possibility, if you can access the 
LDAP data, is perhaps a thread
that populates a database with the names in the group. Then check the 
data as the hasRole method is called.








Re: Question about Tomcat/IIS and NTLM authentication

2008-01-22 Thread eborisow


Gabe Wong wrote:
 
 
 Check the syntax as it was just done on the fly.
 
 
Here's the latest.  I created a class that extends JNDIRealm and I can see
some debug messages in my constructor, but I don't see my authenticate
method getting invoked.  I just wanted to see if I could override the
authenticate method before I started messing around with the name.  Here is
my code:

@Override
public Principal authenticate(String arg0, String arg1)
{
    System.out.println("Starting authenticate");
    Principal principal = super.authenticate(arg0, arg1);
    // super.authenticate() returns null when the user is unknown or the
    // credentials are wrong; guard the name lookup so a failed login does
    // not turn into a NullPointerException.
    if (principal != null) {
        System.out.println("Principal Name: " + principal.getName());
    }
    System.out.println("Finished authenticate");

    return principal;
}

Does anyone see what I'm doing wrong?

Thanks,
Eric


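
Eric's override, carried one step further, as an added example that is not code from the thread and not Tomcat's own: the domain prefix handling he is after lives in a small method that can be unit-tested on its own, the principal is never written to System.out, and a name that strips down to nothing is rejected before LDAP is consulted. The class and method names are this example's own; the JNDIRealm.authenticate(String, String) signature is the one his post shows. As the rest of the thread establishes, this code only runs when Tomcat itself performs the authentication; when IIS has already authenticated the user, only hasRole() is reached, so this is an illustration of the delegation pattern rather than a fix for that deployment.

```java
import java.security.Principal;
import org.apache.catalina.realm.JNDIRealm;

/**
 * Added example (not from the thread, not Tomcat's own code): a JNDIRealm
 * subclass that normalises an NTLM-style account name before delegating
 * the real lookup to JNDIRealm. Hypothetical class; signature as posted.
 */
public class DomainStrippingJndiRealm extends JNDIRealm {

    /** "DOMAIN\\jsmith" -> "jsmith", "jsmith@corp.example" -> "jsmith",
     *  "jsmith" -> "jsmith". Returns null for null, empty, or a name that
     *  is nothing but a prefix, so the caller can refuse it. */
    static String stripDomain(String name) {
        if (name == null) {
            return null;
        }
        String bare = name;
        int backslash = bare.lastIndexOf('\\');
        if (backslash >= 0) {
            bare = bare.substring(backslash + 1);
        } else {
            int at = bare.indexOf('@');
            if (at > 0) {
                bare = bare.substring(0, at);
            }
        }
        return bare.isEmpty() ? null : bare;
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        String bare = stripDomain(username);
        if (bare == null) {
            return null; // nothing sensible to look up in the directory
        }
        // JNDIRealm does the directory bind and role lookup; it returns null
        // on failure. Credentials are passed through untouched and never logged.
        return super.authenticate(bare, credentials);
    }
}
```

Whatever the realm finally does with the name, the behaviour to check in a test is the three inputs in the Javadoc plus the two rejection cases; everything after stripDomain() is JNDIRealm's own lookup, which the thread's logging already shows working once it is reached.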



Re: Question about Tomcat/IIS and NTLM authentication

2008-01-22 Thread Gabe Wong

eborisow wrote:

Gabe Wong wrote:
  

Check the syntax as it was just done on the fly.




Here's the latest.  I created a class that extends JNDIRealm and I can see
some debug messages in my constructor, but I don't see my authenticate
method getting invoked.  I just wanted to see if I could override the
authenticate method before I started messing around with the name.  Here is
my code:

public Principal authenticate(String arg0, String arg1)
{
    System.out.println("Starting authenticate");
    Principal principal = super.authenticate(arg0, arg1);
    // super.authenticate() returns null on failure, so guard before getName()
    System.out.println("Principal Name: "
        + (principal == null ? "null" : principal.getName()));
    System.out.println("Finished authenticate");

    return principal;
}

  
Could be how logging output is set up. The constructor may be created 
before output gets redirected elsewhere.
Look in the other log files under the logs directory. Also, is the realm 
configured in server.xml or context.xml?



--
Regards

Gabe Wong
NGASI AppServer Manager
JAVA AUTOMATION and SaaS Enablement
http://www.ngasi.com
NEW! 8.0 - Centrally manage multiple physical servers





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-22 Thread eborisow


Gabe Wong wrote:
 
 Could be how logging output is set up. The constructor may be created 
 before output gets redirected elsewhere.
 Look in the other log files under the logs directory. Also, is the realm 
 configured in server.xml or context.xml?
 
 
Gabe,

Here's the thing.  I also added logging (just System.out for right now) to
the hasRole method and I saw the output from that method.

The realm is defined in the server.xml.

Thanks,
Eric
-- 
View this message in context: 
http://www.nabble.com/Question-about-Tomcat-IIS-and-NTLM-authentication-tp14997483p15027940.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-22 Thread Gabe Wong

eborisow wrote:

Gabe Wong wrote:
  
Could be how logging output is set up. The constructor may be created 
before output gets redirected elsewhere.
Look in the other log files under the logs directory. Also, is the realm 
configured in server.xml or context.xml?





Gabe,

Here's the thing.  I also added logging (just System.out for right now) to
the hasRole method and I saw the output from that method.

The realm is defined in the server.xml.
  
Do you have the following set: tomcatAuthentication=false in the AJP 
connector in the server.xml?


I believe as the user is already authenticated via IIS, the authenticate method 
is not called in this situation.
So you may try overriding:
protected Principal getPrincipal(String username)



--
Regards

Gabe Wong
NGASI AppServer Manager
JAVA AUTOMATION and SaaS Enablement
http://www.ngasi.com
NEW! 8.0 - Centrally manage multiple physical servers





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-22 Thread eborisow


Gabe Wong wrote:
 
 I believe as the user is already authenticated via IIS, the authenticate
 method is not called in this situation.
 So you may try overriding:
  protected Principal getPrincipal(String username)
 
Gabe,

Thanks for sticking with this.  I did try getPrincipal as well and it
doesn't look like that is being called either.  It seems that the only
method that is getting called is hasRole.  I guess the question is how could
I manipulate the login name there?  If I use getName on the Principal that
is passed in, it returns my NTLM login name.  I can manipulate the name, but
then how could I appropriately call super.hasRoles since GenericPrincipal
requires a password.

Here is the code:
public boolean hasRole(Principal principal, String roleName)
{
    System.out.println("Starting hasRole");
    System.out.println("Principal name: " + principal.getName());
    int slash = principal.getName().indexOf('\\');
    String newUser = slash >= 0 ? principal.getName().substring(slash + 1) :
        principal.getName();
    System.out.println("New user is: " + newUser);
    System.out.println("Checking for role name: " + roleName);

    // need to create a new Principal here, I think
    // (placeholder: no roles are looked up for newUser yet)
    Principal newPrincipal = new GenericPrincipal(this, newUser, null);
    boolean userHasRole = super.hasRole(newPrincipal, roleName);
    System.out.println("User has role: " + userHasRole);
    return userHasRole;
}

Thanks,
Eric
-- 
View this message in context: 
http://www.nabble.com/Question-about-Tomcat-IIS-and-NTLM-authentication-tp14997483p15033183.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-22 Thread Martin Gainty
the DirContext is abstract so you will need to construct either
a file based directory context (FileDirContext) such as what you see
http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/naming/resources/FileDirContext.html

or a ProxyDirContext such as what you see here
http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/naming/resources/ProxyDirContext.html

then pass in that constructed context to the authenticate method
public java.security.Principal
authenticate(javax.naming.directory.DirContext context,
java.lang.String username,
java.lang.String credentials)
 throws javax.naming.NamingException
Return the Principal associated with the specified username and credentials,
if there is one; otherwise return null.

then you pass in the constructed Principal to hasRole method illustrated
here

public boolean hasRole(java.security.Principal principal,
   java.lang.String role)

Return true if the specified Principal has the specified security role,
within the context of this Realm; otherwise return false. This method can be
overridden by Realm implementations, but the default is adequate when an
instance of GenericPrincipal is used to represent authenticated Principals
from this Realm.

NAMES: You cannot change to any names unknown to your (NTLM) authentication
algorithm
http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/RealmBase.html#authenticate(java.lang.String,%20java.lang.String)

Martin
- Original Message -
From: eborisow [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Tuesday, January 22, 2008 8:43 PM
Subject: Re: Question about Tomcat/IIS and NTLM authentication




 Gabe Wong wrote:
 
  I believe as the user is already authenticated via IIS, the authenticate
  method is not called in this situation.
  So you may try overriding:
   protected Principal getPrincipal(String username)
 
 Gabe,

 Thanks for sticking with this.  I did try getPrincipal as well and it
 doesn't look like that is being called either.  It seems that the only
 method that is getting called is hasRole.  I guess the question is how could
 I manipulate the login name there?  If I use getName on the Principal that
 is passed in, it returns my NTLM login name.  I can manipulate the name, but
 then how could I appropriately call super.hasRoles since GenericPrincipal
 requires a password.

 Here is the code:
 public boolean hasRole(Principal principal, String roleName)
 {
     System.out.println("Starting hasRole");
     System.out.println("Principal name: " + principal.getName());
     int slash = principal.getName().indexOf('\\');
     String newUser = slash >= 0 ? principal.getName().substring(slash + 1) :
         principal.getName();
     System.out.println("New user is: " + newUser);
     System.out.println("Checking for role name: " + roleName);

     // need to create a new Principal here, I think
     // (placeholder: no roles are looked up for newUser yet)
     Principal newPrincipal = new GenericPrincipal(this, newUser, null);
     boolean userHasRole = super.hasRole(newPrincipal, roleName);
     System.out.println("User has role: " + userHasRole);
     return userHasRole;
 }

 Thanks,
 Eric
 --
 View this message in context:
 http://www.nabble.com/Question-about-Tomcat-IIS-and-NTLM-authentication-tp14997483p15033183.html
 Sent from the Tomcat - User mailing list archive at Nabble.com.









Re: Question about Tomcat/IIS and NTLM authentication

2008-01-22 Thread eborisow



mgainty wrote:
 
 NAMES: You cannot change to any names unknown to your (NTLM)
 authentication
 algorithm
 http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/RealmBase.html#authenticate(java.lang.String,%20java.lang.String)
 
 Martin
 
 
Martin,

Thanks for the reply.  So, does what I'm thinking sound do-able?  I want to
use NTLM authentication which is returning:

DOMAIN\username

but, then I want to check to see if that user is in a role (group) from
LDAP.  The format for that user is something like:

Group dn: cn=manager,ou=groups,dc=mycompany,dc=com
member: cn=username,ou=people,dc=mycompany,dc=com

So, I want to go from my user authenticated as DOMAIN\username to finding out
if that user is contained in my LDAP group.  Does that sound possible?

Thanks,
Eric
-- 
View this message in context: 
http://www.nabble.com/Question-about-Tomcat-IIS-and-NTLM-authentication-tp14997483p15033776.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


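Eric's hasRole() override above strips the DOMAIN\ prefix, and his later post describes the LDAP layout (group entries with member DNs, users found by sAMAccountName) that the stripped name has to be matched against. The following is an added example, not code from this thread or from Tomcat, that models both steps end to end against a constructed in-memory directory. It is written in Python so it runs stand-alone; the actual Tomcat Realm would be Java. The functions normalize_login, ldap_filter_escape, search_filter, find_user_dn, roles_for_login and has_role, the sample entries, and the conservative sAMAccountName pattern are all assumptions of this example. It goes beyond the thread in two places: it also accepts the user@domain (UPN) form, and it escapes the name per RFC 4515 before it is placed in a search filter.

```python
import re

# Constructed sample directory, shaped like the entries quoted in the thread.
# Users are keyed by DN and carry a sAMAccountName; groups list member DNs.
USERS = {
    "cn=eric,ou=people,dc=mycompany,dc=com": {"sAMAccountName": "eric"},
    "cn=jdoe,ou=people,dc=mycompany,dc=com": {"sAMAccountName": "jdoe"},
}
GROUPS = {
    "cn=manager,ou=groups,dc=mycompany,dc=com": [
        "cn=eric,ou=people,dc=mycompany,dc=com",
    ],
    "cn=staff,ou=groups,dc=mycompany,dc=com": [
        "cn=eric,ou=people,dc=mycompany,dc=com",
        "cn=jdoe,ou=people,dc=mycompany,dc=com",
    ],
}

# Conservative shape for a sAMAccountName (an assumption of this example):
# AD permits a few more characters, but nothing outside this set is worth
# sending to the directory.
_SAM_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


def normalize_login(login):
    """Reduce the identity IIS/NTLM hands over to a bare, lower-cased account name.

    Accepts the down-level form DOMAIN\\user (what the thread sees), the UPN
    form user@domain, and a plain user name.  Returns None for anything that
    cannot be a valid account name so the caller fails closed instead of
    searching the directory for junk.
    """
    if login is None:
        return None
    name = login.strip()
    if "\\" in name:
        # same split Eric's hasRole() does: drop everything up to the first '\'
        _, _, name = name.partition("\\")
    if "@" in name:
        name, _, _ = name.partition("@")
    if not _SAM_RE.match(name):
        return None
    return name.lower()


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A Realm that builds '(sAMAccountName=<name>)' from a name supplied by the
    front end must escape it; otherwise the name can rewrite the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def search_filter(sam_account_name):
    """The filter the Realm would send to look the user up."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(sam_account_name)


def find_user_dn(sam_account_name):
    """Resolve a sAMAccountName to the user's DN (AD compares case-insensitively)."""
    for dn, attrs in USERS.items():
        if attrs["sAMAccountName"].lower() == sam_account_name.lower():
            return dn
    return None


def group_cn(group_dn):
    """'cn=manager,ou=groups,...' -> 'manager' (the role name Tomcat would use)."""
    return group_dn.split(",", 1)[0].split("=", 1)[1]


def roles_for_login(login):
    """Sorted role names for an NTLM login, or [] if it maps to no user."""
    name = normalize_login(login)
    if name is None:
        return []
    dn = find_user_dn(name)
    if dn is None:
        return []
    return sorted(
        group_cn(group_dn)
        for group_dn, members in GROUPS.items()
        if any(m.lower() == dn.lower() for m in members)
    )


def has_role(login, role):
    """What a hasRole(principal, roleName) override would answer."""
    return role in roles_for_login(login)


if __name__ == "__main__":
    for login in ("MYCOMPANY\\Eric", "jdoe@mycompany.com", "MYCOMPANY\\", "(eric"):
        print(repr(login), "->", normalize_login(login), roles_for_login(login))
```

The None return from normalize_login is deliberate: with the front end doing the authentication, the name reaches the Realm from outside Tomcat's own login path, so the Realm should reject anything that does not look like an account name rather than hand it to an LDAP search.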



Re: Question about Tomcat/IIS and NTLM authentication

2008-01-22 Thread Gabe Wong

eborisow wrote:


mgainty wrote:
  

NAMES: You cannot change to any names unknown to your (NTLM)
authentication
algorithm
http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/RealmBase.html#authenticate(java.lang.String,%20java.lang.String)

Martin




Martin,

Thanks for the reply.  So, does what I'm thinking sound do-able?  I want to
use NTLM authentication which is returning:

DOMAIN\username

but, then I want to check to see if that user is in a role (group) from
LDAP.  The format for that user is something like:

Group dn: cn=manager,ou=groups,dc=mycompany,dc=com
member: cn=username,ou=people,dc=mycompany,dc=com

So, I want to go from my user authenticated as DOMAIN\username to finding out
if that user is contained in my LDAP group.  Does that sound possible?
  
I guess I misunderstood your objective. You are not interested in 
manipulating the user name.

You just want to check if the stripped user name is in a specific role?

--
Regards

Gabe Wong
NGASI AppServer Manager
JAVA AUTOMATION and SaaS Enablement
http://www.ngasi.com
NEW! 8.0 - Centrally manage multiple physical servers





Question about Tomcat/IIS and NTLM authentication

2008-01-21 Thread eborisow

Hi,

I am using Tomcat 5.5 and have successfully setup a Realm containing
users/groups from my Active Directory domain.  I can login (to the /manager
app, for example) with no problem.  Now, I would like to use IIS and NTLM
authentication so the user is not prompted for login.  I have unchecked the
anonymous access in IIS.  On the Tomcat side, I can see the user data coming
from IIS.  Here is the problem...  the user principal that is passed by IIS
is my-domain\username.  Unfortunately, through LDAP, there is no
attribute that contains that value.  The username matches the samAccountName
in AD, but that's about it.  So, my question is... how can I remove the
domain name from what Tomcat is getting or somehow be able to manipulate the
incoming user name prior to the Realm search?

If someone has been able to get this working and could provide some help,
that would be great.

Thanks,
Eric
-- 
View this message in context: 
http://www.nabble.com/Question-about-Tomcat-IIS-and-NTLM-authentication-tp14997483p14997483.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-21 Thread Mark Thomas

eborisow wrote:

If someone has been able to get this working and could provide some help,
that would be great.


Haven't tried it but you should be able to create a custom Realm by 
extending the existing JNDIRealm and manipulating the user name, probably 
by overriding the authenticate() methods.


Mark





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-21 Thread eborisow


markt-2 wrote:
 
 
 Haven't tried it but you should be able to create a custom Realm by 
 extending the existing JNDIRealm and manipulating the user name, probably 
 by overriding the authenticate() methods.
 
 
Ok, thanks Mark... that gives me a place to start.
-- 
View this message in context: 
http://www.nabble.com/Question-about-Tomcat-IIS-and-NTLM-authentication-tp14997483p15006094.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Question about Tomcat/IIS and NTLM authentication

2008-01-21 Thread Gabe Wong

Mark Thomas wrote:

eborisow wrote:
If someone has been able to get this working and could provide some 
help,

that would be great.


Haven't tried it but you should be able to create a custom Realm by 
extending the existing JNDIRealm and manipulating the user name, 
probably by overriding the authenticate() methods.



The specific code may look like so:

import org.apache.catalina.realm.*;
import java.security.Principal;
import java.sql.*;
import java.util.*;
import java.io.*;

public class CustomTomcatRealm extends JDBCRealm {

    public synchronized Principal authenticate(String username, String credentials) {

        Principal p = super.authenticate(username, credentials);
        if (p != null) {
            String newName = username; // whatever transformation you need
            ArrayList roles = getRoles(newName);
            p = new GenericPrincipal(this, newName, credentials, roles);
        }
        return p;
    }

}

Check the syntax as it was just done on the fly.

--
Regards

Gabe Wong
NGASI AppServer Manager
JAVA AUTOMATION and SaaS Enablement
http://www.ngasi.com
NEW! 8.0 - Centrally manage multiple physical servers





any doubt about tomcat contexts... help me please

2008-01-15 Thread Anderson Borges Coutinho
 Hi, a nice day to all.
 I have four applications on my Tomcat 5.5 server; those applications are 4
war files, and I need to share one Java object between contexts.
Can you help me?
Thanks

-- 
Anderson Borges Coutinho


Re: Question about tomcat bugzilla which is resolved but not fixed.

2007-12-14 Thread Mark Thomas
Dan wrote:
 Hi,
 I notice that this issue has been marked fixed, but the comments on there
 indicate that the bug isn't actually fixed, and that the problem remains. 
 Indeed, looking in the source of 5.5.25 it does not seem to contain the code
 in the patch in this issue.

The actual patch applied is here.
http://marc.info/?l=tomcat-dev&m=110740182826539&w=2

 Can anyone answer why not? 

Only generally. I haven't looked at the patch in detail but Bill knows what
he is doing. I suspect the proposed patch worked but didn't do things in
the correct manner given how the Handler was designed.

 I wonder if i should attempt to patch the
 current 5.5.25 and try this fix to see if it solves our problem?  Any other
 suggestions?

You could try but I doubt it would work any better than Bill's patch.

 ( The problem we have is threads in tomcat stuck in socketRead up to the
 maxThreads, yet no similar connections on apache webserver. (modjk))

Can you reproduce this for one thread with a single request? A reliable
test case is what is really needed to track any further problems down.

Mark





Re: Question about tomcat bugzilla which is resolved but not fixed.

2007-12-14 Thread Bill Barker

Mark Thomas [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 Dan wrote:
 Hi,
 I notice that this issue has been marked fixed, but the comments on there
 indicate that the bug isn't actually fixed, and that the problem remains.
 Indeed, looking in the source of 5.5.25 it does not seem to contain the 
 code
 in the patch in this issue.

 The actual patch applied is here.
 http://marc.info/?l=tomcat-dev&m=110740182826539&w=2

 Can anyone answer why not?

 Only generally. I haven't looked at the patch in detail but Bill knows 
 what
 he is doing. I suspect the proposed patch worked but didn't do things in
 the correct manner given how the Handler was designed.


The committed patch actually errors out sooner than the patch in 33374. 
Also, the committed patch works for e.g. ChannelNioSocket as well.

Also, the failure to throw an IOException back to the servlet was fixed in a 
later patch.

 I wonder if i should attempt to patch the
 current 5.5.25 and try this fix to see if it solves our problem?  Any 
 other
 suggestions?

 You could try but I doubt it would work any better than Bill's patch.


Actually, my patch should prevent that patch from doing much of anything at 
all.  But feel free to knock yourself out ;).

 ( The problem we have is threads in tomcat stuck in socketRead up to the
 maxThreads, yet no similar connections on apache webserver. (modjk))


Some firewalls forget to close the socket to the backend when it is closed 
on the frontend.  A work-around is to set a connectionTimeout on the 
<Connector /> element similar to what is configured on the Apache side. 
Personally, on a system that I actually care about the maxThreads value, I 
prefer to set the connectionTimeout only on the Tomcat side and configure to 
use CPING/CPONG on the Apache side.

 Can you reproduce this for one thread with a single request? A reliable
 test case is what is really needed to track any further problems down.

 Mark



 







RE: Advice about Tomcat on x86_64 architecture..

2007-10-18 Thread Peter Crowther
 From: Swapnil.Kale [mailto:[EMAIL PROTECTED] 
 Yes I did install the exe and not the zip file, which was creating a
 problem.
 Now I uninstalled it and, using the zip file and startup.bat, 
 Tomcat runs smoothly.

That's a fairly common picture.  Windows services are wonderful in
theory, but they do make life awkward sometimes!

 One thing i'm still wondering is the uninstall did not clear 
 the registry
 entries under Wow6432Node where i had entered the JVM param/ 
 options for Xms Xmx.

My guesses: Whoever wrote the uninstaller didn't expect someone to run
the 32-bit service installer code on a 64-bit system, so was clearing
the entries from the 64-bit registry not the 32-bit portion of the
registry.

 So 
 1) if i run the default startup script what is the heap size that is
 allocated on 64 bit jvm/ OS?

No size is specified, so the size will be the default size for the JVM
you're using.  Defaults are documented on Sun's web site for the Sun
JVM.

 2) How do I specify those sizes using the script?

Put in a line that sets JAVA_OPTS.  For example (from one of my own
startup scripts):

set JAVA_OPTS=-Xms128m -Xmx512m

- Peter




RE: Advice about Tomcat on x86_64 architecture..

2007-10-18 Thread Swapnil.Kale

Thanks a lot :) It helped a lot. All the problems are gone now. 
Thanks again!
Swapnil


Peter Crowther wrote:
 
 From: Swapnil.Kale [mailto:[EMAIL PROTECTED] 
 Yes I did install the exe and not the zip file, which was creating a
 problem.
 Now I uninstalled it and, using the zip file and startup.bat, 
 Tomcat runs smoothly.
 
 That's a fairly common picture.  Windows services are wonderful in
 theory, but they do make life awkward sometimes!
 
 One thing i'm still wondering is the uninstall did not clear 
 the registry
 entries under Wow6432Node where i had entered the JVM param/ 
 options for Xms Xmx.
 
 My guesses: Whoever wrote the uninstaller didn't expect someone to run
 the 32-bit service installer code on a 64-bit system, so was clearing
 the entries from the 64-bit registry not the 32-bit portion of the
 registry.
 
 So 
 1) if i run the default startup script what is the heap size that is
 allocated on 64 bit jvm/ OS?
 
 No size is specified, so the size will be the default size for the JVM
 you're using.  Defaults are documented on Sun's web site for the Sun
 JVM.
 
 2) How do I specify those sizes using the script?
 
 Put in a line that sets JAVA_OPTS.  For example (from one of my own
 startup scripts):
 
 set JAVA_OPTS=-Xms128m -Xmx512m
 
   - Peter
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Advice-about-Tomcat-on-x86_64-architecture..-tf4048957.html#a13279694
Sent from the Tomcat - User mailing list archive at Nabble.com.





RE: Advice about Tomcat on x86_64 architecture..

2007-10-17 Thread Swapnil.Kale

Hi,
I'm not sure about my thoughts here. 
Please correct if my understanding is wrong.

I tried installing Tomcat 32-bit on a 64-bit JVM but it didn't work.

I tried following the mini how-to to install Tomcat on a 64-bit OS but didn't
succeed.

What I found on the internet is that we need a 64-bit executable for Tomcat to run on
a 64-bit JVM and a 64-bit OS, of course.

Few Questions : 
1) Can I host a 32-bit compiled war file on 64-bit Tomcat / JVM, if my
Tomcat installation succeeds?
2) What if I recompile the war on a 64-bit JVM and host it on 64-bit Tomcat?
I've read that the size of the primitive datatypes in 64-bit is different,
so if I use Java Web Start and launch the application from a remote 32-bit
machine using JNLP, will it work on that 32-bit machine, having
64-bit machine compiled jars?

If I host the 32-bit compiled war on 64-bit Tomcat / 64-bit JVM,
what am I gonna miss/gain? Except the lot of heap memory.

The picture is still not clear, Can you throw some light on this?

help appreciated. 

Swapnil






Caldarale, Charles R wrote:
 
 From: prt [mailto:[EMAIL PROTECTED] 
 Subject: Re: Advice about Tomcat on x86_64 architecture..
 
 Are you sure about that is no need to compile the Tomcat on 64 Bit ?
 
 Definitely.
 
 What about the all application, 
 I can develop and compile on 32 bit and then transfer class 
 files to the server ?
 
 Correct.  One of the key attributes of Java is platform independence.
 
  - Chuck
 
 
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Advice-about-Tomcat-on-x86_64-architecture..-tf4048957.html#a13254957
Sent from the Tomcat - User mailing list archive at Nabble.com.





RE: Advice about Tomcat on x86_64 architecture..

2007-10-17 Thread Peter Crowther
 From: Swapnil.Kale [mailto:[EMAIL PROTECTED] 
 I tried installing Tomcat 32-bit on a 64-bit JVM but it didn't work.

That is very unexpected.  *Tomcat* is pure Java.  I can do a file copy
of my entire Tomcat installation and my apps from my 32-bit development
box to my 64-bit staging box (and back again) and Tomcat starts and runs
without error.  Note that I'm using the zip download and starting it
from the batch file; I do *not* install a Windows service, and I do
*not* use any native libraries.

 1) Can i host 32 bit compiled war file on 64 bit Tomcat / JVM ? If my
 tomcat installation succeeds

Yes.  I do this regularly.  The bytecodes emitted by the compiler are
identical whether the compiler runs on a virtual machine on a 32-bit,
64-bit, 36-bit or any other physical hardware.

 2) What if i recompile the war on 64 bit jvm and host it on 
 64 bit Tomcat?

Yes.  I do this more rarely (my dev box is my usual compile
environment), but it works.  I repeat: the bytecodes emitted by the
compiler are identical whether the compiler runs on a virtual machine on
a 32-bit, 64-bit, 36-bit or any other physical hardware.

 I've read that the size of the primitive datatypes in 64 bit 
 is different,
Whoever wrote that is wrong.  Java is not C.  Java primitive sizes are
standard, regardless of the physical machine.

 so if i use Java web start and launch the application from 
 remote machine
 32 bit using JNLP, will it work on that 32 bit machine? 
 having 64 bit machine compiled jars?

Yes.

 If I host the 32 bit compiled war on 64 bit Tomcat / 64 bit JVM,
 What am i gonna miss/gain? except the lot of heap memory

Nothing.

 The picture is still not clear, Can you throw some light on this?

The correct Java virtual machine must be installed for the operating
system and hardware.

Java bytecode in .class, .jar and .war files is portable.  Tomcat is
portable.

Native code is not portable.  The code for installing Tomcat as a
Windows service is not portable.

If you have installed Tomcat from something other than the zip file (or
the .tar.gz file) on the Apache Tomcat site, you may have some native
code that you were not expecting.  Install from the zip file, start
Tomcat via startup.bat and see whether the problem is still there.

- Peter




RE: Advice about Tomcat on x86_64 architecture..

2007-10-17 Thread Swapnil.Kale

Thanks a ton Peter,
The picture is pretty clear now. 
Yes I did install the exe and not the zip file, which was creating a
problem.
Now I uninstalled it and, using the zip file and startup.bat, Tomcat runs
smoothly.

One thing i'm still wondering is the uninstall did not clear the registry
entries under Wow6432Node where i had entered the JVM param/ options for Xms
Xmx.

So 
1) if i run the default startup script what is the heap size that is
allocated on 64 bit jvm/ OS?
2) How do I specify those sizes using the script?

Thanks again!

:) Swap.



Peter Crowther wrote:
 
 From: Swapnil.Kale [mailto:[EMAIL PROTECTED] 
 I tried installing Tomcat 32-bit on a 64-bit JVM but it didn't work.
 
 That is very unexpected.  *Tomcat* is pure Java.  I can do a file copy
 of my entire Tomcat installation and my apps from my 32-bit development
 box to my 64-bit staging box (and back again) and Tomcat starts and runs
 without error.  Note that I'm using the zip download and starting it
 from the batch file; I do *not* install a Windows service, and I do
 *not* use any native libraries.
 
 1) Can i host 32 bit compiled war file on 64 bit Tomcat / JVM ? If my
 tomcat installation succeeds
 
 Yes.  I do this regularly.  The bytecodes emitted by the compiler are
 identical whether the compiler runs on a virtual machine on a 32-bit,
 64-bit, 36-bit or any other physical hardware.
 
 2) What if i recompile the war on 64 bit jvm and host it on 
 64 bit Tomcat?
 
 Yes.  I do this more rarely (my dev box is my usual compile
 environment), but it works.  I repeat: the bytecodes emitted by the
 compiler are identical whether the compiler runs on a virtual machine on
 a 32-bit, 64-bit, 36-bit or any other physical hardware.
 
 I've read that the size of the primitive datatypes in 64 bit 
 is different,
 Whoever wrote that is wrong.  Java is not C.  Java primitive sizes are
 standard, regardless of the physical machine.
 
 so if i use Java web start and launch the application from 
 remote machine
 32 bit using JNLP, will it work on that 32 bit machine? 
 having 64 bit machine compiled jars?
 
 Yes.
 
 If I host the 32 bit compiled war on 64 bit Tomcat / 64 bit JVM,
 What am i gonna miss/gain? except the lot of heap memory
 
 Nothing.
 
 The picture is still not clear, Can you throw some light on this?
 
 The correct Java virtual machine must be installed for the operating
 system and hardware.
 
 Java bytecode in .class, .jar and .war files is portable.  Tomcat is
 portable.
 
 Native code is not portable.  The code for installing Tomcat as a
 Windows service is not portable.
 
 If you have installed Tomcat from something other than the zip file (or
 the .tar.gz file) on the Apache Tomcat site, you may have some native
 code that you were not expecting.  Install from the zip file, start
 Tomcat via startup.bat and see whether the problem is still there.
 
   - Peter
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Advice-about-Tomcat-on-x86_64-architecture..-tf4048957.html#a13257088
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Advice about Tomcat on x86_64 architecture..

2007-10-17 Thread Christopher Schultz

Swapnil,

Swapnil.Kale wrote:
 I tried installing Tomcat 32-bit on a 64-bit JVM but it didn't work.

What OS? Sounds like Windows.

It's possible that you lack the 32-bit support libraries required by the
32-bit JVM. Is there a 32-bit support package that needs to be installed?

 I tried following the mini how-to to install Tomcat on a 64-bit OS but didn't
 succeed.

Get the JVM working, first.

 What I found on the internet is that we need a 64-bit executable for Tomcat to run on
 a 64-bit JVM and a 64-bit OS, of course.

If you are using tcnative, yes, you will need to match your
architecture. Tomcat itself is 100% Java, so if the JVM runs, Tomcat
will run. Other connectors and stuff may need tweaking, such as
tcnative, APR module, isapi redirector, or tomcat.exe -- the MS Windows
service binary. All of these are optional.

 Few Questions : 
 1) Can i host 32 bit compiled war file on 64 bit Tomcat / JVM ? If my
 tomcat installation succeeds

Absolutely. Your WAR is not architecture-specific. Remember write once,
run anywhere? This is what that means.

 2) What if i recompile the war on 64 bit jvm and host it on 64 bit Tomcat?

Again, the WAR is architecture-neutral, as is Tomcat. Only the OS and
JVM have 32-bit and 64-bit versions.

 I've read that the size of the primitive datatypes in 64 bit is different,

You have read incorrectly. Java's primitive types are defined to have
specific sizes, regardless of the architecture of the machine on which
it is running. The JVM may choose to use differently-sized data under
the covers, but your Java code will be unaware of any such issues.

Hope that clears a few things up,
- -chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHFnGX9CaO5/Lv0PARAvDgAJ4mYnQiC0tGUNYwSwBC9hvr0JkISACgsdKH
M8aJEnVv0AXVAaC7pSZei5s=
=ToKc
-END PGP SIGNATURE-




Confusion about tomcat security bulletin

2007-08-01 Thread CHENG Jianhua
Dear All,
 
Our company has an application that uses Tomcat 5.0.27 and can't upgrade the
version.
I'm very concerned about the security issues related to this version.
 
Now I have some confusion about the Tomcat security bulletin
http://tomcat.apache.org/security-5.html .
For example:


Fixed in Apache Tomcat 5.5.23, 5.0.HEAD 

important: Information disclosure CVE-2005-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090  

Requests with multiple content-length headers should be rejected
as invalid. When multiple components (firewalls, caches, proxies and
Tomcat) process a sequence of requests where one or more requests
contain multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use, an attacker can poison a web cache,
perform an XSS attack and obtain sensitive information from requests
other than their own. Tomcat now returns 400 for requests with multiple
content-length headers.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.22



This issue does affect 5.0.27, but it says "Fixed in Apache Tomcat 5.5.23,
5.0.HEAD". Does 5.0.HEAD include 5.0.27 itself?
If so, does it mean that when I get the new release 5.0.27 from the Tomcat website
the issue will be fixed? And if a new issue has been reported, such as
moderate: Cross-site scripting CVE-2007-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355 , which
also affects 5.0.27 and is "Fixed in 5.0.HEAD", does it mean I must get
5.0.27 from the Tomcat website again to fix this issue?
 
 
Looking forward to your answer, and thanks a lot!
 
Best regards,
Cheng Jianhua
 
 

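The bulletin text quoted in the message above describes the mechanism behind CVE-2005-2090: two components that each tolerate duplicate Content-Length headers but pick different ones no longer agree on where one request ends and the next begins. The following is an added example written for this page, not Tomcat source code. It is a minimal HTTP/1.x request-head parser with three body-length policies: two lenient ones (first header wins, last header wins) standing in for components that disagree, and a strict one that answers 400 on any duplicate, as the bulletin says the fixed Tomcat does. The request bytes, host names and paths are constructed for the example.

```python
"""Added example (not Tomcat's code): duplicate Content-Length headers and
request desynchronisation, the issue described for CVE-2005-2090."""
from typing import Callable, List, Optional, Tuple

CRLF = b"\r\n"
Headers = List[Tuple[bytes, bytes]]


class BadRequest(Exception):
    """Raised where a server would answer 400."""


def parse_head(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split a request into (request line, [(name, value)], remaining bytes)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(CRLF)
    request_line = lines[0].decode("ascii")
    headers: Headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise BadRequest("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, rest


def content_length_values(headers: Headers) -> List[bytes]:
    return [v for n, v in headers if n == b"content-length"]


def strict_content_length(headers: Headers) -> Optional[int]:
    """Hardened rule: more than one Content-Length, or a non-numeric one, is 400."""
    values = content_length_values(headers)
    if not values:
        return None
    if len(values) > 1:
        raise BadRequest("multiple Content-Length headers")
    if not values[0].isdigit():
        raise BadRequest("non-numeric Content-Length")
    return int(values[0])


def first_wins(headers: Headers) -> Optional[int]:
    """Lenient rule: silently trust the first Content-Length seen."""
    values = [v for v in content_length_values(headers) if v.isdigit()]
    return int(values[0]) if values else None


def last_wins(headers: Headers) -> Optional[int]:
    """Lenient rule: silently trust the last Content-Length seen."""
    values = [v for v in content_length_values(headers) if v.isdigit()]
    return int(values[-1]) if values else None


def split_requests(stream: bytes,
                   policy: Callable[[Headers], Optional[int]]) -> List[Tuple[str, bytes]]:
    """Cut a byte stream into (request line, body) pairs using the given policy."""
    out: List[Tuple[str, bytes]] = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        n = policy(headers) or 0
        if n > len(rest):
            raise BadRequest("body shorter than declared Content-Length")
        out.append((request_line, rest[:n]))
        stream = rest[n:]
    return out


def strict_status(raw: bytes) -> int:
    """Status a fixed server returns for this request head: 400 on duplicates."""
    try:
        strict_content_length(parse_head(raw)[1])
    except BadRequest:
        return 400
    return 200


# Constructed attacker traffic: one POST whose two Content-Length headers
# disagree. Under the larger value the embedded GET is just body data; under
# the smaller value it becomes a second, attacker-chosen request.
SMUGGLED = b"GET /admin HTTP/1.1" + CRLF + b"Host: victim" + CRLF + CRLF
INNER_BODY = b"hello"
ATTACK = (
    b"POST /upload HTTP/1.1" + CRLF
    + b"Host: victim" + CRLF
    + b"Content-Length: " + str(len(INNER_BODY + SMUGGLED)).encode() + CRLF
    + b"Content-Length: " + str(len(INNER_BODY)).encode() + CRLF
    + CRLF
    + INNER_BODY + SMUGGLED
)

# A well-formed request with a single Content-Length, for comparison.
NORMAL = (b"POST /upload HTTP/1.1" + CRLF + b"Host: victim" + CRLF
          + b"Content-Length: 5" + CRLF + CRLF + b"hello")


if __name__ == "__main__":
    for name, policy in (("front end (first wins)", first_wins),
                         ("back end (last wins)", last_wins)):
        print(name, [line for line, _ in split_requests(ATTACK, policy)])
    print("strict parser status:", strict_status(ATTACK))
```

Run stand-alone, the "first wins" parser sees one POST whose body happens to contain GET bytes, while the "last wins" parser sees a POST followed by a GET /admin that nobody legitimately sent; the strict parser refuses the request outright. The strict rule here rejects even two identical Content-Length values, which matches the bulletin's wording ("returns 400 for requests with multiple content-length headers") rather than the more lenient handling some later specifications permit.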

RE: Confusion about tomcat security bulletin

2007-08-01 Thread CHENG Jianhua
Rainer,

OK, I see now.

Thank you very much! 

Best regards,
Cheng Jianhua
 

-Original Message-
From: Rainer Jung [mailto:[EMAIL PROTECTED] 
Sent: 1 August 2007 16:35
To: Tomcat Users List
Subject: Re: Confusion about tomcat security bulletin

5.0.HEAD is the most recent, unreleased version of the 5.0 code branch. So 
this means the problem will be fixed in any new 5.0 release.

Currently there are no plans to do a new 5.0 release. So if security is a real 
concern for you, you should upgrade to at least 5.5 (which shouldn't be a big 
deal) or to 6.0.

If you can't upgrade and you must fix the issue, you will need to build from 
source (which is a little painful for TC 5.0).

Regards,

Rainer

CHENG Jianhua wrote:
 Dear All,
  
 Our company has an application that uses Tomcat 5.0.27 and can't upgrade 
 the version.
 I'm very concerned about the security issues related to this version.
  
 Now I have some confusion about the Tomcat security bulletin 
 http://tomcat.apache.org/security-5.html .
 For example:
 
 Fixed in Apache Tomcat 5.5.23, 5.0.HEAD   
 
   important: Information disclosure CVE-2005-2090 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
 
   Requests with multiple content-length headers should be rejected as 
 invalid. When multiple components (firewalls, caches, proxies and
 Tomcat) process a sequence of requests where one or more requests 
 contain multiple content-length headers and several components do not 
 reject the request and make different decisions as to which 
 content-length header to use, an attacker can poison a web cache, 
 perform an XSS attack and obtain sensitive information from requests 
 other than their own. Tomcat now returns 400 for requests with 
 multiple content-length headers.
 
   Affects: 5.0.0-5.0.30, 5.5.0-5.5.22
 
 This issue does affect 5.0.27, but it says "Fixed in Apache Tomcat 5.5.23, 
 5.0.HEAD". Does 5.0.HEAD include 5.0.27 itself?
  If so, does it mean that when I get the new release 5.0.27 from the Tomcat website 
 the issue will be fixed? And if a new issue has been reported, such as
 moderate: Cross-site scripting CVE-2007-1355 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355 , which 
 also affects 5.0.27 and is "Fixed in 5.0.HEAD", does it mean I must get
 5.0.27 from the Tomcat website again to fix this issue?
  
  
 Looking forward to your answer, and thanks a lot!
  
 Best regards,
 Cheng Jianhua





