Re: custom web app classloader
Jwahar Bammi wrote: Thanks for your quick reply glenn, I was thinking the same way. Please could you confirm the mechanics of hooking the classloader into Tomcat - once I write the class, I tell tomcat to use it by specifying it in the Loader tag of a Context in server.xml Yes. The next releases of Tomcat 4.1 and 5 will also allow a Loader to be nested inside the DefaultContext. - my class itself goes into $CATALINA_HOME/server/lib Yes, or in $CATALINA_HOME/common/lib the docs don't make it clear what the mechanics should be thanks again bammi -Original Message- From: Glenn Nielsen [mailto:[EMAIL PROTECTED] Sent: Thursday, October 30, 2003 10:20 PM To: Tomcat Users List Subject: Re: custom web app classloader I have done this but I started by extending org.apache.catalina.loader.WebappLoader, then overriding anything I needed to customize. Regards, Glenn Jwahar Bammi wrote: I want to write my own custom web application class loader, for Tomcat 4.1* (and hopefully it will continue to work for Tomcat 5*). From the precious little info that is available, I have gleaned the following: - the class I write should implement org.apache.catalina.Loader interface. - once I write the class, I tell tomcat to use it by specifying it in the Loader tag of a Context in server.xml - my class itself goes into $CATALINA_HOME/server/lib Are my assumptions above correct? It would be a real bonus to see an example. I am sure more than one person in this community has done this before. Any words of advice? Advanced Thanks, Jwahar Bammi Memento, Inc. [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: custom web app classloader
I have done this but I started by extending org.apache.catalina.loader.WebappLoader, then overriding anything I needed to customize. Regards, Glenn Jwahar Bammi wrote: I want to write my own custom web application class loader, for Tomcat 4.1* (and hopefully it will continue to work for Tomcat 5*). From the precious little info that is available, I have gleaned the following: - the class I write should implement org.apache.catalina.Loader interface. - once I write the class, I tell tomcat to use it by specifying it in the Loader tag of a Context in server.xml - my class itself goes into $CATALINA_HOME/server/lib Are my assumptions above correct? It would be a real bonus to see an example. I am sure more than one person in this community has done this before. Any words of advice? Advanced Thanks, Jwahar Bammi Memento, Inc. [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[ANN] Apache Tomcat mod_jk 1.2.5 Web Server Connector released
[October 11, 2003] The Tomcat team is pleased to announce the release of version 1.2.5 of the Apache Tomcat mod_jk web server connector. Tomcat is the reference implementation of a web application server which implements the Java Servlet and JavaServer Pages specifications. mod_jk is a connector which allows a web server such as Apache HTTPD or IIS to act as a front end to the Tomcat web application server. This version fixes a number of minor bugs. See the file CHANGES.txt in the source distribution for a complete list of changes. Soucre distribtions can be downloaded from an Apache Software Foundation mirror at: http://jakarta.apache.org/site/sourceindex.cgi Binary distributions for a number of different operating systems and web servers can be downloaded from an Apache Software Foundation mirror at: http://jakarta.apache.org/site/binindex.cgi Documentation for using mod_jk with Tomcat 3.3, 4.1, and 5.0 can be found at: http://jakarta.apache.org/tomcat/ The Apache Tomcat team. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Problem with SecurityManager and jmx
Sergio Juan wrote: Hi. I'm currently working in a complex web application. In a stage of development, we wanted to control access to files from the users, and we got all the logic in a SecurityManager of its own. As we were not very familiar with all the capacities of the Security Manager, we chose for the following procedure: - Let Tomcat start normally - In our app start, we get the current SecurityManager if any and create one of ours (setting it as the System SecurityManager). A web application should not be creating or modifying the SecurityManager. The SecurityManager is global to the entire JVM. Our SecurityManager implements the methods related to the java.io.* classes (checkRead, etc.). If any other method is called, we implement it just calling the older SecurityManager (if there was any). There shouldn't be any need for you to write a custom SecurityManager. Instead you should implement your own custom Permission class, then use a custom FileIO class that does the appropriate permission checks. Regards, Glenn - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[ANN] Apache Tomcat mod_jk 1.2.4 Web Server Connector released
The Tomcat team has released version 1.2.4 of the Tomcat mod_jk web server connector. This version fixes a number of minor bugs and ports all features from the Apache 1.3 version to the Apache 2 version of mod_jk 1.2. See the file CHANGES.txt in the source distribution for a complete list of changes. The source distribution is available at: http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.4/src/ Binary distributions for different web servers and operating systems will become available in the next week for download at: http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.4/bin/ Linux RPM's can be found when they become available at: http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.4/rpms/ Documentation for the release is available at: http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.4/doc/ Glenn - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Failed JK connection
It looks like you have mod_jk 1.2 installed in Apache but have JK2 configured in Tomcat. These two are not compatible. Posting your apache mod_jk config and the connector portion of your tomcat server.xml would make it much easier to answer your question. I would also recommend upgrading apache to the latest 1.3.27 release. This won't solve your problem but their have been security patches to apache since 1.3.22. Regards, Glenn Scherbinko Timur wrote: Hi, I have installed - Apache/1.3.22 (Unix) - mod_jk-ap13-1.2.0-1 - tomcat4-4.1.12 At start Tomcat4 gives out a mistake Starting service Tomcat-Standalone Nov 26, 2002 7:52:31 PM org.apache.jk.common.ChannelSocket init INFO: JK2: ajp13 listening on tcp port 8009 Nov 26, 2002 7:52:31 PM org.apache.jk.server.JkMain start INFO: Jk running ID=0 time=20/295 config=/var/tomcat4/conf/jk2.properties StandardServer.await: Invalid command '' received Nov 26, 2002 7:53:09 PM org.apache.jk.common.ChannelSocket processConnection WARNING: server has closed the current connection (-1) How to solve this problem? Thanks! -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Host Context - Unpacking of WARs
Your second Host config sets the appBase to a war file, this is not valid, it has to be a directory. Glenn Andoni wrote: Hello, I have two configurations: 1st one works 2nd doesn't. I want to get the 2nd to work though as it stops .war files unpacking. Can anyone tell me how to make the 2nd one work? The error I get is: Forbidden You don't have permission to access / on this server. But I think that's coming from the Apache server so it isn't even getting to tomcat? Thanks, Andoni. Host name=animo.andoni.[mydomain].ie debug=0 appBase=webapps/animo unpackWARs=true Aliasandoni.[mydomain].ie/Alias Context path= docBase= debug=0 workDir=[disk_name]/apache/jakarta/tomcat/work/animo reloadable=false /Context /Host Host name=animo.andoni.[mydomain].ie debug=0 appBase=webapps/animo.war unpackWARs=false Aliasandoni.[mydomain].ie/Alias Context path= docBase= debug=0 workDir=[disk_name]/apache/jakarta/tomcat/work/animo reloadable=false /Context /Host -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Integrate Tomcat 4.1.12 to Apache 1.3.22 on ASPLinux
If you are using mod_jk 1.2 for Apache your Connector on the Tomcat side needs to be Ajp13 instead of Coyote. Here is an example: Connector className=org.apache.ajp.tomcat4.Ajp13Connector port=8009 minProcessors=5 maxProcessors=75 acceptCount=10 connectionTimeout=0 debug=0/ Regards, Glenn ýÅÒÂÉÎËÏ ôÉÍÕÒ áÌÅËÓÁÎÄÒÏ×ÉÞ wrote: Hello everybody I work on ASPLinux 7.2. I installed: - Apache/1.3.22 (Unix) - mod_jk-ap13-1.2.0-1 - tomcat4-4.1.12 and configured: - worker.property: worker.list=ajp13 worker.ajp13.port=8009 worker.ajp13.host=localhost worker.ajp13.type=ajp13 worker.ajp13.lbfactor=1 - server.xml: Connector className=org.apache.coyote.tomcat4.CoyoteConnector port=8009 minProcessors=5 maxProcessors=75 enableLookups=true redirectPort=8443 acceptCount=10 debug=0 connectionTimeout=2 useURIValidationHack=false protocolHandlerClassName=org.apache.jk.server.JkCoyoteHandler/ When I tried to start Tomcat, I received the following catalina.out: Starting service Tomcat-Standalone Nov 26, 2002 7:52:31 PM org.apache.jk.common.ChannelSocket init INFO: JK2: ajp13 listening on tcp port 8009 Nov 26, 2002 7:52:31 PM org.apache.jk.server.JkMain start INFO: Jk running ID=0 time=20/295 config=/var/tomcat4/conf/jk2.properties StandardServer.await: Invalid command '' received Nov 26, 2002 7:53:09 PM org.apache.jk.common.ChannelSocket processConnection WARNING: server has closed the current connection (-1) When I try to request http://localhost/index.jsp I see NullPointerException in the catalina.out like this: java.lang.NullPointerException at org.apache.coyote.tomcat4.CoyoteAdapter.log(CoyoteAdapter.java:624) at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter. java:230) at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:256) at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:361) at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:563) at org.apache.jk.common.ChannelSocket.processConnection(ChannelSo cket.java:535) at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:638) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run( ThreadPool.java:533) at java.lang.Thread.run(Thread.java:536) Where did I make a mistake? Help me, please. -- Truly yours Shcherbinko ô.á. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Apache/Tomcat Security
Run Tomcat with the Java SecurityManager (-security startup option) and only grant the minimum permissions necessary to your webapp. See the Security Manager HOWTO in the Tomcat docs. Glenn Anderson, M. Paul wrote: I am preparing to launch my first web site utilizing an Apache/Tomcat configuration. The server will host a single web site, at least for now that uses servlets and jsp with a database backend. I have set up the Apache and Tomcat as discussed in the documentation with much help from people on this list. Now my question concerns whether or not I need to do anything in Apache or Tomcat to protect my site beyond what Apache and Tomcat are already set up to do. How secure can I truly expect my site to be using Apache and Tomcat as is? -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Granting security permissions not working
In Tomcat 4.0 the URL used for the codeBase for jar files located in /WEB-INF/lib starts with jar:file:..., your grant below starts with file: Those are two different codeBases! The SecurityManager is very picky about where code comes from when granting permissions, the URL must start with the exact same text. Regards, Glenn [EMAIL PROTECTED] wrote: I am not able to grant security permissions on individual jar files. Can someone tell me what I'm doing wrong? In my policy file (CATALINA_HOME/conf/catalina.policy) I have the following setting: grant codeBase file:${catalina.home}/- { permission java.security.AllPermission; }; I would think this would grant all permissions to all jar files, classes, etc under the catalina directory, including webapps' classes/jars. However, I keep getting the following (I set security debug output according to the following -- java.security.debug=access,failure): access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read) java.lang.Exception: Stack trace at java.lang.Thread.dumpStack(Thread.java:1071) at java.security.AccessControlContext.checkPermission(AccessControlContext. java:259) at java.security.AccessController.checkPermission(AccessController.java:401 ) at java.lang.SecurityManager.checkPermission(SecurityManager.java:542) at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291) at java.lang.System.getProperty(System.java:611) at org.apache.log4j.helpers.OptionConverter.getSystemProperty(OptionConvert er.java:92) at org.apache.log4j.LogManager.clinit(LogManager.java:117) at org.apache.log4j.Logger.getLogger(Logger.java:85) at com.cssc.security.CognisecAuthFilter$1.run(CognisecAuthFilter.java:85) at java.security.AccessController.doPrivileged(Native Method) at com.cssc.security.CognisecAuthFilter.clinit(CognisecAuthFilter.java:83 ) ... access: domain that failed ProtectionDomain (jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/org/apache /log4j/helpers/OptionConverter.class no certificates) WebappClassLoader available: Extension[Struts Framework, implementationVendor=Apache Software Foundation, implementationVendorId=org.apache, implementationVersion=1.0.2, specificationVendor=Apache Software Foundation, specificationVersion=1.0] delegate: false repositories: /WEB-INF/classes/ required: -- Parent Classloader: + other stuff. What gives? I don't understand why this is not working. Please help! Running Tomcat 4.0.4, J2SDK 1.4.0, on a winxp box Thanks, John -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: security manager problem
Start tomcat with the property javax.security.debug=access,failure so that you can capture debug information for the SecurityManager. Also read the SecurityManager-HOWTO that comes with tomcat. Glenn Mok Swee Loong wrote: Dear all, Just started with tomcat 4.1.2, i am trying to run things a little bit more secure, and try to figure out a good way to start and stop the server. Pls do comment if you have any opinion or good reference regarding this. Thanks a million. - I plan to run the tomcat server as user tomcat - I have changed everything under $CATALINA_HOME owned by tomcat user (is this necessary at all? or we'll just need to change the logging directory to be writable by user tomcat?) and start tomcat using su -c $CATALICA_HOME/bin/startup.sh tomcat - Does tomcat have similar setting like apache httpd server, where u can set user and group permission to run as, you start the server as root to initialize everything that needed root, then the server will change and run as your desired credential? With the above setup it is running fine, but when i try to run it with the security manager using the default catalina.policy # export CATALINA_OPTS=-Djava.security.debug=access,failure # su -c $CATALICA_HOME/bin/startup.sh tomcat -security i got the following exception: Exception during startup processing java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) at java.security.AccessControlContext.checkPermission(AccessControlContext.java :270) at java.security.AccessController.checkPermission(AccessController.java:401) at java.lang.SecurityManager.checkPermission(SecurityManager.java:542) at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1031) at org.apache.catalina.startup.Catalina.init(Catalina.java:127) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAcces sorImpl.java:39) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstruc torAccessorImpl.java:27) at java.lang.reflect.Constructor.newInstance(Constructor.java:274) at java.lang.Class.newInstance0(Class.java:306) at java.lang.Class.newInstance(Class.java:259) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:179) what could be wrong? any comments are appreciated. Thanks. regards, mok -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: AccessControlException - java.io.FilePermission
So you can edit the tomcat.policy file but not specify what properties are set when Tomcat is started? What a trusting app hosting service. By default Tomcat will grant a file read permission to the root of your web application context, in this case /home/.sites/5/site513/web/. But all of the java classes on the stack must also have been granted the appropriate read permission. The permissions the code for your webapp has is the intersection of those permissions granted to your webapp and all other code bases for java classes on the stack. So the permission problem could be in another code base grant in tomcat.policy. If you indeed do have permission to set all java properties you might try setting the property javax.security.debug to access,failure programattically in your JSP/servlet, then remove that property in a finally clause at the end of your JSP/servlet. That may turn on security debug for you if you indeed have permission to read/write all properties. Regards, Glenn ben keeping wrote: Hello All, I hope someone can help ... you are my last chance as I have posted on tek-tips forums, the sun.java.com developers forum, read the tomcat documentation, read this address's mail archives, contacted my web host, and still no joy ! I have recently bought some web hosting space, and when testing that all works, I get this error, when invoking a servlet from a jsp page : java.security.AccessControlException: access denied (java.io.FilePermission /home/.sites/5/site513/web/WEB-INF/classes read) This is what the TOMCAT_HOME/conf/tomcat.policy looks like (relative snippet) grant codeBase file:/home/.sites/5/site513/web/- { permission SocketPermission localhost:1024-, listen,connect,resolve; permission java.util.PropertyPermission *, read,write; permission java.io.FilePermission /home/.sites/5/site513/-, read,write,delete; permission java.lang.RuntimePermission accessClassInPackage.sun.io; }; and this is what the server.xml looks like (snippet) Host name=www.mywebsite.com !-- Site site513 -- Context path= docBase=/home/.sites/5/site513/web debug=0/ !-- user web contexts -- /Host I have checked the OS file permissions also, which are : drwxrwsr-x To me it all looks well ??!! I believe they are running 3.2.3 on a Linux Cobalt server. The problem is is that I can't run tomcat in debug or security mode because its a web hosting company, and they are being less than helpful about the matter ! Neither can I gain access to the tomcat log directory. Any ideas ? Thanks for your time, Regards Ben _ Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Thread count growth, /manager/sessions, and persistence
Regarding sessions, by default a JSP page creates a session. All your JSP pages which don't require a session should have the attribute session=false set in the page directive. The number of threads being used is not related to session management. To troubleshoot problems running out of Processors try telling the JVM to do a thread Stackdump when this happens. On unix you send the java process a QUIT signal. Analyze the thread Stackdumps to determine what the bottleneck is for your application running in Tomcat. i.e. What are all the threads doing when you run out of processors. BTW, 2500 processors seems excessive. Does your site really need to handle 2500 concurrent requests? Also try starting the JVM with the -verbose:gc arg using the CATALINA_OPTS environment variable. This will generate garbage collection data to stdout (catalina.out). Look for very long GC times in the 10's of seconds. You may need to tune your java min/max heap sizes and other GC related options to improve GC performance. When GC happens Tomcat freezes. This can cause requests to build up on the Coyote socket up to your acceptCount limit. And it can cause other failures for things which can timeout such as db connections. Regards, Glenn Mark Walker wrote: I am trying to port an application over to Tomcat v 4.1.12 which has worked fine for two years running in WebSphere on an iSeries. The JSPs were at the .91 level. I have updated them to the 1.2 level. In addition, I have installed the tomcat-util.jar from 4.1.14 to fix the erroneous ssl debug messaging. From the user's perspective everything looks the same. On the server side though, I seem to have a runaway thread problem. The Tomcat manager app shows the number of active sessions to be anywhere between 400 and 700 during the day, dwindling to a few dozen at night. (Incidentally, the session count is always in one group: the 30-40 minute one - I expected a breakdown in 10 minute intervals). But the thread count just keeps rising. When the count reaches the maxProcessors limit a message, [INFO]ThreadPool - -All threads are busy, waiting. Please increase maxThreads or check the servlet status appears in the log. I have tried suggesting garbage collection to the JVM at various times but to no avail. Here are the Connector definitions in use: Connector className=org.apache.coyote.tomcat4.CoyoteConnector port=80 minProcessors=5 maxProcessors=2500 enableLookups=true redirectPort=443 acceptCount=25 debug=0 connectionTimeout=2 useURIValidationHack=false / Connector className=org.apache.coyote.tomcat4.CoyoteConnector port=443 minProcessors=25 maxProcessors=2500 enableLookups=true acceptCount=25 debug=0 scheme=https secure=true useURIValidationHack=false Factory className=org.apache.coyote.tomcat4.CoyoteServerSocketFactory clientAuth=false keystoreFile=**filename** keystorePass=**password** keystoreType=**type** protocol=TLS/ /Connector (There is also the standard Coyote/JK2 AJP 1.3 Connector on 8009 but it looks like I don't need that as I'm using Tomcat as a standalone server) Here are my questions: Are there any known issues with Tomcat and excessive thread counts? (Grasping at straws here I know. I have not found any other relevant reference to Tomcat having thread issues like these, yet the same Java code has served well for two years.) Could the lack of a breakdown list in the /manager/sessions output be a symptom of a thread problem or is it just a newbie configuration error? Another item that might be an issue is persistent sessions. I don't want them. I invalidate() the session when a user logs out. To that end I have included the following within each context group: Manager className=org.apache.catalina.session.PersistentManager debug=0 saveOnRestart=false maxActiveSessions=-1 minIdleSwap=1800 maxIdleSwap=-1 maxIdleBackup=-1 Store className=org.apache.catalina.session.FileStore/ /Manager (I have also used -1 for the minIdleSwap. I changed it to 1800 to try and keep the sessions in memory in case that was part of the problem.) Is this the right approach to take? I'm concerned that something is wrong here because if I end Tomcat and restart it the cpu usage goes from an average of 6% to 40+%. A second restart puts it up to 99%. The system maintains these rates until I switch to another server (At least the pages still serve fine though). Lastly, in the event that WebSphere has just been covering my tracks well, I would also welcome suggestions of Java discussion lists anyone has had success with where I could post some particulars regarding our multithreaded processing. Thanks in advance! Mark Walker
Re: Tomcat Scalability - Long
I have the following in production: Tomcat 4.1, JDK 1.3.1, and MySQL on a Dual CPU Sun 250 app server and Apache using mod_jk 1.2 on a separate server. We are now getting 4 weeks continuous uptime. I stop and restart Tomcat once each month because the minimum memory the java heap uses over time increases. This is on a site handling 30k Tomcat requests per day. With peak loads of 5k-6k Tomcat requests per hour. When scaling Tomcat there are many issues to address when tuning performance. I would suggest learning more about how the JVM does garbage collection and test different Java startup args related to jvm stack size, etc. Try starting Tomcat with the java arg -verbose:gc, this will collect GC data which can help you when tuning the JVM memory usage. You might also want to profile your applicaiton using OptimizeIt or JProbe to see if it is the source of the problem. And of course the performance tuning should be done on test servers which are as close as possible to your production environment and with a load that simulates your site usage. Consider upgrading to Tomcat 4.1. Especially if your site uses JSP. Jasper 2 which comes with Tocmat 4.1 significantly improves performance of JSP. One final note, I would not set reloadable=true on a production system. That adds alot of overhead. The reloadable option is really there only to make development easier. Regards, Glenn Brandon Cruz wrote: Does anyone have any solid information about the scalability of Tomcat? It seems very limiting to me, but that is hopefully due to improper configuration. Here is our situation and what seems to be happening under a small amount of stress. ---About our Environment--- PIII 1.0Ghz 512 Meg Ram Linux RedHat 7.1 MySQL Database Apache 1.3.x mod_jk - logging turned all the way down Tomcat 3.2.4 - contexts *are* reloadable right now SUN JDK 1.3.1_01 ---About our Application--- Our Application is a content management tool that reads and writes to the MySQL Database and reads and writes files. All the pages within this application are served by Tomcat 3.2.4. About 80-120 people per day log into this application and spend anywhere from 10 minutes to one hour working on the application. At any given time there are between 15 and 50 active database connections. ---What we are seeing--- Tomcat needs to be restarted every few days. If we don't restart it, it seems tomcat eventually locks up and does not respond at all. No errors or anything are reported, it just will not respond. Apache continues to work during this time and all static HTML pages are accessible. CPU - The processor usage seems to slowly increase as time goes on. After about one day, it seems one java process uses 30% of available CPU or more, depending on whether users are performing operations or not. When nobody is doing anything, the processer still seems to be sitting around 30% until tomcat is restarted. This seems to cap after three to five days and not increase too much more. RAM - This slowly increases and never stops increasing. We do not have any special parameters set for the VM when it starts, but this does not seem to matter. The RAM gets up to about 135 MB after four or five days, but would continue to grow if tomcat were not allowed. Can anyone explain this behavior, talk about the scalability of Tomcat, or provide any similar working solutions that perform better than this? Is it normal, should we just throw more hardware at it? Are there configuration parameters that can be used to increase performance, such as set reloadable=false in all contexts? Would we get better performance if we upgraded to 4.x, or would that just be more work for little improvement? -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: Tag object pooling and immutability in the servlet spec
Mr. Tomcat wrote: Is there a way to turn off tag object pooling? Object pooling was a cool performance technique in earlier versions of Java, but now object creation is very fast, so it no longer serves a performance function, and it introduces extra complexity into tag object design. Is this misfeature going to be phased out? In more recent JVM's object creation is faster, but those objects also need to be garbage collected later. Large numbers of objects requiring GC can significantly degrade performance. The above statement is a generalization that doesn't apply in all cases. In Jasper 2 custom JSP tag pooling provides a huge boost in performance for JSP pages which use custom tags. Request latency for JSP pages which use custom tags was reduced significantly and the system can now scale to handle larger numbers of concurrent requests. Before upgrading to Jasper 2 we had upgraded the hardware from single to dual cpu's and tripled the system ram. We still had some scaling problems. Upgrading to Jasper 2 a few weeks later solved are problems. It improved performance as much or more than the hardware upgrade. (The site uses alot of JSP pages with custom tags). This is on Sun sparc's running Solaris with JDK 1.3.1. I'll let someone else address your other issue. Regards, Glenn Also, on the immutable object topic, it seems that it would be better to have all the initialization of servlets and filters done in the constructor, not by calling an init function. If everything could be set in the constructor, then all instance fields could be private final, meaning that the servlet or filter object could be immutable, and therefore known to be threadsafe, which is an issue with servlets. Any chance of these changes happening in future releases of the servlet spec? Thanks -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: tomcat security issue
SecurityManager permission problems are much easier to debug if you start tomcat with the -Djava.security.debug=access,failure property defined, then check your logs for the string denied. Then review the stack trace and the ProtectionDomain which failed. Regards, Glenn [EMAIL PROTECTED] wrote: yes the factoryLoaderServlet is defined too complex and issue currently to restart without SecurityManager. May be able to do overnight. Other dependent apps need to be up during the day -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: JkAutoAlias + Apache 1.3 + WAR
Luiz Ricardo wrote: Hello, I can not access an web application deployed in a war archive. I am using Apache 1.3 + mod_jk and in my server.xml the attribute unpackWARs is false, in my mod_jk.conf I use JkAutoAlias. Does anyone knows if JkAutoAlias and unpackWARs=false work? No they do not. For Apache to serve static content for your web application, the web application has to be unarchived. If you leave your application in an unarchived war Tomat has to handle all requests for that context. Regards, Glenn -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: DBCP logAbandoned parameter
The Resource configuration for your JDBC DataSource which uses DBCP in your tomcat server.xml configuration file. [EMAIL PROTECTED] wrote: sounds like I may have missed something here.. What dbcp xml config ? I have seen no reference to such a file before. Cheers, Med Glenn Nielsen [EMAIL PROTECTED]To: Tomcat Users List [EMAIL PROTECTED] net cc: Subject: Re: DBCP logAbandoned parameter 22/10/2002 13:39 Please respond to Tomcat Users List DBCP logging and removal of abandoned connections works for me. Check all your logs, the stack traces should be there. If you don't find any stack traces post your DBCP xml config after obfuscating any sensitive data like passwords of course. Glenn [EMAIL PROTECTED] wrote: Hello, Ive implemented my connection pool on Tomcat 4.1.12, in my apllication context, using theorg.apache.commons.dbcp.BasicDataSourceFactory. Pleased to say its working fine. I have a question though about some of the options I saw in the dbcp example, including such parameters as removeAbandoned, removeAbandonedTimeout and in particular logAbandoned (by the way, i put these options as they are in my server.xml file, within the declaration of my contexts datasource (ResourceParams name =jdbc/mylittledb/...) The log abandoned is supposed to produce a stacktrace of where a connection was taken, and not returned to the pool. Has anyone seen this hapen ? I removed a close connection method from a jsp, and hit it with several threads, sure enough in System.out I got : DBCP could not obtain an idle db connection, pool exhausted ... but i was expecting it (from the docs) to tell me which naughty bit of code was the culprit for eating all the pies. Hope that make sense and at least one person understands my wittering.. Cheers, Med -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: Security RISK !
Make sure you configure apache to forbid access to any /WEB-INF/ and /META-INF/ directories. You also may want to forbid access to *.war files in your DocumentRoot. If you use the lastest version of mod_jk 1.2 it will do this for you automatically if you use the JkAutoAlias config directive. Regards, Glenn Sigurður Bjarnason wrote: Hi all I am using apache 1.3 and tomcat 4.0.4 together I use apache to serve all the static content, witch I have a special directory for and Tomcat serve all the jsp and servlet stuff.. The question is.. is there any security risk if I Have the Apache DocumentRoot pointing straight to the webapps folder ?! ¨ Best Regards Siggi -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: Looping message in my log
If it keeps looping your index.jsp may be doing a jsp:forward to itself. Renato wrote: Hi all, I'm using Tomcat 4.0.6 and I found the following message that is looping and filling up my log: ) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:347) at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:414) at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:452) at org.apache.jsp.index$jsp._jspService(index$jsp.java:2616) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:201) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:381) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:473) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:683) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:431) at org.apache.catalina.core.ApplicationDispatcher.access$0(ApplicationDispatcher.java:359) at org.apache.catalina.core.ApplicationDispatcher$PrivilegedForward.run(ApplicationDispatcher.java:130) ) Anybody know what could possible be ? Thanks -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: DBCP logAbandoned parameter
DBCP logging and removal of abandoned connections works for me. Check all your logs, the stack traces should be there. If you don't find any stack traces post your DBCP xml config after obfuscating any sensitive data like passwords of course. Glenn [EMAIL PROTECTED] wrote: Hello, Ive implemented my connection pool on Tomcat 4.1.12, in my apllication context, using theorg.apache.commons.dbcp.BasicDataSourceFactory. Pleased to say its working fine. I have a question though about some of the options I saw in the dbcp example, including such parameters as removeAbandoned, removeAbandonedTimeout and in particular logAbandoned (by the way, i put these options as they are in my server.xml file, within the declaration of my contexts datasource (ResourceParams name=jdbc/mylittledb/...) The log abandoned is supposed to produce a stacktrace of where a connection was taken, and not returned to the pool. Has anyone seen this hapen ? I removed a close connection method from a jsp, and hit it with several threads, sure enough in System.out I got : DBCP could not obtain an idle db connection, pool exhausted ... but i was expecting it (from the docs) to tell me which naughty bit of code was the culprit for eating all the pies. Hope that make sense and at least one person understands my wittering.. Cheers, Med -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: Security manager and request.getParameter() access error
Check your catalina.policy and see if the following 4 permissions are granted in the default policy: // Required for sevlets and JSP's permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util; permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util.*; permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util; permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util.*; Java 1.4 is more picky about the RuntimePermission accessClassInPackage and defineClassInPackage permissions. Regards, Glenn Dala wrote: When I use the security manager in Tomcat (4.1.12-LE-jdk1.4) some strange problems occur. When I execute the following simple JSP code: % request.getParameter(foo); % I get the following exception: org.apache.jasper.JasperException: org/apache/catalina/util/ParameterMap at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 48) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain ... I also start tomcat with security debub info enabled (i.e. CATALINA_OPTS=-Djava.security.debug=failure) but the log files do not report any errors, except for the exception of course. I use the standard policy rules as stated in the file catalina.policy. I even tried to grant the additional following rules, but nothing have helped so far: permission java.lang.RuntimePermission accessClassInPackage.javax.servlet; permission java.lang.RuntimePermission accessClassInPackage.javax.servlet.*; If I grant all permissions (i.e. permission java.security.AllPermission;) to my code base, then everything works fine. What is the problem? Have I missed something obvious here? /Tommy -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: Ajp13Processor starting background threads under low load
Once an Apache process opens a socket connection to Tomcat for Ajp that connection remains open until that httpd process dies. That way the httpd process can reuse that connection. For Apache 1.3 there is a one to one mapping between apache httpd processes and Tomcat Ajp13Processors. You can end up with as many Ajp13Processors as you have httpd processes. So the MaxProcessors config needs to be greater than the max number of httpd processes used by apache. And each Ajp13Processor runs in its own thread waiting for a request from Apache. Regards, Glenn Lindsay Patten wrote: Thanks for the pointer Glenn, it was much appreciated! So, I've been doing thread stacktrace dumps, but what I found doesn't make a lot of sense to me. After restarting tomcat there were 5 processor threads all blocked on a monitor: Ajp13Processor[8085][0] daemon prio=1 tid=0x0x4f801b28 nid=0x45ae waiting on m onitor [bd9ff000..bd9ff8ac] at java.lang.Object.wait(Native Method) - waiting on 0x446602c0 (a org.apache.ajp.tomcat4.Ajp13Processor) at java.lang.Object.wait(Object.java:426) at org.apache.ajp.tomcat4.Ajp13Processor.await(Ajp13Processor.java:305) - locked 0x446602c0 (a org.apache.ajp.tomcat4.Ajp13Processor) at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:490) at java.lang.Thread.run(Thread.java:536) I presume these are waiting for the scheduler thread to pass them a request. A while later a bunch of background threads get spawned and I do another dump/trace, now there are a whole bunch of threads in a runnable state trying to read request packets: Ajp13Processor[8085][21] daemon prio=1 tid=0x0x8289b38 nid=0x70d6 runnable [ba fff000..bafff8ac] at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(SocketInputStream.java:116) at org.apache.ajp.Ajp13.readN(Ajp13.java:429) at org.apache.ajp.Ajp13.receive(Ajp13.java:469) at org.apache.ajp.Ajp13.receiveNextRequest(Ajp13.java:274) at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:371 ) at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495) at java.lang.Thread.run(Thread.java:536) Despite the name receiveNextRequest, it looks like that method is being called to receive each request including the first. So, the ajp13 processor is sitting blocked waiting for a full ajp13 packet from apache and apache is not sending data and not closing the connection/socket. From the comments in the code it sounds like apache restarts periodically, closing the sockets and unblocking the read calls, at which point these processors return to the pool - so if apache restarts before you reach your threads limit you are ok. What I don't understand is how apache can be starting up ajp13 connections to tomcat and then not sending a full packet without this causing user visible failures. Shouldn't there be users getting page loads timing out on them? That doesn't seem to be happening. Does this indicate a fault in apache or is it normal for apache to send partial requests without closing the connection? Any further guidance? Thanks, Lindsay Glenn Nielsen wrote: One way to start debugging this type of problem is to tell the java process running Tomcat to do a Thread Stacktrace Dump. kill -QUIT java processid Then analyze the stack traces for all threads. Regards, Glenn Lindsay Patten wrote: Hi, I thought I would take a different tack on my problem with the Ajp13Processor using up all of its threads problem. Does anyone know if the Ajp13Processor has a timeout when it is looking for a worker to handle a request? If the worker threads were all swapped out and taking a long time to get going and respond, would the main thread start a new background thread instead of waiting? Or does it just have a list of available workers and blocks until the worker it selects responds? If it is the former that would explain my problem since I have experienced my processes getting swapped out and taking a long time to respond. The question would then become: is a way to specify how long the scheduler should wait before starting a new thread? At least I would have something I could take to my service provider. On the other hand if I knew for sure that the scheduler thread didn't have a timeout on worker threads than I could concentrate on looking elsewhere. Does anyone know? Or know where to look or ask short of reading the source? Thanks, Lindsay Lindsay Patten wrote: Hi, I am having a problem where tomcat keeps intermitantly starting new ajp13 processor threads, eventually it reaches the max and starts refusing connections. My hosting provider (linux machine) provides a private version of tomcat for each user with a single apache web server, there are typically a large number of processes on the machine (4000). My particular tomcat server (v4.0.3) is not being
Re: socket permission catalina.policy question
Did you ever try running tomcat with the property -Djava.security.debug=access,failure set? The debug output from that can usually help you track down the source of a security policy configuration problem. Regards, Glenn Andrew Cheng wrote: I am using tomcat version 4.0. I have tried adding the extra jar: and !/- and restarting tomcat... however it still does not work. I tried removing that extra syntax and it does not work in that case either. (In fact, when I added the extra syntax to all of the jar files in catalina.policy, it complained about bootstrap.jar... so I tried three different cases. [1] absolutely no extra syntax anywhere in the file [2] extra syntax just for the jar files at the end of the file that have to do with my Web applications only [3] extra syntax for every jar file... and none of these cases works) catalina.policy is definitely being used. /var/log/tomcat.log says it is using the security manager. There was a time when it was complaining that my JDBC driver did not have socket permission to connect to the database. However I gave all permission to the JDBC driver and to the code that calls it. That particular socket permission denial was resolved. However the original socket permission denial refuses to submit to this solution. Perhaps I will try listing the actual IP address instead of the machine's name ***Could my directory structure be an issue? In ${catalina.home} I have a directory/Web-application called myApplication: ${catalina.home}/myApplication Inside this directory, I have several servlets... each in their own directory: myServlet1, myServlet2, etc... ${catalina.home}/myApplication/myServlet1 Inside each of these servlet directories, the classes directory is a symbolic link to ${catalina.home}/myApplication/WEB-INF/classes ... ${catalina.home}/myApplication/myServlet1/classes - ${catalina.home}/myApplication/WEB-INF/classes I am assuming that the following entry in my policy file correctly credits the same set of permissions to each of my servlets... is this a good or bad assumption? grant codeBase file:${catalina.home}/myApplication/WEB-INF/classes/- { permission java.security.AllPermission; }; My .policy file is at the very end of this message -Original Message- From: Erik Erskine [mailto:erik;sundayta.com] I'm having similar problems which I've tracked down to a bug in Tomcat 4.0 (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7319). If you're using that this may help. Basically if you have grant statements like these the jar files don't get included: grant codeBase file:/path/to/foo/- grant codeBase file:/path/to/foo.jar You have to explicitly refer to a jar file like this: grant codeBase jar:file:/path/to/foo.jar!/- Unfortuanately you get no error, it's just as if you did not specify the grant statement at all :( The file:/foo/- version does pick up class files, so you could unpack each jar file into WEB-INF/classes when you build the WAR file. Having read the bug report this seems to have been fixed in Tomcat 4.1 so I'm about to try that. Erik // // catalina.corepolicy - Security Policy Permissions for Tomcat 4.0 // // This file contains a default set of security policies to be enforced (by the // JVM) when Catalina is executed with the -security option. In addition // to the permissions granted here, the following additional permissions are // granted to the codebase specific to each web application: // // * Read access to the document root directory // // $Id: catalina.policy,v 1.14.2.1 2001/10/06 18:51:03 remm Exp $ // // == SYSTEM CODE PERMISSIONS = // These permissions apply to javac grant codeBase file:${java.home}/lib/- { permission java.security.AllPermission; }; // These permissions apply to all shared system extensions grant codeBase file:${java.home}/jre/lib/ext/- { permission java.security.AllPermission; }; // These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre grant codeBase file:${java.home}/../lib/- { permission java.security.AllPermission; }; // These permissions apply to all shared system extensions when // ${java.home} points at $JAVA_HOME/jre grant codeBase file:${java.home}/lib/ext/- { permission java.security.AllPermission; }; // == CATALINA CODE PERMISSIONS === // These permissions apply to the server startup code grant codeBase file:${catalina.home}/bin/bootstrap.jar { permission java.security.AllPermission; }; // These permissions apply to the servlet API classes // and those that are shared across all class loaders // located in the common directory grant codeBase file:${catalina.home}/common/- { permission java.security.AllPermission; }; // These permissions
Re: Ajp13Processor starting background threads under low load
One way to start debugging this type of problem is to tell the java process running Tomcat to do a Thread Stacktrace Dump. kill -QUIT java processid Then analyze the stack traces for all threads. Regards, Glenn Lindsay Patten wrote: Hi, I thought I would take a different tack on my problem with the Ajp13Processor using up all of its threads problem. Does anyone know if the Ajp13Processor has a timeout when it is looking for a worker to handle a request? If the worker threads were all swapped out and taking a long time to get going and respond, would the main thread start a new background thread instead of waiting? Or does it just have a list of available workers and blocks until the worker it selects responds? If it is the former that would explain my problem since I have experienced my processes getting swapped out and taking a long time to respond. The question would then become: is a way to specify how long the scheduler should wait before starting a new thread? At least I would have something I could take to my service provider. On the other hand if I knew for sure that the scheduler thread didn't have a timeout on worker threads than I could concentrate on looking elsewhere. Does anyone know? Or know where to look or ask short of reading the source? Thanks, Lindsay Lindsay Patten wrote: Hi, I am having a problem where tomcat keeps intermitantly starting new ajp13 processor threads, eventually it reaches the max and starts refusing connections. My hosting provider (linux machine) provides a private version of tomcat for each user with a single apache web server, there are typically a large number of processes on the machine (4000). My particular tomcat server (v4.0.3) is not being loaded at all but the ajp13processor threads don't seem to not get reused under some circumstances that I don't understand. I have added logging statements in my jsp pages and the pages appear to run to completion. Each jsp page accesses some info from a mysql db and displays it (*Summary) or takes some data from a form and sticks it in the db (Page). The system will often run for several hours and hundreds of requests without starting any threads, but then sometimes, as below, it starts new threads for almost every request for a while. Is there a way to determine if the threads are getting hung up or returned to the pool? If a thread were swapped out and taking a long time to get swapped back in would tomcat start a new thread? The ps command indicates that the processes are there and sleeping. Any help or debugging pointers would be greatly appreciated. Thanks - Lindsay 2002-10-18 03:50:45 Ajp13Processor[8085][14] Starting background thread 2002-10-18 03:50:53 Ajp13Processor[8085][15] Starting background thread 2002-10-18 03:50:59 NationalSummary start 2002-10-18 03:51:00 NationalSummary end 2002-10-18 03:51:10 DistrictSummary start 2002-10-18 03:51:10 DistrictSummary end 2002-10-18 03:51:14 Ajp13Processor[8085][16] Starting background thread 2002-10-18 03:51:14 SubdistrictSummary start 42 2002-10-18 03:51:14 SubdistrictSummary end 42 2002-10-18 03:51:23 Ajp13Processor[8085][17] Starting background thread 2002-10-18 03:51:23 PageFrame start 2002-10-18 03:51:23 PageFrame end 2002-10-18 03:51:24 Ajp13Processor[8085][18] Starting background thread 2002-10-18 03:51:24 Page start 206 2002-10-18 03:51:24 Page end 206 2002-10-18 03:53:32 Ajp13Processor[8085][19] Starting background thread 2002-10-18 03:53:32 Page start 206 2002-10-18 03:53:33 Page end 206 2002-10-18 03:53:56 Ajp13Processor[8085][20] Starting background thread 2002-10-18 03:53:56 NationalSummary start 2002-10-18 03:53:56 NationalSummary end 2002-10-18 03:54:42 Page start 206 2002-10-18 03:54:42 Page end 206 2002-10-18 03:55:06 DistrictSummary start 2002-10-18 03:55:06 DistrictSummary end 2002-10-18 03:55:24 Ajp13Processor[8085][21] Starting background thread 2002-10-18 03:55:24 NationalSummary start 2002-10-18 03:55:24 NationalSummary end 2002-10-18 03:55:34 DistrictSummary start 2002-10-18 03:55:34 DistrictSummary end 2002-10-18 03:55:41 Page start 206 2002-10-18 03:55:41 Page end 206 2002-10-18 03:56:52 Ajp13Processor[8085][22] Starting background thread 2002-10-18 03:56:52 Page start 206 2002-10-18 03:56:52 Page end 206 2002-10-18 03:58:16 Page start 206 2002-10-18 03:58:16 Page end 206 2002-10-18 03:59:31 Page start 206 2002-10-18 03:59:31 Page end 206 2002-10-18 04:00:24 Page start 206 2002-10-18 04:00:24 Page end 206 2002-10-18 04:01:34 Page start 206 2002-10-18 04:01:34 Page end 206 -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail:
Re: Best practices question
For applications which require root permissions we do the following: Apache mod_jk (non root) -AJP- Tomcat (non root) -SSL- Tomcat SOAP server (root) Any business logic which requires root permission is implemented as a SOAP web service in the SOAP server which runs as root. That SOAP server is locked down with the SecurityManager and a very strict catalina.policy. The strict policy protects us from root level exploits and from hurting ourselves. i.e. We lock down file permissions to only those files/directories which the SOAP web services need to administer. The SSL connection is further locked down with X509 certificates. Each side of the SSL connection must present a certificate that the other side has the public key for. Also the catalina.policy restricts what IP's it will allow SSL connections from. The SOAP web services also validate all input which comes from the client. Regards, Glenn Qmail List wrote: I have been wondering about this as well. Apache screams and hollers BIG_SECURITY_HOLE if you compile it with the flags allowing it to run as root. That said, I love the fact that Tomcat runs as root. It makes it easy for your webapp to do things admin applications, servers, and networks from a web interface. But at what cost? Of course it would be best to run Tomcat as nobody or tomcat user or whoever, but if your app needs some root permission at the OS level, is it OK to run as root? I'd imagine the root OK concept must be due to the underlying Java, but can't really see why or how. Anyone know? Great product this Tomcat. Kudos to all involved. - Original Message - From: Turner, John [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Thursday, October 17, 2002 1:57 PM Subject: RE: Best practices question I run Tomcat under a separate user account. I avoid running services as root whenever possible. John -Original Message- From: Randy Paries [mailto:randy.paries;unitnet.com] Sent: Thursday, October 17, 2002 1:56 PM To: 'Tomcat Users List' Subject: Best practices question Hello, I was wondering are most people starting tomcat from root, or are they doing it other ways. What is the suggestion for this. How big are the security issues if started by root Would it be ok to start it by user apache? Thanks -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: socket permission catalina.policy question
Start Tomcat with the java property -Djava.security.debug=access,failure defined, then review all the debug output. More information on how the Tomcat SecurityManager works can be found at: http://kinetic.more.net/web/javaserver/security.shtml Regards, Glenn Andrew Cheng wrote: Quick question: I have an applet that communicates with a servlet. The servlet tries to download a DTD file from a third machine. It gets a socket permission access denied exception. I have wrapped the line of code in the servlet that downloads the file with a privileged block. The line of code calls a method inside a jar file. I have used the policy tool to grant all permissions to this jar file. I have even tried granting all permissions to all code temporarily! I have made sure to use the -security option when starting tomcat. I have double checked this by looking at the log file and seeing that the security manager is being used. However, my servlet still gets a socket permission access denied exception. The file I am trying to download is definitely downloadable from the machine that the servlet is running on. Please tell me what I have forgotten to do. Thanks in advance, Andrew grant { permission java.security.AllPermission; }; grant codeBase file:${catalina.home}/_/- { permission java.net.SocketPermission _:8080, accept, connect, listen, resolve; }; grant codeBase file:${catalina.home}/_/jdom.jar { permission java.security.AllPermission; permission java.net.SocketPermission _:8080, accept, connect, listen, resolve; }; grant codeBase file:${catalina.home}/_/jdom.jar!/- { permission java.security.AllPermission; }; -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- -- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder| MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | -- -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: static rules for jk/ajp13
For Apache 1.3, mod_jk 1.2, and Tomcat 4.1 I use the following generic config on a per virtual host basis. In my case I set the server.xml Host appBase for each virtual host to their Apache Document root. VirtualHost xxx.xxx.xxx.xxx:80 DocumentRoot /path/to/apache/document/root/for/host DirectoryIndex index.html index.htm index.shtml index.jsp # ... other config directives # Automatically mounts web applications found in document root JkAutoAlias /path/to/apache/document/root/for/host # Log tomcat requests processed by mod_jk with request latency JkRequestLogFormat %w %v \%r\ %U %s %T # For JSP JkMount /*.jsp ajp13 # For Struts JkMount /*.do ajp13 # For servlets JkMount /*/servlet/ ajp13 # For the manager app JkMount /manager/* ajp13 /VirtualHost Turner, John wrote: Agreed. In my book, /servlet/* is equal to /whatever-name-you-want-to-put-here-it-doesn't-have-to-be-servlet/*. ;) I'd rather only send particular requests to Tomcat. Seems to make more sense to me that way...sending everything to Tomcat but setting up some convoluted mod_rewrite rules to get Apache to behave seems like more work, but that's me. Messing with Apache also means that you have to hurt everything else that Apache is doing to see your config changes. I haven't had much luck with apachectl graceful. At least by mapping requests to Tomcat, you can take Tomcat up and down without affecting Apache. Tastes great, less filling. :) John -Original Message- From: Milt Epstein [mailto:[EMAIL PROTECTED]] Sent: Tuesday, October 15, 2002 2:50 PM To: Tomcat Users List Subject: RE: static rules for jk/ajp13 Well, I don't want to argue either :-), but I'm not sure it's really the conventional way. It used to be -- i.e. using URLs with /servlet/ in them was the original way to invoke servlets, IIRC. But nowadays, with all the changes to the servlet spec and how servlets are defined and invoked, I believe it's out of favor, and even discouraged. And I'm not sure it's the easiest way either (of course, the question is, easiest for whom? This may be easier for the sysadmin, but then it's not necessarily easier for the developer. I'm a developer myself, and I've had some conflict with my sysadmin about things like this :-). Now, with the way things are separated with Tomcat when used in conjunction with Apache, some conflicts naturally arise. Maybe some of the future directions in how this is set up in Tomcat will ease these conflicts. And of course, easiest shouldn't necessarily be the main/only criterion to use to decide these things. Other considerations like security and user-friendliness should probably be more important. We all saw the security problem that popped up recently related to using URL's with /servlet/. Yes, I know there are ways to avoid that problem while still making use of URL's with /servlet/, but it may just be better to avoid them totally. Anyway, there's my $.02 on it :-). -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: reloading of jsp page...
If you have the develop init paramter for the JspServlet in $CATALINA_HOME/conf/web.xml set to false JSP page recompiles happen in the background no more frequently than the time set in the JspServlet init paramter checkInterval. The Context/Host reloadable flag is only for performing class reloading checks for jar's in /WEB-INF/lib and classes in /WEB-INF/classes, it does not have any affect on JSP pages. Make sure that your web browser is not showing you a cached version of the page. Regards, Glenn Padhu Vinirs wrote: Tomcat 4.1.12 I have a jsp page that compiles fine. Then I make a change and try to access the page again. The page is not recompiled. I am still getting back the old value. I do have reloadable=true for my context. I have to restart Tomcat to get the new page. Anybody else notice this ? -- padhu -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: DefaultContext vs Context
Johann Uhrmann wrote: Hi, is there a known problem / bug with defining resources in the DefaultContext? Not that I know of. I use the DefaultContext for defining a DataSource which is then available to all web applications. Check your DefaultContext config. Make sure it is located nested within a Host or Engine element. Regards, Glenn -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: How to specify the location of a properties file.
Put the properties file in the /WEB-INF/classes directory and use ResourceBundle.getBundle(foo); The name of the properties file without .properties. Regards, Glenn Niaz Habib wrote: Justin, I am facing the same problem. Your approach seems to be an elegent one. Would you mind eleborating on the idea a little bit more. Some code snippet would definitely be helpful. I thank you in advance. niaz. - Original Message - From: Justin Ruthenbeck [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Monday, October 07, 2002 4:06 PM Subject: Re: How to specify the location of a properties file. Shaun -- Consider dynamically loading the properties file from your classpath using a class loader. This way, you can put the files anywhere you please and just include that directory in your classpath (or put them someplace already in your classpath). If you need more specifics, let me know and I'd be happy to help... justin At 01:00 PM 10/7/2002, you wrote: I've got a servlet running under Tomcat and I need to read in the contents of a properties file. There will be different properties files for each system specified using an init parameter. I'm having problems reading this property file at the moment in my java class as the way I am doing it at the moment always looks where I started Tomcat from i.e the /bin directory. I can specify a full path to the file but this is not very system independent and limits me to either Windows or Unix. What I need is to specify the location of the file relative to the webapp directory. I have tried the url class but it doesn't seem to work, or maybe it is working but looking in a different place to where my properties file is. Can anyone suggest what I am doing wrong or provide any help on the use of urls in Tomcat? Thanks Shaun -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Invalid command 'JkAutoAlias'
JkAutoAlias and JkRequestLogFormat are only implemented in mod_jk 1.2 for Apache 1.3. Matt Raible wrote: I'm trying to use the JkAutoAlias directive as documented at: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/jk2/jk/aphowto.html#mod_ jk%20Directives Here's is my snippet from httpd.conf: VirtualHost * ServerName customer1.mycompany.com JkAutoAlias /usr/local/customers/tomcat1/webapps JkMount /*/do/ tomcat1 JkMount /*.do tomcat1 JkMount /*.jsp tomcat1 Alias /repository /repository/customers/customer1 Alias /assets /repository/customers/customer1/assets Alias /styles /repository/customers/customer1/styles Alias /library /repository/customers/customer1/library Alias /import /repository/customers/customer1/import Alias /export /repository/customers/customer1/export /VirtualHost But I'm getting the following error: Syntax error on line 1087 of /usr/local/apache2/conf/httpd.conf: Invalid command 'JkAutoAlias', perhaps mis-spelled or defined by a module not included in the server configuration Is this directive not allowed in a VirtualHost? Thanks, Matt -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Another Problem that annoys the hell out of me
Upgarde to the latest 2.x versions of both xerces and xalan. If this fixes the build problem then please file a bug report using bugzilla that recommends that the build docs be updated to recommend the correct versions of xerces and xalan. Glenn Chuck Carson wrote: I am using the latest xalan.jar, but I am using the latest 1.x release of xerces. AShould I use the 2.x versions of xerces? I was going with the recommended version the docs say to, which is 1.4.4 I beleive. ?? -Chuck Glenn Nielsen wrote: Check the version of xalan and xerces being used by Ant. I had similar problems with some older versions of these. I have no problem with the latest releases of both of the above. Chuck Carson wrote: Does anyone run into this problem when building on Solaris. About 75% into the build process is starts crapping out on *.xml files. For example: Docs: snip [style] Failed to process /root/TOMCAT/jakarta-tomcat-connectors-4.1.12-src/jk/xdocs/jk/neshowto.x ml BUILD FAILED file:/root/TOMCAT/jakarta-tomcat-connectors-4.1.12-src/jk/build.xml:433: Fatal error during transformation If I execute another 'ant dist' it gets past this point but fails on another xml file. I have to do this about 15 times to get a successful build. This behavior was the same under 4.0.4 thru 4.1.2. This appears consistent with some file but random with others. For example, I have seen it die on the following files more than once: faq.xml, iishowto.xml, neshowto.xml, and a few others. Anyone else see this problem? -Chuck -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- -- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder| MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | -- -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Can someone PLEASE tell me why tomcat uses so much CPU???
This sounds like the bug I fixed in Tomcat 4.1.x where infrequently I saw a POST request put Tomcat into an infinite loop. We run Apache and Tomcat on different servers. I had noticed the increased CPU usage on the Tomcat server but hadn't noticed the increased CPU usage on the Apache server. I went back and reviewed our system load history and verified that when this bug is triggered both Apache and Tomcat cause increased CPU usage. This bug was fixed in the Tomcat 4.1.x branch and I ported it back to the Tomcat 4.0.x branch. This bug fix should be in the Tomcat 4.0.5 release. Regards, Glenn Chris Read wrote: Greetings... Have you also noticed a spike in CPU usage on your Apache server running mod_jk, or your network throughput? The reason I ask is we've got a similar problem here. We've got a slightly different setup (Apache 1.3.x, mod_jk, Tomcat 4.0.3, Sun JDK 1.3.1 - all on Solaris), but the same symptoms. Basically what we're seeing is sometimes mod_jk and the AJP13 connecter get stuck in an infinite loop spewing data at each other as fast as possible (and always the same data: Tomcat asking for a BODY_CHUNK of 8186 bytes, and mod_jk replying with an empty packet). The problem will only affect one connection at a time from the pool, but will slowly step up one connection at a time. Restarting either Tomcat or Apache solves the problem, but I've not been able to find any info on this either. I've been trying for a few days to replicate the problem on demand, but no luck yet Any of this sound familiar? Chris -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Another Problem that annoys the hell out of me
Check the version of xalan and xerces being used by Ant. I had similar problems with some older versions of these. I have no problem with the latest releases of both of the above. Chuck Carson wrote: Does anyone run into this problem when building on Solaris. About 75% into the build process is starts crapping out on *.xml files. For example: Docs: snip [style] Failed to process /root/TOMCAT/jakarta-tomcat-connectors-4.1.12-src/jk/xdocs/jk/neshowto.x ml BUILD FAILED file:/root/TOMCAT/jakarta-tomcat-connectors-4.1.12-src/jk/build.xml:433: Fatal error during transformation If I execute another 'ant dist' it gets past this point but fails on another xml file. I have to do this about 15 times to get a successful build. This behavior was the same under 4.0.4 thru 4.1.2. This appears consistent with some file but random with others. For example, I have seen it die on the following files more than once: faq.xml, iishowto.xml, neshowto.xml, and a few others. Anyone else see this problem? -Chuck -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Best Practices Question
For a medium to high volume site using Apache to serve static content (static html, images, css, etc.) is: 1. Faster and more reliable (no pauses due to JVM garbage collection, etc.) 2. Takes that load off of Tomcat so it can concentrate on dynamic content. (JSPs/Servlets) 3. Allows you to do load balancing if needed. I use Apache 1.3.26 with mod_jk 1.2 and Tomcat 4.1.12. Regards, Glenn Barry Moore wrote: I have not used Tomacat in a couple years. The last time I used it, our companies policy was to integrate with Apache and get Apache to do the serving duties and just use Tomcat as the jsp processor. With Tomact 4 is this still considered a good practice for high traffic sites? Thanks, Barry __ Do you Yahoo!? New DSL Internet Access from SBC Yahoo! http://sbc.yahoo.com -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Best Practices Question
Craig R. McClanahan wrote: On Sun, 29 Sep 2002 [EMAIL PROTECTED] wrote: Kent, I think we are on the same track , Apache was designed for that purposes , is more robust and mature and certainly has less security related issues. Regarding maturity, I presume you're talking about 1.3, right? The Apache 2.0 code is quite a lot newer. The latter comment (less security related issues) has not been true lately, if you watch the security bulletins closely. Although Tomcat just had a security update, the problem was exposure of JSP source code -- substantially less of a dangerous problem than the two recent buffer overflow vulnerabilities that Apache has had (both in the last couple of months). The previous Tomcat security problem was also a source exposure issue, and was over a year ago. Thanks primarily to the Java programming language, it's pretty difficult to have the kinds of you can cause the execution of arbitrary code problems that anything written in C (including Apache's httpd server) can be subject to. No such problem has occurred in Tomcat during the four years I've been involved in it, whereas Apache and its associated modules have had several. IMHO, anyone who goes to all the extra effort of configuring Apache+Tomcat, instead of Tomcat alone, is nuts unless they need it. Valid reasons to need it include: * Tomcat standalone is not fast enough (note that this is different from a rule saying select the fastest possible solution -- that turns out not to be a requirement in every scenario). * You need the extra features that Apache provides (such as integration with existing modules). * You need to run on port 80 in an environment that requires root for this. * You already know how to configure it, so there's no extra learning curve. Blindly installing Apache+Tomcat because that's the thing to do is a waste of effort in many scenarios. Blindly using Tomcat to serve static HTTP content for a production system is not the thing to do either. 1. Tomcat running within a JVM is much more brittle than Apache. Apache can run for years w/o a problem. I don't think anyone can say the same for Tomcat, I can't. And this isn't necessarily something specific to Tomcat, it is due to the nature of how the JVM works and how well the applications deployed are written and tested. With Apache in front of Tomcat serving static content, if Tomcat fails (and it will) at least your static pages can still be served. I have never gotten a run time with Tomcat of more than four weeks on a production system before it failed, even with Apache serving static content. 2. Tomcat can cause random latency problems handling requests. Whenever the JVM does garbage collection Tomcat freezes. GC can take only a few seconds now and then on a well tuned system. But that isn't guaranteed, sometimes it can take 10's of seconds. Meanwhile requests are stacking up waiting for Tomcat to serve them. This then causes a cascading effect significantly increasing the number of Processors required and load on the system due to Tomcat. 3. Putting Apache in front to serve static content allows you to take some of the load off of Tomcat, letting it do what it does best, dynamic content. 4. If your site gets hit by the SlashDot affect for a dynamically generated page Tomcat could very easily get overloaded, you could temporarily change that page to a static one served by Apache. (I have had to do this) Apache will handle spikes in traffic much better than Tomcat. 5. And if traffic increases you can setup Apache to do load balancing with multiple Tomcat instances. In the end, it all comes down to testing your site prior to putting it in production and choosing the architecture best suited for your site. It can be very difficult to simulate a production load, and it needs to be done over weeks, not just hours. Regards, Glenn -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Can someone PLEASE tell me why tomcat uses so much CPU???
You may want to start Tomcat with the java -verbose:gc arg next time. Information about TC including how long it took will be sent to stdout. This behaviour could be related to your JVM memory configuration/stack usage and garbage collection. Brandon Cruz wrote: Mike, Thanks for answering. I'm using Sun's JDK 1.3.1_01. We have been running this in production for over year and I think we have always had the problem. Since 3.2.4 requires restart whenever a web application is changed, it used to just get restarted often enough so that nobody ever noticed. There are enough people using the application now that it is becoming more and more noticable. I'm afraid that we are getting close to a point where it will be necessary to restart tomcat every day. It also slowly increases the amount of RAM it uses, but that's a whole different story and I just want to find out one answer at a time. Has anyone else experienced this and found a resolution to the problem? I have seen many posts but no answers... -Original Message- From: Mike Jackson [mailto:[EMAIL PROTECTED]] Sent: Monday, September 30, 2002 3:45 PM To: Tomcat Users List; [EMAIL PROTECTED] Subject: RE: Can someone PLEASE tell me why tomcat uses so much CPU??? What jdk are you using? I use suse 8, tomcat 3.3.x, apache 1.3.x, mod_jk, etc with IBM's 1.3 jdk and don't experience anything like that. --mikej -=- mike jackson [EMAIL PROTECTED] -Original Message- From: Brandon Cruz [mailto:[EMAIL PROTECTED]] Sent: Monday, September 30, 2002 1:57 PM To: Tomcat Users List Subject: Can someone PLEASE tell me why tomcat uses so much CPU??? Hi, I am using tomcat 3.2.4, mod_jk, apache 1.3.x, linux redhat 7.1. The java processes slowly take more and more CPU power. After about a day, java is taking 15% CPU, after two days, about 30% of a 1GHZ CPU, etc. If I leave it running for more than three or four days, everything is VERY slow. Does anyone know why this happens and if it is normal? I have not been able to find an answer to this anywhere! Brandon -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Documentation
Robert L Sowders wrote: Since most of the questions to tomcat-users list concern installation and configuration issues it demonstrates that there is a real need for Tomcat to have a documentation project that it's users can contribute to. Right now most of the documentation consists of the xdocs which are pretty good, but can be so much more. The developers obviously have little time to maintain the present documentation and there is such an apparent need that I wonder why a project for the documentation has not been started. I would tend to agree with the above, those writing the code either don't have the inclination or time to write up good documentation. Have you looked at the latest docs for Tomcat 4.1? Much better jk documentation, existing docs updated, and even some new documents at: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/index.html Regards, Glenn -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat 4.1.12 memory leak, resources leak, what to do ?
Have you used the java arg -verbose:gc to track JVM memory usage? top won't tell you whether you have a memory leak because of how the JVM manages its own memory internally. The amount of memory the JVM uses will grow until it reaches the maximum size set for its stack. Then it will do a garbage collection to free up internal memory, but it _never_ returns that memory to the system. Starting Tomcat with the java arg -verbose:gc will output data about the JVM's memory usage and garbage collection. top is useless for evaluating whether there is a memory leak in a java process. No determinations can be made whether there is or is not a memory leak based on its output. If you want to get serious about understanding what is happening within the JVM regarding memory usage then profile your installation with a tool like OptimizeIt or JProbe. Regards, Glenn Shapira, Yoav wrote: Hi, - What I am doing is http://localhost:8080/ and keep refreshing that with F5 - I am NOT testing my own servlet. I am NOT doing anything else !!! I monitor memory usage using top and sorting the results by memory. I am looking at the SIZE column. What I get is an EVER INCREASING memory usage. Something like 30212 30220 31016 31040 31576 Why is that necessarily a leak??? The JVM will allocate as much memory as it wants even for identical resources, up to when a GC is needed. As long as this is all you're doing, it could go up to close to 64MB (the default limit), before everything will be GCed. Did you try going up that high? I wouldn't rush to put in a bug for this ;) Yoav Shapira Millennium ChemInformatics This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: How many people are using 4.1.12 successfully?
The discussion regarding Tomcat 4.1.12 was not related to its stability. I have been using Tomcat 4.1.x in production for over 6 months (but still with Jasper1), and recently upgraded to Jasper 2. IMHO, Tomcat 4.1.x is a much better container for production than 4.0.x. All of the issues raised were about some minor differences in behaviour. Not about stability. Tomcat 4.1.x has been rock solid for me in production on a site that heavily uses JSP pages and has 500k page views per month. Install and test your app in Tomcat 4.1.12. Your app and config may not even notice the difference, or at most there may be a couple of issues to resolve. And if you use JSP with custom tags Jasper2 can really improve performance. Regards, Glenn Turner, John wrote: Hello - We're almost ready to deploy a new app. We have been using 4.0.4 in development. I need to get an idea of how stable 4.1.12 is...based on the traffic in the last week, 4.1.12 looks to be fairly unstable, regardless of its 'release' designation. Should we stick with 4.0.4, or take the plunge with 4.1.12? We will be using Apache with a connector in addition to Tomcat. - John John Turner [EMAIL PROTECTED] Advertising Audit Service http://www.aas.com -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: HOW TO: How do I allocate memory in JVM for extra virtual hosts
Brad Plies wrote: I am not aware of all the performance implications of this, but it should be possible to create a Thread to run on some interval you define which just infinitely loops a call for garbage collection (gc() right?) then goes back to sleep until next iteration. This is a very bad idea. The JVM is much better at knowing when and how to do GC. Especially the newer JVM's with HotSpot. Regards, Glenn -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: DBCP pool always increasing
I checked the catalina code and you are correct. My mistake. I use DBCP with it configured for RemoveAbandoned using MySQL. And it works for me. The config below and the code snippet looks ok. I would suspect it has something to do with the JDBC driver. Perhaps you should try the same code and config (except for db specific config stuff) and see if it works. If it does, then the problem is rleated to the JDBC driver for SQLServer. Regards, Glenn Dennis Muhlestein wrote: I was under the impression also that the BasicDataSourceFactory is a default. On Wed, 2002-09-25 at 04:46, Glenn Nielsen wrote: Your config isn't configured to use DBCP. It is missing the following: parameter namefactory/name valueorg.apache.commons.dbcp.BasicDataSourceFactory/value /parameter That is why none of the DBCP features were working. Glenn Amitabh Dubey wrote: This is what my final working server.xml file looks like Resource name=SQLServerDS scope=Shareable type=javax.sql.DataSource/ ResourceParams name=SQLServerDS parameter nameurl/name valuejdbc:microsoft:sqlserver://dnas07:1113;DatabaseName=NorthWind/value /parameter parameter namevalidationQuery/name value/value /parameter parameter namemaxIdle/name value3/value /parameter parameter namemaxActive/name value5/value /parameter parameter namedriverClassName/name valuecom.microsoft.jdbc.sqlserver.SQLServerDriver/value /parameter parameter namemaxWait/name value6000/value /parameter parameter nameremoveAbandoned/name valuetrue/value /parameter parameter nameuser/name valuesa/value /parameter parameter nameremoveAbandonedTimeout/name value5/value /parameter parameter namepassword/name valuesa/value /parameter /ResourceParams And this was my test program try { // assumes jndi.properties has been configured appropriately Context initCtx = new InitialContext(); Context envCtx = (Context) initCtx.lookup(java:comp/env); // Get a Connection DataSource ds = (DataSource) envCtx.lookup(jndiName); Connection con = null; Statement st = null; ResultSet res = null; ResultSetMetaData meta = null; try { con = ds.getConnection(); st = con.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); res = st.executeQuery(sql); meta = res.getMetaData(); int cols = meta.getColumnCount(); // since this is a scrollable ResultSet, // do something a little strange... while (!res.isLast()) { res.next(); for (int i=1; i=cols; i++) { Object val = res.getObject(i); System.out.print(\t + meta.getColumnLabel(i) + : ); System.out.print(val == null ? : val.toString()); } System.out.print(\n); } } catch (SQLException sqle) { sqle.printStackTrace(); } finally { // PoolMan closes ResultSets and Statements whenever // Connections are closed, no need for it here if (null != res) { try { res.close(); } catch(SQLException e) { } } if (null != st) { try { st.close(); } catch(SQLException e) { } } if (con != null) { try { con.close(); } catch (SQLException sqle2) { } } } } catch (javax.naming.NameNotFoundException nne) { System.out.println(ERROR: No DataSource is registered under the name + jndiName
Re: Tomcat 4.1.12 memory leak
The easiest way to track JVM garbage collection is to start java with the -verbose:gc arg. This enables GC data output to stdout. Regards, Glenn Raj Saini wrote: I am experiencing the same problem with tomcat 4.0.3. I have my JVM memory setting as -Xms=32 -Xmx=384 and running the tomcat on Sun Solaris 2.7, integrated with Apache 1.3.x through warp connector. I have a JSP page monitoring the memory consumption at http://www.emerging-trade.pt/servlets/memory.jsp, The memory consumption pattern of the JSP shows the GC runs as you can see the increase/decerece in the free memory of the current heap size. Raj Saini Raj Saini - Original Message - From: Tim Funk [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Thursday, September 26, 2002 2:29 PM Subject: Re: Tomcat 4.1.12 memory leak Each request allocates memory. (And relinquishes accordingly) The garbage collector runs when it feels like it should. The JVM will continually suck up memory until it reaches its startup parameters. (-mx ...) Once a JVM takes memory from the OS - it does not release it to the OS - it only releases it to its own memory heap. Ing. Damiano Bolla wrote: System: Linux redhat 7.2 Java: /usr/local/j2sdk1.3.1 Tomcat 4.1.12 To reproduce the behaviour you install the 4.1.12 distribution, set the JAVA_HOME run startup.sh and then keep refreshing the homepage http://localhost:8080/ If you monitor the memory usage using top and switching it into display memory usage (Capital M) you sull see tipically something like 22824 22832 22840 23576 23676 23684 23904 23908 23934 23938 . This is the SIZE field of the top command. The point is that it never goes down and eventually you run very slowly. Any idea ? Ah, the same behaviour is with jdk 1.4.1 Damiano -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: DBCP pool always increasing
) { System.out.println(ERROR: You cannot execute the DataSource example with + the security permissions you are using. Try using the + poolman.policy file: + java -Djava.security.policy=../lib/poolman.policy PoolManSample.\n); return ae.getMessage(); } I was facing the problem, when i was not explicitly closing the resultset and statement. but if i do, then the connections are reused and the pool grows correctly. But the removeabandoned definitly does not work with Tomcat 4.1.2. I am using this in a webservice and Tomcat 4.1.2 came packaged with the jwsdk from sun. if i find tomcat bugy, i might downgrade. Amitabh -Original Message- From: Glenn Nielsen [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 24, 2002 11:04 PM To: Tomcat Users List Subject: Re: DBCP pool always increasing In the config you posted you didn't have RemoveAbandoned configured, by default is is set to false. You also didn't set the maxActive, by default I believe it is unlimited. An example of your code which uses the JNDI named datasource would also be helpfull in debugging these type of problems. Regards, Glenn Amitabh Dubey wrote: I used performance monitor to view the number of user connections to the database. Although i was closing the connection in my client code, the pool size / connections to the database were always increasing. Given that i was executing only one program at a time, i would expect that this number not go on increasing. So i closed not only the connections, but resultset and statements as well. This solved my problem. However, the tomcat dbcp documentation suggests that we have a removeAbandoned and the timeout for this property also set. My remove abandones was set to true and the timeout value was 5 secs. But these values seem to be ignored. So the only sure way out is to close everything explictly. Amitabh -Original Message- From: Glenn Nielsen [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 24, 2002 7:22 PM To: Tomcat Users List Subject: Re: DBCP pool always increasing What do you mean by your pool is increasing in size? That the number of open connections to the db is increaing? What is the indicator that this is happening? The more specific you can be the better chance that someone can answer your question. Glenn Amitabh Dubey wrote: Hello All, I managed to use DBCP with SQL Server and am able to get connections from the pool. After i execute my query, i close the connection also, but it is going back to my pool and i have verified that. However, what I do not understand is this : Why does the pool go on increasing and never decreasing in size. This is what my server.xml looks like ResourceParams name=SQLServerDS parameter namevalidationQuery/name value/value /parameter parameter nameuser/name valuesa/value /parameter parameter nameurl/name valuejdbc:microsoft:sqlserver://dnas07:1113;DatabaseName=NorthWind/value /parameter parameter namepassword/name valuesa/value /parameter parameter namemaxActive/name value3/value /parameter parameter namemaxWait/name value120/value /parameter parameter namedriverClassName/name valuecom.microsoft.jdbc.sqlserver.SQLServerDriver/value /parameter parameter namemaxIdle/name value5/value /parameter /ResourceParams If i understand the parameters correctly, then maxActive -- Maximum number of connections allowed to the database (What happens when this number is reached? For me i get a new connection and the pool increases. Is this the expected behavior? Can i change it to fail or block instead?) maxidle -- Maximum number of idle connections that the pool should hold (For me my pool never goes down to this limit) maxWait -- Maximum time to wait for a dB connection to become available in ms. removeAbandoned -- recycle connections if the removeAbandonedTimeout is reached and the connection is idle. in our case it is true. removeAbandonedTimeout -- 5 If i am correct, why is my pool growing forever and not reducing in size? Any ideas? Amitabh -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail
Re: code separation with apache virtual hosts - tomcat hosts
There is a clear separation for the web applications themselves. There isn't when you allow the different virtual hosts to use the manager to deploy web applications. I would configure a different appBase for each Host, that way each host has a separate directory where their webapps are located and you won't run into one host stepping on another when deploying applications. Regards, Glenn Chris Price wrote: Hi; I have a system running Apache 1.3.26, mod_jk and Tomcat 4.1.12. Apache has a number of name-based virtual hosts confgured, of which 2 are setup to route jsp and servlet requests to a ajp13 connector (called 'ajp13'). ajp13 is setup to use a single tomcat instance running on localhost at port 8009. Tomcat itself is setup with seperate Host ... /Host for each of the two corresponding front-end apache virtual hosts. My Question; What kind of code seperation does the Tomcat Host../Host facility provide? In other words; what (if any) kind of safety and security mechanisms exist to ensure that code running under Host name=www.a.com .../Host from Host name=www.b.com .../Host I found the following excerpt in the Tomcat 3.2 doumentation; We want different virtual hosts served by different Tomcat processes to provide a clear separation between sites belonging to different companies Can anyone explain what this means? Cheers TIA Chris -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: DBCP pool always increasing
What do you mean by your pool is increasing in size? That the number of open connections to the db is increaing? What is the indicator that this is happening? The more specific you can be the better chance that someone can answer your question. Glenn Amitabh Dubey wrote: Hello All, I managed to use DBCP with SQL Server and am able to get connections from the pool. After i execute my query, i close the connection also, but it is going back to my pool and i have verified that. However, what I do not understand is this : Why does the pool go on increasing and never decreasing in size. This is what my server.xml looks like ResourceParams name=SQLServerDS parameter namevalidationQuery/name value/value /parameter parameter nameuser/name valuesa/value /parameter parameter nameurl/name valuejdbc:microsoft:sqlserver://dnas07:1113;DatabaseName=NorthWind/value /parameter parameter namepassword/name valuesa/value /parameter parameter namemaxActive/name value3/value /parameter parameter namemaxWait/name value120/value /parameter parameter namedriverClassName/name valuecom.microsoft.jdbc.sqlserver.SQLServerDriver/value /parameter parameter namemaxIdle/name value5/value /parameter /ResourceParams If i understand the parameters correctly, then maxActive -- Maximum number of connections allowed to the database (What happens when this number is reached? For me i get a new connection and the pool increases. Is this the expected behavior? Can i change it to fail or block instead?) maxidle -- Maximum number of idle connections that the pool should hold (For me my pool never goes down to this limit) maxWait -- Maximum time to wait for a dB connection to become available in ms. removeAbandoned -- recycle connections if the removeAbandonedTimeout is reached and the connection is idle. in our case it is true. removeAbandonedTimeout -- 5 If i am correct, why is my pool growing forever and not reducing in size? Any ideas? Amitabh -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: DBCP pool always increasing
In the config you posted you didn't have RemoveAbandoned configured, by default is is set to false. You also didn't set the maxActive, by default I believe it is unlimited. An example of your code which uses the JNDI named datasource would also be helpfull in debugging these type of problems. Regards, Glenn Amitabh Dubey wrote: I used performance monitor to view the number of user connections to the database. Although i was closing the connection in my client code, the pool size / connections to the database were always increasing. Given that i was executing only one program at a time, i would expect that this number not go on increasing. So i closed not only the connections, but resultset and statements as well. This solved my problem. However, the tomcat dbcp documentation suggests that we have a removeAbandoned and the timeout for this property also set. My remove abandones was set to true and the timeout value was 5 secs. But these values seem to be ignored. So the only sure way out is to close everything explictly. Amitabh -Original Message- From: Glenn Nielsen [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 24, 2002 7:22 PM To: Tomcat Users List Subject: Re: DBCP pool always increasing What do you mean by your pool is increasing in size? That the number of open connections to the db is increaing? What is the indicator that this is happening? The more specific you can be the better chance that someone can answer your question. Glenn Amitabh Dubey wrote: Hello All, I managed to use DBCP with SQL Server and am able to get connections from the pool. After i execute my query, i close the connection also, but it is going back to my pool and i have verified that. However, what I do not understand is this : Why does the pool go on increasing and never decreasing in size. This is what my server.xml looks like ResourceParams name=SQLServerDS parameter namevalidationQuery/name value/value /parameter parameter nameuser/name valuesa/value /parameter parameter nameurl/name valuejdbc:microsoft:sqlserver://dnas07:1113;DatabaseName=NorthWind/value /parameter parameter namepassword/name valuesa/value /parameter parameter namemaxActive/name value3/value /parameter parameter namemaxWait/name value120/value /parameter parameter namedriverClassName/name valuecom.microsoft.jdbc.sqlserver.SQLServerDriver/value /parameter parameter namemaxIdle/name value5/value /parameter /ResourceParams If i understand the parameters correctly, then maxActive -- Maximum number of connections allowed to the database (What happens when this number is reached? For me i get a new connection and the pool increases. Is this the expected behavior? Can i change it to fail or block instead?) maxidle -- Maximum number of idle connections that the pool should hold (For me my pool never goes down to this limit) maxWait -- Maximum time to wait for a dB connection to become available in ms. removeAbandoned -- recycle connections if the removeAbandonedTimeout is reached and the connection is idle. in our case it is true. removeAbandonedTimeout -- 5 If i am correct, why is my pool growing forever and not reducing in size? Any ideas? Amitabh -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: nullpointerexception jdbcstore
A patch to fix the JDBCStore null pointer bug has been committed to CVS. It was too late to make it into the Tomcat 4.1.11 release done this morning. But will be available in the next nightly build or you can wait for the Tomcat 4.1.12 release. Regards, Glenn Ronald Klop wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello, Robert L Sowders wrote: | Did you cross post this to the tomcat-dev list? Anyway the PR states it | affects 4.1.10 but your statements in the explanation pertain only 4.0.4. | | Which way is it? I first reported it for 4.0.4, but it wasn't fixed in 4.1.10, so I changed that. To make clear that the bug was still there. I didn't cross-post this to the -dev list. I don't know the policies about that in these mailinglists yet. If -dev is for developers only or for all talk about development. And I was thinking that most developers wil be subscribed to both lists anyway. | It doesn't look like it's gotten much attention in any case. | Perhaps you need to freshen it to bring it to the top again. That is what I'm trying to do with this mail, but I wil try to get some attention to it later today on the -dev list. I hope it wil be used. I have found more bugs which are easy to fix (NPE-stuff, etc.), but I don't want to spent time for fixing it if the fixes aren't used (or rejected with good reasons). Ronald Klop. | | Ronald Klop [EMAIL PROTECTED] | 09/18/2002 01:39 AM | Please respond to Tomcat Users List | | | To: [EMAIL PROTECTED] | cc: | Subject:nullpointerexception jdbcstore | | Hello, | | On September 4th I reported bug 12286 with a fix included. Is somebody | planning to commit this? What is the normal time before fixes get into | the tree and is there something more I have to do to get this committed? | | Greetings, | | Ronald. | | -- | ~ Ronald Klop | ~ Amsterdam, The Netherlands - -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] - -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] - -- ~ Ronald Klop ~ Amsterdam, The Netherlands -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE9iGkEPgc4rWsY77MRAqypAJwO9bbtE7YFv2LkoL9hLpgo0lMuTgCfaSSz lmiu+1uha8cKJIR3AZyY8XM= =ZzxS -END PGP SIGNATURE- -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Jasper 2, production configuration, problem with development=false
) at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:472) at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:496) -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- -- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder| MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | -- -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Directory layout - virtual hosts in tomcat
I also use mod_jk 1.2 with virtual hosting and allow the appBase for Tomcat to be the document root for apache. I use JkAutoAlias. It will automatically serve static files for any webapp and return a 403 error if someone tries to access a webapps /WEB-INF or /META-INF directories. See the docs here and search for JkAutoAlias: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/jk2/jk/aphowto.html This works great for me. Regards, Glenn mdevin wrote: Hi all, I am looking for some advice regarding the usual directory layout for Virtual Hosts and tomcat. Currently I have a working setup of apache and tomcat using mod_jk. I have set things up the way that tomcat seems to prefer (or what others seem to have done based on the documentation I could find). Essentially, I have apache and tomcat both using the same document root so that apache will serve any static html pages and tomcat will do the jsp and servlet stuff. However, I am concerned that from a security point of view, this may not be the best option. In particular, this means that my cgi-bin directory comes below my document root and I have to explicitely deny access to the WEB-INF directory. Anyway, I am a little confused as to the best way to go in terms of security and at the same time most easily separable into Virtual Hosts so that different people can work on their own projects without interfering with others. Any suggestions welcome. In particular, I am interested in how others have set up virtual hosts for tomcat. Regards. Mark. Currently each of my Virtual Hosts has the following directory layout: /www/hostname/- all static html files - also appBase to tomcat host /cgi-bin/- perl cgi scripts etc. I have configured Virtual hosts like follows in apache: ... cut ... VirtualHost * ServerName www.myhost.com ServerAdmin [EMAIL PROTECTED] DocumentRoot /www/myhost JKMount /servlet/* ajp13 JKMount /*.jsp ajp13 Directory /www/myhost/ AllowOverride None Options Indexes Order Deny,Allow Allow from all /Directory ScriptAlias /cgi-bin/ /www/myhost/cgi-bin/ Directory /www/myhost/cgi-bin/ Allow from all Options ExecCGI /Directory Location /WEB-INF/ deny from all /Location Location /META-INF/ deny from all /Location /VirtualHost And I have the following in my server.xml file: ... cut ... Service name=Tomcat-Apache Connector className=org.apache.ajp.tomcat4.Ajp13Connector port=8009 minProcessors=5 maxProcessors=75 enableLookups=true acceptCount=10 debug=0/ Engine name=Tomcat-Apache defaultHost=localhost debug=0 Logger className=org.apache.catalina.logger.FileLogger prefix=catalina_log. suffix= timestamp=true/ Realm className=org.apache.catalina.realm.MemoryRealm / ...... ... snip localhost section ... ...... !-- www.myhost.com VirtualHost -- Host name=www.multistep.info debug=0 unpackWARs=false Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=myhost_access_log. suffix= pattern=common / Logger className=org.apache.catalina.logger.FileLogger directory=logs prefix=myhost_log. suffix= timestamp=true/ Context path= docBase=/www/myhost crossContext=false debug=0 reloadable=true / /Host /Engine /Service /Server -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: TOMCAT 4.1.0 and JIKES
[EMAIL PROTECTED] wrote: Hello, I would like to use Jikes with Tomcat. There is in the documentation of Tomcat: If you wish to use Jikes to compile JSP pages: Download and install jikes. Set the init parameter compiler to jikes. Define the property -Dbuild.compiler.emacs=true when starting Tomcat. If you get an error reporting that jikes can't use UTF8 encoding, try setting the init parameter javaEncoding to ISO-8859-1. I thus downloaded Jikes 1.16 at IBM I added it to the CLASSPATH Then, in $CATALINA_HOME/conf/web.xml I added these lines: servlet servlet-namejsp/servlet-name servlet-classorg.apache.jasper.servlet.JspServlet/servlet-class init-param param-namejspCompilerPlugin/param-name param-valueorg.apache.jasper.compiler.JikesJavaCompiler/param-value /init-param init-param param-namelogVerbosityLevel/param-name param-valueWARNING/param-value /init-param load-on-startup3/load-on-startup /servlet The documentation in the Tomcat 4.1.10 CATALINA_HOME/conf/web.xml is wrong. Jasper 2 in Tomcat 4 no longer uses the jspCompilerPlugin init parameter. You must use the compiler init parameter and set it to jikes. After I do not understand documentation: Define the property -Dbuild.compiler.emacs=true when starting Tomcat. Add -Dbuild.compiler.emacs=true to your CATALINA_OPTS env variable. This changes how jikes outputs error message so that Jasper can tell you what line number in your JSP the error occurred in. If you get an error reporting that jikes can't use UTF8 encoding, try setting the init parameter javaEncoding to ISO-8859-1. The new documentation on the jakarta site for Jasper is written based on the current source in CVS. There was a bug in the Tomcat 4.1.10 release and Jasper 2 which caused it to not use the javaEncoding you set in the init paramter. If you are having problems with jikes and encoding you will either have to use the nightly Tomcat 4.1.x build or wait for the next Tomcat 4.1.11 release. Can somebody help me? (If you are French, answer me of French) (Si vous êtes français, répondez moi en français) Thank you in advance. Greetings. Ch.BAROIN -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Bug in 4.1.10?
Create the directory temp in your CATALINA_HOME if it doesn't exist. Miguel Angel Mulero Martinez wrote: I just have joining to he list, and I have searched in the old messages but I haven't found this: I have installed the new Tomcat 4.1.10, under Win2000. My problem is that if I execute it like a windows service, Tomcat give me errors compiling any JSP because it don't find the classes under WEB-INF/classes or WEB-INF/lib. If I execute tomcat in the command line (catalina start), all works perfectly. If after execute from the command line, I stopped it and start Tomcat like a service, now it works but only the pages visited when I started it from the command line (pages already compiled). A friend of mine has the same problem. Someone with win2000, JDK 1.4.0_01 has tried tomcat like a service? Thanks!! -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat shared libraries
Craig R. McClanahan wrote: Tomcat 3.2 used CLASSPATH the way you are asking for. It resulted in CLASSPATH problems being the second largest catecategory of user problems (behind configuring web connectors, but only barely). Tomcat 3.3 and 4.x ignore CLASSPATH, and this category of user problems has basically vanished. Sounds like a smart move to me (especially since that was my choice, and I've adamantly resisted the idea of regressing back ever since). By the way, symlinks are the right answer to your dilemma (from common/lib to wherever the legacy JAR files are. There is one potential problem with using symlinks, they won't work with the Java SecurityManager for setting a security policy. Perhaps installing those jars in $JAVA_HOME/jre/lib/ext would work. That would be common across all the platforms. Craig McClanahan On Wed, 11 Sep 2002, Herrick, Rick wrote: Date: Wed, 11 Sep 2002 05:29:12 +0200 From: Herrick, Rick [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: Tomcat shared libraries I'm currently in the process of developing a web application with Tomcat as the default reference platform. Although we'll support running with BEA, JRun, etc., our installer app will install and modify settings only if you're installing for Tomcat. I have to make a decision on how to proceed with our installer and really need to understand this problem. Now the problem is this: Tomcat doesn't use libraries from anywhere but within its scope. That is, it ignores the system classpath in its default configuration. I've read the class loader how-to (which isn't really a how-to, but whatever), and also worked with it for quite some time, so I understand pretty well how it works. Basically your classes and JARs need to be placed somewhere within the context of Tomcat: WEB-INF\classes, WEB-INF\lib, $CATALINA_HOME/common/classes, $CATALINA_HOME/common/endorsed/*.jar, $CATALINA_HOME/common/lib/*.jar, $CATALINA_HOME/shared/classes, and $CATALINA_HOME/shared/lib/*.jar. The problem is that this is a strictly web app-centric view of the world. In fact, many of the libraries that we need to use from within our web app are standard class libraries that other non-web applications need to use, such as our main server product, our non-web client applications, development tools, and so on. This leaves me three choices: * Replicate the libraries in two places, one for non-web apps and one for web apps (this solution, BTW, has to be cross-platform capable, so using links is out). This is less than desirable because of the maintenance problem with controlling versions. * Place the primary libraries within the Tomcat context and refer the other applications to that location. This doesn't work both for legacy and upgrade reasons (i.e. if you've already got a server installed, it expects to find its support libraries in a particular place and not have them moved over to another location) and because it's nonsensical for a non-web-based application to refer to an app server's repository. * Mung around with the batch files and add the required directories to the classpath for Tomcat. I do the third. This works just dandy: my required libraries remain in their central product-centric location, everyone can find what they need, and there's only one version of the libraries around (well, it's a development machine, so of course there's about 10 versions of every library around, but *I* know where they are :^). I browsed through the archives of this list and found the following quote: From http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg64144.html: How do I add an existing jar to a servlet's classpath, if that jar doesn't want to live under WEB-INF/lib? (I ultimately asked this here, and got a solid you can't response, so I'm satisfied. However, I've seen this asked here often, so it'd make a great FAQ submission.--Paul Brinkley My question is, why is this so? Why is it that you can't? Since I know you can in practice (by setting the CLASSPATH sometime after setclasspath.bat nukes the system classpath or by removing setclasspath.bat altogether), the prohibition seems arbitrary. Is there a security issue with Tomcat doing class loading outside of the Tomcat context? It seems to me that it's mainly due to a provincial view of a web app as a self-contained entity, but in reality most of the people I know writing web apps nowadays are running into *exactly* this sort of issue again and again. So to make our installer work, at this point I'm actually moving the existing setclasspath.bat file to some tmp name and creating a new one that sets the CLASSPATH to what we need. Is there any problem with this other than it's not cool to monkey with another product's settings? Thanks for getting through all this! Any help or explanation is greatly appreciated. Rick Herrick, senior software engineer CIS/TM (303) 362-4892
Re: Multiple instances of Tomcat
Use Object Relational Bridge: http://jakarta.apache.org/ojb/ You can run it on a seperate system and use it to persist objects for all three instance of Tomcat. Regards, Glenn Santosh Kulkarni wrote: Hi, I have multiple instances of Tomcat4.0.3, say, TC1, TC2, TC3 running on different m/c's and all these are talking to the same database. I have some application objects stored in each instance. My requirement: When I refresh an app object say app1 in TC1, I want to refresh this object in TC2 and TC3 too. These app objects store same data from the DB, but are specific to that tomcat instance. How do I achieve this ? Any pointers to this are highly appreciated. TIA Santosh __ Yahoo! - We Remember 9-11: A tribute to the more than 3,000 lives lost http://dir.remember.yahoo.com/tribute -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: POST request processing failure
Hah! Back many months ago the problem you are reporting would cause an infinite loop in the Processor. So I fixed the infinite loop bug and added code to report when these POST problems occur. I don't know what the source of the problem is, perhaps the remote client is aborting the connection before the POST completes? If you find out the source of the problem please let me know! Regards, Glenn Rossen Raykov wrote: I have Tomcat 4.0.4/Struts 1.0.2 with Apache 1.3.26 connected by mod_jk/1.2.0, ajp13 protocol, running on Sparc Solaris 8. The problem that I have is that from time to time there are 500 errors in my Apache log. The corresponding error on Tomcat side is: java.lang.RuntimeException: Read of HTTP Request POST parameters failed: read content length A complete trace is included in the bottom of the e-mail. This only happens during POST request. According to the log it happened with many different browsers including MSIE 5 and 6 and different Netscape flavors, that's why I believe this is not a browser related issue. The logged posted data size is either 4276 or 1024 bytes and the reported time processing varies from 1 to more than 7000 seconds! I saw some similar postages but without any useful answers or comments. Is that a known/common bug and is there any solution for it? Regards, Rossen --- COMPLETE ERROR TRACE - java.lang.RuntimeException: Read of HTTP Request POST parameters failed: read content length at org.apache.catalina.connector.HttpRequestBase.parseParameters(HttpRequestBas e.java:658) at org.apache.catalina.connector.HttpRequestBase.getParameterNames(HttpRequestB ase.java:723) at org.apache.catalina.connector.RequestFacade.getParameterNames(RequestFacade. java:165) at org.apache.struts.util.RequestUtils.populate(RequestUtils.java:743) at org.apache.struts.action.ActionServlet.processPopulate(ActionServlet.java:20 61) at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1564) at org.apache.struts.action.SecureActionServlet.process(D:/CvsProjects/StrutsEx tTry/src/org/apache/struts/action/SecureActionServlet.java:97) at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510) at javax.servlet.http.HttpServlet.service(HttpServlet.java:760) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:247) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:243) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:190) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase .java:475) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:2 46) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180 ) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve. java:170) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170 ) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :174) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66)
Re: POST request processing failure
I fixed the nasty infinite loop bug but there is still a periodic failure happening during POST's. I don't know if the failed POST's are a mod_jk bug or a problem with the remote clients HTTP POST. It happens infrequently. I just haven't had the time to try and track it down any further. What I saw was the mod_jk side kept the socket open but never completed sending the post data that was set in the content length. This left the Processor in an infinite loop trying to read from the socket. On the mod_jk side it can detect when the remote client goes away, it then closes the connection it has to Tomcat. Which would then cause the AJP Processor read to fail. Regards, Glenn Rossen Raykov wrote: I suspected that this may be related to that old issue since it disappeared after the upgrade to 4.0.4. I believe it is connected to the ajp13 protocol but I can not prove it. The strangest thing is the length of the posted request - it is always power of 1K. BW you said that you fix the Processor but how you are detecting that the connection to the httpd is closed without any changes in the C binary? As I remember in the old version of this bug there was an infinite data exchange between the httpd and Tomcat. At that time trus was reporting something like: 0.0703 recv(26, 0xFFBEE4A0, 4, 0) = 4 0xFFBEE4A0: A B\003 0.0710 recv(26, 0x0025D888, 3, 0) = 3 0x0025D888: 061FFA 0.0715 send(26, 0x0025F890, 4, 0) = 4 0x0025F890: 12 4\0\0 0.0720 recv(26, 0xFFBEE4A0, 4, 0) = 4 0xFFBEE4A0: A B\003 0.0723 recv(26, 0x0025D888, 3, 0) = 3 0x0025D888: 061FFA 0.0727 send(26, 0x0025F890, 4, 0) = 4 Was this completely because tomcat connector only? Regards, Rossen -Original Message- From: Glenn Nielsen [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 11, 2002 11:06 AM To: Tomcat Users List Subject: Re: POST request processing failure Hah! Back many months ago the problem you are reporting would cause an infinite loop in the Processor. So I fixed the infinite loop bug and added code to report when these POST problems occur. I don't know what the source of the problem is, perhaps the remote client is aborting the connection before the POST completes? If you find out the source of the problem please let me know! Regards, Glenn Rossen Raykov wrote: I have Tomcat 4.0.4/Struts 1.0.2 with Apache 1.3.26 connected by mod_jk/1.2.0, ajp13 protocol, running on Sparc Solaris 8. The problem that I have is that from time to time there are 500 errors in my Apache log. The corresponding error on Tomcat side is: java.lang.RuntimeException: Read of HTTP Request POST parameters failed: read content length A complete trace is included in the bottom of the e-mail. This only happens during POST request. According to the log it happened with many different browsers including MSIE 5 and 6 and different Netscape flavors, that's why I believe this is not a browser related issue. The logged posted data size is either 4276 or 1024 bytes and the reported time processing varies from 1 to more than 7000 seconds! I saw some similar postages but without any useful answers or comments. Is that a known/common bug and is there any solution for it? Regards, Rossen --- COMPLETE ERROR TRACE - java.lang.RuntimeException: Read of HTTP Request POST parameters failed: read content length at org.apache.catalina.connector.HttpRequestBase.parseParameters( HttpRequestBas e.java:658) at org.apache.catalina.connector.HttpRequestBase.getParameterName s(HttpRequestB ase.java:723) at org.apache.catalina.connector.RequestFacade.getParameterNames( RequestFacade. java:165) at org.apache.struts.util.RequestUtils.populate(RequestUtils.java:743) at org.apache.struts.action.ActionServlet.processPopulate(ActionS ervlet.java:20 61) at org.apache.struts.action.ActionServlet.process(ActionServlet.j ava:1564) at org.apache.struts.action.SecureActionServlet.process(D:/CvsPro jects/StrutsEx tTry/src/org/apache/struts/action/SecureActionServlet.java:97) at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510) at javax.servlet.http.HttpServlet.service(HttpServlet.java:760) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilt er(Application FilterChain.java:247) at org.apache.catalina.core.ApplicationFilterChain.doFilter(Appli cationFilterCh ain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardW rapperValve.ja va:243) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardP ipeline.java:5 66
Re: tomcat 4.0.4 apache ssl 1.3.26 and mod_jk
It would help if you also set debug=10 or so for your Tomcat Connector in server.xml. And captured the Connector debug output. Regards, Glenn Habibak haAlbek wrote: Hello, I have installed and configured Apache 1.3.26 with modssl and openssl + tomcat 4.0.4 with the corresponding Apache mod_jk. I started tomcat then apache and when I attempted to access the index.jsp under ROOT, the browser hangs and goes no where. the following error can be observed when info mode is set in httpd.conf INFO [Mon Sep 09 18:18:39 2002] [jk_ajp_common.c (652)]: ajp_connection_tcp_get_message: Error - jk_tcp_socket_recvfull failed [Mon Sep 09 18:18:39 2002] [jk_ajp_common.c (1013)]: Error reading reply [Mon Sep 09 18:18:39 2002] [jk_ajp_common.c (1150)]: In jk_endpoint_t::service, ajp_get_reply failed in send loop 0 [Mon Sep 09 18:18:39 2002] [jk_connect.c (151)]: jk_open_socket, connect() failed errno = 146 [Mon Sep 09 18:18:39 2002] [jk_ajp_common.c (599)]: In jk_endpoint_t::ajp_connect_to_endpoint, failed errno = 146 [Mon Sep 09 18:18:39 2002] [jk_ajp_common.c (844)]: Error connecting to the Tomcat process. [Mon Sep 09 18:18:39 2002] [jk_ajp_common.c (1153)]: In jk_endpoint_t::service, ajp_send_request failed in send loop 1 [Mon Sep 09 18:18:39 2002] [jk_connect.c (151)]: jk_open_socket, connect() failed errno = 146 [Mon Sep 09 18:18:39 2002] [jk_ajp_common.c (599)]: In jk_endpoint_t::ajp_connect_to_endpoint, failed errno = 146 [Mon Sep 09 18:18:39 2002] [jk_ajp_common.c (844)]: Error connecting to the Tomcat process. [Mon Sep 09 18:18:39 2002] [jk_ajp_common.c (1153)]: In jk_endpoint_t::service, ajp_send_request failed in send loop 2 And the followin is observed under DEBUG mode [Wed Sep 11 16:53:04 2002] [jk_uri_worker_map.c (460)]: Into jk_uri_worker_map_t::map_uri_to_worker [Wed Sep 11 16:53:04 2002] [jk_uri_worker_map.c (477)]: Attempting to map URI '/test.jsp' [Wed Sep 11 16:53:04 2002] [jk_uri_worker_map.c (558)]: jk_uri_worker_map_t::map_uri_to_worker, Found a suffix match jakarta-tomcat-4.0.4 - *.jsp [Wed Sep 11 16:53:04 2002] [jk_worker.c (132)]: Into wc_get_worker_for_name jakarta-tomcat-4.0.4 [Wed Sep 11 16:53:04 2002] [jk_worker.c (136)]: wc_get_worker_for_name, done found a worker [Wed Sep 11 16:53:04 2002] [jk_ajp_common.c (1355)]: Into jk_worker_t::get_endpoint [Wed Sep 11 16:53:04 2002] [jk_ajp_common.c (1079)]: Into jk_endpoint_t::service [Wed Sep 11 16:53:04 2002] [jk_ajp_common.c (280)]: Into ajp_marshal_into_msgb [Wed Sep 11 16:53:04 2002] [jk_ajp_common.c (413)]: ajp_marshal_into_msgb - Done [Wed Sep 11 16:53:04 2002] [jk_connect.c (116)]: Into jk_open_socket [Wed Sep 11 16:53:04 2002] [jk_connect.c (123)]: jk_open_socket, try to connect socket = 9 [Wed Sep 11 16:53:04 2002] [jk_connect.c (132)]: jk_open_socket, after connect ret = 0 [Wed Sep 11 16:53:04 2002] [jk_connect.c (140)]: jk_open_socket, set TCP_NODELAY to on [Wed Sep 11 16:53:04 2002] [jk_connect.c (148)]: jk_open_socket, return, sd = 9 [Wed Sep 11 16:53:04 2002] [jk_ajp_common.c (589)]: In jk_endpoint_t::ajp_connect_to_endpoint, connected sd = 9 [Wed Sep 11 16:53:04 2002] [jk_ajp_common.c (613)]: sending to ajp13 #379 [Wed Sep 11 16:53:04 2002] [jk_ajp_common.c (854)]: ajp_send_request 2: request body to send 0 - request body to resend 0 Why is the browser locking and what is happening? Thanks! - Yahoo! - We Remember 9-11: A tribute to the more than 3,000 lives lost -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Possible Memory Leak in Apache Tomcat/4.1.10-LE-jdk14
The JVM will grow to as much memory as you configure for its max, you can set this with the java arg -Xmx. Then the JVM manages its heap internally. Add this arg to java when you start Tomcat -verbose:gc, this will cause information about garbage collection to be output. And show you data about the internal JVM memory usage. Regards, Glenn Billy Ng wrote: I ran the Hello World page on the Tomcat's Servlet Examples, then kept refreshing it. The free memory is continuously going down on my Linux box and never came back up. Is it memory leak? I am running the Apache Tomcat/4.1.10-LE-jdk14. Billy Ng. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat scalability question
The permission denied can be generated one of two ways. First, the catalina.policy file must grant the correct FilePermission. Even if the correct FilePermission is granted in catalina.policy, you still have to comply with normal unix file ownership/permissions. If it is a catalina.policy configuration issue try defining the following property when starting tomcat: -Djava.security.debug=access,failure Then review the logs for the failed file permission and look at what CodeBase is identified as failing for the FilePermission. Regards, Glenn Presenting Tomcat Server and Application Security session at ApacheCon 2002, Las Vegas, NV Nov 18-21. Pat Schaider wrote: Hello all -- I have a configuration problem on my setup of Tomcat (v 4.0.3). I am managing this machine for my university's CS department, so there are issues of security that must be followed, namely that students should not be able to view each others source code (== cheating). We are using the security manager to enforce this (so one context cannot open files in another). Less than 5% of the pages on the system are static, so we are using Tomcat in standalone mode on a Linux system. We have made contexts for each user so that we can override the location of home directories, log files, etc. Note that students do not have logins on this machine; their Tomcat-related files are exported to student use machines. See the bottom of this email for pertinent config info. The server starts up correctly (./startup.sh -security) and deploys and serves the webapps fine. But here's the problem: when a user decides to make a new jsp file, Tomcat cannot compile or process that new file. The old files in the directory still display properly; Tomcat gives a Permission Denied error citing the working directory version of the new file in question. - message /usr/local/jakarta-tomcat-4.0.3/work/localhost/user/tomcat/webapps/jsp/graderFiles/graderC$jsp.java (Permission denied) Here's some site-specific config info that will be useful. Tomcat version: 4.0.3 Standalone from binaries There are about 250 contexts that get loaded when the server starts. A `ps aux` listing shows about 500 processes associated with Tomcat running. The machine is a P3-800 with 512 MB of memory, and does not have any other heavy services running on it, so Tomcat has full run of the box. If you need more info for diagnosis, email me and I will provide it. Does anyone have experience setting up a system along these lines? I realize it's probably an extension of what Tomcat is supposed to be used for with all the different contexts, but there has to be a way! Any help is appreciated. server.xml without comments === Server port=8005 shutdown=SHUTDOWN debug=0 Service name=Tomcat-Standalone Connector className=org.apache.catalina.connector.http.HttpConnector port=8080 minProcessors=5 maxProcessors=75 enableLookups=true redirectPort=8443 acceptCount=10 debug=0 connectionTimeout=6/ Engine name=Standalone defaultHost=localhost debug=0 Logger className=org.apache.catalina.logger.FileLogger prefix=catalina_log. suffix=.txt timestamp=true/ Host name=localhost debug=0 appBase=webapps unpackWARs=true !-- user1 -- Context path=/user1 docBase=/tomcat/user1 debug=0 reloadable=true crossContext=false /Context !-- user2 -- Context path=/user2 docBase=/tomcat/user2 debug=0 reloadable=true crossContext=false /Context /Host /Engine /Service /Server === Thanks in advance for any help you can provide. Apologies for the lengthy email. Pat Schaider doctor {at} wt {dot} net -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: How to configure tc-4.1.10 to use Jikes?
I found a few problems using jikes with Jasper 2. These have been fixed and should be in the new nightly build and will be in the next Tomcat 4.1.x release. Refer to the comments in conf/web.xml for configuring jikes. The jspCompilerPlugin init paramter no longer exists. You now use the compiler init paramter and set it to jikes. Regards, Glenn Glenn Nielsen wrote: Tomcat 4.1 uses Jasper 2. Jasper 2 was changed to use Ant to compile JSP pages and no longer supports the config below for using Jikes. But you can tell Ant to use jikes for compiling by defining the following property to java when starting Tomcat: -Dbuild.compiler=jikes Regards, Glenn Zsolt Koppany wrote: Hi, I try to configure tc-4.1.10 to use Jikes to compile jsp files. The configure below in web.xml does work with tc-4.0.4. Why doesn't it work tc-4.1.10? I don't have any errors, just jikes it not called. init-param param-namejspCompilerPlugin/param-name param-valueorg.apache.jasper.compiler.JikesJavaCompiler/param-value /init-param Zsolt -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: How to configure tc-4.1.10 to use Jikes?
Brian Millett wrote: On Sun, 2002-09-08 at 08:39, Glenn Nielsen wrote: I found a few problems using jikes with Jasper 2. These have been fixed and should be in the new nightly build and will be in the next Tomcat 4.1.x release. Refer to the comments in conf/web.xml for configuring jikes. The jspCompilerPlugin init paramter no longer exists. You now use the compiler init paramter and set it to jikes. Regards, Glenn Glenn, I must be reading something you are not. In the web.xml comments that you referred to: !-- If you wish to use Jikes to compile JSP pages: -- !-- * Set the classpath initialization parameter appropriately -- !-- for this web application. -- !-- * Set the jspCompilerPlugin initialization parameter to-- !-- org.apache.jasper.compiler.JikesJavaCompiler.-- So if it diesn't exist, then the comments in the web.xml for 4.1.10 need to be fixed. However, for me, Tomcat 4.1.10 is already released, I _did_ fix the comments in conf/web.xml, but the fix is in CVS. Try the nightly build tomorrow morning or wait for Tomcat 4.1.11 to be released. Regards, Glenn -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: How to configure tc-4.1.10 to use Jikes?
Tomcat 4.1 uses Jasper 2. Jasper 2 was changed to use Ant to compile JSP pages and no longer supports the config below for using Jikes. But you can tell Ant to use jikes for compiling by defining the following property to java when starting Tomcat: -Dbuild.compiler=jikes Regards, Glenn Zsolt Koppany wrote: Hi, I try to configure tc-4.1.10 to use Jikes to compile jsp files. The configure below in web.xml does work with tc-4.0.4. Why doesn't it work tc-4.1.10? I don't have any errors, just jikes it not called. init-param param-namejspCompilerPlugin/param-name param-valueorg.apache.jasper.compiler.JikesJavaCompiler/param-value /init-param Zsolt -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: What about setting a script/servlet/jsp timeout?
Nicholas Orr wrote: Well is there a way to isolate it to a context?? Reason I'm asking is in IIS it lets you specify a script timeout value, I was just wondering if there is a similar feature in Tomcat. NO Nicholas Orr -Original Message- From: Glenn Nielsen [mailto:[EMAIL PROTECTED]] Sent: Friday, 6 September 2002 6:51 AM To: Tomcat Users List Subject: Re: What about setting a script/servlet/jsp timeout? Concurrent requests to Tomcat each run in their own thread. There is no easy way to timeout a thread running arbitrary application code. So there is no way to timeout a request. Regards, Glenn -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: What about setting a script/servlet/jsp timeout?
Concurrent requests to Tomcat each run in their own thread. There is no easy way to timeout a thread running arbitrary application code. So there is no way to timeout a request. Regards, Glenn Nicholas Orr wrote: Hi, I know you can set session timeouts, is there a way to set script/servlet/jsp timeouts, so it applies over the whole Tomcat Instance? At the moment I am doing a lot of loops and some of them, by accident, end up being never ending and I have to kill tomcat to stop them. I have had a of look in the doc but haven't been able to find anything. Nicholas Orr ** The information contained in this e-mail is confidential and is intended only for the use of the addressee(s). If you receive this e-mail in error, any use, distribution or copying of this e-mail is not permitted. You are requested to forward unwanted e-mail and address any problems to the MIM Holdings Limited Support Centre. For general enquires: ++61 7 3833 8000 Support Centre e-mail:[EMAIL PROTECTED] Support Centre phone: Australia 1800500646 International ++61 7 38338042 ** -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- -- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder| MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | -- -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: jkmount possibilities
If you are using mod_jk 1.2 you can use the JkAutoAlias directive to tell Apache to automatically serve static content for all webapps. pUse the mod_jk JkAutoAlias directive to map all web application context directories into Apache's document space. Attempts to access the codeWEB-INF/code or codeMETA-INF/code directories within a web application context or a Web Archive code*.war/code within the Tomcat Host appBase (webapps) directory will fail with an HTTP 403, Access Forbidden./p p Example configuration for an Apache VirtualHost: pre # Static files in all Tomcat webapp context directories are served by apache JkAutoAlias /export/home/web/host2/webapps /pre /p Chris Stokes wrote: Hi I was wondering if what I want to do is possible Tomcat 4.03 Apache 1.3.20 RHLinux 7.3 I have not defined any contexts in my server.xml I just want them auto generated when I start tomcat4. To do this I tried a number of different settings for jkmount and eventually settled on JkMount /*/servlet/* ajp13 This seemed to work as all my html and serlvets seemed to work fine. However - now I discover that Tomcat is serving all content ie. JkMount /*/servlet/* ajp13 Seems to work the same as JkMount /* ajp13 Is this the case? I only want tomcat to serve anything with servlet in the uri no matter what precedes it eg http://server/context1/servlet/myservlet http://server/context2/servlet/myservlet This is in my httpd.conf LoadModule jk_module modules/mod_jk.so AddModule mod_jk.c IfModule mod_jk.c JkWorkersFile /etc/httpd/conf/workers.properties JkLogFile logs/mod_jk.log JkLogLevel error /IfModule NameVirtualHost 192.168.192.103 VirtualHost 192.168.192.103:80 ServerAdmin email@address DocumentRoot /home/bass/iAP21 ServerName server.name.com ErrorLog logs/ap21-error_log CustomLog logs/ap21-access_log common JkMount /*/servlet/* ajp13 /VirtualHost Chris Stokes Senior Systems Consultant Bass Software Pty Ltd [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Processor Availability
A good way to debug these types of problems is to tell the JVM to do a Thread stack dump. By reviewing the stack for each processor you can get an idea of what may be causing a problem. On unix you send the JMV a -QUIT signal. On Windows I think you use CTRL-D in the console for Tomcat. Another thing to check is whether long JVM garbage collection (GC) times are causing requests to stack up. While the JVM is doing GC handling of requests by Tomcat freezes. To get GC data add the arg -verbose:gc to your JVM startup options. Regards, Glenn Marinko, Jeff wrote: Thanks for the reply, Craig. I pretty much figured that was how it worked, but I was hoping for some kind of time out mechanism. Somehow, someway, I am able to lock up all 200 processors I defined for my Connector in TC (4.0.4, Java 1.4, Win2K). I'm guessing it is the machine that is at fault (very low powered), and that since each request potentially opens a connection to another machine, that may be the cause of the locking. Thanks! -Original Message- From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 27, 2002 4:19 PM To: Tomcat Users List Subject: Re: Processor Availability On Tue, 27 Aug 2002, Marinko, Jeff wrote: Date: Tue, 27 Aug 2002 13:45:05 -0700 From: Marinko, Jeff [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Subject: Processor Availability Greetings! Tomcat uses processors to service requests, as processors free up, they then move on and process other requests. Each processor also possesses a thread, so you can think of the set of available processors as a thread pool. My question is this: Is there any way to lock up all the processors? Sure ... if you send n+1 simultaneous requests when you've only got n available processors, you're going to run out (assuming that each request takes enough time for all of them to get submitted before the first ones start completing. Such things happen occasionally when you get spkies of request activity, but it's usually a transient condition. The analog in plain old web sites is when a site gets Slashdotted :-). Is there a maximum time before a processor becomes available again, assuming it is taking to long to process a request? The amount of time your app takes to process a request is totally up to your app. There's nothing Tomcat can do if you decide to execute a database query that takes 5 minutes because you're selecting through a million rows without using an index. The time it takes Tomcat to return the processor to the pool when a request is completed is as small as we can make it (a few milliseconds on a typical configuration). There's no motivation (or code in Tomcat) for keeping a processor unavailable any longer than it has to be. Besides processors, there might be contention for available threads and/or TCP/IP socket resources in your operating system. There are also VERY wide variations in the maximum number of threads a particular OS+JVM combination can support -- the Volano Report http://www.volano.com makes interesting reading in this regard. Any way to check how many processors are active/in use? There's nothing built in, but it would be straightforward to create a Valve that was stuck on the Engine (so it could see all requests to all webapps). Because this Valve will be executed by multiple threads at the same time, maintaining a simple counter that is incremented at the start of a request and decremented at the end would give you an active count. For the requests being processed by a particular webapp, you could do the same thing (and portably to boot) using a Filter mapped to /*. Jeff Craig -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: jkmount possibilities
Oops, I should have clarified that those directives are only available for Apache 1.3. Sorry. Ray Madigan wrote: I have tried to insertthis directive in a VirtualHost section of httpd.conf and apache2 will not start - Invalid Command: JkAutoAlias perhaps mispelled... How did u get this to work? Thanks -Original Message- From: Glenn Nielsen [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 28, 2002 4:46 AM To: Tomcat Users List Subject: Re: jkmount possibilities If you are using mod_jk 1.2 you can use the JkAutoAlias directive to tell Apache to automatically serve static content for all webapps. pUse the mod_jk JkAutoAlias directive to map all web application context directories into Apache's document space. Attempts to access the codeWEB-INF/code or codeMETA-INF/code directories within a web application context or a Web Archive code*.war/code within the Tomcat Host appBase (webapps) directory will fail with an HTTP 403, Access Forbidden./p p Example configuration for an Apache VirtualHost: pre # Static files in all Tomcat webapp context directories are served by apache JkAutoAlias /export/home/web/host2/webapps /pre /p Chris Stokes wrote: Hi I was wondering if what I want to do is possible Tomcat 4.03 Apache 1.3.20 RHLinux 7.3 I have not defined any contexts in my server.xml I just want them auto generated when I start tomcat4. To do this I tried a number of different settings for jkmount and eventually settled on JkMount /*/servlet/* ajp13 This seemed to work as all my html and serlvets seemed to work fine. However - now I discover that Tomcat is serving all content ie. JkMount /*/servlet/* ajp13 Seems to work the same as JkMount /* ajp13 Is this the case? I only want tomcat to serve anything with servlet in the uri no matter what precedes it eg http://server/context1/servlet/myservlet http://server/context2/servlet/myservlet This is in my httpd.conf LoadModule jk_module modules/mod_jk.so AddModule mod_jk.c IfModule mod_jk.c JkWorkersFile /etc/httpd/conf/workers.properties JkLogFile logs/mod_jk.log JkLogLevel error /IfModule NameVirtualHost 192.168.192.103 VirtualHost 192.168.192.103:80 ServerAdmin email@address DocumentRoot /home/bass/iAP21 ServerName server.name.com ErrorLog logs/ap21-error_log CustomLog logs/ap21-access_log common JkMount /*/servlet/* ajp13 /VirtualHost Chris Stokes Senior Systems Consultant Bass Software Pty Ltd [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: sweeping stale connections - Commons DBCP and Tomcat 4.1.9
I had this same problem, appending ?autoReconnect=true to your connect URL does work. Regards, Glenn Paul Phillips wrote: Hello I would suggest trying either of the following: parameter nameautoReconnect/name valuetrue/value /parameter I know that the above does not work... I tried it. or parameter nameurl/name valuejdbc:mysql://localhost:3306/javatest?autoReconnect=true/value /parameter I didn't try this, because I think that the ? in the url is already being provided by the code somewhere, so to add it here would duplicate it. From what I could tell by reading the code, there is some way to trigger an expire mechanism at regular intervals - I just don't know how to set that up... Thanks, Paul Phillips -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: connection pooling
The advantage of letting the container (Tomcat) setup a JNDI DataSource is abstraction. It abstracts out the source of data from the web application. You no longer have to configure somewhere within your web application the db connection, user, password, etc. This allows you to have a development Tomcat container configured with a DataSource to a test db and your production system to have a DataSource to a production db. As long as each container creates the same JNDI name you can install the webapp and use it for development or production without any changes. Regards, Glenn michael wimmer wrote: hi, I use protomatter (protomatter.sourceforge.net) for connection pooling and for now it seems to work pretty well. However, in this group and in the tomcat documentation, connection pooling seems always been mentioned in relation to JNDI or tyrex. Could anybody provide me with some information about the difference in these approaches and their relative merits and demerits? thanks, Michael -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Loading properties files
java.util.ResourceBundle.getBundle() uses the current ClassLoader to load your resource bundle. That means that your properties have to either be located with a jar file in /WEB-INF/lib or in your /WEB-INF/classess directory. This isn't a limitation of Tomcat, this is how resource bundles work. Regards, Glenn randie ursal wrote: why is it tomcat could not locate the property file if i place it on the package directory structure of my servlets?...it is still on the WEB-INF/classes directory isnt it? just need some more clarifications. e.g WEB-INF/classess/com/test/MyProperty.properties thanks Alan Tingley - Iperia wrote: Your properties file must be in a location that Tomcat knows about via its classpath (WEB-INF/classes is on Tomcat's classpath, that's why it worked when your file was there). See the Tomcat docs under Classpath How-to, which describes the class loaders in Tomcat. Alan Tingley - Original Message - From: Laurent Michenaud [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 27, 2002 4:40 AM Subject: Loading properties files Hi, Could u tell me what is not correct with that : Before we had that ( the properties files were in WEB-INF/classes ) and that works : package com.a2a.util ; public interface A2aConstantes { public static final String SCHEMA = java.util.ResourceBundle.getBundle(db).getString(schema); } Now we want to have properties files in WEB-INF/config so we change the file like this : package com.a2a.util ; public interface A2aConstantes { public static final String SCHEMA = java.util.ResourceBundle.getBundle(/WEB-INF/config/db).getString(sche ma); } But it doesnot work, it can't find the db.properties. I have tried with WEB-INF/config/db and /WEB-INF/config/db.properties but it doesnot work too. Can u tell me what's wrong ? Michenaud Laurent - Adeuza - [ Développeur Web - Administrateur Réseau ] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Loading properties files
Why do you insist on putting your property file in /WEB-INF/config? Just create a jar with your property file and put it in /WEB-INF/lib, or put the property file in /WEB-INF/classes. Regards, Glenn Laurent Michenaud wrote: So, how can i modify my interface so that it reads the file properties db in WEB-INF/config ? -Message d'origine- De : Glenn Nielsen [mailto:[EMAIL PROTECTED]] Envoyé : mardi 27 août 2002 15:32 À : Tomcat Users List Objet : Re: Loading properties files java.util.ResourceBundle.getBundle() uses the current ClassLoader to load your resource bundle. That means that your properties have to either be located with a jar file in /WEB-INF/lib or in your /WEB-INF/classess directory. This isn't a limitation of Tomcat, this is how resource bundles work. Regards, Glenn randie ursal wrote: why is it tomcat could not locate the property file if i place it on the package directory structure of my servlets?...it is still on the WEB-INF/classes directory isnt it? just need some more clarifications. e.g WEB-INF/classess/com/test/MyProperty.properties thanks Alan Tingley - Iperia wrote: Your properties file must be in a location that Tomcat knows about via its classpath (WEB-INF/classes is on Tomcat's classpath, that's why it worked when your file was there). See the Tomcat docs under Classpath How-to, which describes the class loaders in Tomcat. Alan Tingley - Original Message - From: Laurent Michenaud [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 27, 2002 4:40 AM Subject: Loading properties files Hi, Could u tell me what is not correct with that : Before we had that ( the properties files were in WEB-INF/classes ) and that works : package com.a2a.util ; public interface A2aConstantes { public static final String SCHEMA = java.util.ResourceBundle.getBundle(db).getString(schema); } Now we want to have properties files in WEB-INF/config so we change the file like this : package com.a2a.util ; public interface A2aConstantes { public static final String SCHEMA = java.util.ResourceBundle.getBundle(/WEB-INF/config/db).getSt ring(sche ma); } But it doesnot work, it can't find the db.properties. I have tried with WEB-INF/config/db and /WEB-INF/config/db.properties but it doesnot work too. Can u tell me what's wrong ? Michenaud Laurent - Adeuza - [ Développeur Web - Administrateur Réseau ] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: connection pooling
Yes, any J2EE compliant app server will have the ability to create a JNDI DataSource. The choice of whether to use a container provided DataSource or your own connection pool within the webapp is up to you. I prefer a container managed JNDI DataSource. Regards, Glenn Ashish Kulkarni wrote: Hi, A Question about JNDI, to use it i have to configure it in server.xml file, suppose if i have to change my app server , say to JRun, or Weblogic or websphere...how will it affect me,i think since all these are J2EE compliant servers, they must have some place for defining it, also what if i keep a xml file, with all the parameters for database connection in it, and keep it in web-inf of the application, and load it while starting the application from a startup servlet. so if i change the app server, i dont have to worry about setting JNDI in that app server, Ashish --- Glenn Nielsen [EMAIL PROTECTED] wrote: The advantage of letting the container (Tomcat) setup a JNDI DataSource is abstraction. It abstracts out the source of data from the web application. You no longer have to configure somewhere within your web application the db connection, user, password, etc. This allows you to have a development Tomcat container configured with a DataSource to a test db and your production system to have a DataSource to a production db. As long as each container creates the same JNDI name you can install the webapp and use it for development or production without any changes. Regards, Glenn michael wimmer wrote: hi, I use protomatter (protomatter.sourceforge.net) for connection pooling and for now it seems to work pretty well. However, in this group and in the tomcat documentation, connection pooling seems always been mentioned in relation to JNDI or tyrex. Could anybody provide me with some information about the difference in these approaches and their relative merits and demerits? thanks, Michael -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] __ Do You Yahoo!? Yahoo! Finance - Get real-time stock quotes http://finance.yahoo.com -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Using a Webapp on a network share
Yes, I do this. Apache, webspace, and webapps are located on one server. Tomcat is running on its own dedicated server which can access the webapps via NFS. Regards, Glenn Marc-Henri PAMISEUX wrote: Hi, Is it possible to use Tomcat with a Webapp on a network share (with NFS or SMB) ? If i mount a network share in /mnt/Dev could i write appBase=/mnt/Dev/webapp in the Host section of server.xml file ? I believe some problem... Thanks Marc-Henri -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Does closing a Connection variable and setting it to null close all of the ResultSet and Statements?
Hmm, this example code should get added to the Tomcat JNDI-DataSource-HOWTO. :-) Craig R. McClanahan wrote: On Tue, 27 Aug 2002, Short, Dave wrote: Date: Tue, 27 Aug 2002 09:08:58 -0700 From: Short, Dave [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Subject: RE: Does closing a Connection variable and setting it to null clo se all of the ResultSet and Statements? By closing you mean set the ResultSet and Statement objects to null - correct? No ... explicitly call close() on them first. My most common pattern for JDBC calls goes like this: Connection conn = null; Statement stmt = null; // Or PreparedStatement if needed ResultSet rs = null; try { conn = ... get connection from connection pool ... stmt = conn.createStatement(select ...); rs = stmt.executeQuery(); ... iterate through the result set ... rs.close(); rs = null; stmt.close(); stmt = null; conn.close(); // Return to connection pool conn = null; } catch (SQLException e) { ... deal with errors ... } finally { if (rs != null) { try { rs.close(); } catch (SQLException e) { ; } rs = null; } if (stmt != null) { try { stmt.close(); } catch (SQLException e) { ; } stmt = null; } if (conn != null) { try { conn.close(); } catch (SQLException e) { ; } conn = null; } } This way, you always clean up after yourself as quickly as possible, and never forget to return the connection to the connection pool -- even if exceptions occur. Craig -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Does closing a Connection variable and setting it to null closeall of the ResultSet and Statements?
Per the javax.sql javadocs... When a Connection is closed it closes any open Statements. When a Statement is closed, it closes any open ResultSets. If you just dereference a connection (non connection pool) when the Connection is GC'd it is closed. If you use DBCP 1.0 as your connection pool it tracks Statements and ResultSets used by a connection. When you close the connection it will ensure the Statements and ResultSets still open for that Connection are closed. Regards, Glenn Michael Nicholson wrote: Well, I guess the subject line says it all. I'm having memory issues, and having read the OOM error messages on the list, I've checked and found some open and not being closed connections, so I'm going back and closing them all. The question is do I need to explicitly close/dereference (set to null) all statements and recordsets too? Right now the system takes about 4% of my available memory just for the beans in question, so I'm trying to minimize what I store so that I could conceptually have more than one user. Thanks in advance, Mike Nicholson -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: connection pooling on tomcat
What connection pool are you using, DBCP? Rick Reumann wrote: I have connection pooling set up on Tomcat. In my server.xml file I have added to the ResourceParams: parameter namevalidationQuery/name valueSELECT 'CRAP' FROM DUAL/value /parameter The connection pooling seems to work fine, UNLESS the connections are manually killed (which are DBA ends up doing each morning for some reason when she comes ..just because she hates some of us:). When the connections are killed no one is able to do anything because the following error comes up: java.sql.SQLException: ORA-01012: not logged on Is there some way I can get this pooling to still work even if the connections are manually killed? I thought by adding the validationQuery param this would fix the problem, but it didn't. Thanks for any help. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: AW: apache-tomcat
That article is for using mod_webapp as the connector between Tomcat 4 and Apache. I wouldn't necessarily consider that a best practice. I have found mod_jk 1.2 a better solution for my needs. With mod_jk 1.2 I use the Apache mod_jk config directive JkAutoAlias. This automatically maps Apache to serve static files for all web contexts. Or you could do it individualu with yhe apache Alias directive. The only docs I see for JkAutoAlias are in the jakarta-tomcat-connectors CVS repository in file jk/doc/mod_jk-howto.html. Regards, Glenn [EMAIL PROTECTED] wrote: Hi Tal, never done it myself but here is a best practices Making Tomcat Work with Apache: http://dcb.sun.com/practices/howtos/tomcat_apache.jsp Hope that helps, Carsten -Ursprüngliche Nachricht- Von: Adar Wesley [mailto:[EMAIL PROTECTED]] Gesendet: Montag, 26. August 2002 15:14 An: 'Tomcat Users List' Betreff: apache-tomcat Hi Group ! I have a tomcat connected to apache. I would like to use apache for static content and tomcat for dynamic. Any ideas how to do that ? Any references ? Tal Moshaiov Log-On [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Commons DBCP and closing connections
When using a pooled db connection you should always set your connection object = NULL after closing the connection. In a connection pool, calling close() returns the connection back to the pool so that it can be reused. It could get reused immediately by another request. Here is the sequence of events you were seeing: Request 1 running in Thread 1 gets a db connection. Request 1 closes the db connection. The JVM switches the running thread to Thread 2 Request 2 running in Thread 2 gets a db connection (the same db connection just closed by Request 1) The JVM switches the running thread back to Thread 1 Request 1 closes the db connection again in your finally block. The JVM switches the running thread back to Thread 2 Request 2 Thread 2 tries to use the db connection but fails because Request 1 closed it. A better way would be as follows: Connection con; try { con = datasource.getConnection(); // Do some db stuff con.close() con = NULL; } finally { if (con != NULL) { con.close(); con = NULL; } } Regards, Glenn Jakarta Tomcat Newsgroup (@Basebeans.com) wrote: Subject: Re: Commons DBCP and closing connections From: Matt Raible [EMAIL PROTECTED] === I changed my closeConnection method (see below). It seems to work better (no close connection error), but I am wondering about the open connections to mysql. When I monitor them (show status; watch Threads_connected), there are 3 at first (I'm guessing from my monitor connection, JDBCRealm and Connection pool). It gets up to 5, how can I tell if connection pooling is working? Especially since my open connection says non-pooled? /** Closes a connection from the connection pool */ public void closeConnection(Connection con) throws ServiceLocatorException { try { con.close(); } catch (SQLException sqle) { logger.error(SQLException: + sqle.getMessage()); throw new ServiceLocatorException(sqle); } finally { //if (!con.isClosed()) { // try again try { if (!con.isClosed()) { con.close(); } } catch (SQLException csqle) { // ignore } //} } } Thanks, Matt On 8/23/02 9:03 PM, in article [EMAIL PROTECTED], Andrew Conrad [EMAIL PROTECTED] wrote: That's what I saw. - Andrew -Original Message- From: Peter Davison [mailto:[EMAIL PROTECTED]] Sent: Friday, August 23, 2002 10:56 PM To: Tomcat Users List Subject: Re: Commons DBCP and closing connections Correct me if I'm wrong but if the first con.close() call succeeds your code will still execute the second con.close() call in the finally block won't it? Closing the connection won't necessarily dereference the con variable, so it's trying to close a connection that is already closed, which would explain the exception you're getting. P. On Fri, 23 Aug 2002 19:10:09 -0700 Jakarta Tomcat Newsgroup (@Basebeans.com) [EMAIL PROTECTED] wrote: Subject: Commons DBCP and closing connections From: Matt Raible [EMAIL PROTECTED] === I am trying to upgrade from using Tyrex 0.9.7 to DBCP (from Struts 1.1 b2) - and I have the following method that used to work fine: /** Closes a connection from the connection pool */ public void closeConnection(Connection con) throws ServiceLocatorException { try { con.close(); } catch (SQLException sqle) { logger.error(SQLException: + sqle.getMessage()); throw new ServiceLocatorException(sqle); } finally { if (con != null) { // try again try { con.close(); } catch (SQLException csqle) { // ignore } } } } But now it causes a connection closed error?? I thought when you were using a connection pool, closing the connection just releases it back to the pool. Am I doing this right?? Matt -- To unsubscribe, e-mail: mailto:tomcat-user- [EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Peter Davison [EMAIL PROTECTED] Don't everyone thank me at once! -- Han Solo -- To unsubscribe, e-mail: mailto:tomcat-user- [EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat 4.1.9 + MySQL + jdbc driver
I have also seen this with the following setup. Solaris 8 on Sun Sparc Java 1.3.1_04 Tomcat 4.1.8/Jasper 1 mm.mysql 2.0.14 Apache 1.3.26 with mod_jk and Ajp13 connector. DBCP In my case from reviewing all of the tomcat logs I found that the Communication link failure looks like a symptom of some other failure. When reviewing my Engine logs for the ajp connector it looks like Tomcat was not completing requests for a period of 5 minutes. I saw a cascading of log entries like this in a 5 minute period where over 100 new Ajp13Processor's were started. 2002-08-25 10:20:11 Ajp13Processor[8009][184] Starting background thread I have seen this same behaviour a number of times, and each time the length of the problem is about 5 minutes long. I have also checked the CPU load stats for these time periods and I am seeing the load increase by a factor of 3 while this is happening. To a load 1 on a single CPU system. I checked the mysqld error logs, no errors reported. These weren't due to a spike in the number of requests. And there was no start/stop/reload of any Contexts which triggered this. No JSP pages were recompiled at the times this happened. Nothing was changed. I also start Tomcat with the java arg -verbose:gc so that garbage collection data is logged. I reviewed the GC times and I have several long Full GC's of 15 and 22 seconds which might explain some of the problems, but not a problem that seems to last 5 minutes. I bet a thread stack dump while this is going on would be very interesting reading. I don't know yet what the source of my problem is. The system Tomcat is running on will be upgraded to faster dual CPU's and another 512MB of ram in the next week or so. Perhaps that will help. I just thought the trouble shooting process I went through might help you do forensics on your logs so you can track down your problem. Regards, Glenn Paul Phillips wrote: I have used the Mark Matthews MySQL jdbc driver with Tomcat on three or four projects and never had any trouble. I recently started using the newest version of the driver, now called MySQL Connector/J version 3.0.0 beta. I am using it with Tomcat 4.1.9 on a Sun Ultra 5 with Solaris 9. I am also using the DBCP connection pool as described in the 4.1 docs. I have never used this combination (the particular machine, Sol 9, this new version of Tomcat and this driver) together to do database lookups before, so I'm not sure where to look for the trouble. However - the trouble is this... I just installed my webapp a couple of days ago, for use in low level production (meaning if there are problems, it is not the end of the world...) Each morning, when I come in, and fire up my webapp, the database connections don't work. The Tomcat logs report this: java.sql.SQLException: Communication link failure: java.net.SocketException at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:810) at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1265) at com.mysql.jdbc.Connection.execSQL(Connection.java:1935) at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:1800) at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:445) at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:394) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthen ticator.java:263) and etc back through the trace. So there is some problem with the socket. If I simply shutdown and restart Tomcat, the problem goes away and my app works fine and happily all day long. So, what would cause this to happen? Connection pool problem? Driver problem? I don't even know where to start looking... I would appreciate any ideas. Regards, Paul Phillips -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat 4.0.4: Unnecessary $TOMCAT/temp/ directory?
It is done for security reasons so that the JVM instance for Tomcat isn't using the same temp directory as other applicaitons on the system. Also so that there is a common temp directory path that is system neutral. This is more secure when you lock down Tomcat with the SecurityManager and a strict catalina.policy. Regards, Glenn Eddie Ruvinsky wrote: Thanks Glenn. The following Java API link has a quick blurb about the java.io.tmpdir system property: http://java.sun.com/j2se/1.3/docs/api/java/io/File.html#createTempFile(java.lang.String, java.lang.String, java.io.File) The JDK sets the default value for this property to be /tmp on Unix and c:\temp on Windows. So, it does not seem necessary to override the default value of java.io.tmpdir when starting Tomcat. My follow-up question then is, why is this done? Is it to be able to create a separate namespace for temp files generated by the Tomcat JVM process versus the other temp files on the file system? Thanks in advance, Eddie -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: tomcat/unix security manager questions
Richard Smith wrote: Hi All, Just wondering if you could help me clarify a few questions I have about tomcat and catalina.policy. Im running tomcat 4.0.4 (w/ security manager) with mod_jk on solaris with about 300+ users, all of whom can deploy jsp/servlets from their public_html directory. I have never setup Tomcat to do this, but from reading the docs it looks like Tomcat instantiates a separate web application context for each user. A user requirement is that they must is to be able to read/write files in their home directory. This is what im a little confused about. I understand I can put an entry like: permission java.io.FilePermission /home/-, read,write,delete,execute; I would never grant the execute permission, this allows Tomcat to use Runtime.exec() to execute shell scripts, etc.! The above permission w/o execute should be fine. in catalina.policy, but how does this enable tomcat to write to other user's home directories (when tomcat is running as a user with minimal privledges)? Or must I change permissions on the file to allow the user that is running tomcat to write to it (is this the normal practice?). Yes, if you want to allow the user web applications to write and delete files in their own home directory Tomcat would need r/w file permissions. This can be done by adding the tomcat user tomcat to the group(s) which your users are members of. Then setup permissions on the public_html directory of mode 2775. Also, this is probably more a java question, but do standard unix permissions always take precedence over what is set in catalina.policy? (In my understanding the unix permissions take precedence, but I just wanted to make sure(please excuse my java ignorance)) Yes, unix file/dir ownership and permissions take precedence. Any help appreciated, Cheers, -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat 4.0.4: Unnecessary $TOMCAT/temp/ directory?
Do not remove this temp directory. This is the temporary directory configured in the Tomcat startup with -Djava.io.tmpdir. This temp directory is used by the JVM for internal things like jar files, etc. Regards, Glenn Eddie Ruvinsky wrote: I don't believe this is the case. According to the source, if the workDir attribute of StandardHost is null (default case), the temp dir will be generated inside $CATALINA_BASE/work/. Otherwise, it will be generated in the StandardHost's workDir. I believe that it's unused and doesn't belong in the Tomcat distribution. Can someone confirm? -Eddie --- Mona Wong-Barnum [EMAIL PROTECTED] wrote: Hi Eddie: When I unpacked the distribution of Tomcat 4.0.4, I noticed an empty temp/ directory in the Tomcat root directory. I don't believe it gets used anywhere in the code. Should it be cleaned up? No leave it. It will be used a temp directory in your servlet code (javax.servlet.context.tempdir) Cheers, Mona == Mona Wong-Barnum National Center for Microscopy and Imaging Research University of California, San Diego http://ncmir.ucsd.edu/ The truth shall set you free, but first it will piss you off A Landmark instructor == -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] __ Do You Yahoo!? HotJobs - Search Thousands of New Jobs http://www.hotjobs.com -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: dynamic webapp deployment and mod_jk
For mod_jk 1.2 you can use JkAutoAlias to automatically server static pages for any web application context, even new ones which get added. Here is an example for the apache httpd.conf: JkAutoAlias /usr/local/tomcat/webapps JkMount /*.jsp ajp13 JkMount /*/servlet/ ajp13 Regards, Glenn David S. Soleno wrote: Looking through the Apache + Tomcat configuration examples we see how to configure Apache to serve static files from its root directory and forward to Tomcat if the request matches one of the registered context paths. Our problem occurs from the fact that our system allows for webapps to be deployed and undeployed dynamically, which means the list of context paths that require forwarding changes. While we don't mind restarting Tomcat when this happens but we don't want to restart Apache. The list of directories that contains static files for Apache to serve is constant so it seems what we need is a way to configure Apache to redirect all requests to Tomcat EXCEPT those that match the list of context paths. Does anyone know how to achieve this? -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat in a multiuser webhost environment
I have done alot of work with Apache 1.3/Tomcat 4.1.X setting up virtual hosting in a web hosting environment. Please see my attached document. Regards, Glenn Hans Kaiser wrote: Hi, nobody knows how to solve it, or is it too simple for an answer? best regards, Hans Hello all! Is this list a closed one? I tried to post a message to the list, without being subscribed, but that failed (I think so, I couldn´t see the mail on the archives) I will go on directly to my problems: I am running an Apache 1.3.x and I have all my virtual hosts under /home/web/host[anyhostnaming] Now I need a servlet and a JSP Engine, therefore I want to use the Tomcat 4.x. But my users should be able to define their own contexts for the tomcat. So my questions are: - how to configure the apache and tomcat to forward all JSP and servlet request from apache to tomcat. - how should I setup tomcat to make it possible, that only a defined list of users are able to use jsp/servlet? - how to setup tomcat or must I setup the apache (if forwarding the servlet/jsp request from apache to tomcat), that users are able to define their own contexts? Is it a security problem? I thought about something like a distributed web.xml in a defined location in the users home dirs. - Is it possible to limit the maximum used resources (load, memory ) of tomcat? Or even better per user basis? many thanks, and best regards, Hans -- GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] Web Hosting with Tomcat 4 and Apache Overview There are a number of configuration issues and security concerns which must be addressed when setting up Apache and Tomcat 4 for virtual hosting of customer sites in a web hosting environment. The major conerns are: 1. Delegating to untrusted customers maintenance of their applications without compromising server security. 2. Configuring Apache and Tomcat for virtual hosting. 3. Surviving poorly written web applications installed by customers. This includes fault tolerance and identifying which customer's web application is causing problems. 4. Mimimize the amount of hand holding or config changes the apache and tomcat system administrators have to make. This is written based on my experiences setting up this type of hosting environment on Sun Solaris hardware. Some of this will be specific to Solaris, but in general should work for almost any flavor of Unix. Unix accounts and groups The user tomcat was created for running tomcat, it should be created similar to the nobody account used for running Apache. The tomcat user is assigned to the group tomcat. The tomcat user is a member of group user. The group tomcat was created as the group the user tomcat is assigned to. The group user was created, this is the group customer ftp accounts are assigned to. The tomcat account is a member of this group so that both customers and tomcat can write files in directories assigned to group user. Each customer has their own ftp account which is in group user. There is a webmaster administrator shell account. This account is for your virtual host administrator. The webmaster account is assigned to group user and is also a member of group tomcat. Directory layout The layout of directories is designed to make it as easy as possible for customers to maintain their own web space content and applications. Here is an example of how I do it: The customer is assigned an FTP account which has permission to read their virtual host directory and write to a subset of that. For example, a customer may be assigned the following directory: /export/home/www.customer.com root:other 755 Within that directory are sub directories which the customer can read and/or write. Listed are the directory names, ownership, and mode. www webmaster:user 2775 -- Apache document root directory. Customer and tomcat can both read/write directories and files. logs root:other 755 --- Directory where apache access_log and error_log are placed. We also rotate these logs weekly and use bzip2 to compress any log files older than 5 weeks. Log files less than 5 weeks old are left uncompressed so that they can be used by web statistic software like Analog. Customer can read files in this directory but not write files. tomcat tomcat:tomcat 755 Directory used for the tomcat work and tomcat virtual host logs. Only tomcat can write in this directory. Customer can read files in this directory. tomcat/work tomcat:tomcat 755 - Tomcat work directory for virtual host. Only tomcat can write files. Customer can read files. This allows customer to review java source files generated during a JSP
Re: tomcat.policy limitation?
Joe Flowers wrote: I am trying to grant a servlet in the /usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/joe/ directory write permissions to the /test.txt file. //--- The following code snippet from my tomcat.policy file seems to work correctly; I can write to the /test.txt file just fine with my servlet. grant codeBase file:/usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/- { permission java.io.FilePermission /test.txt, write; }; Just a quick note, you may already know this, but the FilePermission path is not Context relative. So in the above, you were granting permission to write to the root / of the file partition. Use: permission java.io.FilePermission ${tomcat.home}/webapps/ROOT/test.txt, write; if you want to write a file into the root of the ROOT context directory. //--- BUT, the following code snippet does NOT work correctly. grant codeBase file:/usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/- { permission java.io.FilePermission /test.txt, write; }; Tomcat 3.x only allows one set of permissions for an entire Context, configured for the web application root, as in your first example. You can not set different permissions for jar's located in WEB-INF/lib or to class files in WEB-INF/classes. The Tomcat 4 Java SecurityManager implementation is more sophisticated. It does allow you to grant different permissions for different CodeBase's within a single web applicaiton. I get the following error message :-(( Error: 500 Location: /servlet/joe.joe1 Internal Servlet Error: java.security.AccessControlException: access denied (java.io.FilePermission /test.txt write) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272) at java.security.AccessController.checkPermission(AccessController.java:399) at java.lang.SecurityManager.checkPermission(SecurityManager.java:545) at java.lang.SecurityManager.checkWrite(SecurityManager.java:978) at java.io.FileOutputStream.(FileOutputStream.java:96) at java.io.FileWriter.(FileWriter.java:52) at joe.joe1.doGet(joe1.java:64) ... etc. //--- What the heck?!?! Anyone have any ideas for me to try? I want to create a bunch of user/programmer subdirectories like /usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/joe/ /usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/tom/ /usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/henry/ etc. so that I can grant all servlets in these directories and subdirectories read/write access to their own separate directory structure so they won't be able to write over anyone elses files, including the system files, of course. The above isn't possible with the Java SecurityManager. A permission is granted to a CodeBase, all classes in WEB-INF have the same CodeBase. What I would recommend is that the developers setup Tomcat on their local desktop systems for doing development work, and leave the server for combined testing. We do this where I work by using CVS repositories and setting up Ant to build the applicaiton. This is a wierd one. Thanks for any help! Joe -- -- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder| MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | --
Re: [ANNOUNCEMENT] Tomcat 4.0-beta-6 Released
Look in the CVS repository jakarta-tomcat-connectors. Glenn Jeff Hoare wrote: Ok, So where is the src for the updated Apache connector? It used to be under src/connectors. I've downloaded the binary and src tarballs and can't see it anywhere? Or does you note imply that the connector will be released seperately Jeff On Friday 20 July 2001 17:20, you wrote: The Tomcat team is proud to announce the availability of the latest beta release of Tomcat 4.0. This next-generation servlet and JSP container boasts the following new and improved features: * Fix for the security vulnerability reported on July 16, 2001. * Support for the Proposed Final Draft 3 versions of the Servlet 2.3 and JSP 1.2 Specifications. * Many bug fixes and performance improvements. * Support for executing external CGI scripts and programs. * An updated version of the Apache web connector (binaries for various platforms will be available soon) * A new experimental installer for the Windows platform that lets you download and install Tomcat 4.0 in a manner typical of other Windows based programs (including installation of Tomcat as an NT service). Binary distributions of Tomcat 4.0-beta-6 are available at: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0-b6/ and source distributions are available at: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0-b6/src/ Please see the included RELEASE-NOTES-4.0-B6.txt file for details about the changes included in this release. Craig McClanahan -- -- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder| MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | --
Re: tomcat.policy limitation?
Joe Flowers wrote: I want to create a bunch of user/programmer subdirectories like /usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/joe/ /usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/tom/ /usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/henry/ etc. so that I can grant all servlets in these directories and subdirectories read/write access to their own separate directory structure so they won't be able to write over anyone elses files, including the system files, of course. The above isn't possible with the Java SecurityManager. A permission is granted to a CodeBase, all classes in WEB-INF have the same CodeBase. Thanks a lot Glenn! In your above comment, did you mean that it isn't possible with the Java SecurityManager with Tomcat 3.x or 4.x or both? It isn't possible at all for any application. In case you have questions in the future, you may want to refer to the presentation I did on Tomcat Server and Application Security at ApacheCon 2001. http://www.more.net/events/apachecon2001/ Regards, Glenn -- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder| MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | --