Tomcat hangs with lots of DBCP Object.wait processes
I have a customer running Tomcat 4.0.18. About twice a week their system is locking up - obviously we don't know why or I would not be asking. Symptoms 1) CPU usage per TOP is not very high. 2) When requesting the main web page, the page goes white and never returns. When this happened yesterday I was able to get a thread dump. It was quite different than I've seen on this system before, almost 4000 lines long. What was particularly noticable was that it had 74 threads that were almost identically waiting (my interpretation, not sure its accurate, but it seems to be saying so) in Commons DBCP objects. I've got an annotated (and somewhat shortened) version of the thread dump below. Additional info: Sun Java jdk1.5.0_04 Tomcat is of course fronted by Apache 2.0.48 and mod_jk. CPU does not appear to be high, but the # uname -a Linux acme2.acme.com 2.4.22-1.2115.nptlsmp #1 SMP Wed Oct 29 15:30:09 EST 2003 i686 i686 i386 GNU/Linux I believe its Linux Fedora FC2, dual Xeon processors, 2GB RAM Oh, the data source is defined with pretty much default parameters: Context path= docBase=httpdocs reloadable=true debug=0 Resource name=jdbc/acme.com auth=Container type=javax.sql.DataSource/ ResourceParams name=jdbc/acme.com parameter nameurl/name valuejdbc:mysql://localhost/acme?autoReconnect=trueamp;zeroDateTimeBehavi or=convertToNullamp;noDatetimeStringSync=true/value /parameter parameter namedriverClassName/name valuecom.mysql.jdbc.Driver/value /parameter parameter nameusername/name valueacme/value /parameter parameter namepassword/name valueacme/value /parameter /ResourceParams /Context Any ideas or assistance in tracking this down are appreciated Thanks in advance - Richard - Annotated stack trace follows --- Full thread dump Java HotSpot(TM) Server VM (1.5.0_04-b05 mixed mode): Thread-421 daemon prio=1 tid=0x085f8bc0 nid=0x686f in Object.wait() [0x85826000..0x85827680] at java.lang.Object.wait(Native Method) - waiting on 0x49d33258 (a org.apache.commons.dbcp.AbandonedObjectPool) at java.lang.Object.wait(Object.java:474) at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(Unknown Source) - locked 0x49d33258 (a org.apache.commons.dbcp.AbandonedObjectPool) at org.apache.commons.dbcp.AbandonedObjectPool.borrowObject(AbandonedObjectPool .java:117) - locked 0x49d33258 (a org.apache.commons.dbcp.AbandonedObjectPool) at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.ja va:110) at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:3 12) at com.acme.Connector.CreateConnection(Connector.java:69) at com.acme.OpenMailData.insert(OpenMailData.java:282) at com.acme.trackopenmail.doPost(trackopenmail.java:48) at com.acme.trackopenmail.doGet(trackopenmail.java:19) at javax.servlet.http.HttpServlet.service(HttpServlet.java:740) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:247) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:260) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok eNext(StandardPipeline.java:643) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:191) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok eNext(StandardPipeline.java:643) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180 ) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok eNext(StandardPipeline.java:643) at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve. java:170) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
RE: Suppress Connection reset by peer: socket write error.
Hi Robert,
What a truly fantastic answer! Very detailed and
educational. Your timeis deeply appreciated.
What I'd like to know is: do I have to do it in every
JSP (I have hundreds). And is there a configuration
solution as was alluded by Bill previously?
Once again, very many thanks!!!
Dola
--- Robert Graf-Waczenski [EMAIL PROTECTED] wrote:
Hi!
First, some background:
The exception your app actually gets internally is a
SocketException with the text you mention below.
It occurs if the client browser prematurely cancels
an http request before tomcat has completed sending
the full response data to the client.
Another manifestation may be a SocketException with
the text Socket closed, which *may* occur if your
app serves big download data streams and the client
cancels the download.
The bottom line is that these two exceptions simply
happen in real life web apps and that they can be
safely ignored.
However, you correctly want to know how your app can
perform the magic to safely ignore these two
exceptions outomatically, right?
So you will need to add some error handling that
would
basically consist of wrapping everyting in your app
inside a try/catch block that would swallow the
two variants of SocketException above. But the
problem
with this approach is that you must not simply
swallow
*all* SocketExceptions.
Here's what we do in our app:
catch(SocketException e) {
String stackTrace = Util.getStackTrace(e); //
this extracts the full
stack trace
if ((stackTrace.indexOf(socket write error) -1
|| stackTrace.indexOf(Socket closed) -1)
(stackTrace.indexOf(org.apache.tomcat.service.http.HttpResponseAdapter
) -1
||
stackTrace.indexOf(javax.servlet.http.HttpServlet.service()
-1))
{
log(Client signalled end of socket
communication);
}
else
throw e;
}
(Note that you may have to re-construct the full
lines
of the source code above as my mail client may have
introduced linebreaks at bad places...)
Yes, we log an error message even if this particular
client
aborted request situation was detected. You may
want to swallow
this silently, but i would suggest to not do this
because you
(and we) never are sure if the stack trace analysis
above is
perfect. The other down side of this approach is
that future
versions of Java and/or Tomcat may change the
exception message
texts and/or the structure of the stack trace. But
currently
(JDK 1.5 / Tomcat 5.5) this approach does what was
intended.
Robert
-Original Message-
From: Dola Woolfe [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 3:17 AM
To: Tomcat Users List
Subject: Re: Suppress Connection reset by peer:
socket write error.
Hi Bill,
Thanks for your answer and sorry for the delay in
my
reply!
I'm using standalong Tomcat 5.5 listening on port
80.
I'm using jdk 1.5 on WinXP. I'm not using any
special
logging. I'm running Tomcat in a console, simply
by
typing startup in tomcat/bin.
What I don't want happening is for the Connection
reset by peer: socket write error to be displayed
in
the console window.
Given this detailed information, would you mind
refining your recommendation?
Thank you very much in advance,
Dola Chin
--- Bill Barker [EMAIL PROTECTED] wrote:
Dola Woolfe [EMAIL PROTECTED] wrote in
message
news:[EMAIL PROTECTED]
Hi,
I apologize for asking this question again for
I
remembering asking this question in the past,
but
I
can't find the response.
What setting (and where) will suppress the
aforementioned exception in the tomcat log?
Including the Tomcat version helps ;-).
I'm assuming that this is for the AJP/1.3
Connector.
The answer is to
change the logging level for that component to
be
one higher than the level
in the message (in the latest version, it's at
DEBUG
level and I don't
remember what it used to be). For example, if
you
are using JDK1.4 logging
you would do something like:
org.apache.jk.common.level=SEVERE
in your logging.properties file.
Thank you very much in advance, again!
Dola
__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
__
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
-
To unsubscribe,
RE: Suppress Connection reset by peer: socket write error.
Hi Dola,
right off of my head, i can't come up with a smart configuration
solution that would selectively swallow the message as our approach
does. Our app has two shared JSPs that are included in every JSP, one at
the top and one at the bottom. The top-included JSP opens the try block
(making it illegal for many IDEs such as IntelliJ or similar), the
bottom-included JSP contains the catch block with the handling code.
(Actually, our approach differs slightly from what i described to you:
Our top/bottom JSPs take care of logging everything to a central logger
class and the logger class, in turn, inspects the stack trace and avoids
to perform a critical logging if the stack trace looks as i described
it.)
But, yes, if your hundreds of JSPs do not have two such globally shared
include JSPs, then you are in some trouble and have to introduce the two
include statements, one at the top and the other at the bottom. (You may
want to use smart shell scripting for this...) Then, add your two
top/bottom JSPs and you are done with your JSPs.
And don't forget your servlet classes: If any of your web requests are
served by a servlet, you have to add the try/catch block to the servlet
class, too.
Robert
-Original Message-
From: Dola Woolfe [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 8:43 AM
To: Tomcat Users List
Subject: RE: Suppress Connection reset by peer: socket write error.
Hi Robert,
What a truly fantastic answer! Very detailed and
educational. Your timeis deeply appreciated.
What I'd like to know is: do I have to do it in every
JSP (I have hundreds). And is there a configuration
solution as was alluded by Bill previously?
Once again, very many thanks!!!
Dola
--- Robert Graf-Waczenski [EMAIL PROTECTED] wrote:
Hi!
First, some background:
The exception your app actually gets internally is a
SocketException with the text you mention below.
It occurs if the client browser prematurely cancels
an http request before tomcat has completed sending
the full response data to the client.
Another manifestation may be a SocketException with
the text Socket closed, which *may* occur if your
app serves big download data streams and the client
cancels the download.
The bottom line is that these two exceptions simply
happen in real life web apps and that they can be
safely ignored.
However, you correctly want to know how your app can
perform the magic to safely ignore these two
exceptions outomatically, right?
So you will need to add some error handling that
would
basically consist of wrapping everyting in your app
inside a try/catch block that would swallow the
two variants of SocketException above. But the
problem
with this approach is that you must not simply
swallow
*all* SocketExceptions.
Here's what we do in our app:
catch(SocketException e) {
String stackTrace = Util.getStackTrace(e); //
this extracts the full
stack trace
if ((stackTrace.indexOf(socket write error) -1
|| stackTrace.indexOf(Socket closed) -1)
(stackTrace.indexOf(org.apache.tomcat.service.http.HttpRespon
seAdapter
) -1
||
stackTrace.indexOf(javax.servlet.http.HttpServlet.service()
-1))
{
log(Client signalled end of socket
communication);
}
else
throw e;
}
(Note that you may have to re-construct the full
lines
of the source code above as my mail client may have
introduced linebreaks at bad places...)
Yes, we log an error message even if this particular
client
aborted request situation was detected. You may
want to swallow
this silently, but i would suggest to not do this
because you
(and we) never are sure if the stack trace analysis
above is
perfect. The other down side of this approach is
that future
versions of Java and/or Tomcat may change the
exception message
texts and/or the structure of the stack trace. But
currently
(JDK 1.5 / Tomcat 5.5) this approach does what was
intended.
Robert
-Original Message-
From: Dola Woolfe [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 3:17 AM
To: Tomcat Users List
Subject: Re: Suppress Connection reset by peer:
socket write error.
Hi Bill,
Thanks for your answer and sorry for the delay in
my
reply!
I'm using standalong Tomcat 5.5 listening on port
80.
I'm using jdk 1.5 on WinXP. I'm not using any
special
logging. I'm running Tomcat in a console, simply
by
typing startup in tomcat/bin.
What I don't want happening is for the Connection
reset by peer: socket write error to be displayed
in
the console window.
Given this detailed information, would you mind
refining your recommendation?
Thank you very much in advance,
Dola Chin
--- Bill Barker [EMAIL PROTECTED] wrote:
Dola Woolfe [EMAIL PROTECTED] wrote in
message
news:[EMAIL
RE: Tomcat hangs with lots of DBCP Object.wait processes
One thing I forgot, that might be relevant. Another Tomcat instance on the server continued to function just fine. It also accesses a different MySQL database, but its served by the same MySQL instance. - Richard -Original Message- From: Richard Mixon [mailto:[EMAIL PROTECTED] Sent: Thursday, October 13, 2005 11:27 PM To: users@tomcat.apache.org Subject: Tomcat hangs with lots of DBCP Object.wait processes I have a customer running Tomcat 4.0.18. About twice a week their system is locking up - obviously we don't know why or I would not be asking. Symptoms 1) CPU usage per TOP is not very high. 2) When requesting the main web page, the page goes white and never returns. When this happened yesterday I was able to get a thread dump. It was quite different than I've seen on this system before, almost 4000 lines long. What was particularly noticable was that it had 74 threads that were almost identically waiting (my interpretation, not sure its accurate, but it seems to be saying so) in Commons DBCP objects. I've got an annotated (and somewhat shortened) version of the thread dump below. Additional info: Sun Java jdk1.5.0_04 Tomcat is of course fronted by Apache 2.0.48 and mod_jk. CPU does not appear to be high, but the # uname -a Linux acme2.acme.com 2.4.22-1.2115.nptlsmp #1 SMP Wed Oct 29 15:30:09 EST 2003 i686 i686 i386 GNU/Linux I believe its Linux Fedora FC2, dual Xeon processors, 2GB RAM Oh, the data source is defined with pretty much default parameters: Context path= docBase=httpdocs reloadable=true debug=0 Resource name=jdbc/acme.com auth=Container type=javax.sql.DataSource/ ResourceParams name=jdbc/acme.com parameter nameurl/name valuejdbc:mysql://localhost/acme?autoReconnect=trueamp;zeroDateTimeBehavi or=convertToNullamp;noDatetimeStringSync=true/value /parameter parameter namedriverClassName/name valuecom.mysql.jdbc.Driver/value /parameter parameter nameusername/name valueacme/value /parameter parameter namepassword/name valueacme/value /parameter /ResourceParams /Context Any ideas or assistance in tracking this down are appreciated Thanks in advance - Richard - Annotated stack trace follows --- Full thread dump Java HotSpot(TM) Server VM (1.5.0_04-b05 mixed mode): Thread-421 daemon prio=1 tid=0x085f8bc0 nid=0x686f in Object.wait() [0x85826000..0x85827680] at java.lang.Object.wait(Native Method) - waiting on 0x49d33258 (a org.apache.commons.dbcp.AbandonedObjectPool) at java.lang.Object.wait(Object.java:474) at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(Unknown Source) - locked 0x49d33258 (a org.apache.commons.dbcp.AbandonedObjectPool) at org.apache.commons.dbcp.AbandonedObjectPool.borrowObject(AbandonedObjectPool .java:117) - locked 0x49d33258 (a org.apache.commons.dbcp.AbandonedObjectPool) at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.ja va:110) at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:3 12) at com.acme.Connector.CreateConnection(Connector.java:69) at com.acme.OpenMailData.insert(OpenMailData.java:282) at com.acme.trackopenmail.doPost(trackopenmail.java:48) at com.acme.trackopenmail.doGet(trackopenmail.java:19) at javax.servlet.http.HttpServlet.service(HttpServlet.java:740) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:247) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:260) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok eNext(StandardPipeline.java:643) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:191) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok eNext(StandardPipeline.java:643) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at
RES: Tomcat Log4j Log Level Configuration
Hi Jojo, I'm with the same problem: I'd like to change the log level e also the appender configurations without redeploy my war (my log4j.properties file is bundled into the web-inf/classes)... I have thought about a few - not very good - approaches (of course the best one would be an out-of-box solution): - I was wondering if I could change the log level by programming against Log4j memory beans...have you already tried that? I have already done this kind of configurations with Java code to initialize the appenders and levels, but I'm not sure if there are performance or thread safe issues related to modified them on fly... - Try to put my log4j.properties out of the war (something like each war's log4j file into subdirectories of Tomcat's log directory). This would also require app code to reload log4j configuration - I don't know if it's possible... - Manage log4j configurations as JMX beans...I'm not using JMX in depth but it seems that I'd be able to modify the configuration this way. Did you already get any answer about this subject? Thanks! Paulo -Mensagem original- De: Jojo Paderes [mailto:[EMAIL PROTECTED] Enviada em: quinta-feira, 8 de setembro de 2005 07:45 Para: Tomcat User List Assunto: Tomcat Log4j Log Level Configuration How do I configure Tomcat or Log4J to change the log level output during runtime? Anybody already done this successfully with Tomcat 5.5.9? -- My Blogs http://jojopaderes.blogspot.com Google Talk http://www.google.com/talk (ID: jojo.paderes) In preparing for battle I have always found that plans are useless, but planning is indispensable. - Eisenhower - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
where do the access and error logs go
I installed 5.5.9 and in the course of debugging some opencms stuff I'm wondering where access and error logs go when the jk connector is used - that is, when tomcat fulfills the request. Then I would not expect the error caused by an inaccessible resource to be logged in apache2\logs but rather in ..\jakarta...\logs. But there I only can see stdout and stderror logs of the day which only seem to log server startup and shutdown. Do I have to enable logging separately? -- Chris Christoph P. U. Kukulies kuku_at_kukulies.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat hangs with lots of DBCP Object.wait processes
Is the Tomcat instance making connections to MySQL? Have you checked MySQL to see if there are an abnormally large number of connections at the time Tomcat fails? Do the MySQL logs tell you anything that suggests some of these threads/sessions might be deadlocked? -Original Message- From: Richard Mixon [mailto:[EMAIL PROTECTED] Sent: Friday, October 14, 2005 3:12 AM To: 'Tomcat Users List' Subject: RE: Tomcat hangs with lots of DBCP Object.wait processes One thing I forgot, that might be relevant. Another Tomcat instance on the server continued to function just fine. It also accesses a different MySQL database, but its served by the same MySQL instance. - Richard -Original Message- From: Richard Mixon [mailto:[EMAIL PROTECTED] Sent: Thursday, October 13, 2005 11:27 PM To: users@tomcat.apache.org Subject: Tomcat hangs with lots of DBCP Object.wait processes I have a customer running Tomcat 4.0.18. About twice a week their system is locking up - obviously we don't know why or I would not be asking. Symptoms 1) CPU usage per TOP is not very high. 2) When requesting the main web page, the page goes white and never returns. When this happened yesterday I was able to get a thread dump. It was quite different than I've seen on this system before, almost 4000 lines long. What was particularly noticable was that it had 74 threads that were almost identically waiting (my interpretation, not sure its accurate, but it seems to be saying so) in Commons DBCP objects. I've got an annotated (and somewhat shortened) version of the thread dump below. Additional info: Sun Java jdk1.5.0_04 Tomcat is of course fronted by Apache 2.0.48 and mod_jk. CPU does not appear to be high, but the # uname -a Linux acme2.acme.com 2.4.22-1.2115.nptlsmp #1 SMP Wed Oct 29 15:30:09 EST 2003 i686 i686 i386 GNU/Linux I believe its Linux Fedora FC2, dual Xeon processors, 2GB RAM Oh, the data source is defined with pretty much default parameters: Context path= docBase=httpdocs reloadable=true debug=0 Resource name=jdbc/acme.com auth=Container type=javax.sql.DataSource/ ResourceParams name=jdbc/acme.com parameter nameurl/name valuejdbc:mysql://localhost/acme?autoReconnect=trueamp;zeroDateTimeBehavi or=convertToNullamp;noDatetimeStringSync=true/value /parameter parameter namedriverClassName/name valuecom.mysql.jdbc.Driver/value /parameter parameter nameusername/name valueacme/value /parameter parameter namepassword/name valueacme/value /parameter /ResourceParams /Context Any ideas or assistance in tracking this down are appreciated Thanks in advance - Richard - Annotated stack trace follows --- Full thread dump Java HotSpot(TM) Server VM (1.5.0_04-b05 mixed mode): Thread-421 daemon prio=1 tid=0x085f8bc0 nid=0x686f in Object.wait() [0x85826000..0x85827680] at java.lang.Object.wait(Native Method) - waiting on 0x49d33258 (a org.apache.commons.dbcp.AbandonedObjectPool) at java.lang.Object.wait(Object.java:474) at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(Unknown Source) - locked 0x49d33258 (a org.apache.commons.dbcp.AbandonedObjectPool) at org.apache.commons.dbcp.AbandonedObjectPool.borrowObject(AbandonedObjectPool .java:117) - locked 0x49d33258 (a org.apache.commons.dbcp.AbandonedObjectPool) at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.ja va:110) at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:3 12) at com.acme.Connector.CreateConnection(Connector.java:69) at com.acme.OpenMailData.insert(OpenMailData.java:282) at com.acme.trackopenmail.doPost(trackopenmail.java:48) at com.acme.trackopenmail.doGet(trackopenmail.java:19) at javax.servlet.http.HttpServlet.service(HttpServlet.java:740) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:247) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:260) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok eNext(StandardPipeline.java:643) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at
Tracking open database connections in a pool
Hi, Is there any way to know how many open connections are in the database connection pool? I'd like to know how many connections are active/idle at any point in time. I'm using the javax.sql.DataSource with the MySQL JDBC driver. Tomcat version 5.5.9. Thanks, Dhiren
Re: secure application using Tomcat
I would recommend placing Apache in front of Tomcat. You can also use mod_security on Apache to further lock down your application. I have found that if you want security, do not use Tomcat by itself. I never liked the idea of placing keystore passwords in XML files. At least Apache prompts you for a password when it starts up. As far as authenticating users based on their key(s), you would have to enforce mutually authenticated SSL, get the certificate and validate it against a CA inside of Tomcat. This all is fairly easy to do. On 10/14/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hello! I am a newbie to Tomcat. I have configured Tomcat as a standalone web server for HTTP and HTTPS. and now I am trying to develop a secure aplication (using SSL) which will do user authentication and perform user specific actions. I need some help/tutorial (JAVA) which can guide me to authneticate user using symmetric keys. For instance how to generate/exchange symmetric key and how to authenticate user etc. Thanks a lot in advance Jawwad - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RES: RES: Tomcat Log4j Log Level Configuration
Thank you, Jess... I'm now trying to use the (log4j) ConfigurationServlet in order to learn more about these problems...the information bellow is very usefull! Alvim. -Mensagem original- De: Jess Holle [mailto:[EMAIL PROTECTED] Enviada em: sexta-feira, 14 de outubro de 2005 10:05 Para: Tomcat Users List Cc: Tomcat Users List; [EMAIL PROTECTED] Assunto: Re: RES: Tomcat Log4j Log Level Configuration Paulo Alvim wrote: Hi Jojo, I'm with the same problem: I'd like to change the log level e also the appender configurations without redeploy my war (my log4j.properties file is bundled into the web-inf/classes)... This is a major failing of the WAR format as I see it. You have to redeploy everything to change anything but the deployment descriptor. That seems less than realistic for a large web application. I have thought about a few - not very good - approaches (of course the best one would be an out-of-box solution): - I was wondering if I could change the log level by programming against Log4j memory beans...have you already tried that? I have already done this kind of configurations with Java code to initialize the appenders and levels, but I'm not sure if there are performance or thread safe issues related to modified them on fly... Do you mean log4j management bean (MBeans)? If so, there are issues with these and use per-web-app logging repositories. I wrote my own MBeans for log4j to get around this and many other issues I encountered with the bundled MBeans. [My MBeans allow me to create a separate branch of MBeans for each log4j LoggerRepository, e.g. one per web app and one for the default LoggerRepository as well if one configures Tomcat itself to use log4j as well.] - Try to put my log4j.properties out of the war (something like each war's log4j file into subdirectories of Tomcat's log directory). This would also require app code to reload log4j configuration - I don't know if it's possible... This is doable. You could have JNDI environment entries in your deployment descriptor (your Context XML) calling out the location of your log4j properties (or XML) file. You can then have a thread watch this for changes and reapply the config file on the fly when changes are noticed. log4j has functionality for this, but it is problematic in that you can't cleanly close down the threads on web app shutdown, etc, so you're better off writing your own (or using log4j 1.3, which supposedly fixes this but is in alpha...) - Manage log4j configurations as JMX beans...I'm not using JMX in depth but it seems that I'd be able to modify the configuration this way. Oh, so you meant something else above. -- Jess Holle - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: can JNDIRealm connectionPassword be encrypted?
From: Klotz Jr, Dennis [mailto:[EMAIL PROTECTED] Subject: RE: can JNDIRealm connectionPassword be encrypted? To me and my co-workers that login still represents a large security risk if someone can gain access to the file server.xml. If someone can gain access to server.xml, you essentially have a complete breakdown of security for that system. If you don't trust your file system to protect against unauthorized intrusion, any other security considerations are moot. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: can JNDIRealm connectionPassword be encrypted?
From: Klotz Jr, Dennis [mailto:[EMAIL PROTECTED] Subject: RE: can JNDIRealm connectionPassword be encrypted? Right now we have the tomcat instance running as a tomcat:tomcat user and group. And, I hope, you have permissions for everything in Tomcat's directories set to 750, and very, very limited membership in the group. in case someone found an exploit within tomcat itself and gained shell access with tomcat privileges. Double failure. Not only would there have to be a serious security flaw within Tomcat itself (and I'm not aware of any at the moment), but this flaw would also have to permit execution of arbitrary code - which is pretty tricky in Java, if you've set up the JVM security policy appropriately. Again perhaps that is a being a bit paranoid. But that is what security is all about. :) Not really, although a lot of consultants push that approach so they can take your money and tell you things you already know. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JDBCRealm logout and welcome page
After logout with JDBCRealm FORM and if the welcome page stays within the webapp, is it possible? I wonder when the welcome page is within the webapp, JDBCRealm will ask the username and password, but after logout, welcome page within the webapp should not be asked for username and password. Should the welcome page place outside the webapp logged out? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
