Tomcat JDBCRealm with Oracle DB

2013-12-16 Thread Арсений Зинченко
Hi.

I configured two JDBCRealms - for MySQL and Oracle databases.

Both DBs have the same tables with the same content:

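mysql> show tables;
+----------------------+
| Tables_in_tmc_access |
+----------------------+
| user_roles           |
| users                |
+----------------------+

mysql> desc user_roles;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| user_name | varchar(100) | NO   | PRI | NULL    |       |
| role_name | varchar(100) | NO   | PRI | NULL    |       |
+-----------+--------------+------+-----+---------+-------+
2 rows in set (0.00 sec)

mysql> desc users;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| user_name | varchar(100) | NO   | PRI | NULL    |       |
| user_pass | varchar(100) | NO   |     | NULL    |       |
+-----------+--------------+------+-----+---------+-------+
2 rows in set (0.00 sec)

mysql> select * from users,user_roles;
+------------+-----------+------------+------------+
| user_name  | user_pass | user_name  | role_name  |
+------------+-----------+------------+------------+
| indexadmin | password  | indexadmin | indexadmin |
+------------+-----------+------------+------------+
1 row in set (0.00 sec)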

Oracle:

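SQL> SELECT table_name FROM user_tables;

TABLE_NAME
------------------------------
TMC_USERS_SET
USER_ROLES_SET

SQL> desc USER_ROLES_SET;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USER_NAME                                 NOT NULL VARCHAR2(100)
 ROLE_NAME                                 NOT NULL VARCHAR2(100)

SQL> desc TMC_USERS_SET;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USER_NAME                                 NOT NULL VARCHAR2(100)
 USER_PASS                                 NOT NULL VARCHAR2(100)

SQL> select * from TMC_USERS_SET,USER_ROLES_SET;

USER_NAME
--------------------------------------------------------------------------------
USER_PASS
--------------------------------------------------------------------------------
USER_NAME
--------------------------------------------------------------------------------
ROLE_NAME
--------------------------------------------------------------------------------
indexadmin
password
indexadmin
indexadmin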

server.xml config:

<!--  <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="org.gjt.mm.mysql.Driver"
             connectionURL="jdbc:mysql://10.***.***.239/tmc_access"
             connectionName="tmc_access" connectionPassword="password"
             userTable="users" userNameCol="user_name"
             userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name" /> -->

  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="oracle.jdbc.driver.OracleDriver"
         connectionURL="jdbc:oracle:thin:@oraclehost:1521:correctscheme"
         connectionName="tmc" connectionPassword="tmc"
         userTable="tmc_users_set" userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles_set" roleNameCol="role_name" />

web.xml:


<security-constraint>

  <web-resource-collection>
    <web-resource-name>Restricted Area</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
  </web-resource-collection>

  <auth-constraint>
    <role-name>indexadmin</role-name>
  </auth-constraint>

</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<security-role>
  <role-name>indexadmin</role-name>
</security-role>


So, when I switch the config to the Oracle Realm - it is not working (it just returns
the login window again)... With MySQL - working perfectly.

What am I doing wrong?


Re: Tomcat JDBCRealm with Oracle DB

2013-12-16 Thread Арсений Зинченко
No errors, but I already found the cause of the problem - I forgot to run `commit` in
SQLPLUS after adding rows with usernamerole. :-( Thanks for the reply.


2013/12/16 André Warnier a...@ice-sa.com

 Арсений Зинченко wrote:

 Hi.

 I configured two JDBCRealm's - for MySQL and Oracle databases.

 Both DB have same tables with same content:

 mysql show tables;
 +--+
 | Tables_in_tmc_access |
 +--+
 | user_roles   |
 | users|
 +--+

 mysql desc user_roles;
 +---+--+--+-+-+---+
 | Field | Type | Null | Key | Default | Extra |
 +---+--+--+-+-+---+
 | user_name | varchar(100) | NO   | PRI | NULL|   |
 | role_name | varchar(100) | NO   | PRI | NULL|   |
 +---+--+--+-+-+---+
 2 rows in set (0.00 sec)

 mysql desc users;
 +---+--+--+-+-+---+
 | Field | Type | Null | Key | Default | Extra |
 +---+--+--+-+-+---+
 | user_name | varchar(100) | NO   | PRI | NULL|   |
 | user_pass | varchar(100) | NO   | | NULL|   |
 +---+--+--+-+-+---+
 2 rows in set (0.00 sec)

 mysql select * from users,user_roles;
 ++---+++
 | user_name  | user_pass | user_name  | role_name  |
 ++---+++
 | indexadmin | password  | indexadmin | indexadmin |
 ++---+++
 1 row in set (0.00 sec)

 Oracle:

 SQL SELECT table_name FROM user_tables;

 TABLE_NAME
 --
 TMC_USERS_SET
 USER_ROLES_SET

 SQL desc USER_ROLES_SET;
  Name  Null?Type
  - 
 
  USER_NAME NOT NULL VARCHAR2(100)
  ROLE_NAME NOT NULL VARCHAR2(100)

 SQL desc TMC_USERS_SET;
  Name  Null?Type
  - 
 
  USER_NAME NOT NULL VARCHAR2(100)
  USER_PASS NOT NULL VARCHAR2(100)


 SQL select * from TMC_USERS_SET,USER_ROLES_SET;

 USER_NAME
 
 
 USER_PASS
 
 
 USER_NAME
 
 
 ROLE_NAME
 
 
 indexadmin
 password
 indexadmin
 indexadmin

 server.xml config:

 !--  Realm  className=org.apache.catalina.realm.JDBCRealm
  driverName=org.gjt.mm.mysql.Driver
   connectionURL=jdbc:mysql://10.***.***.239/tmc_access
  connectionName=tmc_access connectionPassword=password
   userTable=users userNameCol=user_name
 userCredCol=user_pass
   userRoleTable=user_roles roleNameCol=role_name / --



   Realm  className=org.apache.catalina.realm.JDBCRealm
  driverName=oracle.jdbc.driver.OracleDriver
   connectionURL=jdbc:oracle:thin:@oraclehost:1521:correctscheme
  connectionName=tmc connectionPassword=tmc
   userTable=tmc_users_set userNameCol=user_name
 userCredCol=user_pass
   userRoleTable=user_roles_set roleNameCol=role_name /

 web.xml:


 security-constraint

   web-resource-collection
 web-resource-nameRestricted Area/web-resource-name
 url-pattern/index.jsp/url-pattern
   /web-resource-collection

   auth-constraint
 role-nameindexadmin/role-name
   /auth-constraint

 /security-constraint

 login-config
   auth-methodBASIC/auth-method
 /login-config

 security-role
   role-nameindexadmin/role-name
 /security-role


 So, when I switch config to Oracle Realm - it is not working (just return
 again login-window)... With MySQL - working perfect.

 What I'm doing wrong?


 Not looking at the Tomcat logfiles ?


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-27 Thread Арсений Зинченко
Hi, Dan. Thanks for the reply.

 The JVM is only going to accept one value for Xmx and Xms.  Specifying the
same options in JAVA_OPTS and CATALINA_OPTS would just be confusing.

As I said before - we have a few Java applications on the same machine. So - for
them we need to set Xmx 1G, but for Tomcat - 4G.

 Don’t set these as system variables.  You’d want to define them in
setenv.bat
 Again, don’t set system variables for these.  There’s no reason to set
them system wide.

Same reason - a few Java applications which all need the same Java_opts (excluding
Tomcat).

 Since you’re on Windows, you’re probably running as a service and that’s
going to be a bit different

No, Tomcat is started via the command line (rather - from a .bat script which calls
%catalina_home%/bin/startup.bat).


2014/1/27 Daniel Mikusa dmik...@gopivotal.com

 On Jan 27, 2014, at 9:21 AM, Арсений Зинченко setev...@gmail.com wrote:

  Hi.
 
  I'm sorry for so kindly question - but needs experts advice...
 
  We have a little dispute with my colleague about using this variables.
 
  So: have Windows-box machine. On it - runing few different
  Java-application, including Tomcat.
 
  Needs to set memory for Tomcat other, than for all other
 Java-applications.
 
  My proposal is set to System variables:
 
  JAVA_OPTS -Xmx1024M -Xms512M -XX:MaxPermSize512M
  CATALINA_OPTS -Xmx4096M -Xms2048M -XX:MaxPermSize=1024M”

 Don’t set these as system variables.  You’d want to define them in
 setenv.bat if you’re running from the command prompt or with the Windows
 Service utility (either [1] or [2]), if you’re running as a service.

 
  But, as he asserts - this is not correct way:
 
 
- CATALINA_OPTS must NOT contain memory limits like Xmx, Xms etc;

 There are no restrictions to what you can set in CATALINA_OPTS.  You could
 put your memory setting there if you wanted.  Having said that, if you’re
 running as a Windows service then you wouldn’t.  You'd set your heap memory
 settings through the service wrapper (either [1] or [2]).

 If you’re running from the console (not likely) or on Linux / Unix then
 you’d set your heap settings in the setenv.sh|bat script.  Again, you could
 put memory settings in CATALINA_OPTS or in JAVA_OPTS.  Setting them in
 CATALINA_OPTS is generally a better choice though because settings in
 CATALINA_OPTS are only applied when Tomcat is started.  If you set them in
 JAVA_OPTS then they’ll be applied when you start and stop the instance,
 something you probably don’t want for your heap settings.

- Java Garbage collector will work differently because JAVA_OPTS have
another opts for memory then CATALINA_OPTS, so - this will worse Tomcat
performance;

 I’m not sure I follow your logic here.  The JVM is only going to accept
 one value for Xmx and Xms.  Specifying the same options in JAVA_OPTS and
 CATALINA_OPTS would just be confusing.

- and so on
 
  His suggestion is to set JAVA_OPTS with memory limits exactly to Tomcat
  startup script (not as system variable at all).

 Again, don’t set system variables for these.  There’s no reason to set
 them system wide.

 
  So, my question is: is it correct to set memory limits for Tomcat via
  CATALINA_OPTS variable?

 Generally, but it depends on how you are starting Tomcat.  Since you’re on
 Windows, you’re probably running as a service and that’s going to be a bit
 different.  See above comments.

  If in system also present JAVA_OPTS - will it have influence on to
 Tomcat's performance?

 I think I answered this above.  If it’s not clear, let me know.

 
  Thanks.

 Dan

 [1] -
 http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html#Command_line_parameters
 [2] -
 http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html#Tomcat7w_monitor_application






Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-27 Thread Арсений Зинченко
Thanks, Christopher.

OK, what about next:

Set JAVA_OPTS as system variable (for all other applications); and create
setenv.bat in /bin/ directory with CATALINA_OPTS with Xmx/Xms for Tomcat?

Will it be more correct than setting CATALINA_OPTS as a System variable? Or -
by the way, must JAVA_OPTS be used in setenv.bat too?


2014/1/27 Christopher Schultz ch...@christopherschultz.net


 Арсений,

 On 1/27/14, 9:21 AM, Арсений Зинченко wrote:
  We have a little dispute with my colleague about using this
  variables.
 
  So: have Windows-box machine. On it - runing few different
  Java-application, including Tomcat.
 
  Needs to set memory for Tomcat other, than for all other
  Java-applications.
 
  My proposal is set to System variables:
 
  JAVA_OPTS -Xmx1024M -Xms512M -XX:MaxPermSize512M CATALINA_OPTS
  -Xmx4096M -Xms2048M -XX:MaxPermSize=1024M
 
  But, as he asserts - this is not correct way:
 
 
  - CATALINA_OPTS must NOT contain memory limits like Xmx, Xms
  etc; - Java Garbage collector will work differently because
  JAVA_OPTS have another opts for memory then CATALINA_OPTS, so -
  this will worse Tomcat performance; - and so on

 Tomcat runs Java roughly in this way:

 $JAVA_HOME/bin/java $JAVA_OPTS $CATALINA_OPTS  \
  org.apache.catalina.startup.Bootstrap

 If you have these options configured using both environment variables,
 then CATALINA_OPTS (the later one) will win because that's how the JVM
 parses arguments: the last one on the command-line wins. So, it's
 perfectly safe to do what you have described above.

 On the other hand, note that since JAVA_OPTS specifies 0.5GiB of heap
 space for when you are /not/ launching Tomcat, then running
 bin\shutdown.bat will pre-allocate 0.5GiB of heap space just to send
 the shutdown command to a running Tomcat instance, and then
 terminate. It's kind of a waste.

 I totally agree with Dan's comments about how using system
 variables: just use bin/setenv.bat and keep everything locally.

  His suggestion is to set JAVA_OPTS with memory limits exactly to
  Tomcat startup script (not as system variable at all).

 +1

  So, my question is: is it correct to set memory limits for Tomcat
  via CATALINA_OPTS variable? If in system also present JAVA_OPTS -
  will it have influence on to Tomcat's perfarmance?

 See above.

 -chris





JAVA_OPTS vs CATALINA_OPTS

2014-01-27 Thread Арсений Зинченко
Hi.

I'm sorry for so kindly question - but needs experts advice...

We have a little dispute with my colleague about using this variables.

So: have Windows-box machine. On it - running a few different
Java applications, including Tomcat.

Needs to set memory for Tomcat other, than for all other Java-applications.

My proposal is set to System variables:

JAVA_OPTS -Xmx1024M -Xms512M -XX:MaxPermSize512M
CATALINA_OPTS -Xmx4096M -Xms2048M -XX:MaxPermSize=1024M

But, as he asserts - this is not correct way:


   - CATALINA_OPTS must NOT contain memory limits like Xmx, Xms etc;
   - Java Garbage collector will work differently because JAVA_OPTS have
   another opts for memory then CATALINA_OPTS, so - this will worse Tomcat
   performance;
   - and so on

His suggestion is to set JAVA_OPTS with memory limits exactly to Tomcat
startup script (not as system variable at all).

So, my question is: is it correct to set memory limits for Tomcat via
CATALINA_OPTS variable? If JAVA_OPTS is also present in the system - will it
influence Tomcat's performance?

Thanks.


Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-27 Thread Арсений Зинченко
OK, thanks - I'll do it from now (really - never used this file before,
just now found a reference to it in catalina.bat). But - last question,
please: in setenv.bat - must CATALINA_OPTS or JAVA_OPTS be used?


2014/1/27 Christopher Schultz ch...@christopherschultz.net


 Арсений,

 On 1/27/14, 10:58 AM, Арсений Зинченко wrote:
  Thanks, Christopher.
 
  OK, what about next:
 
  Set JAVA_OPTS as system variable (for all other applications); and
  create setenv.bat in /bin/ directory with CATALINA_OPTS whith
  Xmx/Xms for Tomcat?
 
  Will it be more correctly than set CATALINA_OPTS as System
  variable? Or - by the way, in setevn.bat must be used JAVA_OPTS
  too?
 
 
  2014/1/27 Christopher Schultz ch...@christopherschultz.net
 
  Арсений,
 
  On 1/27/14, 9:21 AM, Арсений Зинченко wrote:
  We have a little dispute with my colleague about using this
  variables.
 
  So: have Windows-box machine. On it - runing few different
  Java-application, including Tomcat.
 
  Needs to set memory for Tomcat other, than for all other
  Java-applications.
 
  My proposal is set to System variables:
 
  JAVA_OPTS -Xmx1024M -Xms512M -XX:MaxPermSize512M
  CATALINA_OPTS -Xmx4096M -Xms2048M -XX:MaxPermSize=1024M
 
  But, as he asserts - this is not correct way:
 
 
  - CATALINA_OPTS must NOT contain memory limits like Xmx,
  Xms etc; - Java Garbage collector will work differently
  because JAVA_OPTS have another opts for memory then
  CATALINA_OPTS, so - this will worse Tomcat performance; - and
  so on
 
  Tomcat runs Java roughly in this way:
 
  $JAVA_HOME/bin/java $JAVA_OPTS $CATALINA_OPTS  \
  org.apache.catalina.startup.Bootstrap
 
  If you have these options configured using both environment
  variables, then CATALINA_OPTS (the later one) will win because
  that's how the JVM parses arguments: the last one on the
  command-line wins. So, it's perfectly safe to do what you have
  described above.
 
  On the other hand, note that since JAVA_OPTS specifies 0.5GiB of
  heap space for when you are /not/ launching Tomcat, then running
  bin\shutdown.bat will pre-allocate 0.5GiB of heap space just to
  send the shutdown command to a running Tomcat instance, and then
  terminate. It's kind of a waste.
 
  I totally agree with Dan's comments about how using system
  variables: just use bin/setenv.bat and keep everything locally.
 
  His suggestion is to set JAVA_OPTS with memory limits exactly
  to Tomcat startup script (not as system variable at all).
 
  +1
 
  So, my question is: is it correct to set memory limits for
  Tomcat via CATALINA_OPTS variable? If in system also present
  JAVA_OPTS - will it have influence on to Tomcat's
  perfarmance?
 
  See above.
 
  -chris

 I would always recommend that you use bin/setenv.sh (or
 bin\setenv.bat) because you can then set the value differently for
 each Tomcat instance that you have. This becomes an issue if you have
 many different Tomcat instances, which I tend to do.

 -chris





Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-28 Thread Арсений Зинченко
A lot of thanks, Neven! This is perfect explanation - considering my
English :-)

About point 4 - this is the main goal: as we have a few Java applications running
in this very system - they must use global memory options, that's why I
suggested setting the System variable JAVA_OPTS. But Tomcat specifically - must use
other memory parameters.

So, if I correctly understood - for me better solution will be:

1) set CATALINA_OPTS with Xmx4G etc - in /bin/setenv.bat;
2) set JAVA_OPTS with Xmx1G etc - as system variable.

Yep?



2014/1/28 André Warnier a...@ice-sa.com

 Арсений Зинченко wrote:

 OK, thanks - I'll do it from now (really - never used this file before,
 just now found reference to it in catalina.bat) . But - last question,
 please: in setenv.bat - must be used CATALINA_OPTS or JAVA_OPTS?


 Ok, let us be really clear here.

 1) The command to *stop* Tomcat starts *another* instance of Java JVM (and
 Tomcat), *just* to send a stop signal to the running Tomcat. And after
 that, this second instance of Java and Tomcat exits.

 2) Options given in JAVA_OPTS are used in *both* the command to start and
 to stop Tomcat.
 Options given in CATALINA_OPTS are used *only* in the command that starts
 Tomcat, and not in the command that stops Tomcat.
 In other words :
 - startup.(bat|sh) : java %JAVA_OPTS% %CATALINA_OPTS% tomcat-stuff
 - shutdown.(bat|sh) : java %JAVA_OPTS% tomcat-stuff

 That is just the way that these command files are written.

 3) So,
 - if you use JAVA_OPTS to indicate a Heap of 4 GB, then this Heap of 4 GB
 will be allocated :
   - for the JVM instance that starts and runs Tomcat (which is what you
 want)
   - but *also* for the JVM instance that stops Tomcat (which you probably
 do not want, just to send a stop signal)(because then, just for a short
 moment, you need 4 + 4 = 8 GB of Heap)

 - if you use CATALINA_OPTS to indicate a Heap of 4 GB, then this Heap will
 be allocated
 - *only* for the JVM instance which starts and runs Tomcat
 - and *not* for JVM instance that stops Tomcat (that one will use a
 minimal Heap, so the total would be only 4 + 0.1 GB)

 4) and if you make either one of the above be a general system variable,
 then they will be used by *any* Java JVM that you start on that system.
  This is probably not what you want either, so don't do that.









Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-28 Thread Арсений Зинченко
Thanks for your reply, Neven.
Eventually - I decided to heed the advice and remove JAVA_OPTS altogether. So -
now using only CATALINA_OPTS in /bin/setenv.bat.


2014/1/28 Neven Cvetkovic neven.cvetko...@gmail.com

 On Tue, Jan 28, 2014 at 4:00 AM, Арсений Зинченко setev...@gmail.com
 wrote:
 
   About point 4 - this is main goal: as we have few Java-applications
  running
  in this very system - they must use global memory options, thats why I
  suggested set System variable JAVA_OPTS. But namely Tomcat - must use
  another memory perametrs.
 

 Arsenije,

 That's one way of doing it, yes.  My personal preference is to keep
 system-wide settings empty, and then size each Java process separately (in
 their corresponding startup script). Having said that, it really depends on
 type of applications you are running on you system. Are they same type of
 applications, or are they significantly different? If different, I probably
 want to size them differently, and customize each one of them. Yes, it is
 easy to set default values in the JAVA_OPTS globally, but that's rarely
 what I want for my applications.

 Also, others pointed out - it is confusing to see both JAVA_OPTS and
 CATALINA_OPTS both setting up -Xmx and -Xms values. Ultimately, everything
 boils down to a single line:

 java.exe %JAVA_OPTS% %CATALINA_OPTS% ...
 java.exe -Xmx1G -Xms512M -Xmx4G -Xms2G ...

 Yes, the later will override former parameter, but I wouldn't count on it
 :)

 Think if you need to add another Java process that requires 4G, how would
 you set the size of memory of that process?

 So, unless all Java applications on that box (you said you had only few) -
 are of similar type and require same sizing, I wouldn't use JAVA_OPTS
 system-wide setting.


 
  So, if I correctly understood - for me better solution will be:
 
  1) set CATALINA_OPTS with Xmx4G etc - in /bin/setenv.bat;
  2) set JAVA_OPTS with Xmx1G etc - as system variable.
 
  Yep?
 

 It is TOMCAT_HOME/bin/setenv.bat (wherever you installed Tomcat).

 Yes, that is one possible solution, if all your Java apps need to be sized
 the same.

 I prefer sizing each Java application separately in a script that starts
 it.

 Hope that helps!
 n.
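
The start and stop command lines described in this thread, modelled as an added example (not code from the posts or from Tomcat's scripts): `build_command` follows the `java %JAVA_OPTS% %CATALINA_OPTS%` / `java %JAVA_OPTS%` pattern given in the replies, and `effective_memory` applies the last-one-wins rule they state. The function names are hypothetical; the option strings are the ones quoted in the thread.

```python
import re
import shlex


def parse_memory_flag(arg):
    """Return (name, value) for -Xmx/-Xms/-XX:MaxPermSize=, else None."""
    m = re.fullmatch(r"-(Xmx|Xms)(\d+[kKmMgG]?)", arg)
    if m:
        return m.group(1), m.group(2)
    m = re.fullmatch(r"-XX:(MaxPermSize)=(\d+[kKmMgG]?)", arg)
    if m:
        return m.group(1), m.group(2)
    return None


def build_command(action, java_opts="", catalina_opts=""):
    """JVM options for 'start' or 'stop', in the order the thread describes.

    start: JAVA_OPTS followed by CATALINA_OPTS
    stop:  JAVA_OPTS only
    """
    if action not in ("start", "stop"):
        raise ValueError("action must be 'start' or 'stop'")
    args = shlex.split(java_opts)
    if action == "start":
        args += shlex.split(catalina_opts)
    return args


def effective_memory(args):
    """Memory settings that take effect: the last occurrence of a flag wins."""
    result = {}
    for arg in args:
        parsed = parse_memory_flag(arg)
        if parsed is not None:
            name, value = parsed
            result[name] = value
    return result


def overridden_flags(args):
    """(name, earlier value, later value) for each flag given twice."""
    seen = {}
    overridden = []
    for arg in args:
        parsed = parse_memory_flag(arg)
        if parsed is None:
            continue
        name, value = parsed
        if name in seen and seen[name] != value:
            overridden.append((name, seen[name], value))
        seen[name] = value
    return overridden


def review(java_opts, catalina_opts):
    """Summarise what the start JVM and the short-lived stop JVM each get."""
    start = build_command("start", java_opts, catalina_opts)
    stop = build_command("stop", java_opts, catalina_opts)
    return {
        "start": effective_memory(start),
        "stop": effective_memory(stop),
        "overridden_on_start": overridden_flags(start),
    }


if __name__ == "__main__":
    # Values from the thread: system-wide JAVA_OPTS plus CATALINA_OPTS.
    print(review("-Xmx1G -Xms512M", "-Xmx4G -Xms2G"))
    # Final choice in the thread: only CATALINA_OPTS, set in setenv.bat.
    print(review("", "-Xmx4096M -Xms2048M -XX:MaxPermSize=1024M"))
```
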



Re: ssl without keystorePass in open text in server.xml

2014-01-30 Thread Арсений Зинченко
Why are plain text passwords in the config files? Because there is no good
way to secure them. When Tomcat needs to connect to a database, it needs
the original password. While the password could be encoded, there still
needs to be a mechanism to decode it. And since the source to Tomcat is
freely available, the attacker would know the decoding method. So at best,
the password is obscured - but not really protected.

http://wiki.apache.org/tomcat/FAQ/Password


2014/1/30 Mark Thomas ma...@apache.org

 On 30/01/2014 09:46, Ja kub wrote:
  is it possible not to write keystorePass in open text server.xml, and
 make
  tomcat to ask for it at startup ?
  or specify only some hash of it (rather not possible) ?

 http://wiki.apache.org/tomcat/FAQ/Password

 Mark
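
An added example, not part of the posts or of Tomcat: since the FAQ text quoted above says a password in the config file cannot really be protected by encoding it, a check can at least list which attributes carry one and whether the file is accessible beyond its owner. The sample server.xml is constructed from attribute names shown in this thread; the function names are hypothetical and POSIX file modes are assumed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample, reusing attribute names from the configs in this thread.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" clientAuth="want"
               keystoreFile="/home/keystore.jks" keystorePass="password"
               truststoreFile="/home/trustcacerts.jks" truststorePass="password" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             connectionName="tmc" connectionPassword="tmc" />
    </Engine>
  </Service>
</Server>
"""


def find_plaintext_secrets(path):
    """Return (element, attribute) pairs that hold a password.

    Heuristic: attribute names ending in 'pass' or 'password', which covers
    keystorePass, truststorePass and connectionPassword. Values are never
    returned, so the report itself does not leak them.
    """
    findings = []
    for elem in ET.parse(path).getroot().iter():
        for name in elem.attrib:
            if name.lower().endswith(("pass", "password")):
                findings.append((elem.tag, name))
    return findings


def permission_problems(path):
    """List ways the file is accessible to accounts other than its owner."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def audit(path):
    """Combine both checks; 'exposed' means secrets in a loosely protected file."""
    secrets = find_plaintext_secrets(path)
    problems = permission_problems(path)
    return {
        "secrets": secrets,
        "permissions": problems,
        "exposed": bool(secrets and problems),
    }


def write_sample(directory, mode):
    """Write the constructed sample with the given mode and return its path."""
    path = os.path.join(directory, "server.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SERVER_XML)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = write_sample(tmp, 0o644)
        print("mode 0644:", audit(sample))
        os.chmod(sample, 0o600)
        print("mode 0600:", audit(sample))
```
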





Tomcat SSL: two issues

2014-01-31 Thread Арсений Зинченко
Hi, people.

We have Tomcat with two factor authentication when access to
/some/page is requested.

Auth configured with JDBCRealm  Oracle database:

  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="oracle.jdbc.driver.OracleDriver"
         ...

SSL-connector:

<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="want" sslProtocol="TLS"
   keystoreFile="/home/keystore.jks"
   keyAlias="keystore"
   keystorePass="password"
   truststoreFile="/home/trustcacerts.jks"
   truststorePass="password" />

Auth requiring via web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>*</web-resource-name>
      <url-pattern>/some/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>cert</role-name>
  </security-role>

 Client's cert created with keytool:

$ keytool -genkey -alias somealias -keystore somekey.p12 -storetype PKCS12
$ keytool -export -alias somealias -file somefile.cer -keystore
somekey.p12 -storetype PKCS12

somefile.cer - imported to Tomcat's trustcacerts.jks and somekey.p12 -
to client's browsers.

User's present in trustcacerts.jks like:

somealias, 30-Jan-2014, trustedCertEntry,
Certificate fingerprint (MD5):
60:A1:CE:35:2D:5E:01:22:65:A7:26:19:9E:D6:F3:74

And present in Oracle database, like:

USER_NAME: CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev, C=UA

ROLE_NAME: cert

(not exactly same - but about it)

Tomcat 5.5.23, running on SuSE 10. Users - on Windows7, Firefox 26.0
and Chrome 32.0.1700.76 m.

So - we have two issues.

1) Some (!) of users when connecting with Chrome got error:

Error code: ERR_SSL_PROTOCOL_ERROR

In Catalina's log:

WARNING: Exception getting SSL attributes
javax.net.ssl.SSLHandshakeException: renegotiation is not allowed

Attempts add lines allowUnsafeLegacyRenegotiation=true and
allowLegacyHelloMessages=true doesn't give results (was added to
Connector or -D(option) to CATALINA_OPTS).

What else can be done? All googled tips talk only about these two parameters.

2) Using Firefox - from some machines give error 403, from others -
normal auth. It's look like (from Tomcat auth-log):

10.***.**.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine,
C=UA [30/Jan/2014:16:50:29 +] GET /some/page HTTP/1.1 403 1108
// Got auth failed;
10.***.***.132 - CN=someanotheruser, OU=**, O=company, L=Kiev,
ST=Unknown, C=UA [30/Jan/2014:16:17:29 +] GET /some/page
HTTP/1.1 200 81 // Normal result.

I only think about may be some difference in browser's configs... But
which exactly? Or - something another?

Unfortunately - we don't have access to tcpdump and ssldump now, so I
can't check for details.

Thanks for any tips/links.



Re: Tomcat SSL: two issues

2014-01-31 Thread Арсений Зинченко
Hi, Chris.

So - 5.5 yes, very old - but we still use it. I hope - will update some
day...

 I can see that you have clientAuth=want... what happens if the client
declines to send a certificate? // if it's a connection not to the restricted
area - Tomcat will open it, if to /some/page - will decline with
handshake_error or something like it, I don't remember all the errors from the last
few days :D

 top-level certificate that is used to sign the individual client
certificates. That way, you don't have to bother storing all of the
individual client certificates

Yes, thanks - I know, and we have one top-level cert for the server. But there are
some difficulties in our... organisation - so we decided to use
self-signed certs for users.

 That looks like a LDAP username. Does LDAP have anything to do with this?

No - this is just usual username which taken from user's cert and
compared with entry in database.

And at last - about the Firefox issue. The problem was due to different
(yes... I didn't know it till today) keystore types. Only my own cert was
created as PKCS12. Others used .JKS and then converted it to .p12 and something like
this...
After we re-generated the certs exactly in .p12 - the problem was solved.

So for now only with Chrome browser.

P.S. Sorry for errors\typos and thanks for tips :-)



2014-01-31 Christopher Schultz ch...@christopherschultz.net:


 Арсений,

 On 1/31/14, 5:15 AM, Арсений Зинченко wrote:
  We have Tomcat with two factor authentication when access to
  /some/pagerequested.
 
  Auth configured with JDBCRealm  Oracle database:
 
  Realm  className=org.apache.catalina.realm.JDBCRealm
  driverName=oracle.jdbc.driver.OracleDriver ...
 
  SSL-connector:
 
  Connector port=8443 maxHttpHeaderSize=8192 maxThreads=150
  minSpareThreads=25 maxSpareThreads=75 enableLookups=false
  disableUploadTimeout=true acceptCount=100 scheme=https
  secure=true clientAuth=want sslProtocol=TLS
  keystoreFile=/home/keystore.jks keyAlias=keystore
  keystorePass=password truststoreFile=/home/trustcacerts.jks
  truststorePass=password /

 It's nice when people say two-factor authentication and actually use
 two different factors. Yay, you!

 (I can see that you have clientAuth=want... what happens if the
 client declines to send a certificate?)

  Auth requring via web.xml:
 
  security-constraint web-resource-collection
  web-resource-name*/web-resource-name
  url-pattern/some/*/url-pattern /web-resource-collection
  auth-constraint role-namecert/role-name /auth-constraint
  user-data-constraint
  transport-guaranteeCONFIDENTIAL/transport-guarantee
  /user-data-constraint /security-constraint login-config
  auth-methodCLIENT-CERT/auth-method /login-config
  security-role role-namecert/role-name /security-role

 Aah, okay: Tomcat will refuse the request if it is for a protected
 web-resource-collection.

  Client's cert created with keytool:
 
  $ keytool -genkey -alias somealias -keystore somekey.p12 -storetype
  PKCS12 $ keytool -export -alias somealias -file somefile.cer
  -keystore somekey.p12 -storetype PKCS12
 
  somefile.cer - imported to Tomcat's trustcacerts.jks and
  somekey.p12 - to client's browsers.

 Ok. Note that if you want to do 2-factor properly, you should have
 everyone sharing the second factor (the client certificate).

 Also, this is typically done by generating a top-level certificate
 that is used to sign the individual client certificates. That way, you
 don't have to bother storing all of the individual client
 certificates... you just store the parent cert and validate all
 clients against that one. It makes management much easier.

  User's present in trustcacerts.jks like:
 
  somealias, 30-Jan-2014, trustedCertEntry, Certificate fingerprint
  (MD5): 60:A1:CE:35:2D:5E:01:22:65:A7:26:19:9E:D6:F3:74
 
  And present in Oracle database, like:
 
  USER_NAME: CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev,
  C=UA
 
  ROLE_NAME: cert

 That looks like a LDAP username. Does LDAP have anything to do with this?

  (not exactly same - but about it)
 
  Tomcat 5.5.23, running on SuSE 10. Users - on Windows7, Firefox
  26.0 and Chrome 32.0.1700.76 m.

 You need to upgrade. Tomcat 5.5 is no longer supported.

  So - we have two issues.
 
  1) Some (!) of users when connecting with Chrome got error:
 
  Error code: ERR_SSL_PROTOCOL_ERROR
 
  In Catalina's log:
 
  WARNING: Exception getting SSL attributes
  javax.net.ssl.SSLHandshakeException: renegotiation is not allowed
 
  Attempts add lines allowUnsafeLegacyRenegotiation=true and
  allowLegacyHelloMessages=true doesn't give results (was added to
  Connector or -D(option) to CATALINA_OPTS).
 
  What else can be done? All googled tips says only about this two
  parameters.

 Hmm.

  2) Using Firefox - from some machines give error 403, from others
  - normal auth. It's look like (from Tomcat auth-log):
 
  10.***.**.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine,
  C=UA [30/Jan/2014:16:50:29 +] GET /some/page HTTP

Using different SSL-connector settings for various Context

2014-02-04 Thread Арсений Зинченко
Hi.

Task is - have ability to use HTTP/HTTPS without clientAuth for ROOT, but
enable two-factor auth (clientAuth=true and using trustedstore.jks) for
other Context.

Can somebody please any tips?


Re: Using different SSL-connector settings for various Context

2014-02-04 Thread Арсений Зинченко
Yes, this is exactly what I want and I see this manual too.
But - how to specify different clientAuth= for different Contexts? I
found SSL Authenticator Valve
<http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>
- but there is nothing about how to do it... And I don't see any
possibility to make it with any other Context options
<http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...



2014-02-04 André Warnier a...@ice-sa.com:

 Арсений Зинченко wrote:

 Hi.

 Task is - have ability to use HTTP/HTTPS without clientAuth for ROOT, but
 enable two-factor auth (clientAuth=true and using trustedstore.jks) for
 other Context.

 Can somebody please any tips?


 I don't know much about SSL, but isn't the answer right here ?

 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

 clientAuth

 Set to true if you want the SSL stack to require a valid certificate chain
 from the client before accepting a connection. Set to want if you want the
 SSL stack to request a client Certificate, but not fail if one isn't
 presented. A false value (which is the default) will not require a
 certificate chain unless the client requests a resource protected by a
 security constraint that uses CLIENT-CERT authentication.

 If I understand the above correctly, then setting clientAuth=false in
 the Connector, and then requesting a CLIENT-CERT authentication only in
 your other Context, should do the trick, no ?


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




Re: Using different SSL-connector settings for various Context

2014-02-04 Thread Арсений Зинченко
 Please don't top post here. Respond below the text to which you are
responding.
It's easier to read that way. See below.

Sorry - it's Google formatting if press Answer.

 That should be solvable just by the auth-requirements of each Context.

I tried to google it - but nothing... Can you please give a link to something
about it?

Plus some additional info.

Now - we use configuration via web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>*</web-resource-name>
      <url-pattern>/sourcename/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>cert</role-name>
  </security-role>

And for ROOT - configuration described in server.xml:

   <Context docBase="ROOT" path="">
     <Valve className="org.apache.catalina.valves.SomeAuthValve"
            FLDAPAppName="SOME"
            FLDAPDebug="1"
            FLDAPLogin="https://some" />
   </Context>

So task is - create second context for
<url-pattern>/sourcename/*</url-pattern> with
<auth-method>CLIENT-CERT</auth-method> but in Context terminology.


2014-02-04 André Warnier a...@ice-sa.com:

 Hi.

 Please don't top post here. Respond below the text to which you are
 responding.
 It's easier to read that way. See below.



 2014-02-04 André Warnier a...@ice-sa.com:

  Арсений Зинченко wrote:

  Hi.

 Task is - have ability to use HTTP/HTTPS without clientAuth for ROOT,
 but
 enable two-factor auth (clientAuth=true and using trustedstore.jks)
 for
 other Context.

 Can somebody please any tips?


  I don't know much about SSL, but isn't the answer right here ?

 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

 clientAuth

 Set to true if you want the SSL stack to require a valid certificate
 chain
 from the client before accepting a connection. Set to want if you want
 the
 SSL stack to request a client Certificate, but not fail if one isn't
 presented. A false value (which is the default) will not require a
 certificate chain unless the client requests a resource protected by a
 security constraint that uses CLIENT-CERT authentication.

 If I understand the above correctly, then setting clientAuth=false in
 the Connector, and then requesting a CLIENT-CERT authentication only in
 your other Context, should do the trick, no ?



 Арсений Зинченко wrote:
  Yes, this is exactly what I want and I see this manual too.
  But - how to specify different clientAuth= for different Contexts? I
  found SSL Authenticator Valve
  <http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>
  - but there is nothing about how to do it... And I don't see any
  possibility to make it with any other Context options
  <http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...
 
 
 Sorry, as I mentioned earlier, I do not know much about SSL and cannot
 help you with the details.

 One thing though : the setup of an SSL connection happens *before* Tomcat
 even knows to which application the browser wants to talk.  Some properties
 of that connection may not be changeable anymore, at the level of a Context.
 You can just tell the Context to make use or not of some of these
 properties, not really change them.

 In your case though, it seems that you want the following :
 - clients connect via SSL
 - some Context's then (later) require clientAuth
 - and some other Context's (later) do not require clientAuth
 That should be solvable just by the auth-requirements of each Context.

 If you want some Context's to be accessible via HTTP/HTTPS, and others
 only via HTTPS, that also is a parameter that you can specify in each
 context's web.xml.
 (transport-guarantee or something like that)
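
The arrangement described in this message, written out as configuration. This is an added example, not part of the original thread or of the Tomcat documentation: one HTTPS Connector that does not demand a certificate during the handshake, plus a web.xml that demands one only in the protected application. The role `cert`, the store paths and port 8443 come from the posts on this page; deploying the protected part as its own webapp (so that its pattern is `/*`), the Tomcat 7 attribute syntax and the placeholder passwords are assumptions.

```xml
<!-- conf/server.xml (fragment): one HTTPS connector shared by every Context.
     clientAuth="false": the handshake itself never demands a client
     certificate. Tomcat asks for one only when a request reaches a resource
     protected by a CLIENT-CERT constraint. The truststore still decides
     which client certificates are accepted when one is requested.
     Passwords below are placeholders (assumption). -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat"
           keystorePass="CHANGE_ME"
           truststoreFile="conf/.ssl/trustcacerts.jks"
           truststorePass="CHANGE_ME" />

<!-- WEB-INF/web.xml of the protected application only (fragment).
     ROOT keeps its own web.xml without this constraint, so it stays
     reachable over HTTP/HTTPS with no certificate. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>certificate-protected area</web-resource-name>
    <!-- Everything in this webapp; narrow the pattern to protect less. -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- The Realm must return this role for the certificate's subject DN,
         as in the USER_NAME / ROLE_NAME rows quoted earlier on this page. -->
    <role-name>cert</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Plain-HTTP requests are redirected to the connector's HTTPS port. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>cert</role-name>
</security-role>
```

With `clientAuth="false"` the certificate is requested after the initial handshake, which the JSSE connectors do by renegotiating the TLS session, so a "renegotiation is not allowed" handshake failure points at the client and server renegotiation settings rather than at web.xml.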








Add certificate without Tomcat restart

2014-03-03 Thread Арсений Зинченко
Hi.

We have two-side authentication on our Tomcat:


keystoreFile=/home/someuser/apache-tomcat-5.5.23/conf/.ssl/somealias.jks
   keyAlias=somealias
   keystorePass=somepass

truststoreFile=/home/someuser/apache-tomcat-5.5.23/conf/.ssl/trustcacerts.jks
   truststorePass=somepass /

Is there any way to add certificate to truststore and get Tomcat load it
without restart it?

I mean - after:

$ keytool -import -v -trustcacerts -alias somealias -file some.cer
-keystore ../trustcacerts.jks

Thanks.


Tomcat log4j vs MySQL

2014-04-07 Thread Арсений Зинченко
Hi.

Question are not exactly about Tomcat - but I hope somebody can help with
it.

So - we have Tomcat running. Application in it use log4j to write logs.

log4j configured to use syslogd daemon and syslogd uses MySQL to store logs.

Problem is that when we have any error in log - it writes it with newlines
when 'at' in trace added.

For example:

14-03-24 13:49:59,574+0200  1641034 ERROR [com***l]
(http-8443-Processor25:CN=setevoy, OU=Unknown, O=Unknown, L=Unknown,
ST=Unknown, C=Unknown:10.***.***.15) Error in finding user: 'CN=setevoy,
OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown'
org.s***.EmptyResultDataAccessException: Incorrect result size: expected 1,
actual 0
at org.***(***.java:1520)
at com.***(***.java:288)
at sun.***0(Native Method)

Then - in database table its added again with newlines for every 'at'
element and, as it new line, it's added it with new entry for every line.

So tables looks like (this other error trace, not from example above):

mysql> select ID,Message from SystemEvents order by ID desc limit 60;
...
| 258433 | at java.lang.Thread.run(Thread.java:662)
| 258432 | at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
| 258431 | at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
| 258430 | at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:541)


Instead of add error entirely in one cell of table.

Could it be reconfigured someway?

Thanks.


Re: How to monitor performance of tomcat

2014-04-08 Thread Арсений Зинченко
Hi.

We use JavaMelody for moment performance checks on test box and Zabbix
monitoring system to have whole history. Zabbix can use JMX connection to
Tomcat instance and have set of included templates, for example - number
of threads, current memory usage, gzip usage and so on. Main virtue of
Zabbix ++ JMX is that it store all data in database + can draw graphs.


2014-04-08 18:00 GMT+03:00 Jeffrey Janner jeffrey.jan...@polydyne.com:

  -Original Message-
  From: Randhir Singh [mailto:randhir.si...@sterlite.com]
  Sent: Tuesday, April 08, 2014 6:05 AM
  To: users@tomcat.apache.org
  Subject: How to monitor performance of tomcat
 
  We have an application which has JBoss as the application server with
  Tomcat as the web server, our application has Oracle 11g as the
  database. I would give some further background to the issue we are
  facing, since the last 1 1/2 months, the application slows down.
  Sometimes it comes back to normal, specially on week-ends. But other
  times we restart JBoss & Tomcat to bring back the application to
  normal.
 
 
 
  We have been using jconsole to monitor tomcat like
 
 
 
  jconsole 10.101.17.79:8891
 
 
 
  which monitors our tomcat for a work order system. If the memory usage
  does not show spike and shows constant reading, the GC button is
  clicked to invoke the garbage collector.
 
 
 
  I checked out on the net and got some clue as below:
 
 
 
  1)  Javamelody - It seems to be a 3rd party tool which is not
  recommended.
 
  2)  There is a command mentioned to see the admin console,
  http://IP:port/ but it is not displaying the required page.
 
 
 
  Please give your inputs whether jconsole should be a help in the right
  direction or some other way to monitor the performance of Tomcat.
 
 Jconsole and JVisualVm are quite useful tools for basic monitoring, if you
 understand how to use them and their limitations.
 Why did you get the impression that JavaMelody is not recommended?  It
 does offer an awful lot of monitoring/debugging information, but you need
 to be careful in setting it up.  Under Tomcat 7, it will autodeploy with no
 security by default and expose a lot of potentially confidential
 information to whomever connects using the well-known context for it
 (which can't be changed).  If you want to use it, I suggest limiting it to
 your development environment only, or reading up on how to secure it as
 best as possible.
 Jeff







Re: where find documentation

2014-05-16 Thread Арсений Зинченко
I used this one:

http://wiki.metawerx.net/wiki/Web.xml


2014-05-15 16:05 GMT+03:00 Francesco Viscomi fvisc...@gmail.com:

 Hi all,
 i'm try to find a documentation that describe every tag inside the web.xml
 file, but i wasn't able to find anything about that on
 http://tomcat.apache.org/tomcat-5.5-doc/config/context.html


 someone can help me?
 thanks in advance;
 Francesco
 Italy



CATALINA_PID != real PID

2014-05-23 Thread Арсений Зинченко
Hi, guys.

I set:

$ export CATALINA_PID=$CATALINA_HOME/conf/catalina.pid

Started *Tomcat*:

$ ./bin/startup.sh
Using CATALINA_BASE:   /home/tomcats/apache-tomcat-7.0.53
Using CATALINA_HOME:   /home/tomcats/apache-tomcat-7.0.53
Using CATALINA_TMPDIR: /home/tomcats/apache-tomcat-7.0.53/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_45/jre/
Using CLASSPATH:       /home/tomcats/apache-tomcat-7.0.53/bin/bootstrap.jar:/home/tomcats/apache-tomcat-7.0.53/bin/tomcat-juli.jar
Using CATALINA_PID:    /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pid
Tomcat started.

Checked pid-file:

$ cat /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pid
28461

But - there is no process 28461:

$ ps aux | grep 28461
tomcats  28599  0.0  0.0 103240   872 pts/0S+   12:50   0:00 grep 28461

$ ps -p 28461
  PID TTY  TIME CMD

And Tomcat's JVM runs with other PID:

$ ps u | grep tomcat | grep java | grep -v grep | cut -d ' ' -f 3
30133

So - for what exactly CATALINA_PID variable needs or - why it's return
wrong number?

From *Tomcat the Definitive Guide* of *Jason Brittain* book we know that:

CATALINA_PID This variable may optionally hold the path to the process ID
file that Tomcat should use when starting up and shutting down. None

Use:

$ cat /etc/redhat-release
CentOS release 6.4 (Final)

Thanks for advice.


Re: CATALINA_PID != real PID

2014-05-23 Thread Арсений Зинченко
Hi, Leon.

Thanks for reply.

Don't know why - but now it works good :-)


Tomcat 5.5 vs 7.0 SSL

2014-06-02 Thread Арсений Зинченко
Hi.

Faced with very odd behavior of Tomcat 7...

Have two instances on same box - Tomcat 5.5 and Tomcat 7.

Both have same configuration - first from 5.5:

<Connector port="${port.https}" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="want" sslProtocol="TLS"
   keystoreFile="conf/.ssl/tomcat.jks"
   keyAlias="tomcat"
   keystorePass="pass"
   truststoreFile="conf/.ssl/trustcacerts.jks"
   truststorePass="pass" />

Next - from 7.0:

<Connector
  port="${port.https}"
  protocol="HTTP/1.1"
  SSLEnabled="true"
  enableLookups="false"
  disableUploadTimeout="true"
  scheme="https"
  secure="true"
  clientAuth="want"
  sslProtocol="TLS"
  keystoreFile="conf/.ssl/tomcat.jks"
  keyAlias="tomcat"
  keystorePass="pass"
  truststoreFile="conf/.ssl/trustcacerts.jks"
  truststorePass="pass"
/>

Also - both configured for CLIENT-CERT authentication (same application
with same web.xml).

In browser installed cert, but - when I'm trying open connection to 7
Tomcat - I got 401 - Cannot authenticate with the provided credentials and
no authentication attempt in log:

10.***.***.15 - - [02/Jun/2014:17:10:31 +0300] GET /service/ HTTP/1.1 401
1049

But connection to 5.5 - successful with same browser & certificate.

Also, in ssldump I see that browser can't make handshake with 7.0 server:

1 2  0.0317 (0.0308)  SC  Handshake
  ServerHello
Version 3.1
session_id[32]=
  53 8c 85 d7 cf 17 a1 45 8a 4e 64 e6 95 7f 2b f3
  cb 74 0a f3 13 40 71 e8 74 50 53 1a 00 24 a0 76
cipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA
compressionMethod   NULL
  Certificate
  ServerKeyExchange
  CertificateRequest
certificate_types   rsa_sign
certificate_types   dss_sign
certificate_authority
  30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31
  10 30 0e 06 03 55 04 08 13 07 55 6e 6b 6e 6f 77
  6e 31 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76
  31 0f 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66
  74 31 0c 30 0a 06 03 55 04 0b 13 03 4c 4d 53 31
  13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68
  65 6e 6b 6f
certificate_authority
  30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41 31
// and that's all

But on 5.5 - everything OK:

1 2  0.0213 (0.0195)  SC  Handshake
  ServerHello
Version 3.1
session_id[32]=
  53 8c 85 89 be 1f c5 63 e2 16 a0 a0 dc 5b aa 68
  0d 1c 8d b7 24 c5 13 0a 24 0a 66 9b 54 f4 b0 0f
cipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA
compressionMethod   NULL
  Certificate
  ServerKeyExchange
  ServerHelloDone
1 3  0.0256 (0.0042)  CS  Handshake
  ClientKeyExchange
DiffieHellmanClientPublicValue[96]=
  4a 39 5e f5 2a c1 58 13 6b 7c 98 0b 44 d7 9a 42
  bf 48 c2 6e a4 c6 6d 50 a7 89 8f 53 a4 54 92 a5
  81 18 1b 22 63 cf c1 63 8f 36 9f d2 59 c3 3e 67
  1f 4e 18 01 db f2 9d 07 0b 81 12 39 64 62 83 84
  78 dc 36 9b 00 34 f5 34 44 2d 92 eb d9 f6 b0 7e
  c4 66 d9 ad f2 bf 7f fb 07 56 eb 58 5d 58 41 2e

What I'm doing wrong?

Thanks.


Tomcat autodeploy doesn't return actual files via HTTP

2014-06-03 Thread Арсений Зинченко
Hi. Faced with little bit odd behavior of Tomcat 7 & Java 1.6.

Old file is:

$ curl http://localhost:8084
First file

I mean - *war-file* contains only one index.jsp page with text First page:

$ jar tf ../app-application/APP.war
META-INF/
META-INF/MANIFEST.MF
index.jsp

Tomcat's server.xml has next components config:

<Host
  name="localhost"
  appBase="/home/user/APP/app-application/"
  unpackWARs="false"
  autoDeploy="true"
  deployOnStartup="false">

  <Context
    path=""
    docBase="APP.war"
    reloadable="true"
  />

Then - I copied new *war-file*:

$ cat ../tmp/1/index.jsp
Second file

$ cd ../tmp/1/ && jar cf APP.war index.jsp

$ cp APP.war ../../app-application/
cp: overwrite `../../app-application/APP.war'? y

And see in log:

 INFO: Undeploying context [/APP]
 Jun 3, 2014 1:16:40 PM org.apache.catalina.startup.HostConfig deployWAR
 INFO: Deploying web application archive /home/user/APP/app-application/APP.war

But - when I'm trying open it with browser - I got old file again:

$ curl http://localhost:8084/
First file

And only after full Tomcat's reboot - I see new file;

$ curl http://localhost:8084
Second file

Why? Am I missed something? Tomcat keep it in some cache?
Thanks.


Unexpanded WAR and FileNotFoundException: META-INF/MANIFEST.MF

2014-07-23 Thread Арсений Зинченко
Hi.

We have Tomcat with:

<Host
  name="localhost"
  appBase="webapps"
  unpackWARs="false"
  autoDeploy="false"
  deployOnStartup="true">

While startup I got ERROR in log:

14-07-22 15:13:01,551+0100  289   INFO
 [com.***.listener.PropertiesConfigListener] (main:) Adapter is a log4j
adapter ?org.slf4j.impl.Log4jLoggerAdapter
14-07-22 15:13:01,552+0100  290   ERROR
[com.***.listener.PropertiesConfigListener] (main:) Exception getting
codebase versionjava.io.FileNotFoundException: META-INF/MANIFEST.MF (No
such file or directory)

I understood, that PropertiesConfigListener can't find path to this file,
but - it can't get MANIFEST.MF from inside WAR-file?

Any tips - how it can be fixed?

Thanks.


Re: Unexpanded WAR and FileNotFoundException: META-INF/MANIFEST.MF

2014-07-23 Thread Арсений Зинченко
Hi, Chris. Thanks for reply.

Biggest problem is that I'm not our application developer.


2014-07-23 17:26 GMT+03:00 Christopher Schultz ch...@christopherschultz.net:


 Арсений,

 On 7/23/14, 10:14 AM, Арсений Зинченко wrote:
  We have Tomcat with:
 
  <Host name="localhost" appBase="webapps" unpackWARs="false"
  autoDeploy="false" deployOnStartup="true">
 
  While startup I got ERROR in log:
 
  14-07-22 15:13:01,551+0100  289   INFO
  [com.***.listener.PropertiesConfigListener] (main:) Adapter is a
  log4j adapter ?org.slf4j.impl.Log4jLoggerAdapter 14-07-22
  15:13:01,552+0100  290   ERROR
  [com.***.listener.PropertiesConfigListener] (main:) Exception
  getting codebase versionjava.io.FileNotFoundException:
  META-INF/MANIFEST.MF (No such file or directory)
 
  I understood, that PropertiesConfigListener can't find path to this
  file, but - it can't get MANIFEST.MF from inside WAR-file?
 
  Any tips - how it can be fixed?

 Your com.***.listener.PropertiesConfigListener needs to know how to
 load files from inside WAR files if you don't want to expand the WAR file.

 How does your code currently attempt to load the file? You are
 probably using a FileInputStream or something like that, which can't
 operate within a JAR/WAR file.

 - -chris