Re: How to *properly* create and use a CATALINA_BASE installation

2021-11-16 Thread Mark H. Wood
The Gentoo Linux packaging of Tomcat does a nice job of laying out
separate CATALINA_HOME and one or more CATALINA_BASE trees, if you'd
like something to study.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Re: javax.servlet vs jakarta.servlet?

2022-01-03 Thread Mark H. Wood
On Thu, Dec 30, 2021 at 03:16:51PM -0500, Michael B Allen wrote:
> On Thu, Dec 30, 2021 at 10:57 AM Christopher Schultz
>  wrote:
> >
> > You mean like ServletContext.getRealPath?
> 
> Honestly I'm not sure how I feel about getRealPath. On the one hand, I
> don't think it's reasonable to just pretend that applications only
> exist in the vacuum of space. There are many practical reasons why an
> application might want to interact with the filesystem but without
> requiring absolute paths. Just because there might not be a file
> system is a weak excuse to not properly account for one. Being able to
> update a file of properties for example and have the application see
> that the file is updated without reloading the webapp (maybe even if
> the app is packaged as a war) is very useful. On the other hand I
> don't think I would want another 10 classes just to create some kind
> of ancillary webapp storage abstraction.

I would say that servlet code should, in general, assume that nothing
exists outside of the container except that which it is told about.
It should not care where it is.  If it needs to interact with a
filesystem, it should be given paths into that filesystem as context
parameters or environment objects.

If I intended to make changes to an application's configuration
without re-deploying, I would put the configuration elsewhere and
configure the context with a path (or a Path) to it.

You may wish to have a look at https://stackoverflow.com/a/12160863/2916377

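To make the approach in this reply concrete, here is an added example (my own code, not from the thread, from Tomcat or from the servlet spec) of a servlet that never asks where it lives: the file location arrives as a context parameter, and edits to the file are picked up on the next request without redeploying the webapp. The parameter name app.config.path, the property name greeting and the path /etc/myapp/app.properties are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.util.Properties;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Loads application settings from a file whose location is handed to the
 * webapp by the container, and re-reads it when the file changes.
 *
 * Assumed context.xml entry (the parameter name is invented for this example):
 *   <Parameter name="app.config.path" value="/etc/myapp/app.properties" override="false"/>
 */
public class ExternalConfigServlet extends HttpServlet {
    private static final String PARAM = "app.config.path";

    private Path configPath;
    private volatile Properties cached = new Properties();
    private volatile FileTime loadedAt;

    @Override
    public void init() throws ServletException {
        ServletContext ctx = getServletContext();
        String value = ctx.getInitParameter(PARAM);
        if (value == null) {
            // Fail at deployment rather than guessing a location relative to the webapp.
            throw new ServletException("Context parameter " + PARAM + " is not set");
        }
        configPath = Paths.get(value).toAbsolutePath().normalize();
        if (!Files.isRegularFile(configPath)) {
            throw new ServletException(PARAM + " does not point at a readable file: " + configPath);
        }
    }

    /** Re-reads the file only when its modification time has moved forward. */
    synchronized Properties current() throws IOException {
        FileTime now = Files.getLastModifiedTime(configPath);
        if (loadedAt == null || now.compareTo(loadedAt) > 0) {
            Properties fresh = new Properties();
            try (InputStream in = Files.newInputStream(configPath)) {
                fresh.load(in);
            }
            cached = fresh;
            loadedAt = now;
        }
        return cached;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("greeting=" + current().getProperty("greeting", "(unset)"));
    }
}
```

The same value could instead be published as an <Environment name="config/path" value="..." type="java.lang.String"/> entry and looked up through JNDI at java:comp/env/config/path; either way the path is supplied by whoever configured the context, and nothing in the request ever influences which file is opened. Setting override="false" on the <Parameter> stops a <context-param> packed inside the WAR from replacing the operator's value.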


Re: correct usage of properties to supply database port

2022-03-11 Thread Mark H. Wood
On Thu, Mar 10, 2022 at 09:40:48AM -0700, Rob Sargent wrote:
> About context/context/value:  I have this context.xml. Is the value 
> correctly inside the outer Context?
> 
> 
> 
>        name="jdbc/sgsdb/tbar"
>    url="jdbc:postgresql://localhost:5432:/tbar"
>    driverClassName="org.postgresql.Driver"
>    type="javax.sql.DataSource"
>    factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>    testWhileIdle="false"
>    testOnBorrow="true"
>    testOnReturn="false"
>    validationInterval="3"
>    validationQuery="select 1"
>    timeBetweenEvictionRunsMillis="3"
>    maxActive="50"
>    initialSize="3"
>    maxWait="1"
>    removeAbandonedTimeout="3600"
>    removeAbandoned="true"
>    minEvictableIdleTimeMillis="3"
>    minIdle="1"
>    maxIdle="5"
>    logAbandoned="true"
>    username="shoc"
>    password="password"
>    />
> 
>    
>            className="org.apache.catalina.valves.AccessLogValve"
>      prefix="sgs_access"
>      directory="${SGSSRVR_AccessLogDir}"
>      maxDays="7">
>      
>    
> 

I don't think you can nest <Context>s that way, and I'm not sure what
it would mean.  I would remove the inner <Context> pair.



Re: Encryption of Tomcat AJP

2022-05-19 Thread Mark H. Wood
On Thu, May 19, 2022 at 07:09:59AM +0000, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
> 
> From: Mark Thomas 
> Subject: Re: Encryption of Tomcat AJP
> 
> >On 19/05/2022 01:32, Brian Eller wrote:
> >> TRADING PARTNER
> >>
> >> Hello,
> >>
> >>  I am working on a Tomcat install embedded inside a vendor 
> >> product that uses Apache to pass traffic to Tomcat.  My cyber security 
> >> group is asking if we can encrypt all connections.  Does the mod_jk 
> >> protocol, AJP can be encrypted?
> >
> >No, AJP does not support encryption.
> >
> >If you want to encrypt traffic between the reverse proxy and the embedded 
> >Tomcat instance I'd recommend using mod_proxy_http and proxy everything over 
> >HTTPS. This requires a little more configuration to get things working.
> >
> >The main thing to keep in mind is to make sure that the Tomcat instance 
> >correctly identifies whether the client connection to the reverse proxy was 
> >over HTTP or HTTPS.
> >
> >Mark
> 
> I totally agree this is an existing and sufficient mechanism already 
> available. And I see it popping up in more and more locations.
> But as you point out there are some caveats that potentially open security 
> risks. On the contrary AJP - maybe because it cannot be configured with 
> encryption - looks simple and straightforward.
> 
> Would it make sense to create a solution with less caveats and up to date 
> security requirements?

If the OP's cyber security group insists, then maybe they would care
to give him their requirements and suggestions for setting up IPSEC.



Re: Mod_JK vs Mod_Proxy

2022-12-06 Thread Mark H. Wood
On Mon, Dec 05, 2022 at 03:37:59PM -0500, Christopher Schultz wrote:
> On 12/5/22 15:03, Cathy Spears wrote:
> > Using Tomcat 8.5 and 9.0 with 32-bit Apache 2.4 and mod_jk. Are there
> > benefits to using mod_proxy instead of mod_jk? Also, is there a
> > planned end of life for mod_jk or will it continue to be supported
> > for now?
> Hopefully this will be helpful:
> 
> https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http

I read this as a question about mod_proxy_ajp vs. mod_jk.

Happily using mod_proxy_ajp here for some years.  Both work well but I
very much prefer the way mod_proxy_ajp integrates with the proxy
configuration in HTTPD.



Re: AW: AW: Password in Tomcat 9.x

2023-01-20 Thread Mark H. Wood
On Thu, Jan 19, 2023 at 07:33:04PM +0100, a.grub...@bluewin.ch wrote:
> I asked Thomas as well, if he knows if this could be solved with placing the 
> path to the file - in my opinion, this is an easy, safe possibility to 
> allocate any certs. That would be very helpful to have such tomcat.

I think there has been something missing in this discussion.  Several
people have advised removing the password from the credentials file.
This is not just giving up and trading security for practicality.
Storing a cleartext password on the same system with the
password-protected object is equivalent to having no password, because
anyone who can get the protected object can get the password from the
same place.

The only way that encrypting the container can increase security is to
provide the password from outside the system whenever it is needed --
e.g. have an operator type it in.  The purpose of encrypting the
container seems to be to protect it *in transit from one system to
another*, after which a human will decrypt it for use.

So:  it is unlikely that anyone will do more work on the code for no
more benefit.

When I think about it, this is just another layer of the reason that
these credentials containers *can* be encrypted:  such a file contains
all of the materials which are needed to evade security, so there must
be an external source of control to protect the contents:  something
which is not part of the materials and can be kept separate from them,
carried by different means.



Re: AW: AW: AW: Password in Tomcat 9.x

2023-01-23 Thread Mark H. Wood
On Sat, Jan 21, 2023 at 02:24:46PM +0100, a.grub...@bluewin.ch wrote:
> Hello Mark
> 
> Then how do you manage the webserver certificate in Tomcat? Where do you 
> store the password? I would like to do it of course always without, but the 
> architecture is like that I have.
> 
> Webserver certificate.p12
> Webserver certificate.p12.pwd Password_today  Password 
> tomorrow
> 
> Tomcat/conf/server.xml
> 
> I would like to reference the pwd file in server.xml. You cannot enter the 
> server and get to the directory until you do the sudo to its technical user.
> 
> How can you do this? When you have an automated certificate approach running, 
> renewing certificates which are in the range to renew.
> How to avoid setting ; in a password? This also causes or can cause issues.
> 
> Thank you for your advice. More security is better, but it must be in the 
> position to be handled easy. Every manual change I want to avoid.

I don't store the password.  (Perhaps I should ask:  do you mean the
passphrase for the private key, or the passphrase for the PKCS12
container?)

Here I have to create a Certificate Signing Request and send it to the
registrar for signature.  Since I am creating the private key at the
same time, I can have it created without encryption.  Perhaps the
tools that you use have such an option?  I generate the request and
key with:

  openssl req \
  -new \
  -newkey rsa:4096 \
  -nodes \
  -keyout SOMETHING.key \
  -out SOMETHING.req

If I were packing up the certificate(s) and key in a PKCS12, I would
use "openssl pkcs12 -export -nodes ..." (to leave the private key
unencrypted).  But, now that I've been researching it, there may not
*be* a way to specify "no encryption" of the PKCS12 structure itself,
only ways to express a zero-length password.

Of course I pay strict attention to file and directory permissions.



Re: JNDI match of LDAP hashed passwords fail against cleartext

2020-04-21 Thread Mark H. Wood
On Mon, Apr 20, 2020 at 12:17:54PM -0400, Christopher Schultz wrote:
> Hmm. The LDAP stuff I think wasn't me, but I understand it a little
> bit. Brian, is there a standard I can read for this? I'm familiar with
> LDAP servers storing credentials with "{sha}" prefixes but not others.
> Honestly, for an LDAP backend, I'd expect the LDAP server to be
> checking the credentials sent by the client, not to have the client
> fetch the credentials and do its own checking. That's the whole point
> of delegating authentication to the LDAP server.

The point of "client fetches credentials via LDAP to do its own
checking" seems to be *not* to delegate authentication, but to use the
directory as a store of hashed credentials.  The only reason for doing
this that I've been able to come up with is that in this setup there
is no reason why the enterprise user has to be a directory user,
i.e. only a handful of directory administrators and service accounts
can actually authenticate identities *to the directory*, while many
objects have credentials stored in a different attribute that the
directory itself does not use for authentication.  Minimizing access
to a central store of identity and authorization makes sense in some
settings.

I get the feeling that the X.500 designers deliberately left specific
applications (like authenticating identities in other products) as an
exercise for the client designer, so as not to foreclose clever uses
they hadn't thought of.  One result is a rather Wild West approach to
using directory services for authentication.  (I see this also in
services dedicated to authentication:  seemingly no two organizations
use CAS in the same way.)



Session attribute disappears across requests

2020-05-26 Thread Mark H. Wood
Background:  client request starts a long-running procedure which
eventually returns a calculated result.  I want to provide a progress
meter so that the user knows that the request is still running.  The
page where this happens periodically fires an AJAX request to sample
the progress of the procedure which is generating the response to the
original request.  The code which handles the original request adds a
session attribute which references an object that knows how to get the
current value of "progress".  The code which handles the AJAX request
looks up this session attribute to provide its response.  The first
AJAX request fires one second after the original request, confirmed by
examining the application's log.

This all happens in a single instance of Tomcat 8.5.55 using the
StandardManager with all its default settings, i.e. there is no
Manager element in the configuration.  I don't require persistence
across restarts.

Problem:  the attribute is definitely being created by the
original-request handler, because I can see its name in the
enumeration returned by Session.getAttributeNames in that handler
after setting the attribute, and it definitely has a value there.
However, one second later, in the AJAX-request handler the same
Session (yes, I checked the session IDs and they match) does not
contain an attribute with this name, though it contains all of the
other attributes that were enumerated in the original-request handler.

The object referenced by the attribute does not implement Serializable
and it would be difficult to do so.  But it doesn't seem to me that
this is necessary in the circumstances:  not clustered, not using
PersistentManager.

Where did I go wrong?  I'm considering other ways to coordinate the
two requests, but I'd like to know why this one isn't working.

Possible confounding factor:  this is a Cocoon 2.2 application, and
the HttpSession in both handlers is actually an
org.apache.cocoon.environment.http.HttpSession.  But I'm accessing the
attributes the same way in both handlers -- I actually copy/pasted my
debugging code -- and the session shows my attribute in one but not
subsequently in the other.

Bonus question:  this AJAX activity isn't going to have any effect on
whether the original request times out, is it?  So I probably need a
broader re-think.  (All the traffic is proxied through Apache HTTPD
via AJP.)



Re: Session attribute disappears across requests

2020-05-26 Thread Mark H. Wood
[Session attribute disappearing between requests]

*sigh* Brown paper bag error:  the original-request handler was
cleaning up the value before it could be read by the progress-request
handler, when the original request *does not* run a long time
(e.g. zero records to summarize).  That's the wrong place to clean it
up anyway.

Sorry for the noise.



Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing

2021-01-07 Thread Mark H. Wood
On Wed, Jan 06, 2021 at 03:34:17PM -0800, James H. H. Lampert wrote:
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
> 
> The customer apparently has his own CA (they're a big company), and when 
> I installed SSL in their Tomcat, and tested it with a browser, it 
> complained, something to the general effect of "weak signature algorithm."
> 
> While it's not really my problem (and is only connected to Tomcat by 
> virtue of it happening with a Tomcat server), I'm curious about what's 
> up with it, if anybody here is able and willing to explain it.

The beginning of this page might be helpful:
  
https://frasertweedale.github.io/blog-redhat/posts/2017-11-10-freeipa-changing-signature-algorithm.html

Simply:  the message is saying that the customer's CA signed this
certificate in a way that's not now believed by the browser's authors
to be sufficiently secure.

I don't know what tools are available in the AS/400 environment, but
here's how I would use OpenSSL on Linux to inspect a certificate:

  $ openssl x509 -noout -text -in /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number:
              9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
          Validity
              Not Before: Oct  1 00:00:00 1999 GMT
              Not After : Jul 16 23:59:59 2036 GMT
          Subject: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
  etc.

The "Signature Algorithm" is what the message is about.  Here it says
that the certified public key was signed by hashing it with SHA1 and
then encrypting the hash with the CA's RSA private key.

I just remembered that your browser probably has a way to display
details of a certificate, too.

BTW that certificate above was issued in 1999, when SHA1 was
considered sufficient.  Certificates created today should be using a
stronger hash.

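Since the question came up on an AS/400 where openssl may not be at hand, here is an added example (my own code, not from the thread) that does the same inspection with nothing but the JDK: it prints the signature algorithm of each certificate in a PEM file, or of the JRE's own trust anchors when no file is given, and flags the digests browsers stopped accepting. The list of weak digests and the output layout are my choices; it needs Java 9 or later for Set.of/List.of.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Reports the signature algorithm of X.509 certificates and flags the weak ones. */
public final class SigAlgCheck {

    // Digests no longer accepted in certificate signatures (my list, not an authoritative one).
    static final Set<String> WEAK_DIGESTS = Set.of("MD2", "MD5", "SHA1");

    /** True when the certificate was signed with a digest from WEAK_DIGESTS. */
    static boolean isWeak(X509Certificate cert) {
        // JCA names look like "SHA1withRSA" or "SHA256withECDSA".
        // Certificates signed with RSASSA-PSS report "RSASSA-PSS" and carry the
        // digest in the algorithm parameters; they are not examined here.
        String alg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        for (String digest : WEAK_DIGESTS) {
            if (alg.startsWith(digest + "WITH")) {
                return true;
            }
        }
        return false;
    }

    /** One line per certificate: verdict, algorithm, notBefore date, subject. */
    static String describe(X509Certificate cert) {
        return String.format("%-5s %-18s issued %tF  %s",
                isWeak(cert) ? "WEAK" : "ok",
                cert.getSigAlgName(),
                cert.getNotBefore(),
                cert.getSubjectX500Principal().getName());
    }

    /** Reads every certificate in a PEM (or single DER) file. */
    static List<X509Certificate> loadFile(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** The trust anchors of the JRE's default truststore (cacerts). */
    static List<X509Certificate> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return List.of(((X509TrustManager) tm).getAcceptedIssuers());
            }
        }
        return List.of();
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> certs = args.length > 0
                ? loadFile(Paths.get(args[0]))
                : defaultTrustAnchors();
        for (X509Certificate cert : certs) {
            System.out.println(describe(cert));
        }
    }
}
```

Run it as "java SigAlgCheck server.pem" against the certificate the customer's CA issued, or with no argument to see which roots in the JRE's cacerts are themselves SHA-1 signed. One caveat when reading that second list: browsers do not verify the self-signature on a trust anchor (trust comes from having the root's key on file), so the "weak signature algorithm" complaint is about the signature the CA put on the server certificate or on an intermediate, which is where to look first.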


Re: [OT] programming style or mental process ?

2021-04-09 Thread Mark H. Wood
I've appreciated this discussion.  It's caused me to think a bit more
about my use of this pattern.

[regarding tests for null references]
This has got me wondering why there is no operator for such an
irritatingly common need:

  if (my_reference isNull) { ... }



Re: [EXTERNAL] Re: tomcat timeout

2021-04-16 Thread Mark H. Wood
On Thu, Apr 15, 2021 at 08:25:12PM +0000, Mohamed Eliyas Abdul Kadar wrote:
> I am generating report for a year, normally this takes 5 mins on weblogic 
> server. We are migrating to tomcat and it does not show any error. In 
> developer tools I see timeout for that request.

I faced a similar issue some time ago, and decided that it was an
application design error.  I introduced a progress meter that polls
periodically until the report generation completes or fails and,
incidentally, gives the user an indication that service of the request
is proceeding and has not simply hung or been dropped.

Other possibilities:

o  The request causes a background thread to generate the report and
   email it when complete.

o  A first request causes the report to be generated in a holding
   area, perhaps sending an email when completed; a second request
   fetches the completed report.

I decided that just lengthening timeouts was a losing strategy,
because these particular reports can be requested over any portion of
a record set that steadily grows in size, and can thus take longer to
generate every month.  Your situation may be different.

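The progress-meter design described in this reply, and the session-attribute mishap from the "Session attribute disappears across requests" thread above, fit in one servlet, so here is an added example (my own code, not from either thread and not Cocoon or Tomcat code). POST starts the report on a bounded thread pool and parks a progress handle in the session; GET returns the current state. The handle is removed by the polling side, and only after a terminal state has been delivered, so a report that finishes before the first poll (zero records to summarize) is still seen as DONE rather than vanishing. The URL /report, the attribute name reportJob, the "records" parameter and the simulated work are all constructed for the example.

```java
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * POST /report starts generation in the background; GET /report reports progress.
 * Cleanup of the session attribute happens on the GET side after a terminal
 * state has been reported, never in the request that started the job.
 */
@WebServlet("/report")
public class ReportServlet extends HttpServlet {
    static final String ATTR = "reportJob"; // session attribute name, chosen for this example

    /** Shared progress handle; every field is written by the worker and read by the poller. */
    static final class Job {
        enum State { RUNNING, DONE, FAILED }
        final AtomicInteger percent = new AtomicInteger();
        volatile String message = "";
        volatile State state = State.RUNNING; // written last, so the other fields are visible with it
    }

    private ExecutorService pool;

    @Override
    public void init() {
        pool = Executors.newFixedThreadPool(4); // bounded: callers cannot start unlimited worker threads
    }

    @Override
    public void destroy() {
        pool.shutdownNow();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession();
        if (session.getAttribute(ATTR) != null) { // one report per session at a time
            resp.sendError(HttpServletResponse.SC_CONFLICT, "a report is already running");
            return;
        }
        Job job = new Job();
        session.setAttribute(ATTR, job);
        int records = parseRecords(req.getParameter("records")); // stand-in for a real record count
        pool.submit(() -> generate(job, records));
        resp.setStatus(HttpServletResponse.SC_ACCEPTED);
        resp.getWriter().println("started");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        Job job = session == null ? null : (Job) session.getAttribute(ATTR);
        resp.setContentType("application/json");
        if (job == null) {
            resp.getWriter().println("{\"state\":\"NONE\"}");
            return;
        }
        // message is produced only by generate(), so it is safe to embed without escaping.
        resp.getWriter().printf("{\"state\":\"%s\",\"percent\":%d,\"message\":\"%s\"}%n",
                job.state, job.percent.get(), job.message);
        if (job.state != Job.State.RUNNING) {
            session.removeAttribute(ATTR); // the right place to clean up: after the final state was delivered
        }
    }

    /** Simulated long-running work; with records == 0 it completes before the first poll. */
    static void generate(Job job, int records) {
        try {
            for (int i = 0; i < records; i++) {
                Thread.sleep(100);
                job.percent.set((i + 1) * 100 / records);
            }
            job.percent.set(100);
            job.message = records + " records summarized";
            job.state = Job.State.DONE;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            job.message = "cancelled";
            job.state = Job.State.FAILED;
        } catch (RuntimeException e) {
            job.message = "failed";
            job.state = Job.State.FAILED;
        }
    }

    /** Clamps the constructed input so a request cannot ask for hours of work. */
    private static int parseRecords(String s) {
        try {
            return Math.max(0, Math.min(600, Integer.parseInt(s)));
        } catch (NumberFormatException e) {
            return 0;
        }
    }
}
```

Job does not implement Serializable, which is fine for the single-instance StandardManager case discussed above: the default manager does try to write sessions to SESSIONS.ser on a clean shutdown and simply skips attributes it cannot serialize, so the only consequence is that an in-flight report does not survive a restart. The POST response returns immediately, so the proxy's AJP or HTTP timeout no longer has to cover the whole report run.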


Re: Problem posting to Tomcat ssl connector ..

2021-06-01 Thread Mark H. Wood
On Fri, May 28, 2021 at 01:32:47PM -0600, John Dale wrote:
> Page loads fine.
> 
> Other pages load fine.
> 
> SSL handshakes are working until ..
> 
> An Ajax post with a base64 encoded image in the data.
> 
> I debugged up to the request and it's fine.
> 
> I debugged the server and it's not reaching my component.
> 
> Tomcat is killing the connection for some reason.
> 
> Thought it might be maxSavePostSize .. bumped that up in the SSL connector.
> 
> No dice.
> 
> Request post is around 300K.
> 
> What's going on!?

I suppose there's nothing useful in the logs?  Can anyone suggest
adjustments that might log relevant observations?



Re: Most recent security-related update to 8.5? And setting up access to Manager?

2021-06-21 Thread Mark H. Wood
On Mon, Jun 21, 2021 at 12:42:56PM -0400, Christopher Schultz wrote:
> On 6/19/21 11:31, James H. H. Lampert wrote:
[snip]
> > Also, while I'm here, can somebody point me to an example of how to code 
> > the Manager's RemoteAddrValve setting to allow access from, say, two or 
> > three arbitrary IP addresses?
> 
> Take a look at the example configuration that ships with the Manager. It 
> already includes 2 specific IPs and one range. It's a regular 
> expression. If you aren't too good with those, find someone who is or 
> give a specific example and someone here can probably help.

If you aren't too good at REs, or you just think that a long chain of
ORed subexpressions, each of which contains far too many escaped dots,
is too horrible to contemplate, you may also want to take a look at
RemoteCIDRValve instead.

https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_CIDR_Valve

I got so tired of those eye-watering IP address REs that I wrote my
own CIDR-based Valve some years ago, but I'm happy to discover that I
can now throw it away and use one that ships with Tomcat.

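For comparison, here is an added example (not from the thread; the only part taken from Tomcat is the loopback pattern that ships in the Manager's context.xml) showing the same allow list written both ways. The extra addresses are from the documentation ranges and stand in for the asker's "two or three arbitrary IP addresses".

```xml
<!-- conf/Catalina/localhost/manager.xml, regular-expression form:
     "allow" must match the whole client address string, so every dot is escaped
     and the alternatives are ORed with "|". -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.0\.2\.10|192\.0\.2\.11|198\.51\.100\.\d+" />
</Context>

<!-- The same policy with RemoteCIDRValve: a comma-separated list of networks,
     IPv4 and IPv6 side by side, no escaping. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
         allow="127.0.0.0/8,::1/128,192.0.2.10/32,192.0.2.11/32,198.51.100.0/24" />
</Context>
```

Both valves compare against the address of the TCP peer. When Tomcat sits behind HTTPD, as in most of the setups in this thread, that peer is the proxy, so the allow list either names the proxy (and the proxy enforces the real restriction) or a RemoteIpValve is placed ahead of the address valve so that the forwarded client address is the one tested.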


Re: Re-Use TCP Source Ports if the Socket is Unique?

2021-06-25 Thread Mark H. Wood
On Fri, Jun 25, 2021 at 12:46:03PM +0000, Eric Robinson wrote:
> Olaf and Scott --
> 
> Thanks to both of you for your comments. I may have asked my question poorly, 
> since what you both described is the way I understand TCP to work. There is 
> no correlation between an incoming connection to tomcat and its outgoing 
> connection to a database backend, nor would I expect there to be.
> 
> Perhaps a simpler way to ask my question is: when a server has multiple IPs, 
> which one does tomcat use as its source IP when it initiates a three-way 
> handshake with a remote machine?
> 
> For example, suppose my server has IP addresses 10.0.0.1 and 10.0.0.2, and my 
> tomcat connector looks like this...
> 
>  port="8080"
> protocol="HTTP/1.1"
> address="10.0.0.2"
> connectionTimeout="2"
> redirectPort="8443"
>   />
> 
> Tomcat is now listening on IP 10.0.0.2.
> 
> But here's the question. If tomcat needs to initiate a TCP session to a 
> remote machine (acting as a TCP client), will it use 10.0.0.1 or 10.0.0.2 as 
> the source IP of the outbound connection? I'm assuming it will use the same 
> IP that the connector is configured to listen on.

man 7 tcp

A client uses 'connect' and doesn't need to set a local address.  Only
a service needs to declare its own address and port.

The kernel routing database knows which distant hosts should be
reachable via each local address.  'connect' should use this to pick
an address that can reach the distant host, assign an unallocated
port, and send SYN to request a connection.

So the answer to your question is "it depends on the service host's
address and what networks the interfaces for 10.0.0.1 and 10.0.0.2 can
see."

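To see the distinction in this reply from the Java side, here is an added example (my own code, not from the thread). The first helper connects the way a JDBC driver does, without binding, and reports the source address the kernel chose; the second binds a chosen local address first, which is what you would do if a database host's access rules or a firewall must see a particular source IP. It runs offline against a constructed listener on loopback; the 10.0.0.2 address in the comment is the one from the question and only makes sense on a host that actually has it.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;

/** Shows which local address a client socket ends up with, with and without an explicit bind. */
public final class SourceAddressDemo {

    /** Plain connect: no local address is set, the routing table decides. */
    static InetSocketAddress connectUnbound(InetSocketAddress target) throws IOException {
        try (Socket s = new Socket()) {
            s.connect(target, 2000);
            return (InetSocketAddress) s.getLocalSocketAddress();
        }
    }

    /** Bind a chosen local address (port 0 = any free port) before connecting. */
    static InetSocketAddress connectBound(InetAddress local, InetSocketAddress target) throws IOException {
        try (Socket s = new Socket()) {
            s.bind(new InetSocketAddress(local, 0));
            s.connect(target, 2000);
            return (InetSocketAddress) s.getLocalSocketAddress();
        }
    }

    public static void main(String[] args) throws IOException {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        // Constructed stand-in for the remote service: a listener on loopback, any free port.
        try (ServerSocket server = new ServerSocket(0, 50, loopback)) {
            InetSocketAddress target = new InetSocketAddress(loopback, server.getLocalPort());
            System.out.println("unbound connect -> local " + connectUnbound(target));
            System.out.println("bound connect   -> local " + connectBound(loopback, target));
            // On the multi-homed host from the question, replace the second
            // argument with InetAddress.getByName("10.0.0.2") to force that
            // source address regardless of the Connector's address attribute.
        }
    }
}
```

Tomcat's Connector address attribute only decides where Tomcat listens; it is never consulted for connections the webapp opens. If an outbound source address matters for access control, it has to be chosen by the code (or the driver, where it offers such a setting) as the second helper does, or by the routing configuration of the host.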


Re: Tomcat producing (near) duplicate Catalina logs

2008-06-16 Thread Mark H. Wood
You are not the only one frustrated by the state of log4j
documentation.

If you persevere, the Introduction section "Configuration" does sort
of explain things, although as noted it does so mainly from the
programmer's point of view.  The section "Default Initialization"
discusses how the configuration is found.

Digging in a little, there is somewhat more complete configuration
documentation in the Javadoc:

  http://logging.apache.org/log4j/1.2/apidocs/index.html

Scroll down (and down and down) through
org.apache.log4j.PropertyConfigurator to the method
doConfigure(String,LoggerRepository) and you will find a bit of
discussion of configuration syntax and semantics.  Apparently, if you
fetch the source kit and unpack it, there are further examples included.

"Read The Fine Manuals" is certainly good advice, but log4j is a poor
example.  It's a shame that the package is in such a poor state,
because it has a number of clever and useful features which are rarely
mentioned.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: Logging for Dummies in Tomcat 5.5/6.0

2008-06-19 Thread Mark H. Wood
This is not distribution-specific.  How to pass property values to the
JRE is perhaps JRE-specific but not distro-specific.

One can (and should) document a product's configuration and use
relative to what the product "knows", and require that the user
understands the details of his own choice of operating environment.

Tomcat, in particular, is told the paths represented by catalina.home
and catalina.base, and uses that to configure its classloaders, which
are used by the chosen logger to locate its default configuration.
The name of the default configuration is specified by the chosen
logger.

The JRE running Tomcat is perhaps told the paths represented by other
system properties whose names are specified by the logger.

The only distro-specific thing in any of this is the particular paths
assigned to these properties, and determining those values is the
responsibility of the asker because, as you say, you cannot know them
in advance.  But an answer expressed in terms of the invariants can
be interpreted by the asker and should be sufficient.  And there
*must* be invariants, a contract between dependency and dependent, or
modular software cannot operate.



Re: Logging for Dummies in Tomcat 5.5/6.0

2008-06-19 Thread Mark H. Wood
On Thu, Jun 19, 2008 at 12:41:30AM +0200, André Warnier wrote:
> My idea was, maybe naively, that Tomcat was like any other program, fairly 
> logical, and that things in it happen for a reason.
> Thus that when Tomcat starts, it knows, from some top-level configuration 
> file, where to look for instructions as to what logging system to use, and 
> has an idea about where the configuration for that stuff is.
> And that this knowledge could be communicated to me somehow without 
> breaking some official secrecy vow.
>
> What really puzzled me however, was that going down the hierarchy of 
> configuration files and directories, I never seemed to find a link between 
> Tomcat and the logging it was doing.

What you are missing is that Tomcat is not the top of the chain of
userspace software here; the Java Runtime Environment is.  The JRE
loads Tomcat and quite a bit of other stuff as well.  That "other
stuff" is available to Tomcat.

A sufficiently new Tomcat version includes Commons Logging (JCL),
which is a generalized interface to logging functions which depends on
some other package to actually do the logging.  Commons Logging has
its own internal rules for figuring out what it is supposed to do, and
it can get information from the JRE to help in that process.  This
information does not pass through Tomcat; Commons Logging asks the JRE
directly for the values of various "system properties", which values
are assigned on the commandline which starts the JRE and directs it to
load Tomcat.

The actual logging package wrapped by Commons Logging (such as JULI or
Log4j) in turn has its own rules to locate its configuration data, and
again some of those rules depend on information that it may be able to
get from the JRE, again without Tomcat's intervention.

So Tomcat, Commons Logging, and e.g. JULI each have their own
configuration and none really knows about any of the others.  The JRE
knits it all together.

So, to understand the behavior of logging in Tomcat, you don't need to
know much at all about Tomcat, but you do need to understand the
actual logger, Commons Logging, and some aspects of the JRE.

What you *may* need to know about Tomcat is how it rearranges class
loading, because if one of these packages is not told where to find
its configuration then some of its built-in rules will search for a
configuration file using the classloader hierarchy.

> I am starting to see the error of my ways.
> What I am, ever so slowly, starting to think I understand (I hope), is that 
> Tomcat /may/ not itself know; that your refusal to tell me may not after 
> all have been motivated by a desire to keep the knowledge into your inner 
> circle of initiates; but that instead, it is some other piece of software 
> that "hooks" into Tomcat to "steal" the things to be logged, and that this 
> other piece of thing is the (only) one that knows it's own configuration.

Close.  The JRE mediates.  Tomcat asks for an instance of JCL and the
JRE creates one, which (while being created) will have groped around
and found a logging package to wrap.  The logging package instance will
have groped around and found a configuration which tells it how to log
stuff.  Tomcat doesn't know or need to know what JCL is using to emit
log records; JCL knows that.  In turn JCL doesn't know or need to know
what the selected logging package is supposed to do; the logger
knows.  Each component uses the JRE to find the stuff it wants to know.

> And thus that for instance Tomcat itself knows nothing about that file
> /var/lib/tomcat5.5/conf/logging.properties

Correct.  It's only there rather than somewhere else because a default
search for a properties file will look there, given the classloading
setup established by Tomcat.

> which I discovered long ago on my Linux Debian Etch system, but could not 
> figure out how Tomcat found it or used it.

Tomcat doesn't find or use it.  The logging package does that.

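The "groping around" in this reply has a definite order, and it is easier to reason about once written down, so here is an added example (my own code, not Tomcat's, JULI's or java.util.logging's) of the three places a logging package looks when nobody hands it a path. The property name java.util.logging.config.file and the $JAVA_HOME/conf fallback are java.util.logging's real ones; the classloader step in the middle is the one Tomcat's JULI adds on top, and the resource name logging.properties is the conventional one.

```java
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Reports where a logger would find its configuration, in the order it looks.
 * Tomcat does not take part in any of the three steps: step 1 is the JRE's
 * command line, step 2 is the classloader Tomcat set up, step 3 is the JRE.
 */
public final class LogConfigLocator {
    static final String JUL_PROPERTY = "java.util.logging.config.file";
    static final String RESOURCE = "logging.properties";

    static String locate() {
        // 1. A path passed to the JRE on its command line. catalina.sh passes
        //    -Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties,
        //    which is how conf/logging.properties gets found without Tomcat reading it.
        String explicit = System.getProperty(JUL_PROPERTY);
        if (explicit != null) {
            return Files.isReadable(Paths.get(explicit))
                    ? "system property: " + explicit
                    : "system property set but file unreadable: " + explicit;
        }
        // 2. A resource visible through the caller's classloader. Inside a webapp
        //    that is the webapp classloader, so WEB-INF/classes/logging.properties
        //    is found without anyone naming its absolute path.
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = LogConfigLocator.class.getClassLoader();
        }
        URL resource = cl.getResource(RESOURCE);
        if (resource != null) {
            return "classloader resource: " + resource;
        }
        // 3. The package's built-in default, which for java.util.logging lives under the JRE.
        return "built-in default: " + Paths.get(System.getProperty("java.home"), "conf", RESOURCE);
    }

    public static void main(String[] args) {
        System.out.println(locate());
    }
}
```

Run it plain, then with -Djava.util.logging.config.file=/some/file, then with a logging.properties on the classpath, and the three answers show which layer won each time. Plain java.util.logging goes straight from step 1 to step 3; the per-classloader search in step 2 is what JULI's ClassLoaderLogManager contributes, and it is the reason a webapp can carry its own logging configuration while the Tomcat process has another.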


Re: Mapping question

2008-06-26 Thread Mark H. Wood
On Thu, Jun 26, 2008 at 05:23:15PM +0200, André Warnier wrote:
> And I presume that mod_jk does pass the information about the virtual host 
> name, right ?

It certainly appears so.  I have a host with a single HTTPD in front
of a single Tomcat which defines three vhosts, and the traffic is
routed properly.

I can't say anything about sharing a single copy of a webapp on three
vhosts, because although two of our three vhosts are running the same
webapp, each has a separate on-disk copy.  We need to keep them that
way, since the services are updated on unrelated schedules.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: logging

2008-07-08 Thread Mark H. Wood
On Tue, Jul 08, 2008 at 10:12:15AM -0400, David Crane wrote:
> I doubt there is a simple solution for redirecting stdout/stderr over
> the network.

Perhaps netcat?

  http://nc110.sourceforge.net/

Or if you have security concerns, perhaps scp can be jiggered to do
the job.

However, keep in mind that there should still be a local "log of last
resort" to note the evidence when network logging fails.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Strange startorder of webapps

2008-08-11 Thread Mark H. Wood
In particular, Unix code to walk a directory may return file names in
any order.  You don't often see this behavior because 'ls' typically
sorts its output unless you ask it not to.  OTOH I believe that
Windows keeps its directories sorted and will always produce file
names in lexical order.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: where to place context configuration

2008-08-14 Thread Mark H. Wood
On Thu, Aug 14, 2008 at 01:57:22PM -0500, Caldarale, Charles R wrote:
> You may place the Context element in either location, but Tomcat
> *may* copy the one from META-INF/context.xml to conf/Catalina/[host]
> so it can access it directly.  Proper undeployment will remove the
> copy.

Is there a page somewhere which documents this?

> If you're doing a brute force replacement of a .war rather than a
> real undeployment, you deserve what you get.

Is there a page somewhere which explains how to distinguish the two cases?

> You have the option of placing the webapp's Context element in
> conf/Catalina/[host]/[appName].xml so that you can override the one
> packaged in the .war file - often necessary with prepackaged apps
> that might require special configuration for a particular site.

But then an undeployment (whatever that may be) will destroy my
carefully handcrafted Context, right?  This behavior has been driving
me crazy for years.  I keep /conf/Catalina/[host] full of
foo.xml.saved files so I can quickly recover when Tomcat blows foo.xml
away, seemingly at random.  Half the time, when I copy a new .war in,
the Context is destroyed; the other half, it Just Works.

Currently on Tomcat 6.0.16, but I've had this frustration with 6.0,
5.5, and I believe 5.0.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: HOW TO install/setup 2 instances of tomcat on same server

2008-08-21 Thread Mark H. Wood
On Thu, Aug 21, 2008 at 02:31:41AM +0200, André Warnier wrote:
> Markus Schönhaber wrote:
[snip]
>> Furthermore, if I understand the OP's statement above correctly, he wants 
>> to be able to restart the development Tomcat without affecting the 
>> production Tomcat. That's not possible with either of those two solutions.
>
> True. But I was wondering why he said that he needed to restart Tomcat.  
> Considering that he mentioned he knows not much about it, the OP may be 
> unaware that it is not necessary to restart Tomcat, if the reason is just to 
> re-install/re-start a new version of the test application.

Why?  Because, however good Tomcat is, webapp.s are notorious for
leaking (and occasionally gushing) Tomcat's resources as they stop and
start.  Particularly with software under active development, there is
the real possibility that app A will run Tomcat out of some vital
memory pool and precipitate the crash of app B, though B be coded ever
so carefully.

Here our production Tomcats run pretty well.  The development Tomcat
can lock up several times a day, spinning at 100% CPU and unable to
execute a controlled shutdown, as we update a developing app. a mere
dozen times.  I am ever so happy to have not just separate production
and development containers, but separate hosts, to contain the
problems of unfinished software until they can be fixed.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: [programmazione] Struts vs JSF (poll?)

2008-08-25 Thread Mark H. Wood
On Mon, Aug 25, 2008 at 03:06:49PM +0200, Luca Cicale wrote:

> keep in mind that JSF is a very powerful framework, but it has also
> some limits.  The biggest one is that to work correctly javascript
> must be enabled on the client browser.  So, as first, take care this
> is a very strict specific.

[drifting further offtopic]
Putting on my end-user hat, I have to say that this can be more
significant than one might think.

I have NoScript installed on all my browsers.  It helps with security,
but I find that really I mostly use it to implement the maxim "avoid
time-wasting morons", like the all-singing all-dancing mortgage
distraction or those infuriating "let a live salesman twist your arm"
popins or the sites whose scripts run at 100% for minutes without
producing anything useful.

So when I hit a new site that wags its finger at me for not providing
Javascript (or worse, Flash) then I have to decide whether I'm
interested enough in that site to spend time granting them permission
to take over MY browser.  Often enough I either leave the scripting
off if I can get what I want without it, or I go down the road to
someone else's nice clean site that Just Works.

So when selecting technology, do consider the balance between
providing useful functionality to the users and just bothering them.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Struts vs JSF (poll?)

2008-08-26 Thread Mark H. Wood
On Tue, Aug 26, 2008 at 01:33:02PM -0400, Frank W. Zammetti wrote:
> I'm in the architect/manager boat myself these days, so I'd be crazy to
> *not* agree :)  I've seen though what happens when you play the "ivory
> tower" game and just come down the hill with the stone tablets that say
> "this is what we're doing".

That not only rubs people the wrong way, but also cheats the
decision-maker of useful input to the decision-making process.

>  Everyone has to have a say IMO... even if
> some of those opinions don't carry as much weight as others (having your
> opinion carry more weight is one of the perks of moving up the ladder
> after all).

Yes, borrow as many brains as you can, and give everyone a chance to
contribute.  THEN make the decision, and be clear that what is decided
is decided.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: SNMP tomcat 5.5!

2008-09-12 Thread Mark H. Wood
On Thu, Sep 11, 2008 at 09:29:14PM +0100, Mark Thomas wrote:
> Shahar Cohen wrote:
> > Hi,
> > 
> > Can anybody please tell me how I can monitor by SNMP tomcat sites
> > without querying the admin module which I disabled for security reasons?
> > 
> > 
> > Is there any MIBS that I can use?
> 
> In short, you can't. Tomcat does not provide SNMP, even with the Admin app.

He probably means something like this:

  http://java.sun.com/j2se/1.5.0/docs/guide/management/SNMP.html

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Appeal to Tomcat developers

2008-10-16 Thread Mark H. Wood
On Thu, Oct 16, 2008 at 10:01:30AM +0200, Johnny Kewl wrote:
> The thing that has always amazed me... we use JMX, we have this complex 
> logging engine, but tomcat is a big powerful web server... is it only me, 
> but how come that can't be presented as a web page you just address 
> /myserver/manager/logs

Because it is waiting for YOU to write it?

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Appeal to Tomcat developers

2008-10-16 Thread Mark H. Wood
There is simple, and then there is SIMPLE.

The typical daemon has ONE LINE for logging configuration:  "log file
goes there".  Some might have one line for the error log and another
for an activity log.  Some might let you say whether to use syslog or
files.  If you supply NO configuration, it will probably do something
totally unsurprising and reasonably useful anyway.

Java app.s, on the other hand, tend to have multiple layers of log
abstractions and may very well have dozens or hundreds of lines, in
(a) separate configuration file(s), just to describe logging.  It's
great for debugging but hell for the poor sysadmin who only wants to
say "put the log file there".

I think that's what is being asked: there should be *one page* that
begins with *everything you need to know* in order to say, "put the
log file there".  Just that.  After that, it's appropriate to point
out that much more subtle arrangements are available, and when you
want more, come back, here are pointers to all the hairy details.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Tomcat 5.5 destroys $TOMCAT_HOME/Catalina/[host]/[app].xml on reload

2007-05-21 Thread Mark H. Wood
I'm trying to maintain a testing environment for several developers
who either upload .war files directly or ship them to me for
installation.  These applications need a context parameter defined as
a path on the server.  Rather than have the developers hassle with
swapping paths between development and shipment, or me hassle with
opening up .war files and tinkering with 'context.xml', I'd like to
keep an $APP_NAME.xml in the host-specific configuration directory and
not touch it.

Unfortunately, every time the '.war' is replaced, Tomcat destroys the
file which defines the parameter.  So at the very least I have to keep
a copy elsewhere and copy it back in.

1.  Is this behavior a bug or a feature?  Why should it do this?

2.  Is there a way to stop it?

Oh, the parameter's value is different for each app. but the name is
the same (and can't be changed) so I can't just pile them into
'server.xml' even if that weren't bad form.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: How-to make default Running status = false

2007-05-23 Thread Mark H. Wood
On Wed, May 23, 2007 at 12:20:53PM -0500, Roger Tismeer wrote:
> I've been perusing the wiki and other avenues for some help in regards
> to being able to not Start any of the webapps that I have loaded when I
> start up Tomcat.  Is this possible?

In server.xml the 'host' element's 'deployOnStartup' attribute looks
like it would do this, if set to 'false'.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: How to monitor Tomcat Server.

2007-05-24 Thread Mark H. Wood
On Thu, May 24, 2007 at 03:03:12PM +0530, Praveen Kumar wrote:
> It seems this is also one type of tool. Here again we have some problem,
> i.e. we should monitor this tool too, right?
> 
> So instead of installing a new tool to monitor the Tomcat server, is there any
> feature that the Apache group provides to report Tomcat server status?

There is an insoluble dilemma here.

If you use a separate process to monitor your server, then that
process must also be monitored.  Eventually you have two processes
watching each other, whatever else they may be doing.

If you do *not* use a separate process, then your server can only
report its state transitions if it is still able to do so.  A crashed
process cannot tell you that it has crashed; the most you can get is
that it will begin failing to tell you that it has *not* crashed.

To get complete coverage can become quite elaborate.  To protect
against hardware failure, you need two machines monitoring each other.
To protect against network or utility power failure, you need two (or
more) machines monitoring each other from different sites.

At some point as this scales up, it may be more sensible to just hire
somebody to watch screens and check things periodically.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Server.xml Sort on Start

2007-05-24 Thread Mark H. Wood
I don't *know*, mind you, but random ordering suggests that the
container starts a thread for each 'host' and the checks are taking
place in those threads.  Thread switching is influenced by lots of
things and would be fairly unpredictable, so a bunch of threads
setting up host objects could complete or fail in any order.

The code knows for sure, and you can inspect it if you wish.  I'm
hoping that someone who has already done so will step forward with,
"Mark's right," or, "he's talking rot, you know, it's really thusandso."
But it makes a certain amount of sense to spin off a thread to manage
each address:port pair and let those threads take care of checking and
setup for their own areas of responsibility.

If my guess is right, then you're kind of stuck with your current
method of debugging the config., but maybe you can automate it.  It
mightn't be too hard to script up something that processes the log and
makes a list of which app.s *did* start.  server.xml is, well, XML, so
there are plenty of good tools that can be used to edit it
programmatically.  For example, move all of the known working 'host'
declarations to the end and start again, perhaps shuffling the
remainder.  You could automatically loop through this until the bad'un
is isolated.

This sort of thing would be a waste of programming time for a handful
of hosts, but if you have scores of them and they are fairly volatile
then automated "Monte Carlo debugging" (if you will) may be a good
approach.

Another method would be to disable automatic deployment at startup,
and then drive the manager app. with a script that starts each
app. until one fails or Tomcat freezes.  Less fun, more determinism.

Yet another tactic would be to keep the Tomcat config. files in a
revision control system, or at least to keep backups (possibly with
your editor's help), so that you can readily zero in on the changes
between a recent working config. and the busted one.

If this is an ongoing problem then keeping good records of what went
wrong each time might be useful.  As you spot patterns, you may be
able to develop antibugging techniques and tools to better avoid the
common problems.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: How-to make default Running status = false

2007-05-25 Thread Mark H. Wood
On Thu, May 24, 2007 at 09:01:13PM -0400, Rashmi Rubdi wrote:
> On 5/23/07, Roger Tismeer <[EMAIL PROTECTED]> wrote:
> >It takes about 4 minutes or so to (re)start Tomcat  granted I have
> >30 webapps loaded, but isn't there a switch somewhere that I can toggle
> >to not auto-start any non-Tomcat webapps?
> 
> I was in a similar situation as you've mentioned above.
> 
> I find that keeping the Context descriptor outside server.xml makes it
> a lot easier to switch between applications.

I'll have to remember that one.  Thanks!

> Say your apps are named app1, app2, app3 etc and if you access them as
> 
> http://localhost:8080/app1  http://localhost:8080/app2
> http://localhost:8080/app3 , then
> 
> you would define the Context for each app under
> 
> Tomcat's /conf/Catalina/localhost/  as app1.xml , app2.xml and app3.xml
> 
> Now if you want Tomcat to only load app1 , you just disable the other
> XML files by renaming them as in app2.xml_disable app3.xml_something

In that case, you have to either ensure that your webapp.s do not
contain META-INF/context.xml or that the Host has deployXML='false'.
Otherwise the webapp itself will supply a Context.

Tomcat will generate a Context on its own in some circumstances which
I've not yet completely worked out from the documentation.  How did
you disable this?

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Server.xml Sort on Start

2007-05-25 Thread Mark H. Wood
On Thu, May 24, 2007 at 07:37:25PM -0700, Kyle B wrote:
[snip]
> In regards to Mark's statement. I'm not opposed to writing some XML parsing
> tools to play nice with Tomcat. However, I'm still left trying to figure out
> how Tomcat sorts that HashMap it creates for all Host elements. I've
> looked for patterns that I just can't find. It's not sorted by element order
> in the server.xml, nor by name attribute, or appBase.

Given the information that hosts are collected in a HashMap: Tomcat
isn't sorting anything, and you can't sort a HashMap*.  Hashing
functions are designed to distribute a large key space over a much
smaller set of "buckets" in constant time.  The more apparently random
the relationship between input and output, the better for this
purpose, in most cases.  The entries in a hashtable are deliberately
DISordered on insertion.  Hashing data is like hashing meat and
potatoes: the result is expected to be finely divided and well mixed.

---
* You could sort its content into some other data structure, but apparently
  that's not done here.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: How to customize the context paths for several web application.

2007-06-04 Thread Mark H. Wood
On Mon, Jun 04, 2007 at 06:41:02PM +0800, Guofeng Zhang wrote:
> We have four web applications that are deployed on Tomcat 6.0 at the same
> time. Some special customers want to use special context paths to access
> them, so I think the easiest way is to use context.xml to define the
> context paths.
> 
> I do not know how to do it. Can you kindly give me a sample? Thanks.
> 
> As I know, the context.xml is placed in $CATALINA_HOME/conf/context.xml.
> This way we can only define one context path.

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

There are five places where a Context may be defined.  You probably
want either '$CATALINA_HOME/conf/[enginename]/[hostname]/pathname.xml'
or (within the app. itself) 'META-INF/context.xml'.  In the former
case you would specify the path by the naming of the file; in the
latter, you would code a 'path' attribute in the Context element.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: New to Apache

2007-10-02 Thread Mark H. Wood
On Mon, Oct 01, 2007 at 06:58:23PM -0400, Mark Thomas wrote:
> Tony Fountain wrote:
> > Mark,
> > 
> > I did not hijack a thread.  I started this one myself.
> 
> No you didn't. You hit reply to an old message deleted the content and
> changed the subject. Please don't do this.

Possibly he's an innocent victim of today's over-helpful MUAs.  If I'd
never seen or been told about the Message-ID:, In-Reply-To:, and
References: headers, I'd think that the above actions had wiped out
all traces of the previous thread, and I would think I'm being
efficient by letting the MUA copy the list address for me instead of
typing it myself.

Authors of gooey MUAs would do well to support listmail better by, for
example, providing a button to "send new message to the list that
reflected this message", or enabling the association of a folder with
an address and providing a button for "send to this folder's
associated address".

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Copying large files around

2007-10-15 Thread Mark H. Wood
On Sat, Oct 13, 2007 at 11:02:59AM -0400, Jim Cox wrote:
> On 10/13/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:
> > David,
> >
> > David Kerber wrote:
> > > Let me give a bit more detail:  I am working on a utility function in my
> > > webapp that will periodically copy the database file from the db server
> > > to a backup server on the LAN.
> >
> > Uh cron and cp, anyone? You can even use cron to initiate the
> > backup, too, instead of scripting it from your webapp.
> 
> Or in this case scp (or rcp, or sftp, or ftp) ?

Definitely.  While you're at it, just pipe the backup stream through
instead of collecting a huge file on host A and then moving it to host
B.  I have some DBMS backups that run that way.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Copying large files around

2007-10-15 Thread Mark H. Wood
On Sat, Oct 13, 2007 at 12:41:45PM +0200, Johnny Kewl wrote:
> OK... now if you're on a LAN... that's cool, but for the internet this is not 
> good enough...
>
> If you have a look at something like the Opera browser's file transfer it 
> does some cool things, like if you shut down the machine, next time you 
> start up again, it will pick up where you stopped it, it doesn't start with 
> the whole 1 GB file again.
> In fact if I built a servlet to do this... I would run the Opera browser 
> download against it and stop and start and see if my servlet is to spec...
>
> I think the way to do it is to modify the code in that link for RANDOM 
> file access... i.e. the client knows it's got 800 MB already and only asks for 
> 800 MB onwards, so how do they do that?
>
> Look at this link. 
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
> and look at the byte range header spec. I would build the servlet to 
> that.
>
> With such large files I think the biggest problem to solve is 
> interruptions, i.e. give the user the ability to close the client and go 
> home... tomorrow it starts where it left off. I think file change 
> headers (almost RSS type stuff) come into this as well, in case the file 
> is modified before it is all downloaded, in which case it MUST start again.
>
> Nice question. I'm surprised I can't find code like this on the web 
> already. Have a good look around; it must be there.

Perhaps not the *fastest*, but there *is* code to deal with
transferring files across flaky paths.  You just didn't look far
enough back in history.  UUCP over TCP works well, remembers how far
it got, and will keep trying on a schedule you specify until the job
is done.  I still use it to throw huge files across WAN paths, even
dialup links.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
"Don't throw the past away. / You might need it some rainy day."



Tomcat 5.5: org.apache.catalina.startup.HostConfig logs too much

2007-10-15 Thread Mark H. Wood
When Tomcat scans for things to auto-(un)deploy, it has been logging
every check it makes, every ten seconds.  I realized that I have about
10GB of catalina.out that is mostly this chatter.  I'm currently a bit
baffled by the logging changes 5.0 -> 5.5 -> 6.0, so would someone
please help me figure out how to adjust logging.properties so I don't
miss important stuff, but I don't fill up my storage with:

Oct 15, 2007 4:51:52 PM org.apache.catalina.startup.HostConfig checkResources
FINE: Checking context[/host-manager] redeploy resource
/etc/tomcat-5.5/Catalina/localhost/host-manager.xml

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
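As an added example (not part of the original post or of Tomcat's shipped configuration), here is a conf/logging.properties fragment that silences exactly this chatter. It assumes the stock Tomcat 5.5 JULI layout, in which catalina.out is fed by java.util.logging.ConsoleHandler and HostConfig logs under its class name.

```properties
# Added example, not from the original post: quiet HostConfig's per-scan
# FINE records without losing FINE output from anything else.
#
# A record reaches a log only if BOTH the logger's level and the handler's
# level admit it.  The console handler (which becomes catalina.out) is left
# at FINE so other components can still be debugged when needed ...
java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

# ... but this one logger is raised to INFO.  Its "Checking context[...]
# redeploy resource ..." records are emitted at FINE, so they are dropped
# before any handler sees them.  Real deploy/undeploy events (INFO and
# above) from HostConfig still appear.
org.apache.catalina.startup.HostConfig.level = INFO

# Broader, blunter alternative: raise the handler instead of the logger.
# This cuts EVERY FINE record from catalina.out, not just HostConfig's.
# java.util.logging.ConsoleHandler.level = INFO
```

Pick the logger-level line when you still want FINE detail from the rest of Catalina; pick the handler-level line only when a quiet catalina.out is all that matters.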




Re: tomcat/java process strangeness

2007-10-19 Thread Mark H. Wood
On Wed, Oct 17, 2007 at 10:11:36AM -0400, Christopher Schultz wrote:
> > Second strange case:
> > When I start tomcat using /opt/tomcat/bin/catalina.sh start, I get 21
> > processes that are running the same command (different PIDs). And my tomcat
> > instance seems to run fine without problem. When I kill one of the
> > processes, the rest will go down as well.
> 
> You are seeing each thread as a Linux process. This is perfectly fine
> depending on the kernel version (can't remember which ones do what).
> Linux uses processes to model threads, so it's nothing to worry about.

It's a little more complex than that.

Linux recognizes this overarching abstraction called a Context of
Execution.  Two COEs that have the same virtual address space are what
most people would think of as "threads".  A "process" is the set of
all COEs sharing a given virtual address space.  Apparently the thing
that 'ps' is looking at is actually a table of COEs, not processes.

To make things more fun, different versions of 'ps' work differently.
procps v3 by default coalesces all of a process' threads into a single
line, but 'ps -eLf' will show individual threads.  IIRC procps v2
shows individual threads by default, and I don't recall whether it has
the option of coalescing them.  For still more fun, procps forked
between v2 and v3, so it's possible you are still getting fresh
updates of procps v2.

At one point I had one Tomcat running on Red Hat Linux and another
on Gentoo Linux, and one showed a huge number of Tomcat "processes"
while the other showed only one.  Switching attention between the two
was, uh, interesting.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Best Linux distribution

2007-11-14 Thread Mark H. Wood
Yes, before anyone can tell you which is best, you need to work out
for yourself, and tell us, what makes a distro "best".  Do you want to
just pour it into a machine and have everything done for you?  Do you
chafe at the very notion that someone could know your needs better
than you?  Do you need someone to talk to when things go wrong? to sue
when the answers don't satisfy?  Do you have uncommon hardware to
support?  Will your hardware vendor return your calls if you don't use
his preferred distro? do you care?

I've run Red Hat, Debian, Suse, and Gentoo, and I'll take Gentoo any
day, but I'm a very hands-on, tweak-the-last-cycle-out,
do-it-with-a-text-editor-or-don't-do-it sort of sysadmin.  There are
good reasons to choose any of those, or others, and you have to decide
which reasons are yours.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: User roles

2007-12-14 Thread Mark H. Wood
I wonder if the OP means the shutdown password?  That's in server.xml,
and the only consequence of changing it that I know of is that your
shutdown script needs to be kept in sync. with this or it won't work.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Why use a Web Server over Tomcat?

2008-01-08 Thread Mark H. Wood
On Tue, Jan 08, 2008 at 03:17:38PM +0100, Mikolaj Rydzewski wrote:
> There's no simple answer. Running apache in front of tomcat has advantages:
>
>* load balancing / failover
>* static content handling (I know, tomcat behaves better and better,
>  but some people want to have apache handle this)
>* easy integration of webapps from remote hosts
>* probably more...

* no need to fiddle with the weird Java-only truststore library files
  when providing certificates
* no need to discover the specific incantation for your system that
  will allow Tomcat to open low-numbered ports (80, 443) and yet run
  as a nonprivileged user (not an issue on Windows, which lacks the
  notion of "privileged" ports)
* easily throw up an informative page ("service will resume by nn:nn")
  when taking services down for maintenance, instead of returning
  port-not-reachable
* many many well-tested specialty modules for Apache HTTPD should you
  need to do something out of the ordinary

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Is Tomcat FIPS compliant

2008-01-14 Thread Mark H. Wood
That probably depends on which FIPS you mean.  There are at least 201
different U.S. Federal Information Processing Standards.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: How can I preserve a directory on Deployment?

2008-01-16 Thread Mark H. Wood
Well, I probably wouldn't put that directory anywhere near
$TOMCAT_HOME; I'd want it somewhere on /var with other volatile and
temporary stuff.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.




Re: Ordered loading of WAR files

2008-01-23 Thread Mark H. Wood
On Wed, Jan 23, 2008 at 05:01:35PM +0300, Konstantin Kolinko wrote:
> > On windows my issues appears to be that the context.xml from the
> > auth.war is being cached inside tc/conf/Catalina/localhost/...
> 
> "cached" is not the right word. It is how deployment mechanism works
> in tomcat. The presence of .xml in
> tc/conf/Catalina/localhost/ means that you application has been
> successfully deployed.   Removal of the file means that you trigger
> the auto-deployment mechanism for your application.  See
> http://tomcat.apache.org/tomcat-6.0-doc/config/context.html for details
> (look for "$CATALINA_HOME/conf/[enginename]/[hostname]/" there)

Well, I can understand his confusion, as it mirrors my own.  Here is
what it says:

 Context elements may be explicitly defined:

* in the $CATALINA_HOME/conf/context.xml file: the Context element
  information will be loaded by all webapps
* in the
  $CATALINA_HOME/conf/[enginename]/[hostname]/context.xml.default
  file: the Context element information will be loaded by all
  webapps of that host
* in individual files (with a ".xml" extension) in the
  $CATALINA_HOME/conf/[enginename]/[hostname]/ directory. The name
  of the file (less the .xml) extension will be used as the
  context path. Multi-level context paths may be defined using #,
  e.g. context#path.xml. The default web application may be
  defined by using a file called ROOT.xml.
* if the previous file was not found for this application, in an
  individual file at /META-INF/context.xml inside the application
  files
* inside a Host element in the main conf/server.xml

 In addition to explicitly specified Context elements, there are
 several techniques by which Context elements can be created
 automatically for you.

Note:  "explicitly defined."  This says to me that
$CATALINA_HOME/conf/[enginename]/[hostname]/contextname.xml, if it
exists, is configuration data provided by the person deploying the
application.  It doesn't say anything about Tomcat owning these files
and being allowed to create and destroy them at will.

The documentation apparently doesn't reflect the behavior of the
code.  Let me say that I find the documented behavior much more useful
than what we actually get.



Re: 30 Mb of common jars in each of 5 war files, should i consolidate?

2007-06-08 Thread Mark H. Wood
On Thu, Jun 07, 2007 at 11:19:06AM -0600, Larry Meadors wrote:
[Consolidating 69 different copies of libraries from '.war's into
${CATALINA_HOME}/common/lib]
> It's one of those ideas that looks
> good on paper, but sucks in practice.

Okay, I'll ask:  why?



Re: Programmatically Determine JVM Version used by Tomcat

2007-06-08 Thread Mark H. Wood
If you fetch 'java.runtime.version' in freestanding code then you'll
get the version of the current default JRE, which might not be what
Tomcat is using.  But if you fetch it in a servlet, then you should
get the version of the JRE that's running Tomcat, no?


<%@ page language="java" contentType="text/html; charset=US-ASCII"
pageEncoding="US-ASCII"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Dummy Web Application</title>
</head>
<body>
<p>This is a test.</p>
<p>
Java Runtime Environment version
<%=System.getProperty("java.runtime.version")%>
</p>
</body>
</html>



Re: Programmatically Determine JVM Version used by Tomcat

2007-06-08 Thread Mark H. Wood
Well, that was silly.  The Tomcat HTML Manager already provides the JRE
version at the bottom of the page, if you wanted to manually check
it.  To check by script, you could use the plain Manager:

[EMAIL PROTECTED] ~ $ wget --quiet -O - --user USER --password PASSWORD http://localhost:8080/manager/serverinfo
OK - Server info
Tomcat Version: Apache Tomcat/5.5
OS Name: Linux
OS Version: 2.6.18-gentoo-r6
OS Architecture: i386
JVM Version: 1.5.0_11-b03
JVM Vendor: Sun Microsystems Inc.



Re: Embed license to tomcat

2007-06-08 Thread Mark H. Wood
As others have noted, this may be doable but it's the wrong approach.
You are trying to solve a legal problem with information technology.
It is very rare for such an approach to accomplish much, other than to
irritate customers who are behaving properly.

MAC address is a particularly poor choice:

o  Many hosts have multiple NICs.  Which MAC address is used?
o  NICs fail and must be replaced.  Now your legitimate customer's
   product accuses him of theft.
o  Customer backs up failing host A and restores on new host B.
   Legally licensed product again refuses to run, because host B has
   different NIC(s).

Having to re-register a product for reasons unrelated to the product
is a negative Customer Experience, and the marketplace will punish
such designs.



Re: Stop deployOnStartup for only one webapp

2007-06-15 Thread Mark H. Wood
Could you give the host another name and set up a separate virtual
host for your standby Sakai instance?  The Host container seems to be
the only one that defines deployOnStartup.  This separation might have
other minor benefits.

What happens when you place the application outside of appBase, create
an explicit Context (PATH.xml) with docBase pointing to it, and flip
the Context file into/out of $CATALINA_HOME/config/Catalina/localhost ?
It shouldn't be too hard to arrange for a startup script to delete
certain Context files before Tomcat starts, and then you can copy one
in later when you want it.



Re: JavaMail SMTP authentication in JSP

2007-07-13 Thread Mark H. Wood
If you *do* get it working with TLS, I'd appreciate hearing how.



Re: Tomcat and JRE redistribution

2007-07-19 Thread Mark H. Wood
On Wed, Jul 18, 2007 at 01:06:04PM -0400, broken connection wrote:
> At the end, the only thing that should matter to TOMCAT or ANT is that they
> should be able to find the classes in the JRE, so I don't understand why
> you guys don't recommend this

Because if everybody did it that way, customers' machines would be
littered with dozens of copies of the JRE, each a different version,
and the customers would descend into the Java annex of DLL Hell.  Not
good customer relations.  Remember: you are not the only software
vendor in the universe, and your product is not the only product.

Oh, wait...everybody *does* do it that way. :-{

Wearing my sysadmin. hat:  I would say that it is perfectly okay for
your install package to *use* its own copy of JRE to run its own copy of
Ant to install your product.  It is NOT OKAY to leave these behind
like muddy footprints on the carpet after the work is done.  A proper
installer should:

1.  check the PATH and JAVA_HOME to see if there is already a JRE, and
not install another one if so;

2.  never install Ant;

3.  check CATALINA_HOME to see if there's already a Tomcat installed,
and not install another one if so;

4.  ask the person running it for corrections to all of these paths,
and for permission to install *anything* other than the product
itself;

5.  (a bit offtopic) accept all of this information on the commandline
so that it can be scripted.

A good installer never installs anything that the customer has already
provided.  A good installer never behaves as though it thinks it is
smarter than the customer, even if it is.

A polite installer might simply report that it cannot find X, version
M.N is available on the CD for the sysadmin.s convenience, and would
he be pleased to install that, to install an equal or better version
while this installer waits, or to abort the installation of this
product.  To be frank, most days I'd be satisfied if an installer just
told me *exactly* what it wanted and then quit.  That's a lot better
than many installers that have afflicted me over the years.

Yes, it's a lot of work.  The first time.  After that, if you built
your installer well, you only need to tweak it a bit for the next
product.  Your customers will remember that your product told them
what they needed to know, did what you said it would do, and didn't
cause any trouble.  That is so rare that they will think of you first
the next time they need software.



Re: Tomcat with 8 GB memory

2007-07-31 Thread Mark H. Wood
On Fri, Jul 27, 2007 at 07:25:26PM -0400, Christopher Schultz wrote:
> The reverse is true. First of all, no home user ever bought an 8-bit
> machine.

Um, ask the owner of an Apple ][ about that.  Likewise my Synertek
SYM-1 used an 8-bit 6502 processor, as did designs by Atari,
Commodore, etc.  Then there were a number of designs built around the
Zilog Z80, by Radio Shack, Sinclair, and others.  Intel's line never
caught on beyond the industrial and hobbyist markets until the 8086,
but there were plenty of others.  CP/M's market was 8-bit machines.



Re: Tomcat with 8 GB memory

2007-07-31 Thread Mark H. Wood
I think what we're seeing here is the reason for the oft-heard,
seldom-heeded advice that the only benchmark which means anything is
*your application*.  Once you see how the code you care about
performs, *then* you can bum a few cycles here and there to tune it
up.  Generalities such as "64-bit machines are faster/slower" really
don't say much outside the context of a specific application.



Re: Recovery from OutOfMemoryError?

2007-08-01 Thread Mark H. Wood
Would you (or anyone) care to provide a link to where I can learn more
about swatch?  Everything I've turned up so far points to a wanna-be
replacement for UTC called "internet time" promoted by a watchmaker.



Re: Installing Tomcat on Linux

2007-08-03 Thread Mark H. Wood
On Thu, Aug 02, 2007 at 05:51:27PM -0400, Steve Ochani wrote:
> LOL, I would ask him if he sits there and examines all the code of
> everything that is on his system.

Ya know, I don't do that before I install most stuff, but I *do* tend
to open the source kit and read it when I want the product to do more,
or when I think it's failing, or just when I don't understand why it
does *that* when I say *this*.  In a former position I wound up
reading maybe 70% of the entire operating system over the course of
several years.  It really does happen.  In fact I have some bits of
Tomcat source on my desk right now, and a pile of somebody else's
servlet code as well.



Re: How to avoide delete context.xml - 6.0.14

2007-08-03 Thread Mark H. Wood
On Fri, Aug 03, 2007 at 02:05:07PM +0200, [EMAIL PROTECTED] wrote:
> I'm using /conf/Catalina/localhost/myapp.xml context configuration.
> My deployment works as ant-copy directly to the /webapps directory.
> 
> After the copy, the previous installed
> /conf/Catalina/localhost/myapp.xml will be deleted by the server
> automatically.
> 
> So I have to provide the file again, and to restart the server ;(
> 
> In 5.0.30 it works so cool...

If you get an answer off-list, please share.  5.5 has the same problem.



Re: Installing Tomcat on Linux

2007-08-03 Thread Mark H. Wood
Well, the security argument depends more on "you *could*" than on "you
*do*".  Somewhere out there is someone crazy enough to comb through
any given source kit looking for evil.  Would any counterfeiter have
the guts to set up his print shop on the sidewalk outside a police
station?  Much of security boils down to convincing the bad guys that
they *could* be caught.

The efficiency argument (you can tune it to your specific setup)
doesn't really apply to Java programs (like Tomcat) because the
(virtual) "hardware" is the same everywhere.  If the build process
isn't configurable, I wouldn't give this one any weight for Java
app.s.

There's the self-maintenance argument: if you see anomalous behavior,
or want to make modifications, or just want to better understand
what's going on, you can read or modify the source.  If you're not at
least part programmer, though, you probably won't do that.

The other argument is that you know what goes into your system.  For
example, I know that Gnome is a big fat pig because I have one
Slackware system where I've had to spend hours pulling down library
after library after huge library just to get one or two tiny app.s to
compile. :-)  Again, this has little application to Java app.s because
their packaging teams always throw in whatever pile of .jar files is
needed to make them work, no matter how many copies of any library you
may have already.

So, if you're not going to inspect the code yourself, it makes little
difference whether you build Tomcat yourself or let someone else do it
for you.  The one weak argument against is that popularity of source
packages tends to make the risk of corrupting them seem larger, so you
could lie to the bad guys by fetching a source kit that you intend to
blindly install.  I doubt this would sway many sysadmin.s.

As another Gentoo fan, I'd certainly get source and tweak the living
daylights out of the build configuration and compiler switches of any
non-Java app. I wanted.  But I probably wouldn't do the same for a
Java app. unless I had some reason to dig into the source myself.



Re: RES: RES: Context.xml file

2007-08-17 Thread Mark H. Wood
All the solutions I ever heard of boil down to two approaches:

1)  The secrets are stored in the computer, and protected by filesystem
permissions.  This is what you have now.  Ensure that the
filemode/ACL/whatever is correct to prevent unauthorized access to
the files containing the secrets.  There is no way to improve on
that.  Add as many layers of encryption as you like, but if the
machine can start without assistance then ultimately there must be
a secret stored as cleartext in a file somewhere, and your
security depends on protecting that file.

2)  The secrets are not stored in the computer; when the application
starts, it must notify an operator and wait for him to supply the
secrets, whether by typing in a passphrase, plugging in a
smartcard, or whatever.  The application cannot serve users until
a human has responded.  Your security depends on the
trustworthiness of that human.

The choice is made based on whether you think you are likely to lose
more by someone breaking into the machine's privileged accounts, or by
ignoring customers until a human notices the request for secrets.


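An added example, not code from the post above: a Python audit of approach 1, "protect the file". It walks the files under $CATALINA_HOME/conf that commonly hold secrets (the list of file names is an assumption) and reports any whose mode or owner would let someone other than the service account read or change them; the conf tree it builds for the demonstration is constructed, not a real installation.

```python
"""Added example: audit the Tomcat configuration files that carry secrets
(database passwords in context descriptors, tomcat-users.xml, keystore
passwords in server.xml) for permission bits or an owner that would let
anyone other than the service account read or change them."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Files under $CATALINA_HOME/conf that commonly hold credentials (assumption:
# your deployment may keep secrets elsewhere; extend the list to match).
SECRET_FILE_GLOBS = (
    "context.xml",
    "server.xml",
    "tomcat-users.xml",
    "Catalina/*/*.xml",   # per-host context descriptors
)


def mode_problems(mode: int, allow_group_read: bool = False) -> List[str]:
    """Describe the bits of a POSIX mode that expose a secret-bearing file.

    Group read is optionally tolerated for setups where a dedicated group owns
    the files; write access for anyone but the owner is never acceptable."""
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IRGRP and not allow_group_read:
        problems.append("group-readable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def audit_conf_dir(conf_dir: str, expected_uid: Optional[int] = None,
                   allow_group_read: bool = False) -> Dict[str, List[str]]:
    """Map each offending file (relative to conf_dir) to its list of problems.

    Files that pass are omitted, so an empty result means the directory is
    clean.  Symlinks are followed, so a link to a world-readable copy is
    reported on the target's real permissions."""
    base = Path(conf_dir)
    findings: Dict[str, List[str]] = {}
    for pattern in SECRET_FILE_GLOBS:
        for path in sorted(base.glob(pattern)):
            if not path.is_file():
                continue
            st = path.stat()
            problems = mode_problems(stat.S_IMODE(st.st_mode), allow_group_read)
            if expected_uid is not None and st.st_uid != expected_uid:
                problems.append("owned by uid %d, expected uid %d"
                                % (st.st_uid, expected_uid))
            if problems:
                findings[str(path.relative_to(base))] = problems
    return findings


def build_sample_conf() -> str:
    """Constructed sample: a throwaway conf tree with one correct and two
    sloppy files.  It is not a real Tomcat installation."""
    root = tempfile.mkdtemp(prefix="tomcat-conf-")
    Path(root, "Catalina", "localhost").mkdir(parents=True)
    samples = {
        "tomcat-users.xml": 0o600,              # owner only: passes
        "context.xml": 0o644,                   # world-readable JDBC password
        "Catalina/localhost/myapp.xml": 0o666,  # anyone can edit the descriptor
    }
    for rel, mode in samples.items():
        path = Path(root, rel)
        path.write_text("<!-- constructed sample, no real secrets -->\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, problems in audit_conf_dir(build_sample_conf()).items():
        print("%s: %s" % (rel, ", ".join(problems)))
```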

Re: Tomcat Feature List

2007-08-28 Thread Mark H. Wood
I take it that you found http://tomcat.apache.org ?  In what way does
it not answer your question?

Your question is rather vague -- the answer depends on what you
consider to be a "feature".  What do you expect to find?



Re: Need info on IPv6 support for Tomcat in RHEL and SLES distros

2007-08-31 Thread Mark H. Wood
Well.  That depends on what the application does.  An application
which makes no assumptions about the size of an address and does not
inspect or process addresses in any way should not care whether it is
dealing with IPv6.  Things like the RemoteAddrValve should be checked
carefully before depending on them to be unaffected.

(RemoteAddrValve itself shouldn't be a problem, but your patterns
might be, and so might the JVM's treatment of v4 vs. v6 addresses.)

There are also URI manipulation subtleties.

I expect that *most* applications won't care -- the spec. writers seem
to have done a thorough job.  But I wouldn't be surprised to find that
there are applications which will need some fixing for v6.

Have a look at this for starters:

  http://java.sun.com/javase/6/docs/technotes/guides/net/ipv6_guide/index.html



Re: Context deletion on redeploy

2007-09-12 Thread Mark H. Wood
On Wed, Sep 12, 2007 at 09:38:45AM -0400, Christopher Schultz wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Balázs,
> 
> [EMAIL PROTECTED] wrote:
> > 4. Using Tomcat Administrator application the admin changes environment 
> > settings defined in conf/Catalina/localhost/warname.xml (which was 
> > extracted 
> > from the war).
> 
> Why would you make an administrator do this when you can make it part of
> the deployment process?

Why would you make the deployment process so hostile when you could
let the administrator control his own machine?

> > The only way was to put resource links to the war/META-INF/context.xml that 
> > link to GlobalResources.
> 
> This isn't true. You can put "real" resources into META-INF/context.xml.
> Why not just do that?

Perhaps because one is deploying on several different hosts and each
needs different settings?

> > But now I have to deploy the same unmodified war many times to the same 
> > tomcat 
> > so I have to use different settings at each webapp.
> 
> I would highly recommend changing your deployment strategy so that you
> are deploying a /modified/ copy of your WAR file each time -- one that
> has the correct settings for your environment.

Ewww.

I've seen this come up several times (and brought it up myself), and
everyone is dancing around the real issue:  Tomcat seriously violates the
Principle of Least Surprise.  Programs should not muck with their own
configurations on their own initiative.  Sysadmin.s expect the
settings they make to stay set.  If they need to override default
values within a .war, their changes shouldn't be blown away with every
redeployment.



Re: is jsvc not used here? Re: slow shutdown with jsvc

2007-09-13 Thread Mark H. Wood
Gentoo Linux comes with its own startup script for Tomcat (using, I
believe, tools from Debian) that fits into the Gentoo startup
structure, so one doesn't need jsvc there.  I suppose that many other
distro.s do likewise, although some may use jsvc "under the covers".



Re: Xmx and Xms size

2008-01-30 Thread Mark H. Wood
What kind of processors specifically?  In a 32-bit address space,
there's no point in giving Tomcat more than 2GB, because the JVM won't
use it.  If you have 64-bit userspace and a JVM built for it then you
can use more, but remember to leave a bit for OS caches, other
processes, etc.  (Starve the block cache and your disk I/O throughput
will suffer.)

From somewhere I recall a rule of thumb: if the box's primary duty is
to run a single Java app., give that app. up to 75% of physical
memory.  But that's a rule of thumb, and could be made nonsense by
unusual hardware or an unusual app.  Any answer you get here should be
taken as initial conditions for a tuning exercise: start there,
measure performance and resource utilization, theorize, adjust, repeat
until you get the performance you need or are convinced that you can't
without changing something else (application design, bigger/faster
hardware, network optimization, whatever).



Re: Xmx and Xms size

2008-01-30 Thread Mark H. Wood
Ah, yes, I addressed only -Xmx.  For -Xms, you could try this.  Throw
a typical load at your app. and monitor it until memory use seems to
be fairly stable.  Round that up to a convenient number and use that
for -Xms.  That way, your app. should not have to ask for more until
the load goes above typical, meaning rarely.

-Xmx is useful mainly to keep your app. from starving other critical
memory users, such as disk I/O, and staving off swapping.  Set it
anywhere from a low multiple of -Xms to as much as you don't want to
reserve for system caches and any other app.s you need to run
regularly.  Again, you either know all about your system and can
calculate this already, or you pick any non-ridiculous number and
measure/adjust until you are satisfied.



Re: Using mod_jk with other Java programs

2008-02-19 Thread Mark H. Wood
Implementing AJP just to get proxying may be more than you want to do.

However, to address your question, notice in jk-workers.properties
that mod_jk doesn't point to programs; it points to host:port pairs.
Whatever is listening to that port on that host will get the requests
that mod_jk siphons off for that worker.  (The URL/worker mapping is
done with jkMount directives in the main config.)



Re: Apache2 adn/or Tomcat6?

2008-02-22 Thread Mark H. Wood
I must've missed the place in the documentation where it explains how
to get Tomcat to start as root, then drop privileges after opening
listening sockets on low-numbered ports that are only accessible by
root, like Apache HTTPD does.

On most Unix-alikes, you have to choose:

o  tell people to use port 8080 or whatever nonprivileged port you
   configured;

o  use a packet-mangling firewall rule to remap port 80 to port 8080
   or whatever;

o  place a proxy (such as Apache HTTPD) in front of Tomcat to forward
   port 80 traffic;

o  run Tomcat as root, allowing buggy app.s to make arbitrary changes
   anywhere on your server.

If I ever have time to do something about that, I'll be sure to submit
a patch.



Re: Apache2 adn/or Tomcat6?

2008-02-25 Thread Mark H. Wood
On Fri, Feb 22, 2008 at 12:57:22PM -0800, Alan Chaney wrote:
> Or as I mentioned in a recent email, you can run something like jsvc and 
> set the user to 'tomcat' which allows you to bind to the port and then
> changes the user.

Okay, either I wasn't paying attention the last time I looked at jsvc,
or the documentation has improved quite a bit.  I've tried it before
and it wouldn't do what I wanted.  Time to try again.  Thanks.



Re: Configuring Tomcat for multiple users

2008-02-25 Thread Mark H. Wood
Note that the user web application mechanism only recognizes one
webapp per user.

If you need more than that, you might write up a little gadget (to be
run setuid) which collects and vets enough information to construct a
context descriptor file and then deposits it in
$CATALINA_HOME/config/Catalina/$HOST/$CONTEXTNAME.xml on the user's
behalf.


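An added example, not the poster's code, of the vetting such a setuid gadget needs before it deposits a descriptor on a user's behalf. It assumes the per-host directory is conf/Catalina/$HOST (the directory named in the Tomcat documentation quoted earlier in this archive), treats ROOT, manager and host-manager as names a user may not claim, and works on a constructed throwaway layout.

```python
"""Added example: the vetting a privileged helper should do before it writes
a context descriptor into Tomcat's per-host configuration directory on an
ordinary user's behalf."""
import re
import tempfile
from pathlib import Path
from typing import Tuple
from xml.sax.saxutils import quoteattr

# One or more path segments; '#' separates the levels of a multi-level context
# path, matching Tomcat's descriptor naming (context#path.xml).
CONTEXT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(#[A-Za-z0-9_-]+)*$")
HOST_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
# Names an ordinary user must not claim: the default application and
# Tomcat's own management applications (assumed policy).
RESERVED_NAMES = {"ROOT", "manager", "host-manager"}


class RejectedRequest(ValueError):
    """A request failed a check; the message is safe to show to the user."""


def vet_request(catalina_home, host, context_name, doc_base, user_home) -> Path:
    """Return the descriptor path that may be written, or raise RejectedRequest.

    Checks, in order: the context name is well-formed and not reserved; the
    host is one Tomcat already has a directory for; docBase resolves (symlinks
    followed) to an existing directory or .war inside the requesting user's
    home; and no descriptor of that name exists yet, so one user cannot
    replace another user's deployment."""
    if not CONTEXT_NAME_RE.match(context_name):
        raise RejectedRequest(
            "context name may contain only letters, digits, '_', '-' and '#'")
    if context_name.split("#")[0] in RESERVED_NAMES:
        raise RejectedRequest("context name %r is reserved" % context_name)
    host_dir = Path(catalina_home, "conf", "Catalina", host)
    if not HOST_NAME_RE.match(host) or not host_dir.is_dir():
        raise RejectedRequest("unknown virtual host %r" % host)
    home = Path(user_home).resolve()
    doc = Path(doc_base).resolve()
    try:
        doc.relative_to(home)
    except ValueError:
        raise RejectedRequest("docBase must lie inside %s" % home) from None
    if not (doc.is_dir() or (doc.is_file() and doc.suffix == ".war")):
        raise RejectedRequest("docBase must be an existing directory or .war")
    descriptor = host_dir / (context_name + ".xml")
    if descriptor.exists():
        raise RejectedRequest(
            "context %r already exists on host %r" % (context_name, host))
    return descriptor


def build_descriptor(doc_base) -> str:
    """Render the minimal descriptor.  Only docBase is taken from the user, so
    Valves, Realms, privileged="true" and the like cannot be smuggled in."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<Context docBase=%s />\n') % quoteattr(str(Path(doc_base).resolve()))


def build_sample_layout() -> Tuple[Path, Path]:
    """Constructed sample: a throwaway CATALINA_HOME with one host directory
    and a user home holding one application.  Not a real installation."""
    root = Path(tempfile.mkdtemp(prefix="ctxvet-"))
    catalina_home = root / "tomcat"
    user_home = root / "home" / "alice"
    (catalina_home / "conf" / "Catalina" / "localhost").mkdir(parents=True)
    (user_home / "www" / "myapp").mkdir(parents=True)
    return catalina_home, user_home


if __name__ == "__main__":
    catalina_home, user_home = build_sample_layout()
    app = user_home / "www" / "myapp"
    target = vet_request(catalina_home, "localhost", "myapp", app, user_home)
    target.write_text(build_descriptor(app))
    print("wrote", target)
```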

Re: Security and Performance Configuration

2008-02-25 Thread Mark H. Wood
Well, IF you are sure you want to use Apache HTTPD to frontend Tomcat,
there's no reason for Tomcat to run an HTTP connector at all.  Just
use the AJP connector, and only allow it to listen to your frontend
service(s), or firewall it away from the Big Bad Internet.  (Or both.)



Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-03 Thread Mark H. Wood
A hollow voice whispers, "IPSec".



Re: tomcat-users.xml

2008-03-12 Thread Mark H. Wood
On Tue, Mar 11, 2008 at 06:37:03PM +, Mark Thomas wrote:
> Tomcat re-writes the file. Any comments are lost. Real users, groups etc 
> will be kept.

Since the question came up, would someone please tell me *why* Tomcat
does such a strange thing?



Re: Making the most of 8G of RAM

2008-03-18 Thread Mark H. Wood
On Mon, Mar 17, 2008 at 11:16:49PM +, Stephen Nelson-Smith wrote:
> I plan to test running with a newer JVM shortly.  I have been told by
> the developers that the application needs to run under 1.4.2.

Whatever they mean by that.

If they mean, "needs 1.4.2 or newer", that's quite reasonable and you
are in good shape for an upgrade.

If they mean, "we tested it aeons ago when 1.4.2 was current and don't
know what it will do with a newer JVM" then they should do the testing
again with a contemporary version.

If they mean, "must have 1.4.2 *exactly* or it will croak" then your
developers are insufficiently trained.  Code so haywired that it
depends on the quirks of a single version of anything in its
environment is too fragile for production use.



Re: [OT] RE: Making the most of 8G of RAM

2008-03-18 Thread Mark H. Wood
Don't forget to leave some space for the OS' buffer cache.  If your
app.s do a lot of I/O then they can benefit a great deal from having
the most commonly accessed storage blocks cached all the time.

W.r.t. Tomcat tuning this means you don't try to use up all of
physical memory with Tomcat instances.  Set the heap maxima so that
the total, plus fixed overhead for Tomcat itself and the JVM, leave
enough room for the OS and generous caches.  You'll have to monitor
and retune iteratively to find out how much "generous" should be.  If
you see *any* swapping then you probably ought to reduce the maxima
until it goes away.

Also monitor how much of your heap space is actually used during peak
usage periods.  Giving your app.s a huge slab of memory is a
reasonable first step in exploring performance issues, but you may be
unable to make use of all that memory in your app.s.  In that case you
may want to see if giving some of it back to the OS (see caching
above) would give better overall performance.



Re: Top mail servers

2008-03-28 Thread Mark H. Wood
Another happy multiple Exim user here.  I migrated from Smail, and
also operated an MMDF descendant called PMDF for several years, so
that may explain my preference.

I would suggest investigating several different MUAs and deciding
which one best balances the capability you need with the pain of
configuring it.  Properly setting up an MUA, *any* MUA, is not simple.



Re: Securing Tomcat on FC8

2008-03-28 Thread Mark H. Wood
Aside from packet-mangling the port numbers between the interface(s)
and Tomcat's sockets, there are two other ways to use "privileged"
ports but not run Tomcat with special privilege:

1.  Run behind something like Apache HTTPD, which already does the
privilege separation for you.  This is a heavyweight approach,
probably too heavy if you don't have any other reason to run
HTTPD.  (Reasons would include already having HTTPD for other
purposes, or needing some esoteric module whose function hasn't made
its way into Tomcat yet.)

2.  Commons Daemon, also known as 'jsvc'.  This is what most people
will recommend.  They never say how it works, though, so I
investigated a little, and now I think I'm ready to believe in it.

jsvc is a native program which, after daemonizing itself, will
start up a JVM, have it load a given class, and invoke several
methods of that class.

jsvc will bring up a daemon in two stages.  In the first stage it
runs as the invoker's UID (e.g. root) and calls a method in a
given class to set up privileged stuff like low-numbered ports.
Then it changes to a given UID and calls another method to
actually run the daemon's service.  This is a rather clever way of
leveraging Java's classloading features to achieve the same effect
as familiar privilege-dropping, without forking and with isolation
of the platform-specific code in a single executable.  Anyway,
recent Tomcat exposes the necessary methods to be run by jsvc.

I don't use jsvc yet, but I want to experiment a bit and eventually
submit patches to Gentoo to replace the current complicated rigmarole
in their Tomcat startup script with something simpler built around
jsvc.



Re: Deleting context xml files

2008-04-02 Thread Mark H. Wood
Oh, yes, I've seen that too.  I've spent so much time fighting this
problem that I now keep both 'ctx.xml' and 'ctx.xml.saved' in each
host directory, and always edit the .saved version and copy it over,
so that I don't lose my work when Tomcat destroys the live context
file.

But I haven't seen it happen recently.  I may have been keeping the
affected '.war's in the appbase directory, and then moved them out.
The fundamental rule seems to be:  don't keep any part of your app. in
Tomcat's own directories, except a context specifier, if you expect
Tomcat not to meddle with it.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: Tomcat has stopped working

2008-04-07 Thread Mark H. Wood
"iSeriesNavigator" sounds like some application that came with your
IBM i-Series hardware.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: Why use SOAP in Java

2008-04-09 Thread Mark H. Wood
I wonder if the real question here is not more like:  what advantage
does one gain in using RPC rather than some other method?  I must
admit that I sometimes ask myself that question.  I must also admit
that this whole thread is too general to be topical on the Tomcat list.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: jsvc creates pid file owned by root

2008-04-10 Thread Mark H. Wood
Do you *really* want that file to be world-writable?  Why not 644?

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: Changing the Webapps directory

2008-04-10 Thread Mark H. Wood
Consider also that, depending on your Windows version and perhaps
other factors, your service may have *no network credentials* and be
unable to map drives.  Recent versions (sorry, I have been away from
Windows for a while) added several system accounts specifically for
the use of services that need access to remote resources.  On older
versions you'd need to create or select a domain account, grant it
sufficient rights and privileges on the host, and use that account to
run your service.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: Problem with datasource connecting to postgresql

2008-04-17 Thread Mark H. Wood
You must be careful to distinguish the two different users involved.

The OS user would determine whether there is a permissions problem
with the JAR containing the PostgreSQL JDBC driver, but be
insignificant in actually connecting to the DBMS.  Ensuring that the
JAR is world-readable should eliminate this as a source of trouble.

The PostgreSQL user (I think it was "testmanager") partially
determines which entry in pg_hba is used to authorize the connection
-- the other determinant is the type of connection (local or network
socket, and (for network socket) the client host address).  The OS
user is not involved in this unless the DBMS is configured to pass
credentials through to e.g. PAM.

You might check the PostgreSQL monitor log for clues.  You may have to
adjust the logging configuration to be sure you get enough information
to be useful.  If you see no connection attempted, it wouldn't appear
to be a problem with the database user.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: tomcat disappearing...

2008-04-24 Thread Mark H. Wood
First guess: the Linux "OOM killer".  When memory gets desperately
tight, the kernel picks a victim process and terminates it to recover
some memory.  Large processes lacking controlling terminals, such as
Tomcat, tend to be the preferred victims.  Check your OS log files to
see if there are signs of severe memory pressure.  You could also
investigate by experiment:  try to provide a lot more swap space and
see if the problem is alleviated.

If this is it, the real cure is more memory.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
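The post suggests checking the OS logs for signs that the kernel's OOM killer took Tomcat out. The following is an added example, not code from the original message: a small parser that scans kernel log lines for OOM-killer events and reports which processes were killed. The log lines embedded in it are constructed to resemble the two message formats Linux kernels have used (an older "kill process ... or a child" followed by "Killed process", and the newer single "Out of memory: Killed process" line); they are not taken from any real system.

```python
import re

# Constructed sample of syslog-style kernel messages (not from the original post).
# It mixes an older two-line OOM report, a newer one-line report, and an unrelated line.
SAMPLE_LOG = """\
Apr 24 03:12:01 host kernel: java invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0
Apr 24 03:12:01 host kernel: Out of memory: kill process 4321 (java) score 98765 or a child
Apr 24 03:12:01 host kernel: Killed process 4321 (java)
Apr 24 09:40:15 host kernel: Out of memory: Killed process 5678 (java) total-vm:4194304kB, anon-rss:3100000kB
Apr 24 10:00:00 host sshd[77]: Accepted publickey for deploy
"""

# "X invoked oom-killer" is logged when a process triggers the killer; it is the
# process that asked for memory, not necessarily the one that gets killed.
OOM_INVOKED = re.compile(r"(?P<proc>\S+) invoked oom-killer")

# "Killed process <pid> (<name>)" is the actual victim record in both formats.
# The match is case-sensitive so the lowercase "kill process ... or a child"
# candidate line is not counted twice.
OOM_KILLED = re.compile(r"Killed process (?P<pid>\d+) \((?P<name>[^)]+)\)")


def find_oom_events(log_text):
    """Return one dict per process the OOM killer actually terminated."""
    events = []
    for line in log_text.splitlines():
        m = OOM_KILLED.search(line)
        if m:
            events.append({"pid": int(m.group("pid")),
                           "name": m.group("name"),
                           "line": line})
    return events


def count_oom_invocations(log_text):
    """How many times a process tripped the OOM killer (a memory-pressure signal)."""
    return sum(1 for line in log_text.splitlines() if OOM_INVOKED.search(line))


def oom_victims(log_text, process_name):
    """PIDs of killed processes with the given name, e.g. the JVM running Tomcat."""
    return [e["pid"] for e in find_oom_events(log_text) if e["name"] == process_name]


if __name__ == "__main__":
    print("OOM killer invoked", count_oom_invocations(SAMPLE_LOG), "time(s)")
    for e in find_oom_events(SAMPLE_LOG):
        print(f"killed pid={e['pid']} name={e['name']}")
```

On a real host, feed it the output of `dmesg` or `journalctl -k` (or /var/log/messages, /var/log/kern.log, depending on the distribution). A victim record naming the JVM confirms the OOM-killer theory; the fix is then memory, as the post says, not a Tomcat setting.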





Re: httpd SSL -> Tomcat VS. Tomcat SSL standalone?

2008-04-28 Thread Mark H. Wood
On Mon, Apr 28, 2008 at 11:27:09AM -0400, Larry Prikockis wrote:
> I know the latest edition of the O'Reilly Tomcat book by Brittain and 
> Darwin strongly advocates the use of standalone Tomcat as opposed to the 
> traditional httpd->Tomcat approach, but this seems to be somewhat of a 
> paradigm shift for most people.   I'm interested in hearing what the wider 
> community thinks...

"Always do this" vs. "never do this" is a little oversimplified.  Some
sites will have reasons to run HTTPD anyway, for example, so then you
get to choose between using an odd port for Tomcat and front-ending
with HTTPD.  There might be other reasons (like I *loathe* keytool,
for example).

> Specifically, we have a webapp on a Windows 2003 server that utilizes 
> Apache 2.2 SSL as a frontend and mod_proxy_ajp to send requests to Tomcat 
> 5.5.17 (on the same server).  By eliminating the Apache frontend and just 
> using a Tomcat SSL connector directly, we saw performance increases that 
> absolutely dwarfed (400+%) everything else we were achieving by tuning 
> various connection parameters of Apache httpd and Tomcat.

That's certainly worth thinking about.  What exactly do you mean by
"performance"?

o  round-trip time for a single transaction?

o  throughput (pour in transactions as fast as the system will take
   them, for (say) an hour, and measure how many you completed per
   second)?

o  processor utilization under typical load?

o  something else?

> My questions:
> 1) Any thoughts on why the Apache SSL -> Tomcat combination should be so 
> much slower?

Back-resolving client addresses to names for some reason?  (Check your
logging directives, for example.)

Not enough entropy?  Check your random-number generator setup.  Some
generators will stall until they can gather enough randomness to
provide a good result; others will do the best they can immediately;
some will mix several sources to produce pretty-good results even when
the blocking sources are exhausted.  HTTPD is probably using OpenSSL
facilities plus its own "mixer", and I don't know what your JRE uses.
If your processor provides a source of randomness that you trust, be
sure it's being used, since a number of sources (keyboard and mouse
event timing, for example) are of little use on a server.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: Hot deploy deletes my context file...

2008-05-02 Thread Mark H. Wood
On Fri, May 02, 2008 at 05:32:58AM -0700, Michael Burbidge wrote:
> By experimenting from the shell copying files I can see what Tomcat is 
> doing. I think that it deletes associated contexts whenever an application 
> is undeployed by deleting the .war file.

I think you are right.  This drove me crazy for a while.  Eventually I
began keeping the .war files *out* of /webapps and I haven't seen this
problem for a while.  You'll need to add the docBase attribute to the
Context to point to such an "external" webapp.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: Best practice? configuration of a web application

2008-05-28 Thread Mark H. Wood
If I wanted to do that, I'd explicitly create the application context
(that is, make a context descriptor file at
$CATALINA_HOME/conf/Catalina/$HOST/$APP/context.html) and enclose a
context-parameter to point to the configuration file.

And I don't think it's at all unreasonable to want to do that.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Does HTTPRequest.getParameter() return encoded or decoded?

2008-06-04 Thread Mark H. Wood
If there's a better place to ask, please direct me.

I'm tracking down a problem with third-party code which looks more and
more like double URI-decoding.  But I can't find anywhere in the
servlet documentation where it says whether getParameter returns
decoded or encoded data.

???

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: Does HTTPRequest.getParameter() return encoded or decoded?

2008-06-05 Thread Mark H. Wood
Sorry, I didn't fully specify the problem.  I do refer to
URI-(en|de)coding, not to character encoding issues.

So, if I've understood the answers I've seen so far, the value
returned by getParameter() should *not* be subjected to URI-decoding,
because it has already been URI-decoded and doing so again would lead to
trouble with a parameter value which, before URI-encoding, contained a
percent character.

I'm debugging code we got from elsewhere which URI-decodes stuff it
got from getParameter(), and as I am not very familiar with the code
in question and am only a beginner in working with servlet code myself
I want to be very sure there is not a good reason for these calls.  I
think now I'm sure enough to take them out.  Thanks!

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
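The two messages above work out that getParameter() already returns URI-decoded values, so decoding them a second time corrupts any value that legitimately contained a percent sign or a plus. The following is an added example, not code from the original posts or from Tomcat: Python's urllib models the container's single decoding step, and a second decode shows which inputs break. The inputs are constructed.

```python
from urllib.parse import parse_qs, quote, unquote_plus


def container_decode(query_string):
    """Stand-in for what the servlet container does exactly once: split the
    query string and URI-decode each value. This models getParameter()."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def handler_double_decodes(params, name):
    """The pattern being debugged in the thread: the application URI-decodes
    a value that the container has already decoded."""
    return unquote_plus(params[name])


def handler_correct(params, name):
    """Use the container's value as-is; it is already the caller's plain text."""
    return params[name]


def round_trip(original):
    """Encode a parameter value as a client would, decode it once as the
    container would, then apply the buggy second decode. Returns
    (what getParameter() gives, what the double-decoding code sees)."""
    query_string = "v=" + quote(original, safe="")
    params = container_decode(query_string)
    return params["v"], handler_double_decodes(params, "v")


if __name__ == "__main__":
    for value in ("100%25", "a+b", "50% off"):
        once, twice = round_trip(value)
        status = "ok" if once == twice else "CORRUPTED"
        print(f"{value!r}: getParameter -> {once!r}, double-decoded -> {twice!r} [{status}]")
```

Note the third case: "50% off" survives the second decode only because "% o" is not a valid escape sequence and is left alone, which is why this class of bug stays hidden until a value such as "100%25" or "a+b" comes through. Decoding exactly once, at the boundary where the container does it, is the rule.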





Re: request for simplistic Tomcat 5.5 log config

2008-06-09 Thread Mark H. Wood
On Fri, Jun 06, 2008 at 12:54:26AM +0200, André Warnier wrote:
> Mark Thomas wrote:
>> André Warnier wrote:
>>> (This is Linux Debian Etch, with Tomcat5.5 out of the box, standard 
>>> apt-get install.)
>> Without knowing if/how 5.5.x has been mangled by the packaging process it 
>> is going to be difficult to help you. The packaging process tends to play 
>> all sorts of games with file locations and default configurations. 
>
> Yes, it mangles quite a bit.  Tomcat5.5 is split (as files and links) 
> between /etc/tomcat5.5, /var/lib/tomcat5.5, and /usr/share/tomcat5.5.
> I suppose the Debian packagers have their very good and smart reasons for 
> doing this, but it doesn't make searching config files easier.

They do.  On Linux, for example, see the FileSystem Standard or
whatever it's called now.

On a production system, /usr might be mounted read-only, so you can't
keep log files or scratch stuff (like auto-expanded .war files) there.
/usr might not even be physically connected to the box; you might have
racks of machines all mounting a common /usr image from some NFS
server.  /usr is a great place to put stuff which is changed only by
replacing the whole file when the system is not available to end
users, like executables and JARs.

Since each host may require different settings, configuration data
(like server.xml and context descriptor files) go in /etc so they can
be customized per-host.

Stuff that has to be writable should be in /var, which had better be
mounted read-write or nearly every program on the box will break.
/var is the place for state data or scratch storage -- stuff created
at runtime or, if we must, empty structured files built by the
installation process.  Things just copied from the install kit don't
belong here.

If log files are hidden away outside of /var/log, the sysadmin will
mutter something unprintable and either move or symlink them there.
/var/log might be on its own volume, so that applications won't fail
when they go to write scratch files and find that the logs have eaten
up all the available space.  If /var/log fills up, we lose a few data
that have a 1:1 chance of being interesting; if /var fills up, we
lose customers because nothing works for them.

So, that's why some people insist on separating files that have
different lifetime, scope, and access requirements.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: log viewer

2010-01-14 Thread Mark H. Wood
Oh, come on, guys.

The log4j package includes the log viewers "chainsaw" and "lf5".
There are probably others, but these are the only ones I can recall
quickly.  (And I'm not at all experienced with either one yet, sorry.)

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: Allocated memory and VMWare

2010-01-15 Thread Mark H. Wood
As others have said, try a VMware forum for more definite answers.  I
use VMware slightly but I'm not anything like an expert.

Meanwhile, one thing to keep in mind is that the guest OS can't tell
when VMware trims the guest's memory.  The guest always sees as much
as it was allocated.  VMware can page some of that memory in and out
if it is overcommitted, but it won't inform the guest because it has
no way to do that.

IF VMware permits one to change a running guest's memory allocation,
then it MIGHT try to signal a memory-hotplug event, but I doubt that
it does this.  It would be dicey to assume that a guest even knows
what hot-pluggable memory is, since such hardware is far from
ubiquitous.  But that wasn't the OP's question.

Anyway you may not like the performance you get if there is swapping
at any level.  People talk about virtual memory as if the ability to
run V>R is what it is for, but really that is a side effect and we do
well to avoid it.  The real benefit is that, at the cost of some
complexity, paging is far less laborious and time-consuming than
shuffling whole address-spaces.  Best to run V=R and just use VM to
enable the best memory packing with the least delay.  Running
overcommitted is really just another way of saying that one is running
underprovisioned, and should be corrected.  I have a moderately
overcommitted VMware Server instance just to my left as I write this,
and it is painfully slow, on a blazing fast Pentium 4.

OTOH, while it is often said that memory is cheap, reality is more
complex.  Memory comes out of the supplies budget while configuration
juggling is paid out of salaries, and these are separate budget lines.
Configuration can be done right now, while procurement takes time --
often a lot of time.  So overcommitting a VMware host might be a
reasonable short-term approach while one is budgeting, pushing papers,
and waiting for one's purchase to arrive.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Mark H. Wood
Reverse engineering is not a technical problem; it is a legal
problem.  You need a lawyer, not a program.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: [OT] Re: Securing Tomcat Applications from Reverse Engineering

2010-01-22 Thread Mark H. Wood
On Thu, Jan 21, 2010 at 03:02:41PM +, Peter Crowther wrote:
> 2010/1/21 Mark H. Wood 
> 
> > Reverse engineering is not a technical problem; it is a legal
> > problem.  You need a lawyer, not a program.
> >
> Mmm, yes and no.  Burglary is also a legal problem, but I have locks (on /
> around the things I want to keep, of a cost and quality appropriate to my
> expected loss) as well as being able to engage a lawyer if required.

The analogy is imprecise.  If you lease a house to someone, you have
no feasible technical means to control who enters your house -- the
lessee possesses a key and can let in anyone he pleases.  But you could
write a lease which constrains the set of people lessee is permitted
to allow in.  (Dunno why, but you could.)

The house would be useless to lessee without a key.  Similarly a
program, distributed to a user, would be useless unless an
intelligible version can be loaded or derived by the user's equipment.
But if the user's equipment can load or derive an intelligible version
of the program, the program can be reverse-engineered.  That's why
software licenses almost always contain specific language about
reverse engineering.

In both cases the owner has *necessarily* given up technical control
of the property, and can only exert control through legal means.  You
can't stop people abusing property that you hand over to them, but you
may be able to punish them if they do.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: JSP Page "hangs"... clues?

2010-02-11 Thread Mark H. Wood
On Wed, Feb 10, 2010 at 12:26:42PM -0800, Jordan Michaels wrote:
> Yeah, it's hanging permanently. We've let it sit there for what... 15 
> mins or so? Which should be plenty since no one is using it right now 
> except us.

Maybe, maybe not.  Did you monitor CPU and memory utilization, I/O
load and I/O wait time on the server during one of these spells?  I've
seen a certain web browser get hold of some badly-written script or
something, spend *minutes* blowing up to a huge size while running
100% of CPU the whole time with the UI completely unresponsive, then
give all that memory back and continue as if nothing had happened.
Maybe you've found a way to do something similar with Tomcat, but it
takes 16 minutes to cycle.

Just waiting until you think it's been long enough is not a very
strong test.  "What's it doing while you wait?" is a question you need
to consider.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: [OT] Tomcat dies suddenly

2010-02-16 Thread Mark H. Wood
Heh, when I was in another building I was issued an ADDS Viewpoint
terminal which would, every so often, begin typing all by itself and
quite at random.  Eventually we determined that my cubicle was
directly underneath an arc welding station in the welding shop one
floor up, and when welding classes were in session the EMI was picked
up by my keyboard.

(Written from one of my xterms.)

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: [OT] Batch-processing of emailed log4j log messages

2010-02-24 Thread Mark H. Wood
An alternative approach:  you could pump the messages through a
mailing-list digest builder.  You may get 100 messages in five
minutes, but you only get interrupted once.

Sorry, I've never run a digested list so I don't have a name handy.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: Apache Tomcat 5.5.34 Question (UNCLASSIFIED)

2011-09-30 Thread Mark H. Wood
Consider something like:

  $ openssl rand -base64 32
  DJaLgg+fcT8ygQVCd1uKcpLAuxGPmEWhv7j+aorobVs=

if you want help coming up with reasonably hard-to-guess secrets.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.




Re: Denying IPs using the Valve command in context.xml

2011-10-05 Thread Mark H. Wood
Part of the problem with this valve is that regex matching is such a
(IMHO) bizarre choice for IP address matching.  IP addresses have a
structure which is very unlike text, and the customary and expected
matches take a bit of finagling to do in regexes.

I should try writing netmask and CIDR address matchers.

Likewise the hostname valve.  Domain names also are structured, and
people who have just discovered the valve may be expecting quite a
different type of matching than what they get.  I had to read the
documentation very slowly and carefully before I could get the
customary match styles out of my head.

Again, I should try writing a DNS-style globber.  It might be fun.
(But don't hold your breath waiting for it.)

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
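The post argues that regexes are a poor fit for IP-address and hostname matching and muses about writing netmask, CIDR and DNS-style matchers instead. The following is an added example, not code from the original message or from Tomcat's valves: it builds those three matchers with the standard library and puts a naive regex matcher beside them to show the two classic regex mistakes (an unescaped dot and a missing anchor) that make a pattern meant for one address admit others. All addresses, networks and hostnames are constructed.

```python
import ipaddress
import re


def cidr_matcher(*cidrs):
    """Return a predicate that is true when an address falls inside any of the
    given networks (e.g. "10.0.0.0/8"). Non-addresses never match."""
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def match(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in networks)

    return match


def netmask_matcher(network, mask):
    """Same thing expressed as network plus dotted mask, e.g. 255.255.255.0."""
    return cidr_matcher(f"{network}/{mask}")


def dns_glob_matcher(*patterns):
    """DNS-style globs: "host.example.com" matches exactly; "*.example.com"
    matches any name with at least one label in front of example.com
    (so the apex "example.com" itself and "evilexample.com" do not match).
    Comparison is label-wise, case-insensitive, and ignores a trailing dot."""
    parsed = [p.lower().rstrip(".").split(".") for p in patterns]

    def match(name):
        labels = name.lower().rstrip(".").split(".")
        for pat in parsed:
            if pat[0] == "*":
                suffix = pat[1:]
                if len(labels) > len(suffix) and labels[-len(suffix):] == suffix:
                    return True
            elif labels == pat:
                return True
        return False

    return match


def naive_regex_matcher(pattern):
    """What a regex written as if it were an address does: unescaped dots
    match any character and an unanchored search matches substrings."""
    rx = re.compile(pattern)
    return lambda addr: rx.search(addr) is not None


if __name__ == "__main__":
    allow = cidr_matcher("10.0.0.0/8", "192.168.1.0/24")
    print("10.255.1.2 allowed:", allow("10.255.1.2"))
    print("192.168.2.1 allowed:", allow("192.168.2.1"))
    loose = naive_regex_matcher("10.0.0.1")
    print("regex '10.0.0.1' also admits 10.0.0.10:", loose("10.0.0.10"))
    hosts = dns_glob_matcher("*.example.com")
    print("evilexample.com matches *.example.com:", hosts("evilexample.com"))
```

Two practical points follow from the comparison. A regex intended to name one address must escape its dots and anchor both ends (`^10\.0\.0\.1$`), or it quietly widens the allow list. And hostname-based rules are only as trustworthy as the reverse DNS they depend on, which is controlled by whoever runs the client's address space, so address-based rules are the stronger control. Later Tomcat releases ship a RemoteCIDRValve that does the CIDR matching natively.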



