Re: Clustering / High Availability edge cases?
On 13/09/2011 10:51, John Bass wrote: Hi all, I'm relatively new to clustering with Tomcat and I'm trying to understand the edge cases. If I'd like to guarantee continuous availability, what are the caveats? As I understand it, Tomcat clustering will ensure that session information is persisted in the event of a failure. That's fine, however, what about long running I/O operations? What if my node dies in the middle of serving an HTTP response? In the event of a node failure, I'm assuming that there's no way to recover from that and the failure will be visible to a client application. Wrong. Recovery options depend on the exact failure mode and the load-balancer configuration. The typical sequence of events is: - load-balancer sends request to Tomcat - request fails - load-balancer detects failure (either by return code or lack of response) - load-balancer replays request to a different Tomcat node - Tomcat generates response - load-balancer returns response to the client - client is unaware of failure although the request may appear slow particularly if the failure was detected via a timeout The load-balacer configuration will control the exact circumstances under which a request will be replayed. Similarly, if a node fails during a long running calculation, I'm assuming that there's no way to persist that execution state. Out of the box, no. You'd need to code that within the app. Are those assumptions correct? If anyone has any other comments on further scenarios where clustering and session persistence will not be useful in an HA context, i'd love to hear them. Another failure mode to consider is node failure after the request has been processed but before the updated session data has been replicated to other nodes in the cluster. If you use synchronous replication (the replication happens before the response is completed) then this can't happen but your responses are delayed until the replication completes. If you use asynchronous replication then there is the possibility of node failure before the data is replicated. Also, you must use sticky sessions in this case since you don't want the next request being directed to a different node before the updated session data has been replicated. Finally, if using the back-up manager multiple node failures in quick succession will cause the loss of session data. With this manager, each node distributes the backup copies of the session data (each primary session has a single backup) around the other nodes in the cluster. So, for example, in a four node cluster if node A has 30 primary sessions 10 of those will be backed up on node B, 10 on node C and 10 on node D. If node A fails, the remaining nodes will detect this, make themselves the primary node for the sessions they are backing up and start the process of creating new backups on one of the remaining nodes. If a second node fails before this is complete there is the possibility of session loss. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Clustering / High Availability edge cases?
On 14/09/2011 23:03, Christopher Schultz wrote: John, On 9/13/2011 5:51 AM, John Bass wrote: In the event of a node failure, I'm assuming that there's no way to recover from that and the failure will be visible to a client application. Correct: no other node in the cluster can serve the response being generated by a dying Tomcat instance. As Pid points out, this isn't unique to Tomcat. Wrong. See my longer response. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
On Wed, Sep 14, 2011 at 20:49, Mark Eggers its_toas...@yahoo.com wrote: [...] I've not tried this in Tomcat, but here's a thought. According to: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter Tomcat uses java.util.regex for pattern matching. This means that if you want a string regular expression to include a ., you'll end up entering it as \\. Try using 127\\.0\\.0\\.1|::1 and see if that fixes your problem. I have no idea why it would work in previous versions (have not checked the change log). . . . . just my two cents. Yep, fair enough. But in this case \. would have expanded to a dot and it would have matched anyway. @André: I do connect from localhost using wget, mainly: wget -O - -nv --http-user= --http-password= http://localhost:8080//manager/text/list But even so, using 127\\.0\\.0\\.1, I get 403... There definitely is something broken :( -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Availability of Apache Tomcat 6.0.34?
Hi, Does anyone know when the fix for the specific vulnerability: CVE-2011-3190 will be available for the 6.0.33 version of Apache Tomcat? Best Regards, Shanti
Re: SSLSession invalidate
You can break TLS sessions once you have the session_id. I tried this in Clerezza (an apache incubator project) to see if I could get something like a logout functionality to work. I even tried to see if breaking a connection and throwing one of the exceptions that TLS defines would force the browser to ask the user for another certificate, but it does not work - or only quite randomly in most browsers. https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala I think it is a bug that they don't react properly to the defined exceptions being thrown. What does work for Firefox and I think IE (Not tested yet, please let me know) is the following javascript logout: function logout(elem) { if (document.all == null) { if (window.crypto) { try{ window.crypto.logout(); return false; //firefox ok -- no need to follow the link } catch (err) {//Safari, Opera, Chrome -- try with tis session breaking } } else { //also try with session breaking } } else { // MSIE 6+ document.execCommand('ClearAuthenticationCache'); return false; }; return true } function login(elem) { logout(elem) } - Then you can just put the following html in your page a href={/user/joe/control-panel}Joe/a|a href=/logout onclick=return logout();logout/a I have added this to the foaf+ssl (WebID protocol) wiki http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout Henry On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote: Don't assume your SSL session or connection hasn't been invalidated just because you aren't asked to choose a certificate from your browser certs when you log in again. In our system (Tomcat 5.5.33), I know that our HTTP session and Single Sign-on session are invalidated upon logout, and we see similar behavior (no need to select certificate) upon re-login because the browser caches the user's certificate choice (and smart card PIN). Is your session ID the same when you go back in? If you are using IE and you want to clear the browser cache to select another certificate, go to Tools-Internet Options, select Content tab, and click Clear SSL state. -Original Message- From: users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Jürgen Jakobitsch Sent: Tuesday, September 06, 2011 3:12 PM To: Tomcat Users List Subject: Re: SSLSession invalidate thanks mark, if i understand you correct, it is simply NOT possible to invalidate the SSLSession of which i can get the id with request.getAttribute(javax.servlet.request.ssl_session) (it works with this key in 6.0.32) wkr turnguard - Original Message - From: Mark Thomas ma...@apache.org To: Tomcat Users List users@tomcat.apache.org Sent: Wednesday, September 7, 2011 12:08:29 AM Subject: Re: SSLSession invalidate On 06/09/2011 22:42, Jürgen Jakobitsch wrote: apparently there is one, i can get it's id with request.getAttribute(javax.servlet.request.ssl_session) That is a Tomcat bug it should be javax.servlet.request.ssl_session_id in tomcat7 there's the possibility to use SSLSessionManager to invalidate SSLSession, so i'm doing a wild guess, that something similar has to be possible with tomcat6 as well. Your wild guess is wrong. That feature is in Tomcat 7 onwards. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- | Jürgen Jakobitsch, | Software Developer | Semantic Web Company GmbH | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22 COMPANY INFORMATION | http://www.semantic-web.at/ PERSONAL INFORMATION | web : http://www.turnguard.com | foaf : http://www.turnguard.com/turnguard | skype : jakobitsch-punkt - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Social Web Architect http://bblfish.net/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
On Thu, Sep 15, 2011 at 10:06, Francis GALIEGUE f...@one2team.com wrote: On Wed, Sep 14, 2011 at 20:49, Mark Eggers its_toas...@yahoo.com wrote: [...] I've not tried this in Tomcat, but here's a thought. According to: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter Tomcat uses java.util.regex for pattern matching. This means that if you want a string regular expression to include a ., you'll end up entering it as \\. Try using 127\\.0\\.0\\.1|::1 and see if that fixes your problem. I have no idea why it would work in previous versions (have not checked the change log). . . . . just my two cents. Yep, fair enough. But in this case \. would have expanded to a dot and it would have matched anyway. @André: I do connect from localhost using wget, mainly: wget -O - -nv --http-user= --http-password= http://localhost:8080//manager/text/list But even so, using 127\\.0\\.0\\.1, I get 403... There definitely is something broken :( OK, I've found the bug... I have added an access log valve and here is what I see in it: [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403 GET //manager/text/list HTTP/1.0 That explains it. So, I do have IPv6, but the valve doesn't recognize ::1 as being equivalent to the fully expanded IPv6 address... If it only tries and matches the regex, the behaviour is therefore normal. I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it does work... So, PEBKAC mostly, but I think Tomcat should be able to treat reduced IPv6 address formats. -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
On Thu, Sep 15, 2011 at 10:26, Francis GALIEGUE f...@one2team.com wrote: [...] I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it does work... Which makes me think: the documentation SHOULD specify that regexes in the allow and deny parameters of the valve are ANCHORED. That's a pity, since it means you cannot really use the full power of regexes... -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
On 15/09/2011 02:08, Dean Hoover wrote: We're using Lightning (add-on from Thunderbird email client). The error we get is MODIFICATION_FAILED, which from some review points to permissions to the .ics file. On Wed, Sep 14, 2011 at 4:34 PM, Pid p...@pidster.com wrote: On 14/09/2011 18:14, Dean Hoover wrote: The problem I am having is that we are unable to modify (add/remove calendar entries) after the move. How are you trying to update them? So you are trying to execute a write operation on the file over HTTP? It is not possible to simply write to files published on web servers over HTTP, as if they are on an accessible file system. Is there an access log configured, and if so, what are the log lines that show access attempts to those files? p signature.asc Description: OpenPGP digital signature
Re: tomcat 7.0.21: bug in RemoteAddrValve?
Francis GALIEGUE wrote: On Thu, Sep 15, 2011 at 10:06, Francis GALIEGUE f...@one2team.com wrote: On Wed, Sep 14, 2011 at 20:49, Mark Eggers its_toas...@yahoo.com wrote: [...] I've not tried this in Tomcat, but here's a thought. According to: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter Tomcat uses java.util.regex for pattern matching. This means that if you want a string regular expression to include a ., you'll end up entering it as \\. Try using 127\\.0\\.0\\.1|::1 and see if that fixes your problem. I have no idea why it would work in previous versions (have not checked the change log). . . . . just my two cents. Yep, fair enough. But in this case \. would have expanded to a dot and it would have matched anyway. @André: I do connect from localhost using wget, mainly: wget -O - -nv --http-user= --http-password= http://localhost:8080//manager/text/list But even so, using 127\\.0\\.0\\.1, I get 403... There definitely is something broken :( OK, I've found the bug... I have added an access log valve and here is what I see in it: [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403 GET //manager/text/list HTTP/1.0 That explains it. So, I do have IPv6, but the valve doesn't recognize ::1 as being equivalent to the fully expanded IPv6 address... If it only tries and matches the regex, the behaviour is therefore normal. Aha. So I do get a Debugger Bonus Point after all. I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it does work... So, PEBKAC mostly, but I think Tomcat should be able to treat reduced IPv6 address formats. That would mean that both the address configured in the Valve, and the client address, would need to be canonicalised and then compared. You'll probably see the traditional patches are welcome soon. On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges of addresses. You could use something like : (127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
Pid wrote: On 15/09/2011 02:08, Dean Hoover wrote: We're using Lightning (add-on from Thunderbird email client). The error we get is MODIFICATION_FAILED, which from some review points to permissions to the .ics file. On Wed, Sep 14, 2011 at 4:34 PM, Pid p...@pidster.com wrote: On 14/09/2011 18:14, Dean Hoover wrote: The problem I am having is that we are unable to modify (add/remove calendar entries) after the move. How are you trying to update them? So you are trying to execute a write operation on the file over HTTP? It is not possible to simply write to files published on web servers over HTTP, as if they are on an accessible file system. Unless that thing uses DAV, and the server is configured to support it of course. I have a vague recollection that this is what this plugin expects. Is there an access log configured, and if so, what are the log lines that show access attempts to those files? p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
On Thu, Sep 15, 2011 at 14:25, André Warnier a...@ice-sa.com wrote: [...] OK, I've found the bug... I have added an access log valve and here is what I see in it: [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403 GET //manager/text/list HTTP/1.0 That explains it. So, I do have IPv6, but the valve doesn't recognize ::1 as being equivalent to the fully expanded IPv6 address... If it only tries and matches the regex, the behaviour is therefore normal. Aha. So I do get a Debugger Bonus Point after all. Yes, indeed. Even though I have NETWORKING_IPV6=no in /etc/sysconfig/network. Bah. I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it does work... So, PEBKAC mostly, but I think Tomcat should be able to treat reduced IPv6 address formats. That would mean that both the address configured in the Valve, and the client address, would need to be canonicalised and then compared. You'll probably see the traditional patches are welcome soon. On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges of addresses. You could use something like : (127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1) Well, checking address ranges would be _much_ easier if regexes were not anchored... But anyway, the allow and deny as they exist currently just don't cut the mustard, and are far from being as potent as, say Apache's Allow from and Deny from. This should be the goal. RemoteAddrValveEvolved? -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
2011/9/15 André Warnier a...@ice-sa.com: On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges of addresses. You could use something like : (127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1) Just 127\.0\.0\.1 It is XML - no need to double the slashes. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Bad documentation error on Tomcat 6.0 howto site
There is a bad error on the Tomcat 6.0 documentation website: http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring_Manager_Application_Access They give the 7.0 syntax for manager role names. 6.0 requires manager, not manager-gui or manager-script and it led astray for several hours. Thanks. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Bad documentation error on Tomcat 6.0 howto site
2011/9/15 Steve Cohen sco...@javactivity.org: There is a bad error on the Tomcat 6.0 documentation website: http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring_Manager_Application_Access They give the 7.0 syntax for manager role names. 6.0 requires manager, not manager-gui or manager-script and it led astray for several hours. The documentation is correct. You are probably using an old version of Tomcat 6 (and you are not telling us which one). Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
Francis GALIEGUE wrote: On Thu, Sep 15, 2011 at 14:25, André Warnier a...@ice-sa.com wrote: [...] OK, I've found the bug... I have added an access log valve and here is what I see in it: [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403 GET //manager/text/list HTTP/1.0 That explains it. So, I do have IPv6, but the valve doesn't recognize ::1 as being equivalent to the fully expanded IPv6 address... If it only tries and matches the regex, the behaviour is therefore normal. Aha. So I do get a Debugger Bonus Point after all. Yes, indeed. Even though I have NETWORKING_IPV6=no in /etc/sysconfig/network. Bah. I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it does work... So, PEBKAC mostly, but I think Tomcat should be able to treat reduced IPv6 address formats. That would mean that both the address configured in the Valve, and the client address, would need to be canonicalised and then compared. You'll probably see the traditional patches are welcome soon. On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges of addresses. You could use something like : (127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1) Well, checking address ranges would be _much_ easier if regexes were not anchored... But anyway, the allow and deny as they exist currently just don't cut the mustard, and are far from being as potent as, say Apache's Allow from and Deny from. This should be the goal. RemoteAddrValveEvolved? One difficulty with implementing an Apache httpd-like scheme is that, in httpd, the order of the allow/deny plays a big role, and preserving the order is generally more difficult in XML. But maybe just this : the localhost case is so frequent, that maybe it could just be a separate attribute in the Valve, like : localhostAllow=true/false or even localhost=allow/deny and internally match any form of localhost. That may allow for some optimisation. I'm sure the impact would be tiny, but since this is code that gets invoked at just every request and generally quite early, it may be significant. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
2011/9/15 André Warnier a...@ice-sa.com: Konstantin Kolinko wrote: 2011/9/15 André Warnier a...@ice-sa.com: On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges of addresses. You could use something like : (127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1) Just 127\.0\.0\.1 It is XML - no need to double the slashes. For XML parsing not. But then it becomes a String, and this String is passed to the regexp engine.. And the regexp engine will interpret . as any character, while it interprets \. as a dot character. So, are you sure ? String needs double \ when it is written in Java sources or in properties files. Double slash becomes single slash when the class is compiled or when the properties file is read. When it is in memory it does not need the double slashes. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Bad documentation error on Tomcat 6.0 howto site
On 09/15/2011 07:39 AM, Konstantin Kolinko wrote: 2011/9/15 Steve Cohensco...@javactivity.org: There is a bad error on the Tomcat 6.0 documentation website: http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring_Manager_Application_Access They give the 7.0 syntax for manager role names. 6.0 requires manager, not manager-gui or manager-script and it led astray for several hours. The documentation is correct. You are probably using an old version of Tomcat 6 (and you are not telling us which one). Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org 6.0.20. Someone told me that the manager-gui, manager-script stuff was 7.0, I switched it to manager and it worked. So evidently, this was changed in a later 6.0.x version. To me, that seems like sort of a major change to make in a minor upgrade version and it should at least be documented. Or is the tomcat 6.0 documentation ONLY supposed to cover the latest release? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
On 15/09/2011 13:28, André Warnier wrote: Pid wrote: On 15/09/2011 02:08, Dean Hoover wrote: We're using Lightning (add-on from Thunderbird email client). The error we get is MODIFICATION_FAILED, which from some review points to permissions to the .ics file. On Wed, Sep 14, 2011 at 4:34 PM, Pid p...@pidster.com wrote: On 14/09/2011 18:14, Dean Hoover wrote: The problem I am having is that we are unable to modify (add/remove calendar entries) after the move. How are you trying to update them? So you are trying to execute a write operation on the file over HTTP? It is not possible to simply write to files published on web servers over HTTP, as if they are on an accessible file system. Unless that thing uses DAV, and the server is configured to support it of course. I have a vague recollection that this is what this plugin expects. Correct, but then that is not a 'simple' write to the file... The OP hasn't mentioned DAV yet. p signature.asc Description: OpenPGP digital signature
Re: Bad documentation error on Tomcat 6.0 howto site
2011/9/15 Steve Cohen sco...@javactivity.org: 6.0.20. Yes, it is old... Someone told me that the manager-gui, manager-script stuff was 7.0, I switched it to manager and it worked. So evidently, this was changed in a later 6.0.x version. To me, that seems like sort of a major change to make in a minor upgrade version and it should at least be documented. See changelog, as well as release announcements. Or is the tomcat 6.0 documentation ONLY supposed to cover the latest release? It covers only the latest release. The documentation for the version that you are using is included in the download itself (see webapps/docs). Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP errors Logging
On 14/09/2011 16:26, Michael Gesundheit wrote: Hi, I could not find anything in the archive so here is my question:Is there any way to get DEBUG or any log regarding HTTP error messages? I currently get a 403 but, so far, can't find the root cause. Thanks,-Michael Please start an entirely new email in future. Replying to an existing thread, just editing subject body, is called thread-hijacking and makes your message appear in the middle of another conversation in threaded mail readers. p signature.asc Description: OpenPGP digital signature
Re: Request params randomly null in servlet(s)
On 14/09/2011 16:38, Darius D. wrote: p Well the problem is that we already looked for that mode of failure, our servlet class has 0 instance variables... Basically it is a method like i pasted before, doing HttpSession session = request.getSession(); and if session is valid (it is!) immediately reading those params with String action = request.getParameter(type); Request object is perfectly valid when those params are missing ( session, query etc are preserved, its just those params we are missing ). Error happens in bursts in a rate of ~25 / million requests. What is your server.xml config? (please remove comments, passwords etc post it inline, in the response) p signature.asc Description: OpenPGP digital signature
Re: Bad documentation error on Tomcat 6.0 howto site
On 09/15/2011 08:09 AM, Konstantin Kolinko wrote: 2011/9/15 Steve Cohensco...@javactivity.org: 6.0.20. Yes, it is old... Someone told me that the manager-gui, manager-script stuff was 7.0, I switched it to manager and it worked. So evidently, this was changed in a later 6.0.x version. To me, that seems like sort of a major change to make in a minor upgrade version and it should at least be documented. See changelog, as well as release announcements. Or is the tomcat 6.0 documentation ONLY supposed to cover the latest release? It covers only the latest release. The documentation for the version that you are using is included in the download itself (see webapps/docs). Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org ok, thanks. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Request params randomly null in servlet(s)
Pid * wrote: What is your server.xml config? (please remove comments, passwords etc post it inline, in the response) Here it is, nothing special ( except usage of RemoteIpValve ). Thanks for looking into this problem. ?xml version='1.0' encoding='utf-8'? Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / Listener className=org.apache.catalina.core.JasperListener / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener/ Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=org.apache.coyote.http11.Http11NioProtocol connectionTimeout=2 enableLookups=false acceptCount=1000 maxThreads=500 maxPostSize=10485760 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=org.apache.catalina.valves.RemoteIpValve protocolHeader=X-Forwarded-Proto / Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=localhost_access_log. suffix=.txt pattern=%h %l %u %t quot;%rquot; %s %b resolveHosts=false/ /Host /Engine /Service /Server -- View this message in context: http://old.nabble.com/Request-params-randomly-null-in-servlet%28s%29-tp32461421p32471737.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
JK Status: Load Balancer Value has offset , negative number of backend connections
Hi we have pretty often an offset on our Load Balancer Values and negative number of backend connections (see jk-status screenshot). We just updated mod_jk but the problems just come more frequent IMHO. Might this (little bit older) statistics for worker catalog5 be helpful for solving / determining our issues? tail -n 1 mod_jk.log | grep Tue Sep 13.*catalog5.*Tomcat is down or refused -m 1 [Tue Sep 13 00:12:38 2011] [25200:140196360267520] [error] ajp_get_reply::jk_ajp_common.c (2118): (catalog5) Tomcat is down or refused connection. No response has been sent to the client (yet) tail -n 1 mod_jk.log | grep Tue Sep 13.*catalog5.*Tomcat is down or refused | wc -l 39 tail -n 1 mod_jk.log | grep Tue Sep 13.*\[error\].*catalog5 | wc -l 43 By the way I often saw a huge negative number (400-700) of backend connections during Err contained this number (plus some more), too. Do you have any ideas how to fix these problems? Server version: Apache Tomcat/6.0.20 Server built: May 14 2009 01:13:50 Server number: 6.0.20.0 OS Name:Linux OS Version: 2.6.30 Architecture: i386 JVM Version:1.6.0_26-b03 JVM Vendor: Sun Microsystems Inc. Thanx SPH http://old.nabble.com/file/p32471854/jk-status-faulty-value.png jk-status-faulty-value.png -- View this message in context: http://old.nabble.com/JK-Status%3A-Load-Balancer-Value-has-offset-%2C-negative-number-of-backend-connections-tp32471854p32471854.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP errors Logging
What?? --- On Thu, 9/15/11, Pid p...@pidster.com wrote: From: Pid p...@pidster.com Subject: Re: HTTP errors Logging To: Tomcat Users List users@tomcat.apache.org Date: Thursday, September 15, 2011, 6:13 AM On 14/09/2011 16:26, Michael Gesundheit wrote: Hi, I could not find anything in the archive so here is my question:Is there any way to get DEBUG or any log regarding HTTP error messages? I currently get a 403 but, so far, can't find the root cause. Thanks,-Michael Please start an entirely new email in future. Replying to an existing thread, just editing subject body, is called thread-hijacking and makes your message appear in the middle of another conversation in threaded mail readers. p
Re: Using calendar .ics files over Tomcat 5.5
We are not using DAV, just simple iCalendar (.ics) files. It was running on an old Win2k server using an even older Apache web service before. Was just hoping to be able to move the files over and allow write permissions in Tomcat. If that's not possible, I will pursue another option to make it work. Thanks everyone for your comments. Dean On Thu, Sep 15, 2011 at 8:05 AM, Pid p...@pidster.com wrote: On 15/09/2011 13:28, André Warnier wrote: Pid wrote: On 15/09/2011 02:08, Dean Hoover wrote: We're using Lightning (add-on from Thunderbird email client). The error we get is MODIFICATION_FAILED, which from some review points to permissions to the .ics file. On Wed, Sep 14, 2011 at 4:34 PM, Pid p...@pidster.com wrote: On 14/09/2011 18:14, Dean Hoover wrote: The problem I am having is that we are unable to modify (add/remove calendar entries) after the move. How are you trying to update them? So you are trying to execute a write operation on the file over HTTP? It is not possible to simply write to files published on web servers over HTTP, as if they are on an accessible file system. Unless that thing uses DAV, and the server is configured to support it of course. I have a vague recollection that this is what this plugin expects. Correct, but then that is not a 'simple' write to the file... The OP hasn't mentioned DAV yet. p
RE: Using calendar .ics files over Tomcat 5.5
From: Dean Hoover [mailto:kb7...@gmail.com] Subject: Re: Using calendar .ics files over Tomcat 5.5 We are not using DAV, just simple iCalendar (.ics) files. But what _writes_ the files? Unless you have your own servlet to do this, or use DAV or a similar file upload mechanism, nothing cause an update of data on the server. It was running on an old Win2k server using an even older Apache web service before. Perhaps if you explained more fully how the prior mechanism worked, we could suggest an alternative for use with Tomcat. So far, we've really got nothing to go on. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Issue with outofMemory in Tomcat 6.0.32
Hi, We have tomat 6.0.32 running with three different applications and oracle 11g as database with hibernate as the persistence layer. We are facing with the following error very frequently. Any idea what could be reasons for this error. Sep 13, 2011 10:28:31 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Allocate exception for servlet AxisServlet java.lang.OutOfMemoryError: PermGen space at java.lang.Throwable.getStackTraceElement(Native Method) at java.lang.Throwable.getOurStackTrace(Throwable.java:591) at java.lang.Throwable.printStackTrace(Throwable.java:510) at java.util.logging.SimpleFormatter.format(Unknown Source) at org.apache.juli.FileHandler.publish(FileHandler.java:158) at java.util.logging.Logger.log(Unknown Source) at java.util.logging.Logger.doLog(Unknown Source) at java.util.logging.Logger.logp(Unknown Source) at org.apache.juli.logging.DirectJDKLog.log(D Regards Dayakar Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
Re: Issue with outofMemory in Tomcat 6.0.32
We just fixed that very same error by adding -XX:MaxPermSize=128m to our java arguments. -kari On Sep 15, 2011, at 10:07 AM, dasari@wipro.com wrote: Hi, We have tomat 6.0.32 running with three different applications and oracle 11g as database with hibernate as the persistence layer. We are facing with the following error very frequently. Any idea what could be reasons for this error. Sep 13, 2011 10:28:31 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Allocate exception for servlet AxisServlet java.lang.OutOfMemoryError: PermGen space at java.lang.Throwable.getStackTraceElement(Native Method) at java.lang.Throwable.getOurStackTrace(Throwable.java:591) at java.lang.Throwable.printStackTrace(Throwable.java:510) at java.util.logging.SimpleFormatter.format(Unknown Source) at org.apache.juli.FileHandler.publish(FileHandler.java:158) at java.util.logging.Logger.log(Unknown Source) at java.util.logging.Logger.doLog(Unknown Source) at java.util.logging.Logger.logp(Unknown Source) at org.apache.juli.logging.DirectJDKLog.log(D Regards Dayakar Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com _ Kari Scott Senior Programmer kari.sc...@cdw.com CDW 5520 Research Park Drive Madison, WI 53711 Office: 608 298 1223 Fax: 608 288 3007 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
mod_proxy_balancer anomaly Question
All, I am trying to understand some anomaly with mod_proxy and mod_proxy_balancer. mod_proxy works fine if the (reverse)Proxying is done to the local Tomcat Engine rather than going through the balancer. If it goes through the balancer, then an extra / is added on 302 Redirects after the hostname in URLs. Adding ProxyPreserveHost On gets the proper 302 Redirects without the extra /. Short of reading source code, I was hoping someone can explain the: (1) purpose of ProxyPreserveHost On - It is to pass the Host header from the incoming request onto Tomcat (2) Does ProxyPreserveHost have any implication on the Location: Header going out in 302 responses? (3) I thought the ProxyPassReverse directive was used for setting (rewriting) the Location: header in the 302 responses. (4) How does Tomcat work without ProxyPreserveHost On when requests don't go through the balancer? Thanks! -Shanti -- Shanti Suresh sha...@umich.edu http://lsa.umich.edu/cms
Re: HTTP errors Logging
Michael Gesundheit wrote: What?? Ok, I will take the candle. Michael, to send your original message, what you did was : - you edited an older message, which had a subject Tomcat Redirect Issue - Extra / after hostname - Help Please - then you changed the subject line - then you typed your message - then you sent that message to the list What Pid is telling you, is that this is not a correct way to start a new subject of discussion on this list (and not only on this one). The reason is that when you do it like above, the message that you send still has references in it to the old message that you copied (even if you do not see this). And for people who display list messages in their reader using the threaded view, this is very annoying, because your message appears in the middle of the discussion of the other message, while it has nothing to do with that old subject. Like this : Tomcat Redirect Issue - Extra / after hostname... - answer #1 : Re: Tomcat Redirect Issue - Extra / after hostname... - answer #2 : Re: Tomcat Redirect Issue - Extra / after hostname... - answer to answer #2 : Re: Tomcat Redirect Issue - Extra / after hostname... - answer #3 : HTTP errors logging - answer #4 : Re: Tomcat Redirect Issue - Extra / after hostname... Got it ? To start a new subject, start a new message, do not copy an old one. --- On Thu, 9/15/11, Pid p...@pidster.com wrote: From: Pid p...@pidster.com Subject: Re: HTTP errors Logging To: Tomcat Users List users@tomcat.apache.org Date: Thursday, September 15, 2011, 6:13 AM On 14/09/2011 16:26, Michael Gesundheit wrote: Hi, I could not find anything in the archive so here is my question:Is there any way to get DEBUG or any log regarding HTTP error messages? I currently get a 403 but, so far, can't find the root cause. Thanks,-Michael Please start an entirely new email in future. Replying to an existing thread, just editing subject body, is called thread-hijacking and makes your message appear in the middle of another conversation in threaded mail readers. p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
Fair enough, Chuck. I don't know exactly what writes the file, but since we are using the Lightning add-on from Thunderbird, I would assume that Lightning is doing the work. As far as how it used to work, everyone would read from the .ics calendar on the old server from Lightning via a web link. Those with the proper access were able to write to it for adding/updating/deleting calendar entries. Don't get me wrong, I appreciate the feedback. It seems that this is a little more involved than I thought, which is fine. I see there are open-source alternatives, so I will pursue those. It's all good. Thanks again. Dean On Thu, Sep 15, 2011 at 9:47 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Dean Hoover [mailto:kb7...@gmail.com] Subject: Re: Using calendar .ics files over Tomcat 5.5 We are not using DAV, just simple iCalendar (.ics) files. But what _writes_ the files? Unless you have your own servlet to do this, or use DAV or a similar file upload mechanism, nothing cause an update of data on the server. It was running on an old Win2k server using an even older Apache web service before. Perhaps if you explained more fully how the prior mechanism worked, we could suggest an alternative for use with Tomcat. So far, we've really got nothing to go on. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7.0.21: BufferOverflowException in AjpAprProcessor.output()
Hi Christopher, thanks for your reply. I would like to add that the Exceptions seems to have occured when the client aborted the connection, because at the same time of the exception, in the ISAPI log was the following: [Wed Sep 14 13:55:20.645 2011] [736:7288] [error] iis_write::jk_isapi_plugin.c (1337): Vector write of chunk encoded response failed with 995 (0x03e3) However it's still a bit strange, and I didn't see this Exception in previous versions of Tomcat, when a 995 error appeared in the ISAPI log. -Original-Nachricht- Von: Christopher Schultz ch...@christopherschultz.net An: Tomcat Users List users@tomcat.apache.org Betreff: Re: Tomcat 7.0.21: BufferOverflowException in AjpAprProcessor.output() Datum: Wed, 14 Sep 2011 23:57:45 +0200 Are you using unusually large requests, possibly including chains of client certs? If you mean SSL certificates: I don't have any SSL certificate / HTTPS connection on Tomcat. I just use a normal AJP-APR connector and clients connect to IIS through HTTP. Sometimes I send large requests, but I wouldn't expect such an Exception to occur. If you have a lot of info that needs to be forwarded from the proxy to Tomcat, you can exceed the max packet size of the connector, and it's possible you could get this exception (instead of a nicer error message). The default is 8k, so if you have large amounts of requests data, you could be overflowing this packet size. Have you set packetSize on your Connector? Have you set max_packet_size on any of your workers? If so, the worker.max_packet_size and Connector packetSize=... must agree. I don't have set any of these attributes; I just use the default settings (besides the port). My Connector element is this: Connector port=8019 protocol=AJP/1.3 redirectPort=8743 URIEncoding=UTF-8 / My workers.properties from the ISAPI redirector contains this: # Define 1 real worker using ajp13 worker.list=worker1 # Set properties for worker1 (ajp13) worker.worker1.type=ajp13 worker.worker1.host=localhost worker.worker1.port=8019 Thanks, Konstantin Preißer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Request params randomly null in servlet(s)
On 15/09/2011 14:46, Darius D. wrote: Pid * wrote: What is your server.xml config? (please remove comments, passwords etc post it inline, in the response) Here it is, nothing special ( except usage of RemoteIpValve ). Thanks for looking into this problem. ?xml version='1.0' encoding='utf-8'? Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / Listener className=org.apache.catalina.core.JasperListener / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener/ Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=org.apache.coyote.http11.Http11NioProtocol connectionTimeout=2 enableLookups=false acceptCount=1000 maxThreads=500 maxPostSize=10485760 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=org.apache.catalina.valves.RemoteIpValve protocolHeader=X-Forwarded-Proto / Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=localhost_access_log. suffix=.txt pattern=%h %l %u %t quot;%rquot; %s %b resolveHosts=false/ /Host /Engine /Service /Server Exactly which version of Tomcat are you running? p signature.asc Description: OpenPGP digital signature
Re: mod_proxy_balancer anomaly Question
On 15/09/2011 16:18, Shanti Suresh wrote: All, I am trying to understand some anomaly with mod_proxy and mod_proxy_balancer. mod_proxy works fine if the (reverse)Proxying is done to the local Tomcat Engine rather than going through the balancer. If it goes through the balancer, then an extra / is added on 302 Redirects after the hostname in URLs. Adding ProxyPreserveHost On gets the proper 302 Redirects without the extra /. Short of reading source code, I was hoping someone can explain the: (1) purpose of ProxyPreserveHost On - It is to pass the Host header from the incoming request onto Tomcat (2) Does ProxyPreserveHost have any implication on the Location: Header going out in 302 responses? (3) I thought the ProxyPassReverse directive was used for setting (rewriting) the Location: header in the 302 responses. (4) How does Tomcat work without ProxyPreserveHost On when requests don't go through the balancer? Please start an entirely new email thread. Replying to an existing thread, just editing subject body, is called thread-hijacking and makes your message appear in the middle of another conversation in threaded mail readers. p signature.asc Description: OpenPGP digital signature
RE: Tomcat started and localhost:8080 is loading
I had some issues regarding Eclipse and Tomcat. Try setting the IP address for your tomcat to 127.0.0.1 Access it from your browser by the same ip and your port and you should be able to load the tomcat welcome page. --b -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Monday, August 29, 2011 5:17 PM To: Tomcat Users List Subject: Re: Tomcat started and localhost:8080 is loading Hi. At the beginning, you said : When I start startup.sh, I can load the localhost:8080 page. But when I start Tomcat from Eclipse, it is able to start but I'm unable to load the localhost page. Explorer says, could not connect to localhost:8080. That seems to indicate that Tomcat is not listening on port 8080, when you start it from Eclipse. I am not an Eclipse user, but from similar previous posts on this list, that seems to indicate that Eclipse is using another set of configuration files for Tomcat, than the ones that are used when you start Tomcat from startup.sh. You did not say on which platform you are running this, but try the following to confirm : A) 1) start Tomcat with startup.sh 2) in a command window, enter netstat -pan (Linux) or netstat -aopn (Windows), and look for lines containing the word LISTEN. You should see a line containing the port :8080. That is Tomcat, and its PID is at the end of the same line. 3) stop Tomcat B) 1) start Tomcat with Eclipse 2) in a command window, enter netstat -pan (Linux) or netstat -aopn (Windows), and look for lines containing the word LISTEN. Do you see a line containing the port :8080 ? If not, and you see for instance a line with port :80 instead, then it means that Tomcat is started differently. (And try http://localhost:80;) If so, search the archives of this list as to how to correct that issue. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Request params randomly null in servlet(s)
Pid * wrote: Exactly which version of Tomcat are you running? Latest, 7.0.21. -- View this message in context: http://old.nabble.com/Request-params-randomly-null-in-servlet%28s%29-tp32461421p32474158.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
Right. There should be some setting/parameter corresponding to the Thunderbird plugin, which indicates /how/ it is trying to write files to the server. In Options..Advanced..Config Editor ? I find some traces there in my Thunderbird setup, of parameters starting with SyncKolab.. (That may be something else though) The point which several people were trying to make here is : Any sane webserver setup will never allow a user to /upload/ files to the server, just by specifying their URL. That is because it is potentially a very big security hole. (One generally does not want the first miscreant around to deface one's server by loading his own pages or applications) It is /possible/ to allow this (and there are even special HTTP commands to do that), but you need to add something to the server, in terms of additional modules to handle such uploads, and a special (and careful) configuration to go with it. It is not sufficient to just put the files somewhere where they can be seen and retrieved by a browser, and make them writeable. Thankfully. (Note that all this is not specific to Tomcat. Any reasonable webserver is like that.) One such fairly standard server add-on, in the case of Tomcat, is the DAV application. It is available on the Tomcat website, but not as part of the standard download (I think), and it is certainly not installed by default. It is not the only way, and maybe this particular plugin expects the webserver to run an application which comes along with the plugin. But again, you'd need to install it on the server, it will not be there by default. In any case, one would expect, either in the plugin documentation or in the parameters somwhere on the client, to find a hint as to how the file upload to the server is supposed to happen. Dean Hoover wrote: Fair enough, Chuck. I don't know exactly what writes the file, but since we are using the Lightning add-on from Thunderbird, I would assume that Lightning is doing the work. As far as how it used to work, everyone would read from the .ics calendar on the old server from Lightning via a web link. Those with the proper access were able to write to it for adding/updating/deleting calendar entries. Don't get me wrong, I appreciate the feedback. It seems that this is a little more involved than I thought, which is fine. I see there are open-source alternatives, so I will pursue those. It's all good. Thanks again. Dean On Thu, Sep 15, 2011 at 9:47 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Dean Hoover [mailto:kb7...@gmail.com] Subject: Re: Using calendar .ics files over Tomcat 5.5 We are not using DAV, just simple iCalendar (.ics) files. But what _writes_ the files? Unless you have your own servlet to do this, or use DAV or a similar file upload mechanism, nothing cause an update of data on the server. It was running on an old Win2k server using an even older Apache web service before. Perhaps if you explained more fully how the prior mechanism worked, we could suggest an alternative for use with Tomcat. So far, we've really got nothing to go on. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
I forgot to add : Since previously the application was running on a Win2K server, it may be that this Win2K server just shared (windows-like) the directory where the .ics files were located, and this being in a local LAN, that the client were just writing the files there via a Windows network file mechanism (and nothing to do with HTTP thus). That sounds quite unsafe and limited, but in a small intranet may be acceptable. If such was the case (and again the client setup should contain a hint), then maybe all that's missing is to share the new directory under Tomcat where you put the files. Tomcat won't be involved in the writing part, so it should not stand in the way, at least as long as when a client writes there, the permissions don't prevent Tomcat from reading the files (for the download part). Don't take this as a recommendation of how to do it. André Warnier wrote: Right. There should be some setting/parameter corresponding to the Thunderbird plugin, which indicates /how/ it is trying to write files to the server. In Options..Advanced..Config Editor ? I find some traces there in my Thunderbird setup, of parameters starting with SyncKolab.. (That may be something else though) The point which several people were trying to make here is : Any sane webserver setup will never allow a user to /upload/ files to the server, just by specifying their URL. That is because it is potentially a very big security hole. (One generally does not want the first miscreant around to deface one's server by loading his own pages or applications) It is /possible/ to allow this (and there are even special HTTP commands to do that), but you need to add something to the server, in terms of additional modules to handle such uploads, and a special (and careful) configuration to go with it. It is not sufficient to just put the files somewhere where they can be seen and retrieved by a browser, and make them writeable. Thankfully. (Note that all this is not specific to Tomcat. Any reasonable webserver is like that.) One such fairly standard server add-on, in the case of Tomcat, is the DAV application. It is available on the Tomcat website, but not as part of the standard download (I think), and it is certainly not installed by default. It is not the only way, and maybe this particular plugin expects the webserver to run an application which comes along with the plugin. But again, you'd need to install it on the server, it will not be there by default. In any case, one would expect, either in the plugin documentation or in the parameters somwhere on the client, to find a hint as to how the file upload to the server is supposed to happen. Dean Hoover wrote: Fair enough, Chuck. I don't know exactly what writes the file, but since we are using the Lightning add-on from Thunderbird, I would assume that Lightning is doing the work. As far as how it used to work, everyone would read from the .ics calendar on the old server from Lightning via a web link. Those with the proper access were able to write to it for adding/updating/deleting calendar entries. Don't get me wrong, I appreciate the feedback. It seems that this is a little more involved than I thought, which is fine. I see there are open-source alternatives, so I will pursue those. It's all good. Thanks again. Dean On Thu, Sep 15, 2011 at 9:47 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Dean Hoover [mailto:kb7...@gmail.com] Subject: Re: Using calendar .ics files over Tomcat 5.5 We are not using DAV, just simple iCalendar (.ics) files. But what _writes_ the files? Unless you have your own servlet to do this, or use DAV or a similar file upload mechanism, nothing cause an update of data on the server. It was running on an old Win2k server using an even older Apache web service before. Perhaps if you explained more fully how the prior mechanism worked, we could suggest an alternative for use with Tomcat. So far, we've really got nothing to go on. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_proxy_balancer anomaly Question
Shanti Suresh wrote: All, I am trying to understand some anomaly with mod_proxy and mod_proxy_balancer. mod_proxy works fine if the (reverse)Proxying is done to the local Tomcat Engine rather than going through the balancer. If it goes through the balancer, then an extra / is added on 302 Redirects after the hostname in URLs. Adding ProxyPreserveHost On gets the proper 302 Redirects without the extra /. Short of reading source code, I was hoping someone can explain the: Short answers : (1) purpose of ProxyPreserveHost On - It is to pass the Host header from the incoming request onto Tomcat Yes. Because the default is that the front-end uses the hostname named in the ProxyPass statements, to replace the Host header received from the client. (2) Does ProxyPreserveHost have any implication on the Location: Header going out in 302 responses? It could have, indirectly, if the Tomcats have virtual hosts themselves. E.g. : without the ProxyPreserveHost, the Host: header sent to Tomcat will always be the one from the ProxyPass directive. So this will always be processed by the same virtual host under Tomcat. With the ProxyPreserveHost, the Host header sent by the client will be left unchanged. So it could potentially select another virtual host within Tomcat, and this virtual host within Tomcat may return its 302 Location header differently than the virtual host mentioned above. (I cannot think of a good reason why this could happen, but I suppose it could) (3) I thought the ProxyPassReverse directive was used for setting (rewriting) the Location: header in the 302 responses. It is. And it should only rewrite the hostname part of the value. (4) How does Tomcat work without ProxyPreserveHost On when requests don't go through the balancer? It will work fine, thank you. ;-) Seriously, at the simplest level, Tomcat doesn't know that it is being proxied to, or balanced, and does not know if in Apache httpd there is a ProxyPreserveHost or not. It gets a HTTP request which contains a Host header. It tries to match that name with one of its own Host tags. If it finds a match, it dispatches the request to that Host within Tomcat. If it does not find a match, it dispatches the request to its default host, which is the Host whose name is mentioned in the Engine tag. What would help figuring this out, is - a copy of the Tomcat's server.xml (edited, remove comments and sensitive info), pasted into your next message (this list strips most attachments) - to know what really creates the 302 Redirect response within Tomcat (and its Location header) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dean, On 9/14/2011 1:14 PM, Dean Hoover wrote: I am running Tomcat 5.5 in support of a internal-use only JSPWiki site. Time to upgrade. It's 7.0.21 time. To consolidate, I decided to move our internal calendars (using the iCal .ics extension) from our very old Win2k server to the root directory of Tomcat as well. The problem I am having is that we are unable to modify (add/remove calendar entries) after the move. We can read them just fine. You should look at your old configuration to see what was enabling the writes to those files. I suspect that WebDAV is involved. Tomcat does support WebDAV: http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/servlets/WebdavServlet.html I figure there is an issue of permissions, and have Googled many sites that tell me to change the catalina.policy file and add the ability for that directory to have read and write access. I've even used the AllPermissions setting, but with no success. catalina.policy is only for use with a SecurityManager. You may still have a file and/or directory permissions problem. Something I would also caution you about: if you undeploy your webapp, Tomcat will delete all the files in the deployment directory, probably including your calendar files. So maybe you want to put those somewhere else when you configure WebDAV. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5yZ6QACgkQ9CaO5/Lv0PB9PgCgr6BUM3WJSM/9tVydfVjMGKFL iAMAnRv9t7yYbSvGb2z4LX9m2CnSRHtT =W+0c -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: 501 error not going to location
Thank you for your reply, The error-page is configured in a web.xml inside my webapp. As for the tomcat version it is Tomcat 7.0.21. Before adding the error-page inside my webapp i was seeing - bodyh1HTTP Status 501 - Method METHOD is not is not implemented by this servlet for this URI /h1HR size=1 noshade=noshadeptype Status report/ppmessage uMethod METHOD is not is not implemented by this servlet for this URI /u/ppdescription uThe server does not support the functionality needed to fulfill this request (Method METHOD is not is not implemented by this servlet for this URI )./u/pHR size=1 noshade=noshadeh3Apache Tomcat/7.0.21/h3/body After adding the error-page inside my webapp i am see nothing. n828cl wrote: From: kkrikor [mailto:krikor.kruml...@gmail.com] Subject: 501 error not going to location I have set up an error page for the 501 error code. Where did you configure the error-page? (Be precise.) Testing with Tomcat 7. Tomcat 7.what.what? (Be precise.) Since error pages are specific to individual webapps, Tomcat cannot honor such configuration if the request is so malformed that it's impossible to select a webapp to which to give the request. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/501-error-not-going-to-location-tp32466722p32475425.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSLSession invalidate
On 15 Sep 2011, at 23:30, Peter wrote: A connection is streaming a video, when you logout of it's session. What happens? I have not tried it. I'll put up some code in Java so you can try it out soon. The browser caches img files retrived from on the same server path as the application to which then one sends an ssl logout signal. A browser plugin references the https uri of the image. Does the cache release the image, collected over a session that is now closed? Sent from my iPhone On Sep 15, 2011, at 1:23 AM, Henry Story henry.st...@bblfish.net wrote: You can break TLS sessions once you have the session_id. I tried this in Clerezza (an apache incubator project) to see if I could get something like a logout functionality to work. I even tried to see if breaking a connection and throwing one of the exceptions that TLS defines would force the browser to ask the user for another certificate, but it does not work - or only quite randomly in most browsers. https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala I think it is a bug that they don't react properly to the defined exceptions being thrown. What does work for Firefox and I think IE (Not tested yet, please let me know) is the following javascript logout: function logout(elem) { if (document.all == null) { if (window.crypto) { try{ window.crypto.logout(); return false; //firefox ok -- no need to follow the link } catch (err) {//Safari, Opera, Chrome -- try with tis session breaking } } else { //also try with session breaking } } else { // MSIE 6+ document.execCommand('ClearAuthenticationCache'); return false; }; return true } function login(elem) { logout(elem) } - Then you can just put the following html in your page a href={/user/joe/control-panel}Joe/a|a href=/logout onclick=return logout();logout/a I have added this to the foaf+ssl (WebID protocol) wiki http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout Henry On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote: Don't assume your SSL session or connection hasn't been invalidated just because you aren't asked to choose a certificate from your browser certs when you log in again. In our system (Tomcat 5.5.33), I know that our HTTP session and Single Sign-on session are invalidated upon logout, and we see similar behavior (no need to select certificate) upon re-login because the browser caches the user's certificate choice (and smart card PIN). Is your session ID the same when you go back in? If you are using IE and you want to clear the browser cache to select another certificate, go to Tools-Internet Options, select Content tab, and click Clear SSL state. -Original Message- From: users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Jürgen Jakobitsch Sent: Tuesday, September 06, 2011 3:12 PM To: Tomcat Users List Subject: Re: SSLSession invalidate thanks mark, if i understand you correct, it is simply NOT possible to invalidate the SSLSession of which i can get the id with request.getAttribute(javax.servlet.request.ssl_session) (it works with this key in 6.0.32) wkr turnguard - Original Message - From: Mark Thomas ma...@apache.org To: Tomcat Users List users@tomcat.apache.org Sent: Wednesday, September 7, 2011 12:08:29 AM Subject: Re: SSLSession invalidate On 06/09/2011 22:42, Jürgen Jakobitsch wrote: apparently there is one, i can get it's id with request.getAttribute(javax.servlet.request.ssl_session) That is a Tomcat bug it should be javax.servlet.request.ssl_session_id in tomcat7 there's the possibility to use SSLSessionManager to invalidate SSLSession, so i'm doing a wild guess, that something similar has to be possible with tomcat6 as well. Your wild guess is wrong. That feature is in Tomcat 7 onwards. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- | Jürgen Jakobitsch, | Software Developer | Semantic Web Company GmbH | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22 COMPANY INFORMATION | http://www.semantic-web.at/ PERSONAL INFORMATION | web : http://www.turnguard.com | foaf : http://www.turnguard.com/turnguard | skype : jakobitsch-punkt - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org