(Debian) Linux 2.6.11.12-xenU
Tomcat 5.5.20
Java 1.5.0_04
This question concerns access to a running Tomcat instance by a
previously unseen/unknown user agent.
I have been developing commercial sites in Java for a number of years
now but this is the first time I have
deployed a commercial
Hi list.
I'm interested in implementing the log described in this URL:
http://www.devx.com/Java/Article/32730/1954?pf=true
How do I compile the ResourceTrackingAccessLogValve.java?
Where do I put the class?
Thanks in advance.
--
No one is so young that they could not die tomorrow, nor so old that they could not
Curl is a command line http client. It is available for almost all unix/linux
platforms.
It is easy to use in scripts to download stuff from http servers. It is not a
hacking tool.
You should look at what people are downloading/requesting with it.
Ronald.
On Thu Aug 23 09:25:51 CEST 2007
From: Lyallex [mailto:[EMAIL PROTECTED]
curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.
I have been to http://curl.haxx.se/ and it seems to my (currently)
inexperienced eye
that this software _could_ be used to do all sorts of despicable
things to a web site.
Or it could be
Lyallex wrote:
This question concerns access to a running Tomcat instance by a
previously unseen/unknown user agent.
[...]
Is it a 'Tomcat' question ?... I'm not sure but here goes anyway.
No.
The following might be quite harmless but it would be nice to hear of
others exp' in this area
You should look at the client query, not agent to get an idea about
security. Curl client is not that uncommon. I use it (as long as wget,
depending on server) to download files from public server directly to my
own server. Example of use here are
- download a JVM from sun website (wget 'url' or
Hello,
we are planning to activate our intranet with ssl. Along with this, we
would like to make this intranet available to our employees from their home.
Insite, without ssl, there is no need to identify our user. Anonymous
browsing is to be allowed. From outside however, we want to force
OK, that's all good advice ...
[EMAIL PROTECTED]:/usr/tomcat/logs$ cat access.log | grep curl
69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] GET /favicon.ico
HTTP/1.1 200 2238 - curl/7.12.1 (i386-redhat-linux-gnu)
libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
69.25.212.171 - -
www.who.is
Much more info
...tracking the perpetrator down now ... this is fun.
On 8/23/07, Lyallex [EMAIL PROTECTED] wrote:
OK, that's all good advice ...
[EMAIL PROTECTED]:/usr/tomcat/logs$ cat access.log | grep curl
69.25.212.171 - - [22/Aug/2007:16:40:41 +0100] GET /favicon.ico
I just find it hard to believe that there is no open-source
project/library to manage users that includes the above functionality.
Web server logins are dismal across the board, but it's so easy to write
a filter so I think nobody bothered.
Peter
Stephen More wrote:
On 8/22/07, Christopher
Filip
At the beginning of this conversation you said that you would validate
my web app for me.
I have created a very simple web app that shows the difference in
behaviour in terms of where a RuntimeException is logged in Tomcat
5.5.23 and 6.0.14. It doesn't seem to matter whether or not Log4J
Hi All,
We are doing some load testing on our setup and find that the cpu
usage of tomcat reported by top on the two systems is not equal.
Typically we see figures like ~400% to 800% cpu on one machine and
~50% on the other machine for the java process. We would expect that
the two cpu values
Hi
How do I setup domains for webapplications-mapping in tomcat5.5? I can
read that there should be defined a context-element in either
META-INF/context.xml or server.xml file, but I find it very hard to find
a working solution or example. Should i define both host and context
element or...
Aha! Yes I am. Kinda makes sense that would be it. Thanks so much for
thinking deep enough to ask the question.
I'm already forwarding everything that starts with my servlet. I coded all
JSPs to use relative paths. Can I tell mod_jk to forward everything with a
relative path to tomcat as well?
Hi,
I'm trying to allow my users to download a password protected zip file
from a link in an email but I keep being told the zip file is corrupt
when I do even though I know it's not.
It's using standard tomcat form authentication, if you go to the front
page of the site and login normally and
Probably, I haven't done a lot of work with connectors.
Maybe a better question at this point is, if you're going to pass
everything to Tomcat anyway, is there still a benefit to using Apache
HTTPD as a front end? Tomcat and the JVM have both made huge strides
in performance over the last few
The benefit is the client is already doing it this way and wants us to do it
the same. The realities of the IT world.
Alas...
-Original Message-
From: Ben Souther [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 23, 2007 8:23 AM
To: Tomcat Users List
Subject: RE: URL mangling
Probably, I
remmons wrote:
I am trying to use HSQLDB for container authentication in Tomcat. When
I start Tomcat, I get this message in the catalina.-MM-DD.log:
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Aug 2, 2007 3:10:29 PM org.apache.catalina.realm.JDBCRealm start
SEVERE:
Hi All
I have installed tomcat5.5 with apache2.2 on a debian box following the
guide at http://www.howtoforge.com/apache2_tomcat5_mod_jk
I have followed this guide relatively strictly, the only things i have
changed are the jdk version used (JDK 6 update 2) and the mod_jk
installation method (i
yes, feel free to send it to that address
Filip
Ashley Hollands wrote:
Filip
At the beginning of this conversation you said that you would validate
my web app for me.
I have created a very simple web app that shows the difference in
behaviour in terms of where a RuntimeException is logged in
Hi Will,
Can you post the contents of your workers.properties file? It could be a
problem with the naming of the worker set up in this file.
Cheers, Ben
On Thu, 2007-08-23 at 23:49 +1000, Will Parkinson wrote:
Hi All
I have installed tomcat5.5 with apache2.2 on a debian box following the
Is there a way to have the manager web application just upload a .war
and not deploy it? Or a way to have it upload a .war to a location
outside of the appBase?
-
To start a new topic, e-mail: users@tomcat.apache.org
To
From: Jens Rosenberg [mailto:[EMAIL PROTECTED]
Subject: Domain mapping
How do I setup domains for webapplications-mapping in
tomcat5.5?
Why do you want to? It's not normally necessary, unless you want
separate sets of webapps available for each domain. If you do want
segregated webapps,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Robert,
* Correct: connectionURL=jdbc:hsqldb:data/Auth
* Incorrect: connectionURL=jdbc:hsqldb:/localhoast/data/Auth
Thanks for posting a followup to this when you found the answer. Often,
dead threads will end in no solution as the OP will
Have a look at
http://tomcat.apache.org/connectors-doc/generic_howto/timeouts.html
You could lower your prepost_timeout. The Timeouts will help for
unplanned downtimes. For planned downtimes you should administratively
change the activation attribute of the load balancer members.
Regards,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Stephen,
Stephen More wrote:
Both of these would require a Filter that checks for the existence of
the role expiredPassword and redirect as needed.
Yes. That's why I did it myself all in a single filter (including
loading the user's state, rather
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ping,
Ping Yu wrote:
set JAVA_OPTS=%JAVA_OPTS%
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=%CATALINA_BASE%\conf\logging.properties
-Dderby.system.home=C:\Absolute_Path_To_\sql
That's an
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ali,
Ali Ok wrote:
I use Tomcat's JDBC realm for security. However, I want to use a very
customized login form (like remember me option or javascript based modal
login form). How can I make these work?
I recommend using securityfilter
Hi,
Tomcat runs fine, but the log contains this message:
Java HotSpot(TM) Client VM warning: Can't detect initial thread stack location
- find_vma failed
Another thread said this was most likely due to the tomcat user not having
access to the /proc file system, and that it's not a biggie.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
David,
From outside however, we want to force authentication on all the
webapp. So we would like to have a security-constraint on / that
applies *only* when webapp is reached using SSL connector.
You might be able to avoid the entire problem by
what is missing from the Tomcat 6 docs, is that you put log4j.properties
in TC_HOME/lib to configure Tomcat's global logging
Filip
Filip Hanik - Dev Lists wrote:
yes, feel free to send it to that address
Filip
Ashley Hollands wrote:
Filip
At the beginning of this conversation you said
Ole Ersoy wrote:
Hi,
Tomcat runs fine, but the log contains this message:
Java HotSpot(TM) Client VM warning: Can't detect initial thread stack
location - find_vma failed
Another thread said this was most likely due to the tomcat user not
having access to the /proc file system, and that
Ben,
So I assume you have two web servers fronting two app servers - or there
are two servers both of which have a web server and an app server? For
the restart you talk about - did you restart both web servers? Do you
have a good load balancer (local director, content director like an F5)
in
I have configured a servlet to display an error message and a stack trace for
500 errors (defined in web.xml). It works sometimes and not at others? By this
i mean some 500 errors are caught and reported the others just cause an error
and failure.
In Response To:
Does anybody have an
try to put something like this into your web.xml (i hope that is what
you've been asking for):
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/errorPages/generalError.html</location>
</error-page>
That page should just display some message like general error
That's exactly what I have done. I have even tested it by having a servlet do a
int i = 500/0; which causes a 500 error and a divide by zero exception which
invokes the page correctly with the error and the stack trace; however,
sometimes for errors (like trying to access a null object) the
Hi,
I added a jdbc datasource to $TOMCAT_BASE/conf/context.xml using W3C DOM.
But I have to restart the server to find the new resource.
I wonder is there a way to add new resources to
$TOMCAT_BASE/conf/context.xml on Tomcat 5.5.23, without restarting server to
find it?
Regards,
cun
--
View
On 8/23/07, Rainer Jung [EMAIL PROTECTED] wrote:
Guofeng Zhang wrote:
# Define Master
worker.master.host=192.168.225.195
worker.master.port=8009
worker.master.type=ajp13
worker.master.lbfactor=1
worker.master.cachesize=10
worker.master.cache_timeout=600
Ok... this begs the question: Why did you add the datasource to
$TOMCAT_BASE/conf/context.xml? The datasource should be in your
individual webapp's context.xml file where all you have to do is restart
the webapp via the manager webapp.
--David
shunhecun wrote:
Hi,
I added a jdbc
Once you find them, you might be hard pressed to actually do anything
about it beyond getting in touch with their ISP.
It might be easier to just block them at the firewall or on the server
tomcat runs on with something like iptables.
Mark
On 8/23/07, Lyallex [EMAIL PROTECTED] wrote:
On 8/23/07, Lyallex [EMAIL PROTECTED] wrote:
On 8/23/07, Lyallex [EMAIL PROTECTED] wrote:
So, looking for favicon.ico and doing a HEAD on my entry page, doesn't
look too suspicious I guess.
...tracking the perpetrator down now ... this is fun.
While the exercise may be fun, you are most
David Rees wrote:
On 8/23/07, Rainer Jung [EMAIL PROTECTED] wrote:
Guofeng Zhang wrote:
# Define Master
worker.master.host=192.168.225.195
worker.master.port=8009
worker.master.type=ajp13
worker.master.lbfactor=1
worker.master.cachesize=10
worker.master.cache_timeout=600
Just to nip this one early before the discussion strays too far, curl is
NOT a hacking tool. It's just a command line http client useful in all
sorts of linux/unix OS scripts.
To determine if it's being used to probe your site, you need to pay
attention to WHAT is being requested. The brief
What is the preferred API for accessing MBeans from within servlets or JSPs?
MBeanServerConnection jmxServerConnection = JMXConnectorFactory.connect(new
JMXServiceURL(urlForJMX),null).getMBeanServerConnection();
jmxServerConnection.getAttribute(new
[EMAIL PROTECTED] wrote:
Ben,
So I assume you have two web servers fronting two app servers - or there
are two servers both of which have a web server and an app server? For
the restart you talk about - did you restart both web servers? Do you
have a good load balancer (local director,
On 8/23/07, lightbulb432 [EMAIL PROTECTED] wrote:
What is the preferred API for accessing MBeans from within servlets or
JSPs?
MBeanServerConnection jmxServerConnection = JMXConnectorFactory.connect
(new
JMXServiceURL(urlForJMX),null).getMBeanServerConnection();
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
[EMAIL PROTECTED] wrote:
however, sometimes for errors (like trying to access
a null object) the page is not invoked but there's a stack trace in
the logs.
Is it possible that the exception is being caught and logged before it
can fall
Sorry to reply to my own post, but I have sort of figured it out. There were
about 2000 classes in /WEB-INF/classes, only one servlet though. Instead of
making the war from here, we only have the servlet class in WEB-INF/classes
and jar up the rest of the packages and place that jar into
if you have reloadable=true (and maybe even if it is not set, not
sure) Tomcat adds files to a list for monitoring the timestamp of them
changing. Hence many classes will add to more stuff to add to the list
and monitor
but that doesn't seem like it should take 80sec anyway
Filip
Dan
On 8/23/07, David Smith [EMAIL PROTECTED] wrote:
Just to nip this one early before the discussion strays too far, curl is
NOT a hacking tool. It's just a command line http client useful in all
sorts of linux/unix OS scripts.
Yep, I understand what curl is now ... spent some time on the
Is it unpacking the war during startup? Unzipping 2000 files takes a
while (even if they're small).
--
Len
On 8/23/07, Dan Beaulieu [EMAIL PROTECTED] wrote:
Sorry to reply to my own post, but I have sort of figured it out. There were
about 2000 classes in /WEB-INF/classes, only one servlet
Sorry, I wasn't after you. I was just trying to catch a discussion that
could easily lose sight of the original question.
For the benefit of people on the list, curl can be used for good purposes
like downloading packages, a test of server status (e.g. in heart beat
script activating a backup
He's already using a low prepost_timeout of 50ms (IMO is way too low
and should be set to 250-500ms).
Sorry, I had only little time and directly ran into our old problem,
that some timeouts are seconds, and some are milliseconds. You are
right, 50 is way too small, see my new Timeouts docs
On 8/23/07, Lyallex [EMAIL PROTECTED] wrote:
Although ... depending on what you consider hacking it certainly seems
like it could easily be used to run a crude DOS attack (for example)
simply by writing a shell script with a loop in it, like many other
otherwise benign applications out there
Rainer,
Thanks very much for the clarification! Since I have been playing with the
load balancing strategy set to session (worker.router.method=S on my
load balancer), is there a way to tell roughly how many sessions have
been pinned to each worker/tomcat? In this case would the load balancer
value
Can someone provide a java code snippet showing how to get the port that
Tomcat is listening on? Is there a way to access the settings in the
server.xml file from within a running instance of Tomcat?
I'm running a Struts-based app on Tomcat 5.5 (multiple Tomcat instances
actually) and need to
I do not know if this info is helpful... ServletRequest has getServerPort()
and getServerName() methods that should give the port and server through
which the request came.
Vamsi
On 8/24/07, Brian Barnett [EMAIL PROTECTED] wrote:
Can someone provide a java code snippet showing how to get the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Duncan,
Not to belabor this thread too much, but...
Lyallex wrote:
I never actually suggested [curl] was a
hacking tool
See the subject line.
Although ... depending on what you consider hacking it certainly seems
like it could easily be used
http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/ServletRequest.html#getLocalPort()
You can only get the port from a request. This is because a specific
webapp can be served from several hostnames and from several ports, all
sharing same instance of servlet.
(basic example is tomcat with
Yes of course, that makes sense. I will use Vamsi's suggestion with
ServletRequest.getServerPort(). Thank you.
-Original Message-
From: David Delbecq [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 23, 2007 2:03 PM
To: Tomcat Users List
Subject: Re: How to get port of a running Tomcat
The following link describes using JMX with Tomcat. Step #4 talks about the
mbeans-descriptors.xml file, but it seems to make no difference when using
it. If I don't include elements in that file that I do in MBean interface,
it still works in JConsole properly - and the descriptions entered
Reloadable is true, and unpack is false.
If we tell it to unpack it'll take a long time to start up, but then
subsequent start ups with out deleting the webapp dir are fast.
Agreed, reloadable shouldn't have that much of an impact.
-Original Message-
From: Len Popp [mailto:[EMAIL
Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
David,
From outside however, we want to force authentication on all the
webapp. So we would like to have a security-constraint on / that
applies *only* when webapp is reached using SSL connector.
You might
even then, you should set reloadable=false
the flag name is misleading, all apps are reloadable, regardless of what
that setting is (basically autoDeploy=true - webapps are reloadable)
read up on the reloadable flag, you'll see that it actually would add
all 2000 files to be monitored by
This is probably a far fetched request but does anyone know a good way of
nulling the Siteminder header when a user logs out so that they'll be
challenged by Siteminder again when they hit a protected URL? I am invalidating
the user session and in HTTP watch I can see that the SM session is
Jérôme Etévé wrote:
Is there a way to setup tomcat to do a nice graceful reload where all
the current requests are allowed to finish and the new one put into
a queue until the application is fully loaded and ready to serve them
?
Multiple Tomcat instances and httpd as a load balancer.
I have a struts-based application running on multiple tomcat instances, load
balanced by a hardware load balancer, i.e., no Apache Web Server. I need a way
at run-time to know which tomcat instance it is. Is there a way to access info
in the server.xml or context.xml file at run-time? Can I
I have a servlet that does a direct read from a mapped drive in
Windows. It works fine in tomcat as long as I use a drive on the local
machine. However, I need to access a mapped drive on a different
machine. When I run the program, I get a FileNotFound error in JAVA and
(access denied)
What's your server OS?
In Response To:
I am running Tomcat 5.0.28 and Apache 2.2 using mod_jk. I am constantly seeing
the following error show up in the catalina.log:
WARNING: Exception executing accept
java.net.SocketException: Invalid argument
at
Sun v245 running Solaris 10
Aaron Steele
Technology Lead
Natural Wellness USA, Inc.
http://www.veria.com
701 Highlander Blvd, Suite 200 | Arlington, Texas 76015
p (817) 804-4646 | c (817) 879-7528 | f (817) 804-4696
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
By looking at the stack trace it looks like setsockopt() is trying to set an
option on the underlying socket that's not supported by your TCP/IP
implementation. It probably is some performance related option that's being
ignored. You could turn up the logging level by setting JkLogLevel debug.
Daniel L. Gross wrote:
I have a servlet that does a direct read from a mapped drive in
Windows. It works fine in tomcat as long as I use a drive on the local
machine. However, I need to access a mapped drive on a different
machine. When I run the program, I get a FileNotFound error in JAVA
From: Daniel L. Gross [mailto:[EMAIL PROTECTED]
Subject: Mapped File Access Problems in Servlets
However, I need to access a mapped drive on a different
machine. When I run the program, I get a FileNotFound error
in JAVA and (access denied) next to it.
Are you running Tomcat as a
Looks like the SO_LINGER option isn't being set. I would look into that.
In Response To:
By looking at the stack trace it looks like setsockopt() is trying to set an
option on the underlying socket that's not supported by your TCP/IP
implementation. It probably is some performance related
[EMAIL PROTECTED] wrote:
Rainer,
Thanks very much for the clarification! Since I have been playing with the
load balancing strategy set to session (worker.router.method=S on my
load balancer), is there a way to tell roughly how many sessions have
been pinned to each worker/tomcat? In this case