RE: How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread paul.leo
After a quick meeting with client this may be a moot point.
On this page:
https://tomcat.apache.org/tomcat-8.5-doc/windows-service-howto.html
I saw command line references (and as I'm reviewing, it's becoming more
clear that I'm not understanding use)  for:

--User   User account used for running executable. It is used only
for StartMode java or exe and enables running applications as service under
account without LogonAsService privilege.
--Password  Password for user account set by --User parameter

It looks like this is when you install the service.
I was thinking that I would have to specify password somewhere.  I don't
think that's the case.

Sorry to be a little misinformed.



-Original Message-
From: Mark Thomas  
Sent: Wednesday, June 22, 2022 10:33 AM
To: users@tomcat.apache.org
Subject: Re: How to configure Tomcat 8.5.x to run in with a different
windows service user, and what are minimum permissions

On 22/06/2022 17:02, paul@stgconsulting.com wrote:
> Hello all,
> 
> I have been tasked with researching options for running Tomcat 8.5.x as a 
> windows service, but with a different user.
> 
> I need to know what minimum rights for user would be, and also how to 
> pass user & password.  I think I see how to pass user and password.  I 
> don't see how to encrypt password though.
> 
> Other options would be appreciated as well.

Any reason running as the default (assuming a recent Tomcat version)
LocalService isn't sufficiently secure?

The minimum permissions would depend on the app but off the top of my head
that will be at least:
- file permissions as documented in the security guide
- run as service
- network access

Exactly where are you looking to encrypt the password?

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






Re: How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread Mark Thomas

On 22/06/2022 17:02, paul@stgconsulting.com wrote:
> Hello all,
>
> I have been tasked with researching options for running Tomcat 8.5.x as a windows
> service, but with a different user.
>
> I need to know what minimum rights for user would be, and also how to pass
> user & password.  I think I see how to pass user and password.  I don't see
> how to encrypt password though.
>
> Other options would be appreciated as well.


Any reason running as the default (assuming a recent Tomcat version) 
LocalService isn't sufficiently secure?


The minimum permissions would depend on the app but off the top of my 
head that will be at least:

- file permissions as documented in the security guide
- run as service
- network access

Exactly where are you looking to encrypt the password?

Mark




How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread paul.leo
Hello all,

 

I have been tasked with researching options for running Tomcat 8.5.x as a windows
service, but with a different user.  

I need to know what minimum rights for user would be, and also how to pass
user & password.  I think I see how to pass user and password.  I don't see
how to encrypt password though.

Other options would be appreciated as well.

 

Best,

Paul



Re: Configure Tomcat development using NetBeans IDE

2022-02-25 Thread John Barrow
Mark,

Just as a follow up to the two rogue test files

tomcat\test\org\apache\coyote\http2\TestStream.java
tomcat\test\util\TestCookieFilter.java

I copied the util and trailers folders into the java folder and that
didn't make any difference. Also I noticed that, for the
TestStream.java source it mentions

import trailers.ResponseTrailers;

and when I hover over the exception it says that 'package trailers'
doesn't exist, whereas there is a POJC in the trailers folder
(ResponseTrailers.java).

Both these points may be irrelevant or, in the case of the second
point - package = java class as far as import goes, but I mention them
just in case.

John

On Thu, 24 Feb 2022 at 15:13, John Barrow  wrote:
>
> Mark,
>
> I have now got grep working (following a post from another member
> indicating that built into git bash!)
>
> > ant download-test-compile
>
> This is useful to know as I didn't run the tests script until later.
>
> > ant download-validate
>
> This didn't report Checkstyle missing - probably as not needed for
> actual development. Running Checkstyle using
>
> ant -Dexecute.validate=true validate
>
> did then update the libraries folder
>
> > I doubt you'll need a release build
>
> So do I by the sound of it - I will probably come back to the forum
> when looking to commit anything for the first time but I assume that I
> will just upload any changes that, once approved, will form part of
> the next release. Of course I will be able to benefit from the newly
> developed time-delay in the meantime :)
>
> I have passed on your observation "but NetBeans is not taking into
> account the isELIgnored="true" page directive" to the NetBeans
> community
>
> > I'd see if you can disable the JSP validation. If it makes you feel better, 
> > Eclipse's JSP validation has similar issues.
>
> That has no effect! We can drop the issues over JSP as the NetBeans
> community has taken up that baton.
>
> > That is an abstract base class. You won't be able to run it.
>
> Trust me to pick that one! I have only ever written simple unit tests
> so not needed to create any abstract classes in my testing, but I
> should have spent more time looking into your source and then would
> have spotted the 'abstract' keyword!!  In a very weak defence, I tend
> to use interfaces rather than abstract classes. Anyway, thanks for the
> naming conventions, that will prove time-saving. For good measure, I
> ran TestDefaultServlet and that ran the tests successfully.
>
> Thanks for the explanation of the dual 'bin' folders.
>
> > Yes, the Java compiler is smart enough to generate the byte code as if it 
> > was generated with Java 11 so you are fine to stick with Java 17 as long as 
> > the build version is 11.
>
> I have amended my project options to reflect this and rebuilt the
> project to check everything still works - it does!
>
> > Ah. You need to add webapps/examples/WEB-INF/classes as a source folder. 
> > That should fix the two issues above.
>
> I must still be missing a link here, I have added that folder to the
> list of  elements. I also added it to the  since, as
> the project references files inside this folder, it seemed applicable
> to include it. However, it didn't appear to make any difference - i.e.
> NetBeans still couldn't tie the source back to those Java classes.
>
> I have checked that I have typed the paths correctly and I can see the
> trailers.ResponseTrailers (& util.CookieFilter) file(s) in the
> WEB-APP\classes and visible in the project folders (I assume as added
> to ) to back-up paths are valid. NetBeans doesn't let me take
> any action to try and find the file to resolve the [!], I assume
> because it is a free form Ant project and so configuration is
> 'read-only' once loaded (I would have options in Maven to locate the
> missing resource).
>
> I have added my current project.xml and Trailers.ResponseTrailers.jpg
> to the DropBox folder in case either of them helps. My only
> observation is that, as I can't find a corresponding XSD file for
> project.xml, there is another attribute I need to set to indicate that
> these are class files in a different folder to the one the other
> package files are in, but that seems unlikely.
>
> > I think you mean 8000 for remote debugging but otherwise great. If you can 
> > get this working, you are doing really well.
>
> I was using 8080 and appeared to be working although I have not used
> it in anger yet. I had amended the catalina.bat line "set
> JPDA_ADDRESS=localhost:8080, because I connect to Tomcat using
> http://localhost:8080/examples. Your statement concerned me slightly
> in that I now believe that I had made a wrong assumption. Anyway, I
> amended the catalina.bat back and set NetBeans remote debugging to the
> same and it worked as well so I will leave it at 8000. I couldn't find
> anything on the web re Port 8000 vs 8080 (apart from "use which one
> you want"), but I suspect that, ideally, the debugging communications
> should be using a different port 

Re: [OT] Configure Tomcat development using NetBeans IDE

2022-02-24 Thread Christopher Schultz

John,

On 2/23/22 05:08, John Barrow wrote:

> I fall into that historic stereotypical old-school developer type
> labelled 'lazy'

You're in good company.

Awww.. the threevirtues dot com website has been hijacked by some stupid 
advertising company. This is why we can't have nice things.


Google for a better reference; I didn't want to post any of them in this 
forum.


-chris




Re: Configure Tomcat development using NetBeans IDE

2022-02-24 Thread John Barrow
Mark,

I have now got grep working (following a post from another member
indicating that built into git bash!)

> ant download-test-compile

This is useful to know as I didn't run the tests script until later.

> ant download-validate

This didn't report Checkstyle missing - probably as not needed for
actual development. Running Checkstyle using

ant -Dexecute.validate=true validate

did then update the libraries folder

> I doubt you'll need a release build

So do I by the sound of it - I will probably come back to the forum
when looking to commit anything for the first time but I assume that I
will just upload any changes that, once approved, will form part of
the next release. Of course I will be able to benefit from the newly
developed time-delay in the meantime :)

I have passed on your observation "but NetBeans is not taking into
account the isELIgnored="true" page directive" to the NetBeans
community

> I'd see if you can disable the JSP validation. If it makes you feel better, 
> Eclipse's JSP validation has similar issues.

That has no effect! We can drop the issues over JSP as the NetBeans
community has taken up that baton.

> That is an abstract base class. You won't be able to run it.

Trust me to pick that one! I have only ever written simple unit tests
so not needed to create any abstract classes in my testing, but I
should have spent more time looking into your source and then would
have spotted the 'abstract' keyword!!  In a very weak defence, I tend
to use interfaces rather than abstract classes. Anyway, thanks for the
naming conventions, that will prove time-saving. For good measure, I
ran TestDefaultServlet and that ran the tests successfully.

Thanks for the explanation of the dual 'bin' folders.

> Yes, the Java compiler is smart enough to generate the byte code as if it was 
> generated with Java 11 so you are fine to stick with Java 17 as long as the 
> build version is 11.

I have amended my project options to reflect this and rebuilt the
project to check everything still works - it does!

> Ah. You need to add webapps/examples/WEB-INF/classes as a source folder. That 
> should fix the two issues above.

I must still be missing a link here, I have added that folder to the
list of  elements. I also added it to the  since, as
the project references files inside this folder, it seemed applicable
to include it. However, it didn't appear to make any difference - i.e.
NetBeans still couldn't tie the source back to those Java classes.

I have checked that I have typed the paths correctly and I can see the
trailers.ResponseTrailers (& util.CookieFilter) file(s) in the
WEB-APP\classes and visible in the project folders (I assume as added
to ) to back-up paths are valid. NetBeans doesn't let me take
any action to try and find the file to resolve the [!], I assume
because it is a free form Ant project and so configuration is
'read-only' once loaded (I would have options in Maven to locate the
missing resource).

I have added my current project.xml and Trailers.ResponseTrailers.jpg
to the DropBox folder in case either of them helps. My only
observation is that, as I can't find a corresponding XSD file for
project.xml, there is another attribute I need to set to indicate that
these are class files in a different folder to the one the other
package files are in, but that seems unlikely.

> I think you mean 8000 for remote debugging but otherwise great. If you can 
> get this working, you are doing really well.

I was using 8080 and appeared to be working although I have not used
it in anger yet. I had amended the catalina.bat line "set
JPDA_ADDRESS=localhost:8080, because I connect to Tomcat using
http://localhost:8080/examples. Your statement concerned me slightly
in that I now believe that I had made a wrong assumption. Anyway, I
amended the catalina.bat back and set NetBeans remote debugging to the
same and it worked as well so I will leave it at 8000. I couldn't find
anything on the web re Port 8000 vs 8080 (apart from "use which one
you want"), but I suspect that, ideally, the debugging communications
should be using a different port to the application otherwise there
may be conflicts but couldn't find anything to back up that
hypothesis.

> - Patch file in diff -u format attached to a BugZilla issue
> - GitHub pull request
> Happy to provide pointers for either approval if needed.

Unfortunately, I will now probably have to wait a bit for that. I will
soak the changes to the NetBeans configuration files while I explore
Tomcat, once the webapps/examples/WEB-INF/classes issue is sorted and
(hopefully) the NetBeans community has resolved the other exceptions.
That way, if I discover another missing link, I can incorporate it and
upload all the configuration changes at once to minimise confusion.
However, I am away in a week's time - 5th March (Snowboarding at
last!), and have to catch up with some other chores / tasks before
getting back on the laptop. Hopefully, we can get these last minor

Re: Configure Tomcat development using NetBeans IDE

2022-02-23 Thread Mark Thomas

On 22/02/2022 17:59, John Barrow wrote:

John,



Thanks for separating this out into a new thread.




> As a life-long supporter of Subversion, this was my first foray into
> the world of git, but I believe, after a quick crash course, I have
> managed to have forked and cloned Tomcat onto my laptop!
>
> > This is where using a clone would speed things up as you'd be able to fetch the
> > update from Git.
>
> Therefore, you can now assume that I can speed things up :)
>
> I have built Tomcat using Ant.


Great. If you can do this, you are at least 90% of the way there.




> While I did get
> warnings about deprecated features as expected, I also had quite a
> number of other warnings that looked a bit concerning (which you asked
> me to submit to you)
>
> e.g. - WARN aQute.bnd.plugin.jpms.JPMSModuleInfoPlugin - Can't find a
> module name for imported package: jakarta.websocket


Ah. Yes, those. You can ignore those too. Although thanks for checking 
as looking at your logs I spotted a typo which I've now fixed.



> Anyway, to cut a long investigation short, I found two environments
> that were out of sync.
>
> As far as I can tell, in nbproject\project.xml, the classpath just
> underneath the  element
>
> output/classes:output/testclasses:${base.path}/junit-4.13.2/junit-4.13.2.jar:${base.path}/easymock-4.3/easymock-4.3.jar:${base.path}/objenesis-3.2/objenesis-3.2.jar:${base.path}/cglib-3.3.0/cglib-nodep-3.3.0.jar:${base.path}/hamcrest/hamcrest-2.2.jar
>
> should look more like
>
> output/classes:output/testclasses:${base.path}/junit-4.13.2/junit-4.13.2.jar:${base.path}/easymock-4.3/easymock-4.3.jar:${base.path}/objenesis-3.2/objenesis-3.2.jar:${base.path}/cglib-3.3.0/cglib-nodep-3.3.0.jar:${base.path}/hamcrest-2.2/hamcrest-2.2.jar:${base.path}/unboundid-ldapsdk-6.0.3/unboundid-ldapsdk-6.0.3.jar


Agreed.


> There was a typo in the hamcrest folder name (missing version) and
> some of the classes the test sources referred to were missing. I used
> the Maven repository to identify the latest versions and downloaded
> them.
>
> The reason that the jUnit classes weren't found is that they weren't
> being downloaded into the {base.path} folder as part of the 'ant'
> script, used to build Tomcat, but looks like only the jars needed to
> build the project were (but that's an assumption of mine). I do not
> know enough about Ant to try and determine why this may be.


Ant only downloads those files if you try and run the tests via Ant. You 
can trigger those downloads using:


ant download-test-compile

This might also be of interest

ant -projecthelp

Only documented targets are listed and I am fairly sure there are a few 
targets that need to be documented so they appear in that list.



> Also, while looking here, should the  be at least
> updated to '11' as '1.7' gives a bucketload of exceptions when loaded
> into NetBeans?


Agreed.


> So, my folder structure now looks like below, with jUnit, easyMock,
> hamcrest, objenesis, unboundid having been downloaded manually. I may
> have missed one out of that list as I forgot to take a directory
> listing prior to adding the additional folders to compare with.
>
> C:\Community\DownloadedTomcatLibraries\bnd-6.1.0
> C:\Community\DownloadedTomcatLibraries\cglib-3.3.0
> C:\Community\DownloadedTomcatLibraries\commons-daemon-1.2.4
> C:\Community\DownloadedTomcatLibraries\derby-10.15.2.0
> C:\Community\DownloadedTomcatLibraries\easymock-4.3
> C:\Community\DownloadedTomcatLibraries\ecj-4.22
> C:\Community\DownloadedTomcatLibraries\hamcrest-2.2
> C:\Community\DownloadedTomcatLibraries\jacoco-0.8.7
> C:\Community\DownloadedTomcatLibraries\jaxrpc-1.1-rc4
> C:\Community\DownloadedTomcatLibraries\junit-4.13.2
> C:\Community\DownloadedTomcatLibraries\migration-1.0.0
> C:\Community\DownloadedTomcatLibraries\objenesis-3.2
> C:\Community\DownloadedTomcatLibraries\osgi-annotations-1.1.1
> C:\Community\DownloadedTomcatLibraries\unboundid-6.0.3
> C:\Community\DownloadedTomcatLibraries\unboundid-ldapsdk-6.0.3
> C:\Community\DownloadedTomcatLibraries\wsdl4j-1.6.3
> C:\Community\DownloadedTomcatLibraries\bnd-6.1.0\biz.aQute.bnd-6.1.0.jar
> C:\Community\DownloadedTomcatLibraries\cglib-3.3.0\cglib-nodep-3.3.0.jar


I noticed Checkstyle is missing.

ant download-validate

If you submit a patch it is helpful if you configure and run Checkstyle 
(see section 8 of BUILDING.txt for details)


If you do a release build you'll end up downloading at least one 
additional library - the NSIS installer but unless you want to tweak the 
Windows installer I doubt you'll need a release build.



> I still have a handful of red ! against some of the test files.
>
> org.apache.catalina.ant.TestDeployTask
>    - I have a red ! flag against this file, but the source file looks
> to be fine (no markers against any of the lines to backup the red !
> against the file). I will ask the Netbeans community if I can find out
> what that means!


Odd. Eclipse does that sometimes. Sometimes opening and closing the file 
fixes it. Sometimes I just delete the warning and it doesn't come back. 
Don't know if 

Re: Configure Tomcat development using NetBeans IDE

2022-02-23 Thread John Barrow
Hi Greg,

> You should not need to reload tomcat for code unless NetBeans cannot handle 
> hot reload.

I don't believe that there is a problem with NetBeans, it updates the
active code files in the WEB_APP/classes perfectly, but then as
previously discussed in the other thread, there is no file locking
(not possible) and as soon as multiple files need recompiling (in my
case a listener and a class) we risk having an unstable deployment,
albeit for a fraction of a second. Tomcat detects the first file
change and that triggers the reload of the webapp. However, the
listener class (in my case) is still being created / updated and
causes Tomcat to crash (understandably so). Weirdly enough, I never
had an issue until I upgraded to Tomcat 10, but I suspect that was a
fluke of the project I was working on rather than the upgrade. I
mainly create Java Servlets (brilliant API by the way) and so am
installing many small individual class files.

>  I would stop and restart tomcat for method signature changes, new classes 
> etc.  It's quick and stops reload issues.

You are right, Tomcat is ridiculously fast to Start / Stop (2 mouse
clicks for me, 5 seconds). In fact when I first installed Tomcat that
is how I operated until I discovered reloadable - and I fall into that
historic stereotypical old-school developer type labelled 'lazy', true
in my case. I could now halve the number of keystrokes (and shave 5
seconds off my deploy) so now it was F11 (recompile), F5 (browser
refresh). Of course, once you have been tempted by the serpent, it is
so hard to have your candy taken away from you hence me spending a
week attempting to install Tomcat and implement some protection for
this scenario :)

John


On Wed, 23 Feb 2022 at 08:10, Greg Huber  wrote:
>
> There have been lots of emails on this, sorry if I have missed something..
>
> Although I don't use net beans, I use Eclipse with the venerable Sysdeo
> Tomcat Plugin (modified), and from my experience set reloadable =
> "false".  I would stop and restart tomcat for method signature changes,
> new classes etc.  It's quick and stops reload issues.
>
> You should not need to reload tomcat for code unless, net beans cannot
> handle hot reload.




Re: Configure Tomcat development using NetBeans IDE

2022-02-23 Thread Greg Huber

There have been lots of emails on this, sorry if I have missed something..

Although I don't use net beans, I use Eclipse with the venerable Sysdeo 
Tomcat Plugin (modified), and from my experience set reloadable = 
"false".  I would stop and restart tomcat for method signature changes, 
new classes etc.  It's quick and stops reload issues.


You should not need to reload tomcat for code unless, net beans cannot 
handle hot reload.



On 22/02/2022 17:59, John Barrow wrote:

> Hi,
>
> Firstly, this is actually a continuation of a previous thread
> (specifically the email from Mark Thomas, dated 21/02/2022 08:10)
> discussing the specification for enhancing the reloading of webapps
> after changes to the deployed files. This thread is titled ‘ is too quick to respond’ and remains active with
> outstanding discussion points. However, in order to try and implement
> the suggested changes, I needed to create a development environment
> and so the thread quickly shifted into a bunch of configuration issues
> which took the thread off topic.
>
> Secondly, this email is quite long as I wanted to describe the steps I
> took to get to where I am now (briefly, nearly there, just can't fully
> test, unless all of them!). I have also included some suggestions for
> alterations to the NetBeans configuration files that I am happy to
> commit back to git if my understanding is correct./ deductions are
> correct although one of them appears to be an issue with the ant build
> and I am not confident enough to research this.
>
> There are a couple of attachments that, as before, I have placed in my
> shared Dropbox folder, accessed from
>
> https://www.dropbox.com/sh/2ewipogzr48qcxi/AAAf3Rqv6WoRO9hyMC0W7P2za?dl=0
>
> Mark, your insightful email has proved invaluable and having spent a
> couple of days working through this, it has provided the catalyst for
> me to be able to start joining the dots to achieving a full
> development environment.
>
> So, responding to each of your suggestions has taken me on a massive
> learning curve, but
>
> Firstly, I started back with a blank piece of paper.
>
> > If your eventual aim is to provide a pull request to address this issue then
> > I'd recommend:
> >  - Fork the Tomcat project in GitHub
> >  - Checkout your clone
>
> As a life-long supporter of Subversion, this was my first foray into
> the world of git, but I believe, after a quick crash course, I have
> managed to have forked and cloned Tomcat onto my laptop!
>
> > This is where using a clone would speed things up as you'd be able to fetch the
> > update from Git.
>
> Therefore, you can now assume that I can speed things up :)
>
> I have built Tomcat using Ant.
>
> Ran the amended 'ant ide-netbeans' script (checked GitHub to see what
> changes had been made - the details of this change log request turned
> out to be very useful later!)
>
> > Hmm. You shouldn't see any warnings about modules. A handful of warnings about
> > deprecation are expected. If you still see these warnings then yes, please
> > provide a copy so we can take a look.
>
> Launched NetBeans and did a clean > deploy. The results are in my
> shared DropBox folder (along with everything else) called "Ant Clean
> and Build from Netbeans.txt" and it did actually look to have done a
> successful build if you believe the summary line! While I did get
> warnings about deprecated features as expected, I also had quite a
> number of other warnings that looked a bit concerning (which you asked
> me to submit to you)
>
> e.g. - WARN aQute.bnd.plugin.jpms.JPMSModuleInfoPlugin - Can't find a
> module name for imported package: jakarta.websocket
>
> At this point, I still had a lot of red [!] against the Tests folder,
> just as before and so the version amendment for jUnit didn't appear to
> work, although I verified that it is the latest jUnit v4 build from
> Mavens repository. As an aside, as I am sure you are aware, NetBeans
> didn't support any later versions of jUnit using the Ant framework as
> they believe that no-one should be using Ant anymore and should
> migrate to Maven / Gradle!
>
> So, rather than push back immediately, I thought I would spend some
> time yesterday trying to figure it out, given that you had (by your
> change) hinted which of the files might be related to my issue. Also,
> your reference to tomcat\res\ide-support\netbeans\README.txt was
> enlightening!
>
> Anyway, to cut a long investigation short, I found two environments
> that were out of sync.
>
> As far as I can tell, in nbproject\project.xml, the classpath just
> underneath the  element
>
> output/classes:output/testclasses:${base.path}/junit-4.13.2/junit-4.13.2.jar:${base.path}/easymock-4.3/easymock-4.3.jar:${base.path}/objenesis-3.2/objenesis-3.2.jar:${base.path}/cglib-3.3.0/cglib-nodep-3.3.0.jar:${base.path}/hamcrest/hamcrest-2.2.jar
>
> should look more like


Configure Tomcat development using NetBeans IDE

2022-02-22 Thread John Barrow
Hi,

Firstly, this is actually a continuation of a previous thread
(specifically the email from Mark Thomas, dated 21/02/2022 08:10)
discussing the specification for enhancing the reloading of webapps
after changes to the deployed files. This thread is titled ‘ is too quick to respond’ and remains active with
outstanding discussion points. However, in order to try and implement
the suggested changes, I needed to create a development environment
and so the thread quickly shifted into a bunch of configuration issues
which took the thread off topic.

Secondly, this email is quite long as I wanted to describe the steps I
took to get to where I am now (briefly, nearly there, just can't fully
test, unless all of them!). I have also included some suggestions for
alterations to the NetBeans configuration files that I am happy to
commit back to git if my understanding is correct./ deductions are
correct although one of them appears to be an issue with the ant build
and I am not confident enough to research this.

There are a couple of attachments that, as before, I have placed in my
shared Dropbox folder, accessed from

https://www.dropbox.com/sh/2ewipogzr48qcxi/AAAf3Rqv6WoRO9hyMC0W7P2za?dl=0

Mark, your insightful email has proved invaluable and having spent a
couple of days working through this, it has provided the catalyst for
me to be able to start joining the dots to achieving a full
development environment.

So, responding to each of your suggestions has taken me on a massive
learning curve, but

Firstly, I started back with a blank piece of paper.

> If your eventual aim is to provide a pull request to address this issue then 
> I'd recommend:
>  - Fork the Tomcat project in GitHub
>  - Checkout your clone

As a life-long supporter of Subversion, this was my first foray into
the world of git, but I believe, after a quick crash course, I have
managed to have forked and cloned Tomcat onto my laptop!

> This is where using a clone would speed things up as you'd be able to fetch 
> the update from Git.

Therefore, you can now assume that I can speed things up :)

I have built Tomcat using Ant.

Ran the amended 'ant ide-netbeans' script (checked GitHub to see what
changes had been made - the details of this change log request turned
out to be very useful later!)

> Hmm. You shouldn't see any warnings about modules. A handful of warnings 
> about deprecation are expected. If you still see these warnings then yes, 
> please provide a copy so we can take a look.

Launched NetBeans and did a clean > deploy. The results are in my
shared DropBox folder (along with everything else) called "Ant Clean
and Build from Netbeans.txt" and it did actually look to have done a
successful build if you believe the summary line! While I did get
warnings about deprecated features as expected, I also had quite a
number of other warnings that looked a bit concerning (which you asked
me to submit to you)

e.g. - WARN aQute.bnd.plugin.jpms.JPMSModuleInfoPlugin - Can't find a
module name for imported package: jakarta.websocket

At this point, I still had a lot of red [!] against the Tests folder,
just as before and so the version amendment for jUnit didn't appear to
work, although I verified that it is the latest jUnit v4 build from
Mavens repository. As an aside, as I am sure you are aware, NetBeans
didn't support any later versions of jUnit using the Ant framework as
they believe that no-one should be using Ant anymore and should
migrate to Maven / Gradle!

So, rather than push back immediately, I thought I would spend some
time yesterday trying to figure it out, given that you had (by your
change) hinted which of the files might be related to my issue. Also,
your reference to tomcat\res\ide-support\netbeans\README.txt was
enlightening!

Anyway, to cut a long investigation short, I found two environments
that were out of sync.

As far as I can tell, in nbproject\project.xml, the classpath just
underneath the  element

output/classes:output/testclasses:${base.path}/junit-4.13.2/junit-4.13.2.jar:${base.path}/easymock-4.3/easymock-4.3.jar:${base.path}/objenesis-3.2/objenesis-3.2.jar:${base.path}/cglib-3.3.0/cglib-nodep-3.3.0.jar:${base.path}/hamcrest/hamcrest-2.2.jar

should look more like

   output/classes:output/testclasses:${base.path}/junit-4.13.2/junit-4.13.2.jar:${base.path}/easymock-4.3/easymock-4.3.jar:${base.path}/objenesis-3.2/objenesis-3.2.jar:${base.path}/cglib-3.3.0/cglib-nodep-3.3.0.jar:${base.path}/hamcrest-2.2/hamcrest-2.2.jar:${base.path}/unboundid-ldapsdk-6.0.3/unboundid-ldapsdk-6.0.3.jar

There was a typo in the hamcrest folder name (missing version) and
some of the classes the test sources referred to were missing. I used
the Maven repository to identify the latest versions and downloaded
them.

The reason that the jUnit classes weren't found is that they weren't
being downloaded into the {base.path} folder as part of the 'ant'
script, used to build Tomcat, but looks like only the jars 

Re: Configure Tomcat for specific Urls on specific Port

2020-04-06 Thread Martin Grigorov
Hi,

On Mon, Apr 6, 2020 at 9:32 AM Vijay Roy  wrote:

> Hi  Team ,
>
> We are using tomcat in one of our projects and we have tomcat ports 8080
> and 8081 opened by the following configurations.
>
>server=""
>connectionTimeout="2"
>redirectPort="8443" maxHttpHeaderSize="16384"/>
> server=""
>connectionTimeout="2"
>redirectPort="8443" maxHttpHeaderSize="16384"/>
>
> Now we want to allow only specific url on each port. For eg  urls
> containing text /request1 should be allowed to access only on port 8080 and
> if  /request1 is sent to port 8081 it should be blocked and vice versa.
>
> Could you please let us know what are the configurations that are required
> if we have configure this behavior in our tomcat.


You could use a simple Servlet Filter that uses #getLocalPort() and
#getRequestURI() to implement simple authorization strategy.
There is nothing Tomcat specific in it. You can reuse it on any Servlet
container.

Regards,
Martin


>
>
> Tomcat Version Used :- 8.5.24
> OS Name:Linux
> OS Version: 3.10.0-1062.12.1.el7.x86_64
>
> Thanks & Regards
> Vijay
>
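One way to write the filter suggested in the reply above, as an added example that is not part of the thread. It matches on the container-decoded servlet path rather than the raw `getRequestURI()` string, which is neither URL-decoded nor stripped of path parameters; the `/request2` prefix, the prefix-matching rule and the 404 response are assumptions.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects requests for a restricted path prefix that arrive on the wrong connector port. */
@WebFilter("/*")
public class PortPathFilter implements Filter {

    // Path prefix (relative to the context root) -> the only local port allowed to serve it.
    // "/request1" and ports 8080/8081 come from the question; "/request2" is hypothetical.
    private static final Map<String, Integer> ALLOWED_PORT = new LinkedHashMap<>();
    static {
        ALLOWED_PORT.put("/request1", 8080);
        ALLOWED_PORT.put("/request2", 8081);
    }

    /** Pure decision function so the rule can be unit-tested without a container. */
    static boolean isAllowed(String path, int localPort) {
        for (Map.Entry<String, Integer> rule : ALLOWED_PORT.entrySet()) {
            String prefix = rule.getKey();
            // Match the prefix itself or anything below it, but not "/request10".
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return rule.getValue() == localPort;
            }
        }
        // Paths without a rule stay reachable on every connector.
        return true;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed; required by the Servlet 3.1 Filter interface.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() and getPathInfo() are already decoded and normalized by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        // getLocalPort() is the port of the connector that accepted the connection,
        // not a client-supplied value such as the Host header.
        if (!isAllowed(path, request.getLocalPort())) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

The filter is only as strong as the network path in front of it: if both ports are reachable by the same clients, the rule separates URLs but not callers.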


Configure Tomcat for specific Urls on specific Port

2020-04-06 Thread Vijay Roy
Hi  Team ,

We are using tomcat in one of our projects and we have tomcat ports 8080
and 8081 opened by the following configurations.




Now we want to allow only specific url on each port. For eg  urls
containing text /request1 should be allowed to access only on port 8080 and
if  /request1 is sent to port 8081 it should be blocked and vice versa.

Could you please let us know what are the configurations that are required
if we have configure this behavior in our tomcat.

Tomcat Version Used :- 8.5.24
OS Name:Linux
OS Version: 3.10.0-1062.12.1.el7.x86_64

Thanks & Regards
Vijay


RE: Cant configure Tomcat isapi redirect in IIS

2019-04-23 Thread Shpilsky Rita (UniCredit Services)
This message has been marked as UC group - PUBLIC

Yes I used the official guide and triple checked everything like 10 times. I am 
uninstalling it now and trying to do it from scratch at this point

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, April 23, 2019 4:36 PM
To: users@tomcat.apache.org
Subject: Re: Cant configure Tomcat isapi redirect in IIS

On 23/04/2019 20:32, Shpilsky Rita (UniCredit Services) wrote:
> This message has been marked asUC group - PUBLIC
>
>  
>
> Hi,
>
> I have tomcat 9.0.16 installed on windows 2012 server, 64 bit version
>
> I went through all the steps including getting the isapi_redirect.dll
> in
> 64 bit version, but when I try to open one of the applications
> residing in webapps folder of tomcat I get a pop up asking if I want
> to open it instead of executing the. Also I check isapi_redirect log
> file , it doesn't look that its even getting through isapi.
>
> I have tried 100 suggestions from different forums but nothing helped.
> Please let me know what would be a solution

Have you followed the official configuration steps here:
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
?

I know they are correct as I tested them against every supported version of 
Windows from 7 through to Server 2016.

If you have and it still isn't working, it is a case of going through each  
part step by step and double checking until you find the bit you missed. I've 
been there several times and I always (eventually) find the step I missed / got 
wrong.

Note: The troubleshooting section is out of date.

Mark



This e-mail is confidential and may also contain privileged information. If you 
are not the intended recipient you are not authorised to read, print, save, 
process or disclose this message. If you have received this message by mistake, 
please inform the sender immediately and delete this e-mail, its attachments 
and any copies.
Any use, distribution, reproduction or disclosure by any person other than the 
intended recipient is strictly prohibited and the person responsible may incur 
penalties.
Thank you!




Re: Cant configure Tomcat isapi redirect in IIS

2019-04-23 Thread Mark Thomas
On 23/04/2019 20:32, Shpilsky Rita (UniCredit Services) wrote:
> This message has been marked asUC group - PUBLIC
> 
>  
> 
> Hi,
> 
> I have tomcat 9.0.16 installed on windows 2012 server, 64 bit version
> 
> I went through all the steps including getting the isapi_redirect.dll in
> 64 bit version, but when I try to open one of the applications residing
> in webapps folder of tomcat I get a pop up asking if I want to open it
> instead of executing the. Also I check isapi_redirect log file , it
> doesn’t look that its even getting through isapi.
> 
> I have tried 100 suggestions from different forums but nothing helped.
> Please let me know what would be a solution

Have you followed the official configuration steps here:
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
?

I know they are correct as I tested them against every supported version
of Windows from 7 through to Server 2016.

If you have and it still isn't working, it is a case of going through
each  part step by step and double checking until you find the bit you
missed. I've been there several times and I always (eventually) find the
step I missed / got wrong.

Note: The troubleshooting section is out of date.

Mark




RE: Cant configure Tomcat isapi redirect in IIS

2019-04-23 Thread Shpilsky Rita (UniCredit Services)


This message has been marked as UC group - PUBLIC

Hi,
I have tomcat 9.0.16 installed on windows 2012 server, 64 bit version
I went through all the steps including getting the isapi_redirect.dll in 64 bit 
version, but when I try to open one of the applications residing in webapps 
folder of tomcat I get a pop up asking if I want to open it instead of 
executing the. Also I check isapi_redirect log file , it doesn't look that its 
even getting through isapi.
I have tried 100 suggestions from different forums but nothing helped. Please 
let me know what would be a solution



Rita Shpilsky
Associate

US96908 ICT New York

UniCredit Business Integrated Solutions S.C.p.A.
New York Branch
150 East 42nd Street
New York , NY 10017  
USA
Phone: 212-672-5903 - Fax: 212-672-5509
mailto:rita.shpil...@unicredit.eu 
www.unicreditmib.eu
UniCredit. Proud Partner of the UEFA Champions League. And you.





Re: How to configure Tomcat for OCSP stapling?

2018-06-04 Thread Mark Boon
Hi Mark Thomas,

Thanks for the pointer. However, that comment you posted there is 4 years old. 
Any news on the matter since then at all? Has OCSP Stapling support for NIO 
connectors since made it into Java 9?

Mark Boon

On 5/30/18, 12:46 AM, "Mark Thomas"  wrote:

On 29/05/18 00:22, Mark Boon wrote:
> My company asked to enable OCSP stapling for our Tomcat server. I found
> the documentation about configuring a Tomcat OCSP Connector here:
> 
> 
> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
> 
>  
> 
> However, if I’m not mistaken those are instructions for how to set up an
> OCSP responder. But I think in my case, the OCSP responder is the CA
> that issued the certificate. What I need is to instruct Tomcat so that
> it makes the call to the OCSP responder that is specified in the CA
> signed certificate and ‘staples’ the resulting ticket to the certificate
> before presenting it to the client.
> 
>  
> 
> Does anyone know of a place with instructions how to do something like
> this? Or possibly I’m not quite understanding the process of OCSP
> stapling, in which case any pointers on what it means and how it works
> with Tomcat would be much appreciated.


https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Mark






Re: How to configure Tomcat for OCSP stapling?

2018-05-30 Thread Mark Thomas
On 29/05/18 00:22, Mark Boon wrote:
> My company asked to enable OCSP stapling for our Tomcat server. I found
> the documentation about configuring a Tomcat OCSP Connector here:
> 
> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
> 
>  
> 
> However, if I’m not mistaken those are instructions for how to set up an
> OCSP responder. But I think in my case, the OCSP responder is the CA
> that issued the certificate. What I need is to instruct Tomcat so that
> it makes the call to the OCSP responder that is specified in the CA
> signed certificate and ‘staples’ the resulting ticket to the certificate
> before presenting it to the client.
> 
>  
> 
> Does anyone know of a place with instructions how to do something like
> this? Or possibly I’m not quite understanding the process of OCSP
> stapling, in which case any pointers on what it means and how it works
> with Tomcat would be much appreciated.

https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Mark




Re: How to configure Tomcat for OCSP stapling?

2018-05-28 Thread Coty Sutherland
Hi,

On Mon, May 28, 2018 at 7:22 PM, Mark Boon  wrote:

> My company asked to enable OCSP stapling for our Tomcat server. I found
> the documentation about configuring a Tomcat OCSP Connector here:
>
> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>
>
>
> However, if I’m not mistaken those are instructions for how to set up an
> OCSP responder. But I think in my case, the OCSP responder is the CA that
> issued the certificate. What I need is to instruct Tomcat so that it makes
> the call to the OCSP responder that is specified in the CA signed
> certificate and ‘staples’ the resulting ticket to the certificate before
> presenting it to the client.
>

You're correct. The configuration document does mention the OCSP responder,
but you really don't need to do anything special in tomcat to enable OCSP.
If your connector has certificateVerification or clientAuth enabled, then
tomcat will do the needful with the client certificate (including verify it
with OCSP if the OCSP url is present).


>
>
> Does anyone know of a place with instructions how to do something like
> this? Or possibly I’m not quite understanding the process of OCSP stapling,
> in which case any pointers on what it means and how it works with Tomcat
> would be much appreciated.
>
>
>
>
>
> *Mark Boon*
> *Staff Engineer*
> mb...@vmware.com
> 3401 Hillview Avenue, Palo Alto, CA 94304
> 
> 650.123.4567 Office
> 808.234.4892 Mobile
>
>
>
>


How to configure Tomcat for OCSP stapling?

2018-05-28 Thread Mark Boon
My company asked to enable OCSP stapling for our Tomcat server. I found the 
documentation about configuring a Tomcat OCSP Connector here:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector

However, if I’m not mistaken those are instructions for how to set up an OCSP 
responder. But I think in my case, the OCSP responder is the CA that issued the 
certificate. What I need is to instruct Tomcat so that it makes the call to the 
OCSP responder that is specified in the CA signed certificate and ‘staples’ the 
resulting ticket to the certificate before presenting it to the client.

Does anyone know of a place with instructions how to do something like this? Or 
possibly I’m not quite understanding the process of OCSP stapling, in which 
case any pointers on what it means and how it works with Tomcat would be much 
appreciated.


Mark Boon
Staff Engineer
mb...@vmware.com
3401 Hillview Avenue, Palo Alto, CA 94304
650.123.4567 Office
808.234.4892 Mobile




Re: How to configure tomcat to ignore large websocket messages

2017-01-25 Thread Mark Thomas
On 25/01/2017 21:12, Preston Price wrote:
> So what is the purpose of a Decoder.TextStream then if not to handle
> incomplete/partial messages?

To interface with other components that wanted to process the data in
that form.

Partial messages feeding an InputStream is doable, but you need to build
it yourself / find a framework (Atmosphere?) that has already done it
for you.

Mark

> 
> Cheers!
> 
> On Wed, Jan 25, 2017 at 2:07 PM, Mark Thomas  wrote:
> 
>> On 25/01/2017 20:53, Preston Price wrote:
>>> Is it possible to use a Decoder to handle partial websocket messages?
>>
>> No. Decoders only apply to whole messages.
>>
>> The closest you will get is:
>> - remove the message size limit
>> - use a partial message handler that buffers up to a limit
>> - discard data once the buffer limit is exceeded
>> - ignore messages that exceed the buffer
>>
>> This makes the application vulnerable to a DoS via very large messages
>> unless there is some higher limit than the buffer limit enforced.
>>
>> Mark
>>
>>>
>>> On Wed, Jan 25, 2017 at 1:29 PM, Mark Thomas  wrote:
>>>
>>>> On 25/01/2017 20:25, Preston Price wrote:
>>>>> My environment:
>>>>> java: 1.8.0_102,
>>>>> tomcat: 8.0.39,
>>>>> os:Ubuntu 4.4.0-45-generic,
>>>>> websocket api: 1.1
>>>>>
>>>>> Currently in my application clients will (rarely) send a message that
>>>>> exceeds the default (8192 byte) limit for messages. This results in the
>>>>> socket being closed by the server with a 1009 code (too big). Can tomcat be
>>>>> configured to ignore such large messages without closing the socket?
>>>>
>>>> No.
>>>>
>>>> Mark
>>>>
>>>>
>>>> -
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org


>>>
>>>
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> 
> 





Re: How to configure tomcat to ignore large websocket messages

2017-01-25 Thread Preston Price
So what is the purpose of a Decoder.TextStream then if not to handle
incomplete/partial messages?

Cheers!

On Wed, Jan 25, 2017 at 2:07 PM, Mark Thomas  wrote:

> On 25/01/2017 20:53, Preston Price wrote:
> > Is it possible to use a Decoder to handle partial websocket messages?
>
> No. Decoders only apply to whole messages.
>
> The closest you will get is:
> - remove the message size limit
> - use a partial message handler that buffers up to a limit
> - discard data once the buffer limit is exceeded
> - ignore messages that exceed the buffer
>
> This makes the application vulnerable to a DoS via very large messages
> unless there is some higher limit than the buffer limit enforced.
>
> Mark
>
> >
> > On Wed, Jan 25, 2017 at 1:29 PM, Mark Thomas  wrote:
> >
> >> On 25/01/2017 20:25, Preston Price wrote:
> >>> My environment:
> >>> java: 1.8.0_102,
> >>> tomcat: 8.0.39,
> >>> os:Ubuntu 4.4.0-45-generic,
> >>> websocket api: 1.1
> >>>
> >>> Currently in my application clients will (rarely) send a message that
> >>> exceeds the default (8192 byte) limit for messages. This results in the
> >>> socket being closed by the server with a 1009 code (too big). Can
> tomcat
> >> be
> >>> configured to ignore such large messages without closing the socket?
> >>
> >> No.
> >>
> >> Mark
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


-- 
Preston M. Price
KidCheck
www.kidcheck.com
Facebook

 / Twitter 

-- 

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify KidCheck at 
supp...@kidcheck.com. Please note that any views or opinions presented in 
this email are solely those of the author and do not necessarily represent 
those of KidCheck. E-mail transmission cannot be guaranteed to be secure or 
error-free as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete. Finally, the recipient should check this email 
and any attachments for the presence of viruses. KidCheck accepts no 
liability for any damage caused by any virus transmitted by this email.




Re: How to configure tomcat to ignore large websocket messages

2017-01-25 Thread Mark Thomas
On 25/01/2017 20:53, Preston Price wrote:
> Is it possible to use a Decoder to handle partial websocket messages?

No. Decoders only apply to whole messages.

The closest you will get is:
- remove the message size limit
- use a partial message handler that buffers up to a limit
- discard data once the buffer limit is exceeded
- ignore messages that exceed the buffer

This makes the application vulnerable to a DoS via very large messages
unless there is some higher limit than the buffer limit enforced.

Mark

> 
> On Wed, Jan 25, 2017 at 1:29 PM, Mark Thomas  wrote:
> 
>> On 25/01/2017 20:25, Preston Price wrote:
>>> My environment:
>>> java: 1.8.0_102,
>>> tomcat: 8.0.39,
>>> os:Ubuntu 4.4.0-45-generic,
>>> websocket api: 1.1
>>>
>>> Currently in my application clients will (rarely) send a message that
>>> exceeds the default (8192 byte) limit for messages. This results in the
>>> socket being closed by the server with a 1009 code (too big). Can tomcat
>> be
>>> configured to ignore such large messages without closing the socket?
>>
>> No.
>>
>> Mark
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> 
> 
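The four steps listed in the reply above, together with the higher cap its DoS caveat calls for, as an added example that is not part of the thread. The endpoint path `/bounded`, both limit values and the reply sent by `handle()` are assumptions; sizes are counted in Java chars, not bytes.

```java
import java.io.IOException;

import javax.websocket.CloseReason;
import javax.websocket.CloseReason.CloseCodes;
import javax.websocket.OnMessage;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

/**
 * Receives text messages in parts, buffers up to BUFFER_LIMIT, silently drops
 * messages that exceed it, and closes the connection only past HARD_LIMIT.
 */
@ServerEndpoint("/bounded") // hypothetical path
public class BoundedTextEndpoint {

    /** Largest message the application is willing to process (constructed value). */
    static final int BUFFER_LIMIT = 8192;

    /** Ceiling for a single message, processed or discarded (constructed value). */
    static final long HARD_LIMIT = 1L << 20;

    // A new endpoint instance is created per connection, so this state is per client.
    private final StringBuilder buffer = new StringBuilder();
    private long seen;         // chars received for the current message
    private boolean oversized; // true once the current message passed BUFFER_LIMIT

    // The (String, boolean) signature selects partial delivery; maxMessageSize is
    // left at its default of -1 so the container does not close the socket itself.
    @OnMessage
    public void onText(Session session, String part, boolean last) throws IOException {
        seen += part.length();

        // Without this ceiling a client could stream an endless "ignored" message
        // and keep the connection and its processing thread busy indefinitely.
        if (seen > HARD_LIMIT) {
            reset();
            session.close(new CloseReason(CloseCodes.TOO_BIG, "message exceeds hard limit"));
            return;
        }

        if (!oversized) {
            if (buffer.length() + part.length() > BUFFER_LIMIT) {
                // Stop buffering and free what was collected; keep reading to the end
                // of the message so the next message starts on a clean boundary.
                oversized = true;
                buffer.setLength(0);
            } else {
                buffer.append(part);
            }
        }

        if (last) {
            if (!oversized) {
                handle(session, buffer.toString());
            }
            reset();
        }
    }

    /** Application logic for a complete, in-limit message; here it only acknowledges it. */
    private void handle(Session session, String message) throws IOException {
        session.getBasicRemote().sendText("received " + message.length() + " chars");
    }

    private void reset() {
        buffer.setLength(0);
        seen = 0;
        oversized = false;
    }
}
```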





Re: How to configure tomcat to ignore large websocket messages

2017-01-25 Thread Preston Price
Is it possible to use a Decoder to handle partial websocket messages?

On Wed, Jan 25, 2017 at 1:29 PM, Mark Thomas  wrote:

> On 25/01/2017 20:25, Preston Price wrote:
> > My environment:
> > java: 1.8.0_102,
> > tomcat: 8.0.39,
> > os:Ubuntu 4.4.0-45-generic,
> > websocket api: 1.1
> >
> > Currently in my application clients will (rarely) send a message that
> > exceeds the default (8192 byte) limit for messages. This results in the
> > socket being closed by the server with a 1009 code (too big). Can tomcat
> be
> > configured to ignore such large messages without closing the socket?
>
> No.
>
> Mark
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


-- 
Preston M. Price
KidCheck
www.kidcheck.com
Facebook

 / Twitter 





Re: How to configure tomcat to ignore large websocket messages

2017-01-25 Thread Mark Thomas
On 25/01/2017 20:25, Preston Price wrote:
> My environment:
> java: 1.8.0_102,
> tomcat: 8.0.39,
> os:Ubuntu 4.4.0-45-generic,
> websocket api: 1.1
> 
> Currently in my application clients will (rarely) send a message that
> exceeds the default (8192 byte) limit for messages. This results in the
> socket being closed by the server with a 1009 code (too big). Can tomcat be
> configured to ignore such large messages without closing the socket?

No.

Mark





How to configure tomcat to ignore large websocket messages

2017-01-25 Thread Preston Price
My environment:
java: 1.8.0_102,
tomcat: 8.0.39,
os:Ubuntu 4.4.0-45-generic,
websocket api: 1.1

Currently in my application clients will (rarely) send a message that
exceeds the default (8192 byte) limit for messages. This results in the
socket being closed by the server with a 1009 code (too big). Can tomcat be
configured to ignore such large messages without closing the socket?

Thanks

-- 
Preston M. Price
KidCheck
www.kidcheck.com
Facebook

 / Twitter 





Re: Tutorial: Configure Tomcat with HTTPS/SSL on Ubuntu 16.04 LTS (Xenial) using Letsencrypt

2016-10-04 Thread Christopher Schultz

Mladen,

On 9/30/16 10:34 AM, Mladen Adamović wrote:
> Hi all,
> 
> I'm running 3 servers with Tomcat (migrated from Glassfish which is
> not maintained well imo). But documentation is kind of not the best
> for configuring HTTPS/SSL.
> 
> I've written my own tutorial how to do that using Letsencrypt and
> Tomcat native: 
> https://mladenadamovic.wordpress.com/2016/09/06/configure-tomcat-with-ssl-on-ubuntu-minimal/
>
> As you can notice from the tutorial:
> - I'm running 8.5.5 from website (not prepackaged with comes with Ubuntu)
> - run Tomcat as non-root user and do ip tables forwarding because of that
> - implemented my own ACME support for Letsencrypt (it's easy)
> 
> I'm using it for my own purposes, but if people have suggestions to
> improve it, I'd be happy to consider it.
> 
> I hope it will be useful to other people as well.

Thanks for doing this guide. I'm mostly interested in the Let's
Encrypt part, because everything else is very straightforward IMO. I
have some comments about the LE stuff.

First, this is a bad idea:

chmod o+rx /etc/letsencrypt
chmod o+rx /etc/letsencrypt/archive
chmod o+rx /etc/letsencrypt/archive/online-utility.org
chmod o+rx /etc/letsencrypt/live

That gives world-readable access to your server's private keys. There
are better ways to allow the Tomcat user to read these certificates.
For example, on my server, the /etc/letsencrypt/archive directory and
contents are group-owned by a group called "ssl-cert". It's better to
add the Tomcat user to the ssl-cert group than to open the certs and
keys to the whole world.

Second, the ACME servlet doesn't need to be mounted on /* -- you can
just as easily mount it on /.well-known/acme/*. Better yet, just
configure the  to contain some  that mounts a
special directory
(/tmp/letsencrypt/public_html/.well-known/acme-challenge/ in your
example) into the URL space of the application. Less code = less
opportunities for errors.

Better even still, package a web application called ".well-known" with
the complete configuration necessary. Then all that is required is to
drop the WAR file into Tomcat's auto-deploy directory
(CATALINA_HOME/webapps) and allow LE to authenticate your control
over the server.

Third, I haven't spent much time with LE yet, but I believe you can
simply "renew" your cert instead of requesting a new one:

$ /path/to/certbot renew

This will perform the steps for renewal that were originally used to
obtain the certificate. So, I believe, if you used the "certonly"
plugin, then it will again only use the "certonly" plugin. Similarly,
if you use the "webroot" plugin, it will be used again. For Tomcat,
you might have to adjust the caching configuration to get it to work
properly.

I for one am interested in getting official support for Tomcat into
the command-line tools for Let's Encrypt. I tried to understand how
certbot works, but it's clear that I'd need a curated guide to
building a new plug-in for Tomcat. When I have some time (ha ha), I'll
reach-out to the LE folks to see what it would take.

-chris



Tutorial: Configure Tomcat with HTTPS/SSL on Ubuntu 16.04 LTS (Xenial) using Letsencrypt

2016-09-30 Thread Mladen Adamović
Hi all,

I'm running 3 servers with Tomcat (migrated from Glassfish which is not
maintained well imo).
But documentation is kind of not the best for configuring HTTPS/SSL.

I've written my own tutorial how to do that using Letsencrypt and Tomcat
native:
https://mladenadamovic.wordpress.com/2016/09/06/configure-tomcat-with-ssl-on-ubuntu-minimal/

As you can notice from the tutorial:
- I'm running 8.5.5 from website (not prepackaged with comes with Ubuntu)
- run Tomcat as non-root user and do ip tables forwarding because of that
- implemented my own ACME support for Letsencrypt (it's easy)

I'm using it for my own purposes, but if people have suggestions to improve
it, I'd be happy to consider it.

I hope it will be useful to other people as well.

Kind Regards,
Mladen


Re: AW: Problems to configure tomcat as windows service

2015-10-09 Thread Aurélien Terrestris
OK good that it's finally working.
There is a weakness in the documentation since it duplicates a big part of
the original procrun doc, and it would be more readable to just give a short
explanation and give a link as you suggest. You can ask for an improvement
in the bug database ( http://tomcat.apache.org/bugreport.html) but I'm not
sure they will spend time on it as there is no "real" mistake in the doc.

regards


2015-10-09 9:15 GMT+02:00 Arno Schäfer :

> Aurélien,
>
> > still investigating for you in the documentation (
> http://commons.apache.org/proper/commons-daemon/procrun.html ), can you
> try again with --ServiceUser & --ServicePassword instead of --User &
> --Password ?
>
> thanks for that hint. I try it and it works now. :-)
> I miss the point, that my start mode 'jvm' was excluded, but no
> alternative is described in the tomcat documentation.
> Perhaps it will be a good idea to integrate a link to the original procrun
> documentation, when it is more up to date and complete. I didn't recognize
> til today, that this is a separate project.
>
> Thanks for your patience,
> best regards
> Arno
>
>


AW: AW: Problems to configure tomcat as windows service

2015-10-09 Thread Arno Schäfer
Aurélien,

> still investigating for you in the documentation ( 
> http://commons.apache.org/proper/commons-daemon/procrun.html ), can you try 
> again with --ServiceUser & --ServicePassword instead of --User & --Password ?

thanks for that hint. I try it and it works now. :-)
I miss the point, that my start mode 'jvm' was excluded, but no alternative is 
described in the tomcat documentation.
Perhaps it will be a good idea to integrate a link to the original procrun 
documentation, when it is more up to date and complete. I didn't recognize til 
today, that this is a separate project.

Thanks for your patience,
best regards
Arno



AW: AW: Problems to configure tomcat as windows service

2015-10-08 Thread Arno Schäfer
Hi Aurélien,

> Arno, can you try with these parameters : --StdOutput out.txt --StdError 
> err.txt 
> and check if this writes anything to these files (I don't bet a pence on this 
> but let's try) ?

That isn't the point. My problem is, that I can't configure a different service 
user as the local system account with this utility. 'tomcat7.exe' configure all 
other parameter as you can see afterwards in the 'serverconsole' utility except 
the '--User' and '--Password' on Windows 8.1 64 bit with no error message. It 
only ignores these both values.
The service is running in all cases under the local system account and I can 
manually change to an other user and it still works.
So, do you know, what is the normal process to report a bug to the development?

I have to revert my statement from the mail before: It didn't work also with 
tomcat6 on Windows 8.1 64 Bit

> Taken from the doc :
> http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

I know this document very well ;-)

regards
Arno



Re: AW: Problems to configure tomcat as windows service

2015-10-08 Thread Aurélien Terrestris
Arno, can you try with these parameters : --StdOutput out.txt --StdError
err.txt and check if this writes anything to these files (I don't bet a
pence on this but let's try) ?

Taken from the doc :
http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html



2015-10-02 17:52 GMT+02:00 Arno Schäfer :

> André,
>
> > Maybe it is not only the version of Tomcat that has changed, but also
> the machine/OS on which
> > you do this ? Maybe the user under which you execute this command does
> not have the
> > required
> > privileges, at OS level on this machine, to do this ?
>
> On the same machine/OS it work's with tomcat 6.
>
>
> > Maybe the user-id *to* which you are trying to set the Tomcat service,
> does not have enough
> > privileges to "run as a Service" ?
> > (In the services.msc applet, it would ask you interactively to grant
> these privileges first, but
> > maybe the command-line tool cannot do that).
>
> Like I said in my first mail, I install it as an local administrator and
> the service was registered and I am able to run it under the local system
> account.
> And also if I fill in the user data manually, what I used in the
> tomcat7.exe call, I am able to start and run the tomcat server, so missing
> privileges shouldn't be the problem.
>
> Regards
> Arno
>
>


Re: AW: Problems to configure tomcat as windows service

2015-10-08 Thread Aurélien Terrestris
Arno,

still investigating for you in the documentation (
http://commons.apache.org/proper/commons-daemon/procrun.html ), can you try
again with --ServiceUser & --ServicePassword instead of --User & --Password
?

regards

2015-10-08 17:35 GMT+02:00 Arno Schäfer :

> Hi Aurélien,
>
> > Arno, can you try with these parameters : --StdOutput out.txt --StdError
> err.txt
> > and check if this writes anything to these files (I don't bet a pence on
> this but let's try) ?
>
> That isn't the point. My problem is, that I can't configure a different
> service user as the local system account with this utility. 'tomcat7.exe'
> configure all other parameter as you can see afterwards in the
> 'serverconsole' utility except the '--User' and '--Password' on Windows 8.1
> 64 bit with no error message. It only ignores these both values.
> The service is running in all cases under the local system account and I
> can manually change to another user and it still works.
> So, do you know, what is the normal process to report a bug to the
> development?
>
> I have to revert my statement from the mail before: It didn't work also
> with tomcat6 on Windows 8.1 64 Bit
>
> > Taken from the doc :
> > http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html
>
> I know this document very well ;-)
>
> regards
> Arno
>
>


Problems to configure tomcat as windows service

2015-10-02 Thread Arno Schäfer
Hi all,

using tomcat 7.0.54 on Windows 8.1 64 Bit system, I encounter the problem, that 
I can not configure a user/password
with the tomcat7.exe utility. I run this as a local administrator in a DOS box 
with a valid user and password it returned
with errorlevel 0, but the user was not set in the service settings.

What can be the reason for this? The same solution run before in a tomcat 6 
environment with no problems and I
recognize no changes in the documentation in this area.

best regards
Arno



AW: Problems to configure tomcat as windows service

2015-10-02 Thread Arno Schäfer
Thanks for the hint Aurélien,

> there *maybe is* documentation about this, see question & comments from 
> Konstantin Kolinko in 
> http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

but I asked this question, because I recognize, that it didn't work like it 
is described, but in version 6 the description was the same and it has worked.

Regards
Arno






Re: AW: Problems to configure tomcat as windows service

2015-10-02 Thread tomcat

On 02.10.2015 17:12, Arno Schäfer wrote:
> Thanks for the hint Aurélien,
>
>> there *maybe is* documentation about this, see question & comments from
>> Konstantin Kolinko in
>> http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html
>
> but I asked this question, because I recognize, that it didn't work like it
> is described, but in version 6 the description was the same and it has worked.

Maybe it is not only the version of Tomcat that has changed, but also the machine/OS on
which you do this ? Maybe the user under which you execute this command does not have the
required privileges, at OS level on this machine, to do this ?

Maybe the user-id *to* which you are trying to set the Tomcat service, does not have
enough privileges to "run as a Service" ?
(In the services.msc applet, it would ask you interactively to grant these privileges
first, but maybe the command-line tool cannot do that).

(I am not really a Windows OS specialist, but I have seen variations of the above kind of
issues previously)




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Problems to configure tomcat as windows service

2015-10-02 Thread Aurélien Terrestris
Arno,

there *maybe is* documentation about this, see question & comments
from Konstantin Kolinko in
http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html





2015-10-02 16:36 GMT+02:00 Arno Schäfer :

> Hi all,
>
> using tomcat 7.0.54 on Windows 8.1 64 Bit system, I encounter the problem,
> that I can not configure a user/password
> with the tomcat7.exe utility. I run this as a local administrator in a DOS
> box with a valid user and password it returned
> with errorlevel 0, but the user was not set in the service settings.
>
> What can be the reason for this? The same solution run before in a tomcat
> 6 environment with no problems and I
> recognize no changes in the documentation in this area.
>
> best regards
> Arno


AW: AW: Problems to configure tomcat as windows service

2015-10-02 Thread Arno Schäfer
André,

> Maybe it is not only the version of Tomcat that has changed, but also the 
> machine/OS on which
> you do this ? Maybe the user under which you execute this command does not 
> have the 
> required
> privileges, at OS level on this machine, to do this ?

On the same machine/OS it works with tomcat 6.


> Maybe the user-id *to* which you are trying to set the Tomcat service, does 
> not have enough 
> privileges to "run as a Service" ?
> (In the services.msc applet, it would ask you interactively to grant these 
> privileges first, but 
> maybe the command-line tool cannot do that).

Like I said in my first mail, I install it as a local administrator and the 
service was registered and I am able to run it under the local system account.
And also if I fill in the user data manually, what I used in the tomcat7.exe 
call, I am able to start and run the tomcat server, so missing privileges 
shouldn't be the problem.

Regards
Arno



Re: Problems to configure tomcat as windows service

2015-10-02 Thread tomcat

On 02.10.2015 16:36, Arno Schäfer wrote:
> Hi all,
>
> using tomcat 7.0.54 on Windows 8.1 64 Bit system, I encounter the problem, that
> I can not configure a user/password
> with the tomcat7.exe utility. I run this as a local administrator in a DOS box
> with a valid user and password it returned
> with errorlevel 0, but the user was not set in the service settings.
>
> What can be the reason for this? The same solution run before in a tomcat 6
> environment with no problems and I
> recognize no changes in the documentation in this area.

Hi.
What exactly /is/ the problem ?
- that you cannot change the user-id under which it runs (which by default should be
  something like LocalService) ?
- or that you can change it, but then it crashes when you run it ?

If the last, then one more question : does your Tomcat or any of its applications need
access to any network shared directory ?





AW: Problems to configure tomcat as windows service

2015-10-02 Thread Arno Schäfer
Hi Andre,

> What exactly /is/ the problem ?

'XXX' is not configured and doesn't exist. If I then call
'tomcat7 //IS//XXX --User="domain\user" --Password="xx"'
the call returns with exit code 0 and if I look in services.msc the service
XXX is installed, but runs as the local system account. The --User and --Password
were ignored. All other parameters were accepted. I have also double-checked it
with serverconsole.bat.

Regards
Arno





Configure Tomcat Manager-GUI to use SPNEGO authentication

2015-06-02 Thread Jingru Barr



Tomcat version: 7.0.62
Platform (OS): CentOS 6.6

Steps I perform:

1) Follow the document
   (http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html) to configure
   Kerberos.
   - I use kinit to verify the keytab and service account and it shows:

       kinit -V -k -t server.keytab HTTP/serviceaccountname.mycompany@mycompany.com
       Authenticated to Kerberos v5

2) Configure server.xml to use Active Directory for JNDI.
   Add the following to server.xml between Engine and Realm:

       <Realm className="org.apache.catalina.realm.JNDIRealm"
              connectionURL="ldap://ADServerName:3268;"
              authentication="simple"
              referrals="follow"
              connectionName="serviceaccountn...@mycompany.com"
              connectionPassword="ServiceAccountpassword"
              userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))"
              userBase="dc=mycompany,dc=com"
              userSubtree="true"
              roleSearch="(member={0})"
              roleName="cn"
              roleSubtree="true"
              roleBase="dc=mycompany,dc=com" />

3) Modify web.xml to change authentication:

       <login-config>
         <auth-method>SPNEGO</auth-method>
         <realm-name>Manager GUI</realm-name>
       </login-config>

       <!-- Security roles referenced by this web application -->
       <security-role>
         <role-name>IIAG_HER_Everyone</role-name>   (this is the AD group name)
       </security-role>

The result is still not able to authenticate.  Based on the log, I don't see
the tomcat try to authenticate using the Kerberos.  Please advise further.


Re: Configure Tomcat 7 using Apache 2.4.6

2015-04-09 Thread Christopher Schultz

Andrew,

On 4/8/15 3:07 PM, Leggio, Andrew wrote:
> Thank you for responding.  I changed the mod_proxy_ajp.c to
> mod_proxy_ajp.so which is the module that is being loaded.  Now my
> html pages are rendering fine; however, when I go to the jsp pages
> it's not even putting an entry in the tomcat access log.

Did you configure an access log? Where/how?

- -chris



Re: Configure Tomcat 7 using Apache 2.4.6

2015-04-08 Thread Christopher Schultz

Andrew,

On 4/8/15 1:43 PM, Leggio, Andrew wrote:
> I am trying to get tomcat to work under Apache.  I have verified
> that tomcat is listening on port 8009.
>
> I tried doing the following:
>
> *Apache Web Server Settings*
>
> Add the following to the */etc/httpd/conf.d/proxy_ajp.conf* file or
> if that file does not exist you can add it to the end of the
> */etc/httpd/conf/httpd.conf* file instead:
>
> <IfModule mod_proxy_ajp.c>
>   ProxyPass / ajp://localhost:8009/
> </IfModule>
>
> Once I put this in my html pages will not render:
>
> cid:image001.png@01D07200.95E58D80

Your image attachment was stripped. Can you describe this in plain text?

- -chris



RE: Configure Tomcat 7 using Apache 2.4.6

2015-04-08 Thread Leggio, Andrew
Andy,
Thank you for responding.  I changed the mod_proxy_ajp.c to 
mod_proxy_ajp.so which is the module that is being loaded.  Now my html pages 
are rendering fine; however, when I go to the jsp pages it's not even putting an 
entry in the tomcat access log.
 Any ideas?

Andy 

Andrew J. Leggio | MBIA Services Corporation | Assistant Vice President |
Phone (914) 765-3206 | Fax (914) 765-3095 | andrew.leg...@mbia.com


-Original Message-
From: Andy Wang [mailto:aw...@ptc.com] 
Sent: Wednesday, April 08, 2015 2:07 PM
To: users@tomcat.apache.org
Subject: Re: Configure Tomcat 7 using Apache 2.4.6



On 04/08/2015 12:43 PM, Leggio, Andrew wrote:
> I am trying to get tomcat to work under Apache.  I have verified that
> tomcat is listening on port 8009.
>
> I tried doing the following:
>
> *Apache Web Server Settings*
>
> Add the following to the */etc/httpd/conf.d/proxy_ajp.conf* file or if
> that file does not exist you can add it to the end of the
> */etc/httpd/conf/httpd.conf* file instead:
>
> <IfModule mod_proxy_ajp.c>
>   ProxyPass / ajp://localhost:8009/
> </IfModule>


Did you actually load the mod_proxy_ajp module?
Given the directory structure of the configuration files you're likely using a 
distribution bundled apache httpd.  Given that you'd probably get a bit more 
help from the resources for that distribution.  But it's most likely that you 
need to ensure that the module is loaded.

Andy





Configure Tomcat 7 using Apache 2.4.6

2015-04-08 Thread Leggio, Andrew
I am trying to get tomcat to work under Apache.  I have verified that tomcat is 
listening on port 8009.

I tried doing the following:
Apache Web Server Settings
Add the following to the /etc/httpd/conf.d/proxy_ajp.conf file or if that file 
does not exist you can add it to the end of the /etc/httpd/conf/httpd.conf file 
instead:

<IfModule mod_proxy_ajp.c>
  ProxyPass / ajp://localhost:8009/
</IfModule>

Once I put this in my html pages will not render:
[cid:image001.png@01D07202.009EC2D0]

What am I doing wrong?  Any help would be greatly appreciated.  Thanks.


Andrew J. Leggio | MBIA Services Corporation | Assistant Vice President |
Phone (914) 765-3206 | Fax (914) 765-3095 | andrew.leg...@mbia.com





Re: Configure Tomcat 7 using Apache 2.4.6

2015-04-08 Thread Andy Wang



On 04/08/2015 12:43 PM, Leggio, Andrew wrote:

> I am trying to get tomcat to work under Apache.  I have verified that
> tomcat is listening on port 8009.
>
> I tried doing the following:
>
> *Apache Web Server Settings*
>
> Add the following to the */etc/httpd/conf.d/proxy_ajp.conf* file or if
> that file does not exist you can add it to the end of the
> */etc/httpd/conf/httpd.conf* file instead:
>
> <IfModule mod_proxy_ajp.c>
>   ProxyPass / ajp://localhost:8009/
> </IfModule>



Did you actually load the mod_proxy_ajp module?
Given the directory structure of the configuration files you're likely 
using a distribution bundled apache httpd.  Given that you'd probably 
get a bit more help from the resources for that distribution.  But it's 
most likely that you need to ensure that the module is loaded.


Andy





Re: Configure Tomcat 7 using Apache 2.4.6

2015-04-08 Thread André Warnier

Leggio, Andrew wrote:

> I am trying to get tomcat to work under Apache.  I have verified that tomcat is
> listening on port 8009.
>
> I tried doing the following:
> Apache Web Server Settings
> Add the following to the /etc/httpd/conf.d/proxy_ajp.conf file or if that file
> does not exist you can add it to the end of the /etc/httpd/conf/httpd.conf file
> instead:
>
> <IfModule mod_proxy_ajp.c>
>   ProxyPass / ajp://localhost:8009/
> </IfModule>
>
> Once I put this in my html pages will not render:
> [cid:image001.png@01D07202.009EC2D0]
>
> What am I doing wrong?  Any help would be greatly appreciated.  Thanks.



Andrew, you are really not providing enough information for anyone to be able 
to help.
Your inline image did not make it to the forum, so we have really no idea what result you 
are trying to show us.
Nor do we know if your Apache httpd configuration is correct.  The configuration lines 
above are not all that you need to do in order to properly load and run the mod_proxy_ajp 
connector module in Apache httpd.
I don't know exactly on which kind of OS platform you are running this, but it kinda looks 
like RedHat or similar.  For a start, as user root, try entering the command a2enmod and 
paste here what it displays.

Also tell us what is the content of the Tomcat webapps/ROOT/ directory.





Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-10 Thread dmccrthy
Hi André,

The endpoint is an internal service with published WSDL/XSDs. The 3rd party
client app used JAX-WS to invoke on it. Overriding client to use an
in-house URL protocol handler could be an option for solving the HTTPS/MA
issue. But if we introduce a WS policy to sign and encrypt the messages as
well then it becomes more complex again. My point here is that standing
back from the problem at hand and taking a broader architecture/security
perspective raises other challenges.

I think the right thing to do is a feature request on the 3rd party or
write a client library that does these things which the client app could
invoke on instead of using JAX-WS.

Well it was worth exploring this and I learned a huge amount, so my thanks
again for your continuing interest and advice.

Diarmuid
On 9 Jan 2015 16:44, André Warnier a...@ice-sa.com wrote:

> Christopher Schultz wrote:
>
>> Chuck,
>>
>> On 1/8/15 6:21 PM, Caldarale, Charles R wrote:
>>
>>>> From: dmccrthy [mailto:dmccr...@gmail.com] Subject: Re: Tomcat
>>>> 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual
>>>> Authentication connections
>>>>
>>>> I found the link below from 2008. It looks like a minor change to
>>>> the Catalina WebAppLoader class might solve the problem and let
>>>> me provide a custom HTTPS URL protocol handler. Have I misread
>>>> this?
>>>> http://tomcat.10.x6.nabble.com/Custom-URL-handlers-in-Tomcat-web-app-td2006418.html
>>>
>>> This is for requests coming _into_ Tomcat, not any outbound
>>> requests your webapp is doing - which Tomcat is not involved in (or
>>> even aware of) at all.  Again, you need some sort of proxy, if your
>>> webapp cannot be changed to do the right thing.
>>
>> No, this is for constructing URLs and using classes like URLConnection
>> to access them. If the underlying code (e.g. Apache httpclient) uses
>> URLConnection under the hood, then this technique will work.
>>
>> This is actually what my initial suggestion was in my first reply to
>> this thread: install a stream handler for a particular protocol.
>>
>> The thing is, I don't think you'd want to do this for *all* http://
>> URLs... only those that should be converted into secure ones. So you'd
>> have to be able to change the URL.
>>
>> Another thought: use stunnel. It's probably the simplest possible
>> thing to set up. Have stunnel listen on a nearby host (perhaps
>> localhost) for non-secure HTTP connections, and connect the other end
>> to the real server's HTTPS port. We do this at $work to deal with a
>> product that doesn't support HTTPS internally, just as the OP is doing.
>
> I think that the final answer is : it depends.
> I've done a few of these proxy hacks in the past, for various purposes,
> including a couple of failed attempts too (but rich in lessons).
> If you know exactly what kind of requests the client (the webapp in this
> case) is sending to what server, and you know exactly what it gets in
> response, then you can usually do something of the man in the middle kind
> of thing.
> But by experience, some websites return really nightmarish stuff, full of
> re-directs, javascript modules making their own connections elsewhere,
> cookies containing information needed to access follow-up pages and
> whatnot, and that can quickly become unmanageable.
> (Think Akamai, ads and analytics sites, www.bbc.com and img.bbc.com,
> balancing proxies etc..)
>
> I have a couple of questions here, for my own edification but I believe
> also on-topic for the OP :
>
> We have this webapp making a HTTP connection on the side, to some
> third-party host.
> It is a fair bet that the creators of that webapp did not start from
> scratch, and that they used some existing library to do that (à la
> httpclient as Chris suggested).
>
> First question thus : even not having the source code of the webapp, can
> one easily find out what it uses in order to make that HTTP connection ?
>
> Assuming that the answer to the previous question is yes, second question :
> If a webapp invokes a given class to create such a connection, where
> does java look first for the corresponding class ? in the webapp's own
> WEB-INF/classes or WEB-INF/lib ?
>
> And if the answer to that is also yes, can one place a jar there, with
> classes having the same name as the one which the webapp would normally
> invoke, and which would be found first/override the usual ones it uses ?
>
> And could such a class examine the original request URL, and if it is not
> one that it should intercept and massage, just delegate the call to the
> similarly-named normal class ?
>
> Or is there something fundamentally uncouth/illegal/fattening in such a
> scheme ?







Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-09 Thread André Warnier

Christopher Schultz wrote:

> Chuck,
>
> On 1/8/15 6:21 PM, Caldarale, Charles R wrote:
>
>>> From: dmccrthy [mailto:dmccr...@gmail.com] Subject: Re: Tomcat
>>> 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual
>>> Authentication connections
>>>
>>> I found the link below from 2008. It looks like a minor change to
>>> the Catalina WebAppLoader class might solve the problem and let
>>> me provide a custom HTTPS URL protocol handler. Have I misread
>>> this?
>>> http://tomcat.10.x6.nabble.com/Custom-URL-handlers-in-Tomcat-web-app-td2006418.html
>>
>> This is for requests coming _into_ Tomcat, not any outbound
>> requests your webapp is doing - which Tomcat is not involved in (or
>> even aware of) at all.  Again, you need some sort of proxy, if your
>> webapp cannot be changed to do the right thing.
>
> No, this is for constructing URLs and using classes like URLConnection
> to access them. If the underlying code (e.g. Apache httpclient) uses
> URLConnection under the hood, then this technique will work.
>
> This is actually what my initial suggestion was in my first reply to
> this thread: install a stream handler for a particular protocol.
>
> The thing is, I don't think you'd want to do this for *all* http://
> URLs... only those that should be converted into secure ones. So you'd
> have to be able to change the URL.
>
> Another thought: use stunnel. It's probably the simplest possible
> thing to set up. Have stunnel listen on a nearby host (perhaps
> localhost) for non-secure HTTP connections, and connect the other end
> to the real server's HTTPS port. We do this at $work to deal with a
> product that doesn't support HTTPS internally, just as the OP is doing.



I think that the final answer is : it depends.
I've done a few of these proxy hacks in the past, for various purposes, including a 
couple of failed attempts too (but rich in lessons).
If you know exactly what kind of requests the client (the webapp in this case) is sending 
to what server, and you know exactly what it gets in response, then you can usually do 
something of the man in the middle kind of thing.
But by experience, some websites return really nightmarish stuff, full of re-directs, 
javascript modules making their own connections elsewhere, cookies containing information 
needed to access follow-up pages and whatnot, and that can quickly become unmanageable.

(Think Akamai, ads and analytics sites, www.bbc.com and img.bbc.com, balancing 
proxies etc..)

I have a couple of questions here, for my own edification but I believe also on-topic for 
the OP :


We have this webapp making a HTTP connection on the side, to some third-party 
host.
It is a fair bet that the creators of that webapp did not start from scratch, and that 
they used some existing library to do that (à la httpclient as Chris suggested).


First question thus : even not having the source code of the webapp, can one easily find 
out what it uses in order to make that HTTP connection ?


Assuming that the answer to the previous question is yes, second question :
If a webapp invokes a given class to create such a connection, where does java look 
first for the corresponding class ? in the webapp's own WEB-INF/classes or WEB-INF/lib ?


And if the answer to that is also yes, can one place a jar there, with classes having the 
same name as the one which the webapp would normally invoke, and which would be found 
first/override the usual ones it uses ?


And could such a class examine the original request URL, and if it is not one that it 
should intercept and massage, just delegate the call to the similarly-named normal class ?


Or is there something fundamentally uncouth/illegal/fattening in such a scheme ?






Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-09 Thread Christopher Schultz

André,

On 1/8/15 5:07 PM, André Warnier wrote:
> dmccrthy wrote:
>> Chris, André,
>>
>> Many thanks. I hadn't considered either the MITM or Apache HTTPD
>> angles. The proxy idea occurred to me (sorry, I had a typo in my
>> original mail and that may not have been clear) but I agree it's
>> messy.
>>
>> Many thanks again, I just couldn't find anything that said yes it
>> can be done, or no it can't. A 3rd party feature request is a
>> last resort so I had to find out if there was some
>> under-the-bonnet way. I really appreciate your insights into
>> this.
>
> No problem.
>
> For the sake of completeness, the only thing which made me
> cautious about using an already-made proxy server such as Apache
> httpd, is the question of the DNS lookups (or rather the resolver
> in the machine itself), if you play with the fake entry in the
> hosts file. Consider the following scenario :
> - the webapp in question wants to connect to server.company.com:8000
> - to divert this to your own local proxy, you define server.company.com in
>   the local hosts file as 127.0.0.1 (the localhost), and you set up a
>   local httpd to listen on 127.0.0.1:8000, to do the proxying.
> - thus when the webapp builds its TCP connection to
>   server.company.com:8000 - presumably by looking up
>   server.company.com first - it gets back (from the local OS's
>   resolver) the IP address 127.0.0.1, and builds a TCP connection to
>   127.0.0.1. Then over that connection, it sends a HTTP 1.1 request
>   including a Host: server.company.com header. So far so good.
> - your httpd proxy catches this connection and the request.
> - now the proxy has itself to build a connection to the real
>   server.company.com. So it does a lookup (using the local OS's TCP
>   stack) for the IP address of server.company.com, to build its own
>   connection to it. And.. it gets back 127.0.0.1 as an IP address
>   (because of course that lookup also looks in the local hosts file
>   first).
>
> That would be kind of a self-inflicted DOS attack, and it would be
> interesting to see how quickly the proxy would blow up.

An easy solution would be to put the proxy on a different machine. I
hadn't thought of hosts+localhost = boom. Good catch.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
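
The resolver loop from the quoted scenario above, and the effect of moving the proxy to another machine, as an added Python example (not code from the thread). The hosts files, DNS table and addresses are constructed sample data and a hosts-before-DNS lookup order is assumed; the IP-literal case goes beyond what the thread discusses.

```python
import ipaddress

# Constructed sample data (not from the thread).
DIVERTING_HOSTS = """\
# local overrides
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   server.company.com   # divert the webapp to the local proxy
"""
CLEAN_HOSTS = "127.0.0.1 localhost\n"                # hosts file on a separate proxy machine
SAMPLE_DNS = {"server.company.com": "203.0.113.10"}  # documentation-range address


def parse_hosts(text):
    """Map each lowercased host name to the first address listed for it."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # skip malformed entries
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)  # first entry for a name wins
    return table


def resolve(name, hosts, dns):
    """Resolve in the assumed order: IP literal, then hosts file, then DNS table."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        pass
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key]
    if key in dns:
        return ipaddress.ip_address(dns[key])
    return None


def classify_upstream(host, port, listeners, hosts_text, dns):
    """Classify the proxy's upstream target as seen from the proxy machine.

    listeners is a list of (ip, port) pairs the proxy itself listens on.
    Returns "loop"       when the upstream resolves back to one of them,
            "diverted"   when it resolves to loopback on some other port,
            "unresolved" when the name cannot be resolved, otherwise "ok".
    """
    addr = resolve(host, parse_hosts(hosts_text), dns)
    if addr is None:
        return "unresolved"
    for listen_ip, listen_port in listeners:
        listen = ipaddress.ip_address(listen_ip)
        # A wildcard listener (0.0.0.0 or ::) also accepts loopback traffic.
        same_addr = addr == listen or (listen.is_unspecified and addr.is_loopback)
        if same_addr and port == listen_port:
            return "loop"
    if addr.is_loopback:
        return "diverted"
    return "ok"


if __name__ == "__main__":
    proxy = [("127.0.0.1", 8000)]
    cases = [
        ("proxy on the same machine", "server.company.com", DIVERTING_HOSTS),
        ("proxy on another machine", "server.company.com", CLEAN_HOSTS),
        ("upstream given as IP literal", "203.0.113.10", DIVERTING_HOSTS),
    ]
    for label, host, hosts_text in cases:
        verdict = classify_upstream(host, 8000, proxy, hosts_text, SAMPLE_DNS)
        print(f"{label}: {verdict}")
```
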



Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-09 Thread Christopher Schultz

Chuck,

On 1/8/15 6:21 PM, Caldarale, Charles R wrote:
>> From: dmccrthy [mailto:dmccr...@gmail.com] Subject: Re: Tomcat
>> 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual
>> Authentication connections
>>
>> I found the link below from 2008. It looks like a minor change to
>> the Catalina WebAppLoader class might solve the problem and let
>> me provide a custom HTTPS URL protocol handler. Have I misread
>> this?
>>
>> http://tomcat.10.x6.nabble.com/Custom-URL-handlers-in-Tomcat-web-app-td2006418.html
>
> This is for requests coming _into_ Tomcat, not any outbound
> requests your webapp is doing - which Tomcat is not involved in (or
> even aware of) at all.  Again, you need some sort of proxy, if your
> webapp cannot be changed to do the right thing.

No, this is for constructing URLs and using classes like URLConnection
to access them. If the underlying code (e.g. Apache httpclient) uses
URLConnection under the hood, then this technique will work.

This is actually what my initial suggestion was in my first reply to
this thread: install a stream handler for a particular protocol.

The thing is, I don't think you'd want to do this for *all* http://
URLs... only those that should be converted into secure ones. So you'd
have to be able to change the URL.

Another thought: use stunnel. It's probably the simplest possible
thing to set up. Have stunnel listen on a nearby host (perhaps
localhost) for non-secure HTTP connections, and connect the other end
to the real server's HTTPS port. We do this at $work to deal with a
product that doesn't support HTTPS internally, just as the OP is doing.

- -chris



RE: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-08 Thread dmccrthy
(sigh) Ok, there's do the right thing or brave the proxy approach.

Thanks all, I am immensely grateful and impressed with all the advice,
warnings, and offers of contacts. Hopefully I can give something back in
due course.

Diarmuid
On 8 Jan 2015 23:25, Caldarale, Charles R chuck.caldar...@unisys.com
wrote:

> > From: dmccrthy [mailto:dmccr...@gmail.com]
> > Subject: Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client
> > HTTPS Mutual Authentication connections
> >
> > I found the link below from 2008.
> > It looks like a minor change to the Catalina WebAppLoader class might solve
> > the problem and let me provide a custom HTTPS URL protocol handler. Have I
> > misread this?
> >
> > http://tomcat.10.x6.nabble.com/Custom-URL-handlers-in-Tomcat-web-app-td2006418.html
>
> This is for requests coming _into_ Tomcat, not any outbound requests your
> webapp is doing - which Tomcat is not involved in (or even aware of) at
> all.  Again, you need some sort of proxy, if your webapp cannot be changed
> to do the right thing.
>
>  - Chuck
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail and
> its attachments from all computers.






RE: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-08 Thread Caldarale, Charles R
> From: dmccrthy [mailto:dmccr...@gmail.com]
> Subject: Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client
> HTTPS Mutual Authentication connections
>
> I found the link below from 2008.
> It looks like a minor change to the Catalina WebAppLoader class might solve
> the problem and let me provide a custom HTTPS URL protocol handler. Have I
> misread this?
>
> http://tomcat.10.x6.nabble.com/Custom-URL-handlers-in-Tomcat-web-app-td2006418.html

This is for requests coming _into_ Tomcat, not any outbound requests your 
webapp is doing - which Tomcat is not involved in (or even aware of) at all.  
Again, you need some sort of proxy, if your webapp cannot be changed to do the 
right thing.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-08 Thread André Warnier

dmccrthy wrote:

> Chris, André,
>
> Many thanks. I hadn't considered either the MITM or Apache HTTPD angles.
> The proxy idea occurred to me (sorry, I had a typo in my original mail and
> that may not have been clear) but I agree it's messy.
>
> Many thanks again, I just couldn't find anything that said yes it can be
> done, or no it can't. A 3rd party feature request is a last resort so I had
> to find out if there was some under-the-bonnet way. I really appreciate
> your insights into this.



No problem.

For the sake of completeness, the only thing which made me cautious about using an 
already-made proxy server such as Apache httpd, is the question of the DNS lookups (or 
rather the resolver in the machine itself), if you play with the fake entry in the hosts 
file.

Consider the following scenario :
- the webapp in question wants to connect to server.company.com:8000
- to divert this to your own local proxy, you define server.company.com in the local 
hosts file as 127.0.0.1 (the localhost), and you set up a local httpd to listen on 
127.0.0.1:8000, to do the proxying.
- thus when the webapp builds its TCP connection to server.company.com:8000 - presumably 
by looking up server.company.com first - it gets back (from the local OS's resolver) the 
IP address 127.0.0.1, and builds a TCP connection to 127.0.0.1.
Then over that connection, it sends a HTTP 1.1 request including a Host: 
server.company.com header.

So far so good.
- your httpd proxy catches this connection and the request.
- now the proxy has itself to build a connection to the real 
server.company.com.
So it does a lookup (using the local OS's TCP stack) for the IP address of 
server.company.com, to build its own connection to it.
And.. it gets back 127.0.0.1 as an IP address (because of course that lookup also looks in 
the local hosts file first).


That would be kind of a self-inflicted DOS attack, and it would be interesting to see how 
quickly the proxy would blow up.


I am not quite sure how you would corrupt the httpd proxy code not to do that 
(*).
If you tell it to connect to the IP address of that remote host instead, it may not work 
as expected, if that remote host happens to be configured with Virtual Hosts itself (which 
work by name).


You may be able to configure your webapp to connect to another fake hostname, rather than 
the real destination one.  In that case, there is a workaround : define that fake hostname 
as 127.0.0.1, instead of the real destination one.

But otherwise, you may be in trouble.


(*) well, actually I do have an idea, but it involves an Apache httpd with perl/mod_perl 
on it, and some devious perl coding to mess around with the proxy request before mod_proxy 
sends it out.  If it is really important to you, and you find no other solution, I could 
point you to a good consultant for this kind of thing.
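
The hosts-file scenario in the message above can be checked before a proxy is deployed. The following is an added example, not code from the thread or from any of its posters: it reads a hosts file and reports whether the proxy's own upstream lookup would land back on the proxy's listener. The function names, the sample hosts content, the name proxy-alias.internal and the address 203.0.113.10 are assumptions made for illustration, and the resolver is assumed to consult the hosts file before DNS, as in the scenario.

```python
import ipaddress

# Constructed sample: the hosts file from the scenario, where the real
# destination name has been pointed at the local proxy.
HOSTS_REAL_NAME = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   server.company.com   # divert the webapp to the local proxy
"""

# Constructed sample: the workaround, where only a fake name is diverted.
# proxy-alias.internal is a hypothetical name configured in the webapp.
HOSTS_FAKE_NAME = """\
127.0.0.1   localhost
127.0.0.1   proxy-alias.internal
"""


def parse_hosts(text):
    """Return {lowercased name: [address, ...]} for every valid hosts entry."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: ignore the line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table


def audit_proxy(hosts_text, webapp_host, listen_ip, listen_port,
                upstream_host, upstream_port, local_ips=()):
    """Check a hosts-file diversion to a local HTTP-to-HTTPS proxy.

    Returns a dict with:
      diverted      True if the webapp's target name reaches the proxy listener
      upstream      "loop" if the proxy would connect back to itself,
                    "misdirected" if the upstream name resolves to this machine
                    on a different port, otherwise "ok"
      vhost_caveat  True if the upstream is an IP literal, which avoids the
                    lookup but may break name-based virtual hosts remotely
    """
    hosts = parse_hosts(hosts_text)
    listen = ipaddress.ip_address(listen_ip)
    local = [ipaddress.ip_address(ip) for ip in local_ips]

    def is_local(addr):
        return addr.is_loopback or addr in local

    def lands_on_proxy(addr):
        # A wildcard listener (0.0.0.0 or ::) accepts any local address.
        return is_local(addr) if listen.is_unspecified else addr == listen

    def lookup(name):
        try:
            return [ipaddress.ip_address(name)], True    # IP literal, no lookup
        except ValueError:
            # Names absent from the hosts file fall through to DNS, which
            # this offline check does not query.
            return hosts.get(name.lower().rstrip("."), []), False

    webapp_addrs, _ = lookup(webapp_host)
    upstream_addrs, literal = lookup(upstream_host)

    if (any(lands_on_proxy(a) for a in upstream_addrs)
            and upstream_port == listen_port):
        upstream = "loop"
    elif not literal and any(is_local(a) for a in upstream_addrs):
        upstream = "misdirected"
    else:
        upstream = "ok"

    return {
        "diverted": any(lands_on_proxy(a) for a in webapp_addrs),
        "upstream": upstream,
        "vhost_caveat": literal,
    }


if __name__ == "__main__":
    cases = {
        "real name diverted": (HOSTS_REAL_NAME, "server.company.com",
                               "server.company.com"),
        "upstream as IP literal": (HOSTS_REAL_NAME, "server.company.com",
                                   "203.0.113.10"),
        "fake name diverted": (HOSTS_FAKE_NAME, "proxy-alias.internal",
                               "server.company.com"),
    }
    for label, (hosts_text, webapp_host, upstream) in cases.items():
        print(label, audit_proxy(hosts_text, webapp_host, "127.0.0.1", 8000,
                                 upstream, 8000))
```

Run against the real hosts file of the Tomcat machine, a result of "loop" or "misdirected" means the proxy cannot use the destination name as its upstream while that hosts entry exists.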







Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-08 Thread dmccrthy
Hi André, Chris,

Just to park the proxy idea for a moment, I found the link below from 2008.
It looks like a minor change to the Catalina WebAppLoader class might solve
the problem and let me provide a custom HTTPS URL protocol handler. Have I
misread this?

http://tomcat.10.x6.nabble.com/Custom-URL-handlers-in-Tomcat-web-app-td2006418.html

Thanks,
Diarmuid
 On 8 Jan 2015 22:08, André Warnier a...@ice-sa.com wrote:

 dmccrthy wrote:

 Chris, André,

 Many thanks. I hadn't considered either the MITM or Apache HTTPD angles.
 The proxy idea occurred to me (sorry, I had a typo in my original mail and
 that may not have been clear) but I agree it's messy.

 Many thanks again, I just couldn't find anything that said yes it can be
 done, or no it can't. A 3rd party feature request is a last resort so I
 had
 to find out if there was some under-the-bonnet way. I really appreciate
 your insights into this.


 No problem.

 For the sake of completeness, the only thing which made me cautious about
 using an already-made proxy server such as Apache httpd, is the question of
 the DNS lookups (or rather the resolver in the machine itself), if you
 play with the fake entry in the hosts file.
 Consider the following scenario :
 - the webapp in question wants to connect to server.company.com:8000
 - to divert this to your own local proxy, you define server.company.com
 in the local hosts file as 127.0.0.1 (the localhost), and you set up a
 local httpd to listen on 127.0.0.1:8000, to do the proxying.
 - thus when the webapp builds its TCP connection to 
 server.company.com:8000 - presumably by looking up server.company.com
 first - it gets back (from the local OS's resolver) the IP address
 127.0.0.1, and builds a TCP connection to 127.0.0.1.
 Then over that connection, it sends a HTTP 1.1 request including a Host:
 server.company.com header.
 So far so good.
 - your httpd proxy catches this connection and the request.
 - now the proxy has itself to build a connection to the real
 server.company.com.
 So it does a lookup (using the local OS's TCP stack) for the IP address of
 server.company.com, to build its own connection to it.
 And.. it gets back 127.0.0.1 as an IP address (because of course that
 lookup also looks in the local hosts file first).

 That would be kind of a self-inflicted DOS attack, and it would be
 interesting to see how quickly the proxy would blow up.

 I am not quite sure how you would corrupt the httpd proxy code not to do
 that (*).
 If you tell it to connect to the IP address of that remote host instead,
 it may not work as expected, if that remote host happens to be configured
 with Virtual Hosts itself (which work by name).

 You may be able to configure your webapp to connect to another fake
 hostname, rather than the real destination one.  In that case, there is a
 workaround : define that fake hostname as 127.0.0.1, instead of the real
 destination one.
 But otherwise, you may be in trouble.


 (*) well, actually I do have an idea, but it involves an Apache httpd with
 perl/mod_perl on it, and some devious perl coding to mess around with the
 proxy request before mod_proxy sends it out.  If it is really important to
 you, and you find no other solution, I could point you to a good consultant
 for this kind of thing.







Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-08 Thread dmccrthy
Hi,

Is it possible to configure or hack Tomcat in some way to intercept
outbound HTTP URL requests from a deployed web application and convert them
to HTTPS with Mutual Authentication?

My scenario is:

* 3rd party web application that makes client invocations to a server that
requires HTTPS with Mutual Authentication
* I don’t know what framework the web application uses or how it creates
the HTTP client connections
* I can’t make changes to the 3rd party application

I have investigated the below but they don’t seem to offer a solution

* Adding Custom Resource Factories -
http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html.  This
requires changes to the client application
* HTTP connector - http://tomcat.apache.org/tomcat-7.0-doc/config/http.html.
This is for the Tomcat web server, not for outbound client connections

I have successfully configured the server and can make SoapUI calls to it
using HTTPS and Mutual Authentication. If I had control of the client code
I would use HttpClient and accomplish it that way.

For the Tomcat client application I have searched Google, Stackoverflow,
and the Tomcat wiki and mail archives but all HTTPS/Mutual Authentication
solutions I can find refer to Tomcat as the web server, not to web
applications making outbound connections from a Tomcat instance.

If there is no option to configure Tomcat then the only options I can think
of are below, but if anyone has any other insights it would be much
appreciated.

1) Write a between the Tomcat “client” instance and the HTTPS/MA endpoint
2)  Find out the framework/socket factory/url connection factory the
3rdparty web app uses and override it with a Tomcat plugin
3)  Raise a feature request with the 3rd party vendor to support HTTPS/MA

Many thanks,
Diarmuid McCarthy


Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-08 Thread dmccrthy
Chris, André,

Many thanks. I hadn't considered either the MITM or Apache HTTPD angles.
The proxy idea occurred to me (sorry, I had a typo in my original mail and
that may not have been clear) but I agree it's messy.

Many thanks again, I just couldn't find anything that said yes it can be
done, or no it can't. A 3rd party feature request is a last resort so I had
to find out if there was some under-the-bonnet way. I really appreciate
your insights into this.

Best regards,
Diarmuid
On 8 Jan 2015 16:16, Christopher Schultz ch...@christopherschultz.net
wrote:


 André,

 On 1/8/15 9:52 AM, André Warnier wrote:
  dmccrthy wrote:
  Hi,
 
  Is it possible to configure or hack Tomcat in some way to
  intercept outbound HTTP URL requests from a deployed web
  application and convert them to HTTPS with Mutual
  Authentication?
 
  My scenario is:
 
  * 3rd party web application that makes client invocations to a
  server that requires HTTPS with Mutual Authentication * I don’t
  know what framework the web application uses or how it creates
  the HTTP client connections * I can’t make changes to the 3rd
  party application
 
  I have investigated the below but they don’t seem to offer a
  solution
 
  * Adding Custom Resource Factories -
  http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-
  http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html
 
 
 howto.html
  http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html.
   This requires changes to the client application * HTTP connector
  - http://tomcat.apache.org/tomcat-7.0-doc/config/http.html.. This
  is for the Tomcat web server, not for outbound client
  connections
 
  I have successfully configured the server and can make SoapUI
  calls to it using HTTPS and Mutual Authentication. If I had
  control of the client code I would use HttpClient and accomplish
  it that way.
 
  For the Tomcat client application I have searched Google,
  Stackoverflow, and the Tomcat wiki and mail archives but all
  HTTPS/Mutual Authentication solutions I can find refer to Tomcat
  as the web server, not to web applications making outbound
  connections from a Tomcat instance.
 
  If there is no option to configure Tomcat then the only options I
  can think of are below, but if anyone has any other insights it
  would be much appreciated.
 
  1) Write a between the Tomcat “client” instance and the HTTPS/MA
  endpoint 2)  Find out the framework/socket factory/url connection
  factory the 3rdparty web app uses and override it with a Tomcat
  plugin 3)  Raise a feature request with the 3rd party vendor to
  support HTTPS/MA
 
 
  I don't know really about the hacking Tomcat option (but I
  believe that is not possible in this case, because Tomcat is not
  involved at all in those connections which the webapp is making on
  the side).
 
  This is what you could do outside of Tomcat (but it is some work)
  :
 
  1) find out to what hostname:port that application is making a
  call. Say for now that it is server.company.com:8000.
 
  2) in the hosts file of the Tomcat server, add an entry for that
  hostname, with IP address 127.0.0.1, like 127.0.0.1
  server.company.com (alternatively, you could use another valid IP
  of your Tomcat server)

 Yup: MITM.

  3) on the Tomcat server, create a separate proxy process which
  listens on that IP and port 8000 for such HTTP requests, and
  forwards them via HTTPS to the real external host/port (while being
  careful not to create a loop via the hosts file - iow, if possible,
  it should not do a DNS lookup for the external hostname
  server.company.com, because it would get 127.0.0.1 as the IP
  address, and that would be self-defeating)
 
  Of course then, the burden of the HTTPS/MA dialog falls on that
  process which you create.

 Any web server capable of proxying would work here, probably better
 than Tomcat. Proxying connections from HTTP to HTTPS using Apache
 httpd would be fairly simple: no code required, just configuration.

  Note that this approach is somewhat simplistic and flaky, and will
  only work if these external HTTP requests/responses are really
  simple, and the responses returned by the external server don't do
  things like re-directs elsewhere etc..

 Apache httpd would probably handle these appropriately. Writing one's
 own code would be a mistake, here.

  It would indeed be a lot better to ask the webapp provider to fix
  their code.

 +1

  But also note that to simplify your life you may be able, for this
  separate proxy process, to use an already-existing piece of
  software such as an Apache httpd webserver (listening on
  localhost:8000) (*), or some utility that creates tunnels.

 +1

  (*) or even a dedicated Tomcat instance, provided you find a webapp
  able to act as a HTTPS/MA proxy

 I'm not sure if there's a Java-based proxy web application out there;
 I've never looked for one. The use of httpd, nginx, or squid seems
 like

Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-08 Thread Christopher Schultz

Diarmuid,

On 1/8/15 8:51 AM, dmccrthy wrote:
> Is it possible to configure or hack Tomcat in some way to
> intercept outbound HTTP URL requests from a deployed web
> application and convert them to HTTPS with Mutual Authentication?

Why not just do that directly in your web application?

The short answer is that Tomcat is only in charge of the incoming
requests; what your web application decides to do (e.g. making an
outgoing connection) is not its concern. There may be full Java EE
servers that provide services like what you describe, but Tomcat does not.

> My scenario is:
>
> * 3rd party web application that makes client invocations to a
> server that requires HTTPS with Mutual Authentication * I don’t
> know what framework the web application uses or how it creates the
> HTTP client connections * I can’t make changes to the 3rd party
> application

I see. Can you change the URL that the 3rd party application uses to
call-out?

> I have investigated the below but they don’t seem to offer a
> solution
>
> * Adding Custom Resource Factories -
> http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html.
> This requires changes to the client application * HTTP connector -
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html. This is
> for the Tomcat web server, not for outbound client connections

Nah, what you'd want to do is register a URL protocol stream handler,
and then use that special URL which would then call your code. Your
code can decorate the connection however it wants.

What you are really trying to do is a MITM attack against your own
software.

You can check out this project on SourceForge which has all the source
code available to register a protocol handler. You'd have to write the
HTTP-to-HTTPS stuff, though.

https://sourceforge.net/projects/tuc/

> I have successfully configured the server and can make SoapUI calls
> to it using HTTPS and Mutual Authentication. If I had control of
> the client code I would use HttpClient and accomplish it that way.
>
> For the Tomcat client application I have searched Google,
> Stackoverflow, and the Tomcat wiki and mail archives but all
> HTTPS/Mutual Authentication solutions I can find refer to Tomcat as
> the web server, not to web applications making outbound connections
> from a Tomcat instance.
>
> If there is no option to configure Tomcat then the only options I
> can think of are below, but if anyone has any other insights it
> would be much appreciated.
>
> 1) Write a between the Tomcat “client” instance and the HTTPS/MA
> endpoint 2)  Find out the framework/socket factory/url connection
> factory the 3rdparty web app uses and override it with a Tomcat
> plugin 3)  Raise a feature request with the 3rd party vendor to
> support HTTPS/MA

Ultimately, #4 is the right solution: you should start there and only
resort to heroic measures if they either say no or tell you that the
timeframe is going to be very long.

Hope that helps,
-chris



Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-08 Thread André Warnier

dmccrthy wrote:

> Hi,
>
> Is it possible to configure or hack Tomcat in some way to intercept
> outbound HTTP URL requests from a deployed web application and convert them
> to HTTPS with Mutual Authentication?
>
> My scenario is:
>
> * 3rd party web application that makes client invocations to a server that
> requires HTTPS with Mutual Authentication
> * I don’t know what framework the web application uses or how it creates
> the HTTP client connections
> * I can’t make changes to the 3rd party application
>
> I have investigated the below but they don’t seem to offer a solution
>
> * Adding Custom Resource Factories -
> http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html.  This
> requires changes to the client application
> * HTTP connector - http://tomcat.apache.org/tomcat-7.0-doc/config/http.html..
> This is for the Tomcat web server, not for outbound client connections
>
> I have successfully configured the server and can make SoapUI calls to it
> using HTTPS and Mutual Authentication. If I had control of the client code
> I would use HttpClient and accomplish it that way.
>
> For the Tomcat client application I have searched Google, Stackoverflow,
> and the Tomcat wiki and mail archives but all HTTPS/Mutual Authentication
> solutions I can find refer to Tomcat as the web server, not to web
> applications making outbound connections from a Tomcat instance.
>
> If there is no option to configure Tomcat then the only options I can think
> of are below, but if anyone has any other insights it would be much
> appreciated.
>
> 1) Write a between the Tomcat “client” instance and the HTTPS/MA endpoint
> 2)  Find out the framework/socket factory/url connection factory the
> 3rdparty web app uses and override it with a Tomcat plugin
> 3)  Raise a feature request with the 3rd party vendor to support HTTPS/MA



I don't know really about the hacking Tomcat option (but I believe that is not possible 
in this case, because Tomcat is not involved at all in those connections which the webapp 
is making on the side).


This is what you could do outside of Tomcat (but it is some work) :

1) find out to what hostname:port that application is making a call.
Say for now that it is server.company.com:8000.

2) in the hosts file of the Tomcat server, add an entry for that hostname, with IP 
address 127.0.0.1, like

127.0.0.1 server.company.com
(alternatively, you could use another valid IP of your Tomcat server)

3) on the Tomcat server, create a separate proxy process which listens on that IP and 
port 8000 for such HTTP requests, and forwards them via HTTPS to the real external 
host/port (while being careful not to create a loop via the hosts file - iow, if possible, 
it should not do a DNS lookup for the external hostname server.company.com, because it 
would get 127.0.0.1 as the IP address, and that would be self-defeating)


Of course then, the burden of the HTTPS/MA dialog falls on that process which 
you create.

Note that this approach is somewhat simplistic and flaky, and will only work if these 
external HTTP requests/responses are really simple, and the responses returned by the 
external server don't do things like re-directs elsewhere etc..


It would indeed be a lot better to ask the webapp provider to fix their code.

But also note that to simplify your life you may be able, for this separate proxy 
process, to use an already-existing piece of software such as an Apache httpd webserver 
(listening on localhost:8000) (*), or some utility that creates tunnels..


(*) or even a dedicated Tomcat instance, provided you find a webapp able to act as a 
HTTPS/MA proxy





Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections

2015-01-08 Thread Christopher Schultz

André,

On 1/8/15 9:52 AM, André Warnier wrote:
> dmccrthy wrote:
> > Hi,
> >
> > Is it possible to configure or hack Tomcat in some way to
> > intercept outbound HTTP URL requests from a deployed web
> > application and convert them to HTTPS with Mutual
> > Authentication?
> >
> > My scenario is:
> >
> > * 3rd party web application that makes client invocations to a
> > server that requires HTTPS with Mutual Authentication * I don’t
> > know what framework the web application uses or how it creates
> > the HTTP client connections * I can’t make changes to the 3rd
> > party application
> >
> > I have investigated the below but they don’t seem to offer a
> > solution
> >
> > * Adding Custom Resource Factories -
> > http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html.
> > This requires changes to the client application * HTTP connector
> > - http://tomcat.apache.org/tomcat-7.0-doc/config/http.html.. This
> > is for the Tomcat web server, not for outbound client
> > connections
> >
> > I have successfully configured the server and can make SoapUI
> > calls to it using HTTPS and Mutual Authentication. If I had
> > control of the client code I would use HttpClient and accomplish
> > it that way.
> >
> > For the Tomcat client application I have searched Google,
> > Stackoverflow, and the Tomcat wiki and mail archives but all
> > HTTPS/Mutual Authentication solutions I can find refer to Tomcat
> > as the web server, not to web applications making outbound
> > connections from a Tomcat instance.
> >
> > If there is no option to configure Tomcat then the only options I
> > can think of are below, but if anyone has any other insights it
> > would be much appreciated.
> >
> > 1) Write a between the Tomcat “client” instance and the HTTPS/MA
> > endpoint 2)  Find out the framework/socket factory/url connection
> > factory the 3rdparty web app uses and override it with a Tomcat
> > plugin 3)  Raise a feature request with the 3rd party vendor to
> > support HTTPS/MA
>
> I don't know really about the hacking Tomcat option (but I
> believe that is not possible in this case, because Tomcat is not
> involved at all in those connections which the webapp is making on
> the side).
>
> This is what you could do outside of Tomcat (but it is some work)
> :
>
> 1) find out to what hostname:port that application is making a
> call. Say for now that it is server.company.com:8000.
>
> 2) in the hosts file of the Tomcat server, add an entry for that
> hostname, with IP address 127.0.0.1, like 127.0.0.1
> server.company.com (alternatively, you could use another valid IP
> of your Tomcat server)

Yup: MITM.

> 3) on the Tomcat server, create a separate proxy process which
> listens on that IP and port 8000 for such HTTP requests, and
> forwards them via HTTPS to the real external host/port (while being
> careful not to create a loop via the hosts file - iow, if possible,
> it should not do a DNS lookup for the external hostname
> server.company.com, because it would get 127.0.0.1 as the IP
> address, and that would be self-defeating)
>
> Of course then, the burden of the HTTPS/MA dialog falls on that
> process which you create.

Any web server capable of proxying would work here, probably better
than Tomcat. Proxying connections from HTTP to HTTPS using Apache
httpd would be fairly simple: no code required, just configuration.

> Note that this approach is somewhat simplistic and flaky, and will
> only work if these external HTTP requests/responses are really
> simple, and the responses returned by the external server don't do
> things like re-directs elsewhere etc..

Apache httpd would probably handle these appropriately. Writing one's
own code would be a mistake, here.

> It would indeed be a lot better to ask the webapp provider to fix
> their code.

+1

> But also note that to simplify your life you may be able, for this
> separate proxy process, to use an already-existing piece of
> software such as an Apache httpd webserver (listening on
> localhost:8000) (*), or some utility that creates tunnels.

+1

> (*) or even a dedicated Tomcat instance, provided you find a webapp
> able to act as a HTTPS/MA proxy

I'm not sure if there's a Java-based proxy web application out there;
I've never looked for one. The use of httpd, nginx, or squid seems
like a much better choice. The nice thing is that you don't have to
deploy it wide-scale: you can just make it listen to localhost
connections and not expand the attack surface of your server. So, even
though you might be introducing more complexity, etc. into your
network setup, you are not exposing that service to the world and only
have trusted clients connecting to it (the service you are trying to
MITM).

-chris

How to configure Tomcat for simulating SSL

2014-05-06 Thread juan fernandez
Hello,
we have HTTPS from the browser to the Oracle Web Cache server, and HTTP from
Web Cache to the Tomcat server.

We have seen analyzing the network traffic that after an HTTPS request there
is an HTTP request and the status code is aborted.

Example:
(HTTPS request) https://myserver.com:4443/example/
- (HTTP response – Error:This web page is not available)
http://myserver.com:4443/example/index.htm

Which configuration do we have to simulate HTTPS?

Oracle Web Cache info (output “opatch lsinventory”):

Oracle WebTier and Utilities CD 11.1.1.6.0

Tomcat info:
Apache Tomcat Version 6.0.35

S.O info:Red Hat Enterprise Linux Server release 6.4 (Santiago)

Re: How to configure Tomcat for simulating SSL

2014-05-06 Thread Christopher Schultz

Juan,

On 5/6/14, 7:26 AM, juan fernandez wrote:
> we have HTTPS from the browser to the Oracle Web Cache server, and
> HTTP from Web Cache to the Tomcat server.
>
> We have seen analyzing the network traffic that after an HTTPS
> request there is an HTTP request and the status code is aborted.

Who participates in the HTTPS request? Who for the HTTP request?

> Example: (HTTPS request) https://myserver.com:4443/example/ -
> (HTTP response – Error:This web page is not available)
> http://myserver.com:4443/example/index.htm

This looks like the request is being mutated at some point.

> Which configuration do we have to simulate HTTPS?

What do you mean simulate HTTPS?

> Oracle Web Cache info (output “opatch lsinventory”):
>
> Oracle WebTier and Utilities CD 11.1.1.6.0
>
> Tomcat info: Apache Tomcat Version 6.0.35
>
> S.O info:Red Hat Enterprise Linux Server release 6.4 (Santiago)
 
Can you provide more information? For instance, when the client
requests https://myserver.com:4443/example, what request should go to
Tomcat?

-chris



Re: Configure Tomcat Logging Programmatically

2013-12-10 Thread java developer
Hi,
Calling tomcat.setSilent(false) might help. Just try this and see if this
helps. Below is a small function from the Tomcat class.


    /**
     * Controls if the loggers will be silenced or not.
     * @param silent    <code>true</code> sets the log level to WARN for the
     *                  loggers that log information on Tomcat start up. This
     *                  prevents the usual startup information being logged.
     *                  <code>false</code> sets the log level to the default
     *                  level of INFO.
     */
    public void setSilent(boolean silent) {
        for (String s : silences) {
            if (silent) {
                Logger.getLogger(s).setLevel(Level.WARNING);
            } else {
                Logger.getLogger(s).setLevel(Level.INFO);
            }
        }
    }



On Mon, Dec 9, 2013 at 11:16 AM, Matthew Westwood-Hill 
matthew.westwood-h...@nuix.com wrote:

 I am running Tomcat programmatically (embedded) and I wanted to configure
 its logging so I can track inbound request.



 I start Tomcat as follows:



 tomcat = new Tomcat();

 tomcat.setBaseDir(DEFAULT_BASE_DIR);

 tomcat.getService().addConnector(defaultConnector);

 tomcat.setConnector(defaultConnector);

 tomcat.init();

 tomcat.start();



 How do I go about configuring the logging?



 Cheers,

 Matt



Configure Tomcat Logging Programmatically

2013-12-09 Thread Matthew Westwood-Hill
I am running Tomcat programmatically (embedded) and I wanted to configure
its logging so I can track inbound request.



I start Tomcat as follows:



tomcat = new Tomcat();

tomcat.setBaseDir(DEFAULT_BASE_DIR);

tomcat.getService().addConnector(defaultConnector);

tomcat.setConnector(defaultConnector);

tomcat.init();

tomcat.start();



How do I go about configuring the logging?



Cheers,

Matt


Do you know how to configure Tomcat in ipv6 ?

2013-08-01 Thread olivier giorgi
Hello to all,
 
Please, could you help me about the following subject:
 
How to configure Tomcat in ipv6 ?
 
Thanks in advance.
Best regards Olivier.

RE: Do you know how to configure Tomcat in ipv6 ?

2013-08-01 Thread Gilles Badouet
In order to do what?

Your question is too generic!!





Kind regards





Gilles Rubens Badouet

Student ID: 3940347

Faculty of Engineering and Computing

MSc Network Computing Course

Mobile: 07424486426


From: olivier giorgi olivier_gio...@yahoo.fr
Sent: 01 August 2013 17:17
To: users@tomcat.apache.org
Subject: Do you know how to configure Tomcat in ipv6 ?

Hello to all,

Please, could you help me about the following subject:

How to configure Tomcat in ipv6 ?

Thanks in advance.
Best regards Olivier.





RE: Do you know how to configure Tomcat in ipv6 ?

2013-08-01 Thread Jeffrey Janner
 -Original Message-
 From: olivier giorgi [mailto:olivier_gio...@yahoo.fr]
 Sent: Thursday, August 01, 2013 11:17 AM
 To: users@tomcat.apache.org
 Subject: Do you know how to configure Tomcat in ipv6 ?
 
 Hello to all,
 
 Please, could you help me about the following subject:
 
 How to configure Tomcat in ipv6 ?
 
 Thanks in advance.
 Best regards Olivier.

Start here: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html






Re: How to configure tomcat 6.0.36 in Windows 7 to deploy servlets

2013-01-27 Thread Pid
On 27/01/2013 16:25, Varuna Seneviratna wrote:
 I extracted tomcat-6.0.36 zip file to c:\tomcat, now root of my tomcat
 installation is c:\tomcat. I have set the CLASSPATH  to
 
 .;C:\tomcat\lib\servlet-api.jar;C:\Program Files\Java\jdk1.7.0_10

Don't do that.  Tomcat configures the classpath for itself.


 Tomcat-6.0.36 is now running and the Home page is displayed
 
 I created the below Servlet
 <SERVLET>
 import java.io.*;
 import javax.servlet.*;
 import javax.servlet.http.*;
 
 public class HelloWorld extends HttpServlet {
     public void doGet(HttpServletRequest req, HttpServletResponse res)
             throws ServletException, IOException {
 
         res.setContentType("text/html");
         PrintWriter out = res.getWriter();
 
         out.println("<HTML>");
         out.println("<HEAD><TITLE>Hello World</TITLE></HEAD>");
         out.println("<BODY>");
         out.println("<BIG>Hello World</BIG>");
         out.println("</BODY></HTML>");
     }
 }
 
 </SERVLET>
 
 The above Servlet was successfully compiled and the resulting .class
 file was placed in the directory /webapps/ROOT/WEB-INF/classes
 The classes directory was not created when the tomcat zip file was
 extracted so I created it myself. Inside WEB-INF/ directory there is a
 web.xml file and I didn't do anything with it.

You need to specify the Servlet in web.xml.  That would be why it
doesn't work, read the Servlet Specification for more information and
follow the guide here:

 http://tomcat.apache.org/tomcat-6.0-doc/appdev/index.html

Tip: don't modify the existing Tomcat applications, remove/backup the
existing ones and replace them with the ones you create.


p


 When I tried to access the Servlet HelloWorld through the url
 http://localhost:8080/servlet/HelloWorld the response is
 <RESPONSE>
 HTTP Status 404 - /servlet/HelloWorld
 
 type Status report
 
 message /servlet/HelloWorld
 
 description The requested resource is not available.
 Apache Tomcat/6.0.36
 </RESPONSE>
 
 trying with the url http://localhost:8080/servlets/servlet/HelloWorld
 resulted in the same response as above
 
 What must be done to get the Servlets deployed?
 
 Thanks
 



how to configure Tomcat for leveraging browser caching?

2012-06-27 Thread Choudhury
Hi , 
 I ran Google's Page Speed(
https://developers.google.com/speed/pagespeed/ ) on our web app to analyze 
and optimize our web site .

One of the many items under Web Performance Best Practices (
https://developers.google.com/speed/docs/best-practices/caching#LeverageBrowserCaching
) as listed in Page Speed says "To take advantage of the full benefits of
caching consistently across all browsers, we recommend that you configure
your web server to explicitly set caching headers and apply them to all
cacheable static resources, not just a small subset (such as images).
Cacheable resources include JS and CSS files, image files, and other
binary object files (media files, PDFs, Flash files, etc.). In general,
HTML is not static, and shouldn't be considered cacheable."

How do I configure tomcat to achieve the same? I know it can be done via
Filters by putting some HTTP headers, but can we do it without touching
code, just by configuration?

Regards,

Subhrajyoti 
Mobile: +919830079545
Mail: choudh...@labware.com
Web: www.labware.com

LabWare LIMS Solutions - Results Count

Re: how to configure Tomcat for leveraging browser caching?

2012-06-27 Thread Christopher Schultz

Subhrajyoti,

On 6/27/12 3:16 AM, choudh...@labware.com wrote:
 Hi , I ran Google's Page Speed( 
 https://developers.google.com/speed/pagespeed/ ) on our web app to
 analyze and optimize our web site .
 
 One of the many items under Web Performance Best Practices (
 https://developers.google.com/speed/docs/best-practices/caching#LeverageBrowserCaching
 ) as listed in Page Speed says "To take advantage of the full
 benefits of caching consistently across all browsers, we recommend
 that you configure your web server to explicitly set caching
 headers and apply them to all cacheable static resources, not just
 a small subset (such as images). Cacheable resources include JS and
 CSS files, image files, and other binary object files (media files,
 PDFs, Flash files, etc.). In general, HTML is not static, and
 shouldn't be considered cacheable." How do I configure tomcat to
 achieve the same? I know it can be done via Filters by putting
 some HTTP headers, but can we do it without touching code, just by
 configuration?

It looks like you can use urlrewrite [1] with a set configuration to
set headers for specific URL patterns. So, technically, you need code
to do it, but you can use existing code instead of writing your own.
url-rewrite might be a bit heavy for your needs, and you may decide to
write your own simple filter.

- -chris

[1] http://www.tuckey.org/urlrewrite/



Re: Antw.: how to properly configure tomcat 7 cluster with BackupManager

2011-12-01 Thread Filip Hanik - Dev Lists

http://www.datadisk.co.uk/html_docs/java_app/tomcat6/tomcat6_clustering.htm
http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html
http://tomcat.apache.org/tomcat-6.0-doc/tribes/introduction.html

On 10/27/2011 9:29 AM, juergen.l...@gmail.com wrote:

Hi Mark,
thanks a lot for this clarification!
Is there any reference you recommend for learning about tomcat clustering 
(apart from the source code)?

Cheers
Jürgen







how to properly configure tomcat 7 cluster with BackupManager

2011-10-27 Thread Jürgen Link
Hi all,
I successfully did set up a tomcat cluster (3 nodes) with session
replication, using the standard DeltaManager.

In order to allow for more nodes, I'd like to switch to BackupManager for
primary-secondary replication on a dedicated backup node.
Unfortunately, the official documentation (and various other sources out
there) simply states "For larger clusters, to use a primary-secondary
session replication where the session will only be stored at one backup
server simply setup the BackupManager."
I therefore tried to replace DeltaManager in all node's three context.xml by
BackupManager, but sessions still get replicated on all three nodes.
I also tried to configure only one node with BackupManager, but it didn't
help either.

I'm obviously missing something - can someone give a sketch of how to
configure the cluster correctly?


Cheers
Jürgen


Re: how to properly configure tomcat 7 cluster with BackupManager

2011-10-27 Thread markt
Jürgen Link juergen.l...@googlemail.com wrote:

Hi all,
I successfully did set up a tomcat cluster (3 nodes) with session
replication, using the standard DeltaManager.

In order to allow for more nodes, I'd like to switch to BackupManager
for
primary-secondary replication on a dedicated backup node.
Unfortunately, the official documentation (and various other sources out
there) simply states "For larger clusters, to use a primary-secondary
session replication where the session will only be stored at one backup
server simply setup the BackupManager."
I therefore tried to replace DeltaManager in all node's three
context.xml by
BackupManager, but sessions still get replicated on all three nodes.
I also tried to configure only one node with BackupManager, but it
didn't
help either.

I'm obviously missing something - can someone give a sketch of how to
configure the cluster correctly?

The backup manager doesn't work the way you think it does. Consider a four node
cluster with nodes A, B, C & D. If node A has 30 primary sessions (more on that
in a sec) then 10 of them will be backed up on node B, 10 on node C and 10 on
node D. Sessions may be primary (currently being used), backup (full copy of
the primary) or proxy (no data but knows which nodes are primary and backup).
If a node isn't the primary or a backup it will be a proxy.

You have to use sticky sessions with the backup manager else the primary node 
for the session keeps changing and that creates a lot of traffic.

If the primary node fails, any other node can take over since they all have 
either a backup or the proxy info.

Mark








Re: how to properly configure tomcat 7 cluster with BackupManager

2011-10-27 Thread Mark Thomas
On 27/10/2011 14:43, ma...@apache.org wrote:
 Jürgen Link juergen.l...@googlemail.com wrote:
 
 Hi all, I successfully did set up a tomcat cluster (3 nodes) with
 session replication, using the standard DeltaManager.
 
 In order to allow for more nodes, I'd like to switch to
 BackupManager for primary-secondary replication on a dedicated
 backup node. Unfortunately, the official documentation (and various
 other sources out there) simply states "For larger clusters, to use
 a primary-secondary session replication where the session will only
 be stored at one backup server simply setup the BackupManager." I
 therefore tried to replace DeltaManager in all node's three 
 context.xml by BackupManager, but sessions still get replicated on
 all three nodes. I also tried to configure only one node with
 BackupManager, but it didn't help either.
 
 I'm obviously missing something - can someone give a sketch of how
 to configure the cluster correctly?
 
 The backup manager doesn't work the way you think it does. Consider a
 four node cluster with nodes A, B, C & D. If node A has 30 primary
 sessions (more on that in a sec) then 10 of them will be backed up on
 node B, 10 on node C and 10 on node D. Sessions may be primary
 (currently being used), backup (full copy of the primary) or proxy
 (no data but knows which nodes are primary and backup). If a node
 isn't the primary or a backup it will be a proxy.

That should say "If a node isn't the primary or a backup node for a
session then it will be a proxy node."

Also, you can use the Manager app to view sessions and it will show you
primary, backup or proxy info.

 You have to use sticky sessions with the backup manager else the
 primary node for the session keeps changing and that creates a lot of
 traffic.
 
 If the primary node fails, any other node can take over since they
 all have either a backup or the proxy info.
 
 Mark
 
 
 
 
 



Re: Antw.: how to properly configure tomcat 7 cluster with BackupManager

2011-10-27 Thread Mark Thomas
On 27/10/2011 16:29, juergen.l...@gmail.com wrote:
 Hi Mark, thanks a lot for this clarification! Is there any reference
 you recommend for learning about tomcat clustering (apart from the
 source code)?

Nothing immediately comes to mind. It is an area where we could do with
some better docs.

Mark




How to configure Tomcat 7 manager webapp into an subpath?

2011-10-26 Thread Roland Schmitt
I have configured the tomcat webroot outside of the tomcat directory.
But then the tomcat management application isn't accessible any more.
I have then tried to create a subcontext /manager which should allow access to
the manager application. But localhost/manager doesn't show any content.

How can I configure a subcontext just for accessing the manager application?

I have configured two contexts under:
Tomcat7\conf\catalina\localhost

ROOT.XML:
<Context path="" docBase="D:/webroot/" cookies="false" reloadable="false"
allowLinking="false" caseSensitive="true" unpackWAR="false" useNaming="false">
</Context>

manager.xml
<Context path="/manager" docBase="D:\Programs\Tomcat 7\webapps\manager">
</Context>

Roland



Re: How to configure Tomcat 7 manager webapp into an subpath?

2011-10-26 Thread Konstantin Kolinko
2011/10/26 Roland Schmitt roland-schm...@gmx.de:
 I have configured the tomcat webroot outside of the tomcat directory.
 But then the tomcat management application isn't accessible any more.
 I have then tried to create a subcontext /manager which should allow access
 to the manager application. But localhost/manager doesn't show any content.

 How can I configure a subcontext just for accessing the manager application?

 I have configured two contexts under:
 Tomcat7\conf\catalina\localhost

 ROOT.XML:
 <Context path="" docBase="D:/webroot/" cookies="false" reloadable="false"
 allowLinking="false" caseSensitive="true" unpackWAR="false" useNaming="false">
 </Context>

 manager.xml
 <Context path="/manager" docBase="D:\Programs\Tomcat 7\webapps\manager">
 </Context>

1. You cannot use path attribute in *.xml context files.
2. Manager webapp needs to be privileged.

<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="${catalina.home}\webapps\manager"
antiResourceLocking="false" privileged="true">
</Context>

You may want to add a <Valve
className="org.apache.catalina.valves.RemoteAddrValve" ... /> inside
the <Context> tag.

Best regards,
Konstantin Kolinko
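
The two numbered points in the reply above, together with the suggested RemoteAddrValve, written as a descriptor check (an added example, not part of the original thread and not Tomcat's own code). The sample descriptors, the loopback `allow` value and the finding names are constructed for illustration; the check assumes `allow` is a single regular expression that must match the whole client address, and uses Python's `re` as a stand-in for Java's regex engine.

```python
"""Audit a Tomcat context descriptor (conf/Catalina/localhost/<name>.xml)."""
import re
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"
# Probe addresses that are not loopback (documentation and private ranges).
NON_LOOPBACK_PROBES = ("203.0.113.10", "10.0.0.5", "2001:db8::1")

# Constructed sample: the manager descriptor as first posted in the thread.
AS_POSTED = r'''<Context path="/manager" docBase="D:\Programs\Tomcat 7\webapps\manager">
</Context>'''

# Constructed sample: the reply's descriptor with the suggested valve filled in
# so that only loopback addresses match (the allow value is an assumption).
HARDENED = r'''<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="${catalina.home}\webapps\manager"
         antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>'''

# Constructed sample: a valve is present but its pattern admits every address.
OPEN_VALVE = HARDENED.replace(r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1", ".*")


def _is_manager(filename, doc_base):
    """The context name comes from the file name; also catch a manager docBase."""
    last = re.split(r"[\\/]", doc_base.rstrip("\\/"))[-1]
    return filename.lower() == "manager.xml" or last == "manager"


def audit_context(filename, xml_text):
    """Return a list of finding codes for one context descriptor."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "Context":
        return ["not-a-context"]
    findings = []
    # Point 1 of the reply: no path attribute in *.xml context files.
    if "path" in root.attrib:
        findings.append("path-attribute")
    if not _is_manager(filename, root.get("docBase", "")):
        return findings
    # Point 2 of the reply: the Manager webapp needs privileged="true".
    if root.get("privileged", "false").lower() != "true":
        findings.append("manager-not-privileged")
    valves = [v for v in root.findall("Valve")
              if v.get("className") == REMOTE_ADDR_VALVE]
    if not valves:
        findings.append("manager-no-remote-addr-valve")
    for valve in valves:
        allow = valve.get("allow")
        if allow is None:
            findings.append("valve-without-allow")
            continue
        try:
            pattern = re.compile(allow)
        except re.error:
            findings.append("valve-allow-unparseable")
            continue
        # Whole-address match, so a stray ".*" or a missing anchor shows up here.
        if any(pattern.fullmatch(addr) for addr in NON_LOOPBACK_PROBES):
            findings.append("valve-allows-non-loopback")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("hardened", HARDENED),
                        ("open valve", OPEN_VALVE)):
        print(label, audit_context("manager.xml", text))
```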




Re: How to configure Tomcat 7 manager webapp into an subpath?

2011-10-26 Thread Roland Schmitt
Thanks, now localhost/manager redirects to the manager app.
But after typing in username + password the access to the manager app doesn't
work; I get the 401 authorization required page.

The user is added in the tomcat7\conf\tomcat-users.xml

<role rolename="manager-gui"/>
<user username="test" password="test" roles="manager-gui"/>

best regards
Roland

 Original Message 
 Date: Wed, 26 Oct 2011 16:22:39 +0400
 From: Konstantin Kolinko knst.koli...@gmail.com
 To: Tomcat Users List users@tomcat.apache.org
 Subject: Re: How to configure Tomcat 7 manager webapp into an subpath?

 2011/10/26 Roland Schmitt roland-schm...@gmx.de:
  I have configured the tomcat webroot outside of the tomcat directory.
  But then the tomcat management application isn't accessible any more.
  I have then tried to create a subcontext /manager which should allow
  access to the manager application. But localhost/manager doesn't show any
  content.
 
  How can I configure a subcontext just for accessing the manager
  application?
 
  I have configured two contexts under:
  Tomcat7\conf\catalina\localhost
 
  ROOT.XML:
  <Context path="" docBase="D:/webroot/" cookies="false"
  reloadable="false" allowLinking="false" caseSensitive="true" unpackWAR="false"
  useNaming="false">
  </Context>
 
  manager.xml
  <Context path="/manager" docBase="D:\Programs\Tomcat 7\webapps\manager">
  </Context>
 
 1. You cannot use path attribute in *.xml context files.
 2. Manager webapp needs to be privileged.
 
 <?xml version="1.0" encoding="UTF-8"?>
 <Context docBase="${catalina.home}\webapps\manager"
 antiResourceLocking="false" privileged="true">
 </Context>
 
 You may want to add a <Valve
 className="org.apache.catalina.valves.RemoteAddrValve" ... /> inside
 the <Context> tag.
 
 Best regards,
 Konstantin Kolinko
 



RE: How to configure Tomcat 7 manager webapp into an subpath?

2011-10-26 Thread Caldarale, Charles R
 From: Roland Schmitt [mailto:roland-schm...@gmx.de] 
 Subject: Re: How to configure Tomcat 7 manager webapp into an subpath?

 The user is added in the tomcat7\conf\tomcat-users.xml

And are the comment markers removed?  Did you restart Tomcat after updating the 
.xml file?

 - Chuck





Re: RE: How to configure Tomcat 7 manager webapp into an subpath?

2011-10-26 Thread Roland Schmitt
Yes the comment markers are removed.
And I have also restarted the tomcat after updating xml files.

 Original Message 
 Date: Wed, 26 Oct 2011 08:38:28 -0500
 From: Caldarale, Charles R chuck.caldar...@unisys.com
 To: Tomcat Users List users@tomcat.apache.org
 Subject: RE: How to configure Tomcat 7 manager webapp into an subpath?

  From: Roland Schmitt [mailto:roland-schm...@gmx.de] 
  Subject: Re: How to configure Tomcat 7 manager webapp into an subpath?
 
  The user is added in the tomcat7\conf\tomcat-users.xml
 
 And are the comment markers removed?  Did you restart Tomcat after
 updating the .xml file?
 
  - Chuck




Re: How to configure Tomcat 7 manager webapp into an subpath?

2011-10-26 Thread André Warnier

Roland Schmitt wrote:

Yes the comment markers are removed.
And I have also restarted the tomcat after updating xml files.


We believe only what we see with our own eyes. ;-)

Copy and paste the contents of the file here, so that we can have a look.
(overwrite the passwords of course)

repeat : do not send the file as an attachment, the list strips them.  Copy and paste into 
the message to the list.





 Original Message 

Date: Wed, 26 Oct 2011 08:38:28 -0500
From: Caldarale, Charles R chuck.caldar...@unisys.com
To: Tomcat Users List users@tomcat.apache.org
Subject: RE: How to configure Tomcat 7 manager webapp into an subpath?


From: Roland Schmitt [mailto:roland-schm...@gmx.de] 
Subject: Re: How to configure Tomcat 7 manager webapp into an subpath?

The user is added in the tomcat7\conf\tomcat-users.xml

And are the comment markers removed?  Did you restart Tomcat after
updating the .xml file?

 - Chuck








Re: Configure tomcat using init.d

2011-10-17 Thread ettoregia

Alright guys, thanks for your help.



Pid * wrote:
 
 On 14/10/2011 16:31, Mark Thomas wrote:
 On 14/10/2011 16:15, Mark H. Wood wrote:
 This I can agree with.  They don't allow application managers
 access to Tomcat's config., but anyone can drop stuff into
 /etc/init.d, whence it will run as root?  Really?  Something is not
 right here.
 
 +1  These support guys need firing...
 
 Is it just me, or is the simple privilege escalation attack that this
 makes possible the quickest way to solve this? :) Granted, it isn't
 the best way to solve it but boy would I be tempted in your shoes.
 
 Yes, quite.
 
 
 p
 
 
  
 




Re: Configure tomcat using init.d

2011-10-17 Thread ettoregia

Thanks Hassan for your help.

I found the version (Red Hat 4.1.2-50).

Regarding the deploy, I know that by storing a file under
Catalina-localhost- myAppName.xml in which I specify the path of the WAR I
would not need to copy WAR under webApps but Tomcat will do it by itself. Is
that correct?

For the context.xml, shall I create it, since there's no file so called in
META-INF.

Many thanks.


Hassan Schroeder-2 wrote:
 
 On Fri, Oct 14, 2011 at 1:52 AM, ettoregia ettore...@gmail.com wrote:
 
 My system: Linux, the version I don't know how to realize, since I've got
 just an ssh connection and typing some command I've not been able to
 discover it, maybe you can help me out on this as well.
 
 `cat /proc/version` should give you something useful.
 
 Alright, I need to deploy .war file under tomcat that actually has 4
 engines
 (5.5, 6.0.16, 6.0.18, 7.0), and as I'm used to, I would put under
 /conf/Catalina/localhost, of the engine 6.0.18, a file called
 myAppName.xml to specify the context path of my webApp then I would
 modify
 the server.xml to specify the jdbc connection and the like. As I've no
 rights to modify anything under the tomcat's home the IT guy told me to
 use
 the folder init.d/myAppName in order to use any script at boot time to
 accomplish the configuration above.
 
 Huh? Your app's context path should be taken from the name of the
 WAR file, and the JDBC config should be contained in the WAR file
 in a META-INF/context.xml file.
 
 Nothing else required. Other than an better IT department. :-)
 
 -- 
 Hassan Schroeder  hassan.schroe...@gmail.com
 http://about.me/hassanschroeder
 twitter: @hassan
 



Re: Configure tomcat using init.d

2011-10-17 Thread Hassan Schroeder
On Mon, Oct 17, 2011 at 3:04 AM, ettoregia ettore...@gmail.com wrote:

 Regarding the deploy, I know that by storing a file under
 Catalina-localhost- myAppName.xml in which I specify the path of the WAR I
 would not need to copy WAR under webApps but Tomcat will do it by itself. Is
 that correct?

Sorry, I'm not sure what you're asking. You need to place your WAR
file *somewhere* to deploy it.

Personally I just put it in the appBase directory, eliminating the step
you describe above.

 For the context.xml, shall I create it, since there's no file so called in
 META-INF.

Yes.

-- 
Hassan Schroeder  hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan




Re: Configure tomcat using init.d

2011-10-17 Thread ettoregia

I know, but storing the file it's less invasive. At least that suggest the
Tomcat doc.


Hassan Schroeder-2 wrote:
 
 On Mon, Oct 17, 2011 at 3:04 AM, ettoregia ettore...@gmail.com wrote:
 
 Regarding the deploy, I know that by storing a file under
 Catalina-localhost- myAppName.xml in which I specify the path of the
 WAR I would not need to copy WAR under webApps but Tomcat will do it by
 itself. Is that correct?
 
 Sorry, I'm not sure what you're asking. You need to place your WAR
 file *somewhere* to deploy it.
 
 Personally I just put it in the appBase directory, eliminating the step
 you describe above.
 
 For the context.xml, shall I create it, since there's no file so called
 in
 META-INF.
 
 Yes.
 
 -- 
 Hassan Schroeder  hassan.schroe...@gmail.com
 http://about.me/hassanschroeder
 twitter: @hassan
 



Re: Configure tomcat using init.d

2011-10-17 Thread Hassan Schroeder
On Mon, Oct 17, 2011 at 8:01 AM, ettoregia ettore...@gmail.com wrote:

 I know, but storing the file it's less invasive. At least that suggest the
 Tomcat doc.

Sorry, I'm afraid I don't follow that. But whatever works for you :-)

-- 
Hassan Schroeder  hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan




Re: [OT] Configure tomcat using init.d

2011-10-17 Thread Christopher Schultz

Mark,

On 10/14/2011 11:15 AM, Mark H. Wood wrote:
 On Fri, Oct 14, 2011 at 07:33:28AM -0700, Hassan Schroeder wrote:
 On Fri, Oct 14, 2011 at 1:52 AM, ettoregia ettore...@gmail.com 
 wrote:
 My system: Linux, the version I don't know how to realize, 
 since I've got just an ssh connection and typing some command 
 I've not been able to discover it, maybe you can help me out
 on this as well.
 
 `cat /proc/version` should give you something useful.
 
 'uname -a' is another possibility.

I'm running Debian Squeeze:

$ uname -a
Linux dev 2.6.32-5-openvz-amd64 #1 SMP Wed May 18 23:53:57 UTC 2011
i686 GNU/Linux

No mention of Debian.

$ cat /proc/version
Linux version 2.6.32-5-openvz-amd64 (Debian 2.6.32-34squeeze1)
(da...@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Wed
May 18 23:53:57 UTC 2011

Ooh, Debian everywhere.

Looks like Hassan's suggestion is better.

I usually do:

$ cat /etc/issue
Debian GNU/Linux 6.0 \n \l

I didn't know there was a /proc/version. Maybe I'll start using that,
as it has more information.

 This I can agree with.  They don't allow application managers 
 access to Tomcat's config., but anyone can drop stuff into 
 /etc/init.d, whence it will run as root?  Really?  Something is
 not right here.

Technically, things in /etc/init.d don't run as root just because they
are there. Most rc.d-based systems use /etc/rc[runlevel].d/* as
startup scripts, and those are symlinked to /etc/init.d. Putting a
file into /etc/init.d isn't a direct exploit, but it's pretty close.

 That init script would need to start Yet Another Tomcat Instance. 
 Is that what IT wants?  That has implications for memory demand, 
 port and address space, and linking among app.s.  Maybe the IT guy 
 understands how Tomcat works, but I think I would explore the 
 possibility that he doesn't.

+1

- -chris
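
The relationship described above between the /etc/rc[runlevel].d links and /etc/init.d, written as a permission audit (an added example, not part of the original thread). It follows each S/K link to its target and reports targets and directories that accounts outside a trusted set can modify; the sample tree, function names and finding labels are constructed for illustration.

```python
"""Audit SysV boot scripts for write access by untrusted accounts."""
import os
import stat
import tempfile


def write_risks(path, trusted_uids):
    """Reasons why an account outside trusted_uids could modify `path`."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owner-untrusted")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_boot_scripts(etc_root, trusted_uids=(0,)):
    """Walk etc_root/rc*.d, resolve every S*/K* link and check the link
    directory, the script it points to and the directory holding that script."""
    etc_root = os.path.realpath(etc_root)
    findings = []
    seen = set()

    def check(path):
        if path in seen:
            return
        seen.add(path)
        rel = os.path.relpath(path, etc_root)
        findings.extend((rel, reason) for reason in write_risks(path, trusted_uids))

    for entry in sorted(os.listdir(etc_root)):
        rc_dir = os.path.join(etc_root, entry)
        if not (entry.startswith("rc") and entry.endswith(".d")
                and os.path.isdir(rc_dir)):
            continue
        check(rc_dir)  # whoever can write here can add start links
        for name in sorted(os.listdir(rc_dir)):
            if name[0] not in "SK":
                continue
            target = os.path.realpath(os.path.join(rc_dir, name))
            if not os.path.exists(target):
                # A missing target can be supplied later by anyone able to create it.
                findings.append((os.path.join(entry, name), "dangling-link"))
                continue
            check(target)                   # the script that runs at boot
            check(os.path.dirname(target))  # its directory: replace or rename
    return findings


def build_sample_tree():
    """Constructed layout: one sound script, one world-writable, one dangling link."""
    root = tempfile.mkdtemp(prefix="etc-sample-")
    for d in ("init.d", "rc3.d"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for name, mode in (("tomcat", 0o755), ("myapp", 0o777)):
        path = os.path.join(root, "init.d", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    for link, script in (("S80tomcat", "tomcat"), ("S99myapp", "myapp"),
                         ("K01gone", "gone")):
        os.symlink(os.path.join("..", "init.d", script),
                   os.path.join(root, "rc3.d", link))
    return root


if __name__ == "__main__":
    # The sample files belong to the current user, so trust that uid here;
    # on a real host keep the default trusted_uids=(0,).
    for finding in audit_boot_scripts(build_sample_tree(), {os.getuid()}):
        print(finding)
```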



Re: [OT] Configure tomcat using init.d

2011-10-17 Thread Ann Ramsey
Thank you - we figured it out.

On Mon, Oct 17, 2011 at 2:26 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Mark,

 On 10/14/2011 11:15 AM, Mark H. Wood wrote:
  On Fri, Oct 14, 2011 at 07:33:28AM -0700, Hassan Schroeder wrote:
  On Fri, Oct 14, 2011 at 1:52 AM, ettoregia ettore...@gmail.com
  wrote:
  My system: Linux, the version I don't know how to realize,
  since I've got just an ssh connection and typing some command
  I've not been able to discover it, maybe you can help me out
  on this as well.
 
  `cat /proc/version` should give you something useful.
 
  'uname -a' is another possibility.

 I'm running Debian Squeeze:

 $ uname -a
 Linux dev 2.6.32-5-openvz-amd64 #1 SMP Wed May 18 23:53:57 UTC 2011
 i686 GNU/Linux

 No mention of Debian.

 $ cat /proc/version
 Linux version 2.6.32-5-openvz-amd64 (Debian 2.6.32-34squeeze1)
 (da...@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Wed
 May 18 23:53:57 UTC 2011

 Ooh, Debian everywhere.

 Looks like Hassan's suggestion is better.

 I usually do:

 $ cat /etc/issue
 Debian GNU/Linux 6.0 \n \l

 I didn't know there was a /proc/version. Maybe I'll start using that,
 as it has more information.

  This I can agree with.  They don't allow application managers
  access to Tomcat's config., but anyone can drop stuff into
  /etc/init.d, whence it will run as root?  Really?  Something is
  not right here.

 Technically, things in /etc/init.d don't run as root just because they
 are there. Most rc.d-based systems use /etc/rc[runlevel].d/* as
 startup scripts, and those are symlinked to /etc/init.d. Putting a
 file into /etc/init.d isn't a direct exploit, but it's pretty close.

  That init script would need to start Yet Another Tomcat Instance.
  Is that what IT wants?  That has implications for memory demand,
  port and address space, and linking among app.s.  Maybe the IT guy
  understands how Tomcat works, but I think I would explore the
  possibility that he doesn't.

 +1

 - -chris




Re: Configure tomcat using init.d

2011-10-15 Thread Pid
On 14/10/2011 16:31, Mark Thomas wrote:
> On 14/10/2011 16:15, Mark H. Wood wrote:
> > This I can agree with.  They don't allow application managers
> > access to Tomcat's config., but anyone can drop stuff into
> > /etc/init.d, whence it will run as root?  Really?  Something is not
> > right here.

+1  These support guys need firing...

> Is it just me, or is the simple privilege escalation attack that this
> makes possible the quickest way to solve this? :) Granted, it isn't
> the best way to solve it but boy would I be tempted in your shoes.

Yes, quite.


p





Configure tomcat using init.d

2011-10-14 Thread ettoregia

Hi guys,

hope you're all doing well.

Today I'm facing a new challenge, at least for myself.

My system: Linux, the version I don't know how to realize, since I've got
just an ssh connection and typing some command I've not been able to
discover it, maybe you can help me out on this as well.

Tomcat 6.0.18
Java 1.6

Alright, I need to deploy .war file under tomcat that actually has 4 engines
(5.5, 6.0.16, 6.0.18, 7.0), and as I'm used to, I would put under
/conf/Catalina/localhost, of the engine 6.0.18, a file called
myAppName.xml to specify the context path of my webApp then I would modify
the server.xml to specify the jdbc connection and the like. As I've no
rights to modify anything under the tomcat's home the IT guy told me to use
the folder init.d/myAppName in order to use any script at boot time to
accomplish the configuration above.

Here comes the problem. I've checked on the web, but the main use of init.d,
is to make tomcat a linux service using some shell scripting language, but
what about the deploy and jdbc configuration? 
I could not ask the IT guys because we communicate through a ticketing
system and btw they are not so willing to...

Do you have any clue? 

Many thanks in advance guys,
Ettore.
-- 
View this message in context: 
http://old.nabble.com/Configure-tomcat-using-init.d-tp32650998p32650998.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Configure tomcat using init.d

2011-10-14 Thread Hassan Schroeder
On Fri, Oct 14, 2011 at 1:52 AM, ettoregia ettore...@gmail.com wrote:

> My system: Linux, the version I don't know how to realize, since I've got
> just an ssh connection and typing some command I've not been able to
> discover it, maybe you can help me out on this as well.

`cat /proc/version` should give you something useful.

> Alright, I need to deploy .war file under tomcat that actually has 4 engines
> (5.5, 6.0.16, 6.0.18, 7.0), and as I'm used to, I would put under
> /conf/Catalina/localhost, of the engine 6.0.18, a file called
> myAppName.xml to specify the context path of my webApp then I would modify
> the server.xml to specify the jdbc connection and the like. As I've no
> rights to modify anything under the tomcat's home the IT guy told me to use
> the folder init.d/myAppName in order to use any script at boot time to
> accomplish the configuration above.

Huh? Your app's context path should be taken from the name of the
WAR file, and the JDBC config should be contained in the WAR file
in a META-INF/context.xml file.

Nothing else required. Other than a better IT department. :-)

-- 
Hassan Schroeder  hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan




Re: Configure tomcat using init.d

2011-10-14 Thread André Warnier

ettoregia wrote:

> Hi guys,
>
> hope you're all doing well.
>
> Today I'm facing a new challenge, at least for myself.
>
> My system: Linux, the version I don't know how to realize, since I've got
> just an ssh connection and typing some command I've not been able to
> discover it, maybe you can help me out on this as well.
>
> Tomcat 6.0.18
> Java 1.6
>
> Alright, I need to deploy .war file under tomcat that actually has 4 engines
> (5.5, 6.0.16, 6.0.18, 7.0), and as I'm used to, I would put under
> /conf/Catalina/localhost, of the engine 6.0.18, a file called
> myAppName.xml to specify the context path of my webApp then I would modify
> the server.xml to specify the jdbc connection and the like. As I've no
> rights to modify anything under the tomcat's home the IT guy told me to use
> the folder init.d/myAppName in order to use any script at boot time to
> accomplish the configuration above.
>
> Here comes the problem. I've checked on the web, but the main use of init.d,
> is to make tomcat a linux service using some shell scripting language, but
> what about the deploy and jdbc configuration?
> I could not ask the IT guys because we communicate through a ticketing
> system and btw they are not so willing to...
>
> Do you have any clue?


Hi.
From the situation that you describe above, let me give you a personal and practical 
answer and recommendation: get your boss to talk to the boss of these IT guys, and give 
you a practical access level to that system, or else you will not be able to solve these 
issues in any practical time.
People here are also not going to be able to help you in any practical time, because by 
not having access to the Tomcat directories, you will not be able to provide answers to 
the questions being asked.






Re: Configure tomcat using init.d

2011-10-14 Thread Mark H. Wood
On Fri, Oct 14, 2011 at 07:33:28AM -0700, Hassan Schroeder wrote:
> On Fri, Oct 14, 2011 at 1:52 AM, ettoregia ettore...@gmail.com wrote:
> > My system: Linux, the version I don't know how to realize, since I've got
> > just an ssh connection and typing some command I've not been able to
> > discover it, maybe you can help me out on this as well.
>
> `cat /proc/version` should give you something useful.

'uname -a' is another possibility.

> > Alright, I need to deploy .war file under tomcat that actually has 4 engines
> > (5.5, 6.0.16, 6.0.18, 7.0), and as I'm used to, I would put under
> > /conf/Catalina/localhost, of the engine 6.0.18, a file called
> > myAppName.xml to specify the context path of my webApp then I would modify
> > the server.xml to specify the jdbc connection and the like. As I've no
> > rights to modify anything under the tomcat's home the IT guy told me to use
> > the folder init.d/myAppName in order to use any script at boot time to
> > accomplish the configuration above.
>
> Huh? Your app's context path should be taken from the name of the
> WAR file,

No, his method (conf/Catalina/[engineName]/${contextName}.xml) is the
one I use all the time.  It works well, and I can install the app
wherever I like, and don't have to reinstall the whole thing every
time I need to tweak a context parameter.

> and the JDBC config should be contained in the WAR file
> in a META-INF/context.xml file.

or ${contextName}.xml where, again, it's much more accessible for
tweaking.  Either one is better than hacking server.xml, though,
unless the data source is meant to be used by every app.

> Nothing else required. Other than a better IT department. :-)

This I can agree with.  They don't allow application managers access
to Tomcat's config., but anyone can drop stuff into /etc/init.d,
whence it will run as root?  Really?  Something is not right here.

That init script would need to start Yet Another Tomcat Instance.  Is
that what IT wants?  That has implications for memory demand, port and
address space, and linking among app.s.  Maybe the IT guy understands
how Tomcat works, but I think I would explore the possibility that he
doesn't.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.




Re: Configure tomcat using init.d

2011-10-14 Thread Mark Thomas
On 14/10/2011 16:15, Mark H. Wood wrote:
> This I can agree with.  They don't allow application managers
> access to Tomcat's config., but anyone can drop stuff into
> /etc/init.d, whence it will run as root?  Really?  Something is not
> right here.

Is it just me, or is the simple privilege escalation attack that this
makes possible the quickest way to solve this? :) Granted, it isn't
the best way to solve it but boy would I be tempted in your shoes.

Mark
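
The concern raised in this thread, that a boot-script location anyone can write to is close to running as root, can be checked from the administrator's side. The Python audit below is an added example, not code from any poster; audit_boot_scripts, etc_root and trusted_uids are names chosen here, and it assumes the SysV layout described in the thread (/etc/init.d plus /etc/rc[runlevel].d symlinks).

```python
import stat
from pathlib import Path


def audit_boot_scripts(etc_root="/etc", trusted_uids=frozenset({0})):
    """Return (path, reason) findings for init.d and rc<runlevel>.d under etc_root."""
    root = Path(etc_root)
    findings = []
    seen = set()  # (device, inode) pairs already judged

    def check(path, label):
        st = path.stat()  # follows symlinks, so the real file is judged
        key = (st.st_dev, st.st_ino)
        if key in seen:
            return
        seen.add(key)
        if st.st_uid not in trusted_uids:
            findings.append((str(path), f"{label} owned by uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(path), f"{label} writable by group or others"))

    for d in [root / "init.d"] + sorted(root.glob("rc*.d")):
        if not d.is_dir():
            continue
        # A writable directory lets anyone add a script, whatever the
        # permissions on the scripts already in it.
        check(d, "directory")
        for entry in sorted(d.iterdir()):
            target = entry.resolve()
            if not target.exists():
                findings.append((str(entry), "dangling symlink"))
                continue
            # rcN.d entries are normally symlinks into init.d; the target
            # is what runs at boot, so its owner and mode are what matter.
            check(target, "script")
    return findings


if __name__ == "__main__":
    for path, reason in audit_boot_scripts():
        print(f"{path}: {reason}")
```

An empty result means every boot script and its directory is owned by a trusted uid and writable only by its owner.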




Re: How to Configure Tomcat 7.0 for SSL

2011-09-19 Thread Marvin Addison
> SSLEngine=on

There's no such attribute for this connector.  The attribute you want
is SSLEnabled=true.  I would also recommend the following attributes
for security-conscious deployments:

SSLProtocol=SSLv3+TLSv1
SSLCipherSuite=!ADH:HIGH:MEDIUM:-SSLv2

If you continue to have trouble, post the output of catalina.out.

M




RE: How to Configure Tomcat 7.0 for SSL

2011-09-19 Thread Gene Waters
Thanks Marvin,

We will give it a try and let you know,

Gene

Gene A. Waters
CACI International Inc.
Senior Business Objects - Programmer Analyst
Navy Enterprise Team Ships (NETS), Norfolk, VA
Work Phone: (757) 852-6943
email:  gewat...@caci.com, gene.waters@navy.mil

From: Marvin Addison [marvin.addi...@gmail.com]
Sent: Monday, September 19, 2011 9:36 AM
To: Tomcat Users List
Subject: Re: How to Configure Tomcat 7.0 for SSL

> SSLEngine=on

There's no such attribute for this connector.  The attribute you want
is SSLEnabled=true.  I would also recommend the following attributes
for security-conscious deployments:

SSLProtocol=SSLv3+TLSv1
SSLCipherSuite=!ADH:HIGH:MEDIUM:-SSLv2

If you continue to have trouble, post the output of catalina.out.

M




Re: How to Configure Tomcat 7.0 for SSL

2011-09-19 Thread Christopher Schultz

Gene,

On 9/16/2011 4:43 PM, Gene Waters wrote:
> SSLCertificateFile=webapps\server.cert
> SSLCertificateKeyFile=webapps\server.key />

You definitely don't want those files there: an easy misconfiguration
could result in those files being remotely readable. Oops.

I would put them under CATALINA_BASE/conf and make sure you use
fully-qualified paths.

-chris



How to Configure Tomcat 7.0 for SSL

2011-09-16 Thread Gene Waters
Version of Tomcat: Apache Tomcat 7.0
Server: Windows 2003

Problem: Configuring Tomcat 7.0 SSL using Apr Implementation
Apache Tomcat splash screen (https://localhost:8443/) 
fails after including key, cert in server.xml configuration using following 
entries:

  <Connector port="443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxHttpHeaderSize="8192"
             maxThreads="150"
             minSpareThreads="25"
             maxSpareThreads="75"
             enableLookups="false"
             disableUploadTimeout="true"
             acceptCount="100"
             scheme="https"
             secure="true"
             SSLEngine="on"
             SSLCertificateFile="webapps\server.cert"
             SSLCertificateKeyFile="webapps\server.key" />





Thanks,

Gene
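
An added example, not part of the thread and not Tomcat's own code: a small Python check that applies the replies above (no SSLEngine on the connector, SSLEnabled=true instead, certificate and key files kept out of webapps and given fully-qualified paths) to the connector from this question. The names audit_connectors and app_base, and the Server/Service wrapper around the connector, are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample: the connector from the question, wrapped in the
# minimum needed to make it a well-formed document.
SAMPLE = r"""
<Server><Service name="Catalina">
  <Connector port="443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             scheme="https" secure="true" SSLEngine="on"
             SSLCertificateFile="webapps\server.cert"
             SSLCertificateKeyFile="webapps\server.key" />
</Service></Server>
"""

FILE_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile")


def audit_connectors(server_xml, app_base="webapps"):
    """Return a list of findings for the Connector elements in server_xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if "SSLEngine" in conn.attrib:
            findings.append(f"port {port}: SSLEngine is not a Connector attribute")
        uses_tls_files = any(a in conn.attrib for a in FILE_ATTRS)
        if uses_tls_files and conn.get("SSLEnabled", "").lower() != "true":
            findings.append(f"port {port}: SSLEnabled=true is missing")
        for attr in FILE_ATTRS:
            value = conn.get(attr)
            if value is None:
                continue
            # PureWindowsPath splits on both '\' and '/', so one parse
            # covers the Windows paths in the thread and POSIX ones.
            parts = [p.lower() for p in PureWindowsPath(value).parts]
            if app_base.lower() in parts:
                findings.append(f"port {port}: {attr} is under {app_base}")
            absolute = (PureWindowsPath(value).is_absolute()
                        or PurePosixPath(value).is_absolute())
            if not absolute:
                findings.append(f"port {port}: {attr} is not a fully-qualified path")
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE):
        print(finding)
```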



Re: Can anybody Please tell me How to Configure Tomcat 5 on Fedora 14 or refer me to relevant documentation.

2011-05-03 Thread Christopher Schultz

Varuna,

On 5/2/2011 2:19 PM, Varuna Seneviratna wrote:
> I want Tomcat5 because I want to study for the SWCDE Exam which uses
> Tomcat5

Assuming you mean SCWCD, I can tell you you're going to have a rough
road ahead of you. Obtaining this certification will be tough for you if
you are asking questions such as "what should JAVA_HOME be set to" and
"how do I do that?".

Good luck,
-chris



Can anybody Please tell me How to Configure Tomcat 5 on Fedora 14 or refer me to relevant documentation.

2011-05-02 Thread Varuna Seneviratna
Can anybody Please tell me How to Configure Tomcat 5 on Fedora 14 or
refer me to relevant documentation. I am unable to understand what is
documented at http://tomcat.apache.org/tomcat-5.5-doc/setup.html and
configure Tomcat in order to create a Java Servlet Development
Environment for me at my home machine




Re: Can anybody Please tell me How to Configure Tomcat 5 on Fedora 14 or refer me to relevant documentation.

2011-05-02 Thread Pid
On 5/2/11 7:07 PM, Varuna Seneviratna wrote:
> Can anybody Please tell me How to Configure Tomcat 5 on Fedora 14 or
> refer me to relevant documentation. I am unable to understand what is
> documented at http://tomcat.apache.org/tomcat-5.5-doc/setup.html and
> configure Tomcat in order to create a Java Servlet Development
> Environment for me at my home machine

What don't you understand?


p


