Re: SSL connect to APR fails - "bad version"
Kobe, nothing is wrong. It was just my lack of familiarity with the SSL client that was the cause of my puzzlement. Konstantin's answer already cleared that up for me.

I was just wondering what you were trying to do, connecting to Tomcat with a command-line client, and you did not provide a lot of contextual information along with your question to explain that. Had you, for example, added a phrase like "To check that the SSL connection is working, I am trying to connect to Tomcat's SSL Connector using the OpenSSL command-line client, and the answer I am getting is this: ..", things would have been clearer, even for me.

You see, on the list we get all kinds of questions, from all kinds of people. Sometimes posters here try to have Tomcat serve the morning coffee, and wonder why it doesn't work. Sometimes they seem to think that this is the Apache httpd or Weblogic support list.

André

Kobe wrote:
Actually, whether it be webaccess or webservice access, I do not follow your confusion. Please explain why this is wrong.
/Kobe

Kobe wrote:
Tomcat is also a servlet container and may be used to host web services. That is the case here. The web service client is hosted in a BEA weblogic server and attempts to connect to the web service over SSL.
/Kobe

awarnier wrote:
Kobe wrote:
I build tcnative and apr from src with exist ver of openssl (means openssl not built by me). I load apr connector in tomcat as below. When my client connects, I cannot connect: I get "bad version". Please explain what I do wrong?

server# ./apr-1-config --version
1.4.5
server#
server# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
server#

/// APR Connector Configuration in Tomcat6

$ openssl s_client -connect server.xxx.net:443 -debug -ssl3
CONNECTED(0003)
write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   Z...V..N..>-
0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,...9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5...3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09
0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..
005f -
read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f   HTTP/
write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
0000 - 15 03 00 00 02 02 28   ..(
44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
$

Hi.
I don't know if other members of this list will be as puzzled as I am, but it is not clear to me what you are trying to achieve. I mean that Tomcat is in principle a web server, normally answering web browser requests (via HTTP or HTTPS). What are you trying to do when you access it with the above type of client, and what are you sending to Tomcat, and why ?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
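
Added example, not part of the thread: in the `s_client -debug` trace quoted above, the five bytes read back from the server are the ASCII text `HTTP/` rather than an SSL/TLS record header, which is what OpenSSL reports as "wrong version number". The Java class below parses a record header and runs on the three byte strings copied from that trace; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;

/** Added example: classify the first five bytes seen on a port that should speak SSL/TLS. */
public class RecordHeaderCheck {

    enum Kind { TLS_RECORD, PLAINTEXT_HTTP, UNKNOWN }

    /** An SSL/TLS record header: content type (1 byte), version (2 bytes), length (2 bytes). */
    static final class Header {
        final int type, major, minor, length;

        Header(byte[] b) {
            type = b[0] & 0xff;
            major = b[1] & 0xff;
            minor = b[2] & 0xff;
            length = ((b[3] & 0xff) << 8) | (b[4] & 0xff);
        }

        boolean plausible() {
            // 20..23 = change_cipher_spec, alert, handshake, application_data.
            // Major version 3 covers SSLv3 (3.0) up to TLS 1.2/1.3 (3.3 on the wire).
            // 2^14 + 2048 is the largest ciphertext fragment TLS 1.2 allows.
            return type >= 20 && type <= 23
                    && major == 3 && minor <= 3
                    && length <= 16384 + 2048;
        }
    }

    static Kind classify(byte[] first) {
        if (first.length < 5) {
            return Kind.UNKNOWN;
        }
        if (new Header(first).plausible()) {
            return Kind.TLS_RECORD;
        }
        String text = new String(first, 0, 5, StandardCharsets.US_ASCII);
        return text.equals("HTTP/") ? Kind.PLAINTEXT_HTTP : Kind.UNKNOWN;
    }

    static String describe(String label, byte[] first) {
        if (first.length < 5) {
            return label + ": fewer than 5 bytes, cannot parse a record header";
        }
        Header h = new Header(first);
        Kind kind = classify(first);
        String s = String.format("%-12s type=0x%02x version=%d.%d length=%d -> %s",
                label, h.type, h.major, h.minor, h.length, kind);
        if (kind == Kind.PLAINTEXT_HTTP) {
            // The peer is answering in clear-text HTTP: the connector on this
            // port is not doing SSL, so the handshake can never complete.
            s += " (bytes 'T','T' land in the version field, hence \"wrong version number\")";
        }
        return s;
    }

    /** Turns "16 03 00" into bytes. */
    static byte[] hex(String s) {
        String[] parts = s.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = (byte) Integer.parseInt(parts[i], 16);
        }
        return out;
    }

    public static void main(String[] args) {
        // First five bytes of each message in the trace quoted above.
        System.out.println(describe("ClientHello", hex("16 03 00 00 5a")));
        System.out.println(describe("server reply", hex("48 54 54 50 2f")));
        System.out.println(describe("client alert", hex("15 03 00 00 02")));
    }
}
```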
Re: how to connect to datasource
No. I am using tomcat 6.0, java 6.0, linux system.

Pid * wrote:
>
> On 09/11/2011 07:00, spike@12 wrote:
>>
>> Hi,
>>
>> I have setup my application using with tomcat and it is working fine. But
>> when I have restarted my DB machine, my application is not working. If I
>> have restart my tomcat server then it is working fine.
>> may I know, how to connect to datasource automatically if my DB machine
>> is
>> restarted?? Is it having any specific parameter to connect datasource
>> automatically??
>>
>> Please let me know. Thanks in advance.
>
> It's better to tell us precise details about your Tomcat, Java and OS
> version when asking a question. I'll assume 7.0.
>
> A validation query may help. Note: restarting a DB while the
> application server is up is often prone to problems.
>
> Read:
>
> http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html
>
> Pay attention to the paragraph which refers to the 'validationQuery'
> attribute.
>
>
> p
Session time out never takes place with ajax
Hi,

This is my first post here so wish me luck :)

My question is as follows:

I have a web based application running on tomcat 6.0.29. On my main page there is a polling ajax call every 5 seconds. Clearly this revalidates the session and by that renders the session timeout feature unusable.

I read about two main solutions for this issue:

1. Coding on the server side (filter) a simple snippet that identifies an ajax call based on a parameter passed and based on that knows if this is a valid post or a polling hit that should not affect the session expiration date
2. Create a stub webapp and redirect the calls of the polling to that app

So my question is, is there another way for this to be achieved?

Note: I think it might be a cool feature (with the vast ajax use these days) to have a configuration in the web.xml that excludes various paths/urls from the session validation checkups. Something like 30 path1,path2.

Thanks,
Sharon
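
An added example (not from the thread, and not Tomcat's own code) of the server-side filter in option 1 above: rather than trying to stop the container from refreshing the session on every poll, it keeps its own last-activity timestamp that polling requests never update, and invalidates the session once that timestamp is older than the idle limit. The class name and the `idleMinutes` / `pollingPaths` init-params are hypothetical, and the `javax.servlet` API of Tomcat 6/7 is assumed.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: idle timeout that background polling cannot keep alive.
 * Map it to /* in web.xml with two init-params (both hypothetical names):
 *   idleMinutes  = 30
 *   pollingPaths = /poll/status,/poll/messages
 * Keep the container's own session-timeout at least as long as idleMinutes;
 * it still cleans up sessions that receive no requests at all.
 */
public class IdleTimeoutFilter implements Filter {

    private static final String LAST_ACTIVITY =
            IdleTimeoutFilter.class.getName() + ".lastActivity";

    private long idleMillis;
    private Set<String> pollingPaths;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String minutes = cfg.getInitParameter("idleMinutes");
        String paths = cfg.getInitParameter("pollingPaths");
        if (minutes == null || paths == null) {
            throw new ServletException("idleMinutes and pollingPaths are required");
        }
        idleMillis = Long.parseLong(minutes.trim()) * 60000L;
        pollingPaths = new HashSet<String>(
                Arrays.asList(paths.trim().split("\\s*,\\s*")));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Polling is recognised by server-side path configuration.
        // getServletPath() excludes the context path and any ;jsessionid suffix.
        boolean polling = pollingPaths.contains(request.getServletPath());

        // getSession(false): this filter must never create a session itself.
        HttpSession session = request.getSession(false);
        if (session != null) {
            long now = System.currentTimeMillis();
            Long last = (Long) session.getAttribute(LAST_ACTIVITY);
            if (last != null && now - last > idleMillis) {
                // No real user activity for too long: end the session even
                // though the container saw a request every five seconds.
                session.invalidate();
                session = null;
            } else if (!polling || last == null) {
                // Only real requests (or the very first request of a
                // session) move the activity timestamp forward.
                session.setAttribute(LAST_ACTIVITY, now);
            }
        }

        if (polling && session == null) {
            // Design choice of this example: a poll without a live session
            // gets 401 so the page script can send the user to the login page,
            // and the polling endpoint never recreates a session.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```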
Re: how to connect to datasource
>> may I know, how to connect to datasource automatically if my DB machine
>> is
>> restarted?? Is it having any specific parameter to connect datasource
>> automatically??

How does the existing app connect to the database? Can you show the code please - remove any sensitive passwords

Thanks
Chris
Re: making security constraints configureable
Hello Terence,

the System property would be indeed the easiest way, unfortunately I wouldn't know that the descriptive security in web.xml supports scripting with environment variables. If it does, it would solve all the problems ;-)

regards
Leon

2011/11/8 Terence M. Bandoian :
> On 1:59 PM, André Warnier wrote:
>>
>> Terence M. Bandoian wrote:
>>>
>>> On 1:59 PM, Konstantin Kolinko wrote:
>>>>
>>>> 2011/11/3 Leon Rosenberg:
>>>>>
>>>>> I have a situation where an application is accessable from outside in
>>>>> staging and production environment, but shouldn't be open for public
>>>>> in staging environment.
>>>>
>>>> Put it behind Apache HTTPD (or any other proxy) and let HTTPD handle
>>>> authentication & authorization instead of Tomcat.
>>>>
>>>> I'd advise against using BASIC auth in public internet, unless the
>>>> channel is protected with HTTPS.
>>>>
>>>>> What we did so far was, that we excluded everyone via web.xml:
>>>>>
>>>>
>>>> You can automate the above. If you pack your war file using Ant, you
>>>> can use task.
>>>>
>>>> Best regards,
>>>> Konstantin Kolinko
>>>
>>> I'm not sure what "open for public" means above.
>>>
>>> What about using a system property (e.g. myorg.myapp.isStagingEnv=true)
>>> in a filter or valve to accept or reject requests?
>>>
>> If I (belatedly) understand the requirements properly, Leon does not not
>> want to reject /all/ requests (that, he could do by undeploying the
>> application). It is more something like this :
>>
>> - requests originating from a range of IP addresses (e.g. the internal
>> LAN) should be accepted, without authentication
>> - requests originating from anywhere else should be submitted to
>> authentication.
>>
>> Practical case : the application is in a testing state, and should not be
>> available to the public at large, only to inside testers. The inside testers
>> should not have to login for that.
>> However, occasionally, someone may be sitting in an Internet Cafe and want
>> to do a demo for a customer from there. He should be able to access the
>> application, but only after logging in.
>>
>> Leon, if the above is not the right description, please correct it. In
>> such matters, the devil is in the details.
>>
>
> The system property that indicates whether or not the application is in a
> staging or test environment would be used in conjunction with a test
> against, for example, request.getRemoteUser() or request.isUserInRole() or
> request.getRemoteAddr().
>
> -Terence Bandoian
Re: Tomcat 7, Servlet 3.0, and Non-Blocking
Matthew Tyson wrote:

>I guess what I'm asking is if I just start using the Servlet 3.0
>support
>for suspending requests out of the box, will it be a thread blocking
>implementation I'm using?

That depends what you mean by "thread blocking". Once startAsync has been called the thread that was processing the request/response is released to handle other requests regardless of connector.

>HTTP APR/native is blocking as well, correct?

Wrong. You should read the docs, particularly the summary at the bottom of the HTTP connector configuration page

>So if I want to use Servlet 3.0 async (eg, a call to
>request.startAsync),
>and have it be handled without blocking IO, I need to use the NIO
>connector?

Wrong again. All Servlet IO is blocking IO. If you look at the API you'll see that all read and write calls are blocking.

You seem to be mixing up blocking and non-blocking IO with whether or not a thread is dedicated to processing a request/response pair for the life of the request/response. They are very different beasts.

All connectors release the thread to handle other requests once startAsync has been called.

As an aside, the non-blocking connectors will use non-blocking IO where they can but once you get to the Servlet API, that is always blocking IO.

Mark
Re: making security constraints configureable
Hello Andre,

sorry for the late response.

Putting a httpd or lighttpd or nginx in front of our staging tomcat came to our mind too. The problem with this approach is however, that it reduces the idea of having a staging environment to absurdity, at least in technical sense, because it's not similar to the production environment anymore. In this setup we couldn't make any reliable loadtesting against preproduction/staging, because it's simply not the same as production ;-)

But thanx nevertheless ;-)

regards
Leon

On Mon, Nov 7, 2011 at 4:19 PM, André Warnier wrote:
>
> @Leon (trying to do better this time) : I presume that you have a separate
> Tomcat server (or instance) for staging. If so, the easiest solution would
> be to leave the production one as it is, and your app as it is, and put an
> apache httpd front-end before only the staging Tomcat, and only for external
> accesses. The filtering/authentication would happen on the front-end, and it
> would only pass the external requests to the back-end staging Tomcat if the
> access conditions are met.
> Internal accesses can still go to the staging Tomcat directly, and access
> the app without authentication.
> That should be easy to set up, easy being a function of how easily you can
> set up this Apache front-end with a separate hostname on the Internet, and
> allow it to proxy-pass requests to your internal Tomcat staging server.
> As you probably do not have a plethora of external staging user-ids, the
> type of authentication setup could be very simple (basic auth, file-based).
> If basic auth is too insecure, you can run the browser/front-end part over
> HTTPS, still without changing anything on Tomcat.
>
>
>
> Daniel Mikusa wrote:
>>
>> Leon,
>>
>> One possible way to work around this would be to use an SSH tunnel or a
>> VPN (like OpenVPN) to access your network from the remote locations.
>>
>> Dan
>>
>>
>> On Sat, 2011-11-05 at 08:53 -0700, Leon Rosenberg wrote:
>>>
>>> Hello Daniel,
>>>
>>> I can't use IP-Adresses, because it is possible that we show the
>>> preproduction system in a starbucks to some customers for user testing
>>> purposes.
>>> I have no means to know which adresses are allowed and which not.
>>>
>>> regards
>>> Leon
>>>
>>> On Thu, Nov 3, 2011 at 7:09 PM, Daniel Mikusa wrote:
>>>>
>>>> Leon,
>>>>
>>>> Is it a requirement for you to use BASIC auth? or could you use
>>>> something like the Remote Address Filter to restrict by IP address?
>>>>
>>>> https://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter
>>>>
>>>> If you configure this valve in the restricted environment you can then
>>>> control who can access to just that environment.
>>>>
>>>> Dan
>>>>
>>>> On Thu, 2011-11-03 at 10:10 -0700, Leon Rosenberg wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I have a situation where an application is accessable from outside in
>>>>> staging and production environment, but shouldn't be open for public
>>>>> in staging environment.
>>>>> What we did so far was, that we excluded everyone via web.xml:
>>>>>
>>>>> BASIC
>>>>> my-access
>>>>> blub
>>>>> myres
>>>>> *.html
>>>>> my-access
>>>>>
>>>>> Is there any possibility to make this conditional, depending on an
>>>>> environment property? Is there any other opportunity to achieve the
>>>>> same?
>>>>> Currently we have to kill the above lines from web.xml after each
>>>>> deployment and this sucks ;-(
>>>>>
>>>>> regards
>>>>> Leon
SSL for modjk and tomcat
Hi

I am using httpd 2.2.17, modjk 1.2.30, tomcat 6.0. I want to enable SSL in my setup.

I am able to successfully on httpd, but there is lot of confusion how to enable between httpd to AJP & AJP to tomcat.

There is not specific documentation also.

1) what are step for modjk configurations?
2) Is AJP support SSL?
3) Changes in server.xml for AJP port to support SSL requests via modjk?

regards
Harsimran
Re: making security constraints configureable
Leon Rosenberg wrote:

Hello Andre, sorry for the late response. Putting a httpd or lightttpd or nginx in front of our staging tomcat came to our mind too. The problem with this approach is however, that it reduces the idea of having a staging environment to absurdity, at least in technical sense, because its not similar to the production environment anymore. In this setup we couldn't make any reliable loadtesting against preproduction/staging, because its simple not the same as production ;-)

Response 1 :

Well then, put the front-end server also in front of the production system. That'll make them comparable again. :-)

Not only a jest : the impact, performance-wise, is likely to be minimal except in the most extreme cases.
Re: SSL for modjk and tomcat
Harsimranjit singh Kler wrote:
> Hi
> I am using httpd 2.2.17 modjk 1.2.30 tomcat 6.0.I want to enable SSL in my setup.
>
> i Am able to successfully on httpd.but there is lot of confusion how to
> enable between httpd to AJP & AJP to tomcat.

There is no confusion. You can't do that. There is no SSL variant of the AJP protocol.

> There is not specific documentation also.

For the same reason.

> 1) what are step for modjk configurations?
> 2)Is AJP support SSL?

No. That should have been the first question.

> 3)Changes in server.xml for AJP port to support SSL requests via modjk?

None, see above.

Note : what you /can/ do, is to use mod_jk to pass all relevant SSL information about the original client<->Apache connection, to Tomcat, via HTTP headers.

Additional note : of course, if you really must do this, you could still run the mod_jk-to-Tomcat connection over an SSL tunnel. But that would be something set up totally outside of Apache, Tomcat and their configuration.
E.g.

browser <-- HTTPS --> apache + mod_jk -> localhost:localport1

localport1 <-- SSL tunnel --> remoteport1 --> remote AJP port 8009 --> Tomcat
Re: making security constraints configureable
Leon Rosenberg wrote:

Hello Andre, sorry for the late response. Putting a httpd or lightttpd or nginx in front of our staging tomcat came to our mind too. The problem with this approach is however, that it reduces the idea of having a staging environment to absurdity, at least in technical sense, because its not similar to the production environment anymore. In this setup we couldn't make any reliable loadtesting against preproduction/staging, because its simple not the same as production ;-)

Response 2 :

Taking into account your various requirements, and if you do not want a front-end, then I think that the only practical solution would be to switch from container-driven AAA (in web.xml), to servlet-filter based AAA, and create your own servlet filter for ditto. This servlet filter would then be present inside both your production and staging app, thus be part of your normal deployment. Only, some run-time parameter would either enable or disable its AAA function according to where it's used.

One problem is that you'd have to write your own servlet filter for that, because I can't think off-hand of an existing one which does all that you need. The closest may be the SecurityFilter (http://securityfilter.sourceforge.net/), code of which you could modify to add client IP discrimination e.g. (and an on-off switch). Or maybe combine that one with the UrlRewriteFilter (www.tuckey.org). Both together may come close to what you need.
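
An added example (not from the thread) of the filter-based approach discussed in this thread: one filter ships in every build, a system property turns it on for staging, internal addresses pass without a login, and everyone else must present BASIC credentials over HTTPS. `myorg.myapp.isStagingEnv` is the property name suggested earlier in the thread; the class name and the two credential properties are hypothetical, and `javax.servlet` plus Java 8's `java.util.Base64` are assumed.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: access gate that is active only where
 * -Dmyorg.myapp.isStagingEnv=true is set. The same WAR is deployed to
 * production, where the filter is a pass-through.
 */
public class StagingGateFilter implements Filter {

    private boolean staging;
    private byte[] expected; // "user:password", as it appears inside the BASIC header

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        staging = Boolean.getBoolean("myorg.myapp.isStagingEnv");
        if (!staging) {
            return;
        }
        // Hypothetical property names. A real deployment would rather check a
        // hashed credential store than keep a clear-text password in a property.
        String user = System.getProperty("myorg.myapp.stagingUser");
        String pass = System.getProperty("myorg.myapp.stagingPassword");
        if (user == null || pass == null) {
            // Fail closed: refuse to start rather than run staging wide open.
            throw new ServletException("staging gate enabled without credentials");
        }
        expected = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!staging || isInternal(request.getRemoteAddr())) {
            chain.doFilter(req, res); // production, or an inside tester
            return;
        }
        if (!request.isSecure()) {
            // BASIC credentials are only base64-encoded, so never ask for
            // them on a clear-text connection.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        if (credentialsMatch(request.getHeader("Authorization"))) {
            chain.doFilter(req, res);
            return;
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"staging\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /**
     * Loopback or private-range (10/8, 172.16/12, 192.168/16) client address.
     * Behind a proxy or load balancer getRemoteAddr() is the proxy's address,
     * so this test is only meaningful for direct connections.
     */
    static boolean isInternal(String remoteAddr) {
        try {
            // An IP literal is parsed without a DNS lookup.
            InetAddress a = InetAddress.getByName(remoteAddr);
            return a.isLoopbackAddress() || a.isSiteLocalAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    boolean credentialsMatch(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false;
        }
        try {
            byte[] presented = Base64.getDecoder().decode(header.substring(6).trim());
            // Comparison that does not stop at the first differing byte.
            return MessageDigest.isEqual(presented, expected);
        } catch (IllegalArgumentException e) {
            return false; // not valid base64
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```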
Re: SSL for modjk and tomcat
hi

Thanks for reply.

There are some parameters whate they are for i saw like:
:

JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT

and

JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkExtractSSL

etc etc

these are not helpful?

and some one post like this:

http://ask.metafilter.com/53101/How-do-I-force-HTTPS-in-Tomcat-through-Apache-and-modjk

is also wrong?

On Wed, Nov 9, 2011 at 3:47 PM, André Warnier wrote:

> Harsimranjit singh Kler wrote:
>
>> Hi
>> I am using httpd 2.2.17 modjk 1.2.30 tomcat 6.0.I want to enable SSL in my
>> setup.
>>
>> i Am able to successfully on httpd.but there is lot of confusion how to
>> enable between httpd to AJP & AJP to tomcat.
>>
>> There is no confusion. You can't do that. There is no SSL variant of the
> AJP protocol.
>
>
> There is not specific documentation also.
>>
>
> For the same reason.
>
>
>
>> 1) what are step for modjk configurations?
>> 2)Is AJP support SSL?
>>
>
> No. That should have been the first question.
>
>
> 3)Changes in server.xml for AJP port to support SSL requests via modjk?
>>
>> None, see above.
>
> Note : what you /can/ do, is to use mod_jk to pass all relevant SSL
> information about the original client<->Apache connection, to Tomcat, via
> HTTP headers.
>
> Additional note : of course, if you would really must do this, you could
> still run the mod_jk-to-Tomcat connection over an SSL tunnel. But that
> would be something set up totally outside of Apache, Tomcat and their
> configuration.
> E.g.
>
> browser <-- HTTPS --> apache + mod_jk -> localhost:localport1
>
> localport1 <-- SSL tunnel --> remoteport1 --> remote AJP port 8009 -->
> Tomcat
Re: how to connect to datasource
On 09/11/2011 08:34, spike@12 wrote:

Please don't top-post.

>> Read:
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html
>>
>> Pay attention to the paragraph which refers to the 'validationQuery'
>> attribute.
>
> No. I am using tomcat 6.0, java 6.0, linux system.

Crikey. That changes everything.

http://tomcat.apache.org/tomcat-6.0-doc/jndi-resources-howto.html


p
Re: SSL for modjk and tomcat
On 09/11/2011 11:20, Harsimranjit singh Kler wrote:

Please don't top-post.

> hi
>
> Thanks for reply.
>
> There are some parameters whate they are for i saw like:
> :
>
> JkExtractSSL On
>
> JkHTTPSIndicator HTTPS
>
> JkSESSIONIndicator SSL_SESSION_ID
>
> JkCIPHERIndicator SSL_CIPHER
>
> JkCERTSIndicator SSL_CLIENT_CERT
> and
>
> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
>
> JkExtractSSL
>
> etc etc
>
> these are not helpful?

They are helpful and do serve a purpose. Whether that has any bearing on your problem is a different matter altogether.

You might consider explaining more clearly what you are trying to achieve.

> and some one post like this:
>
> http://ask.metafilter.com/53101/How-do-I-force-HTTPS-in-Tomcat-through-Apache-and-modjk
>
> is also wrong?

Have you read any of the Tomcat documentation, or are you just googling?


p

> On Wed, Nov 9, 2011 at 3:47 PM, André Warnier wrote:
>
>> Harsimranjit singh Kler wrote:
>>
>>> Hi
>>> I am using httpd 2.2.17 modjk 1.2.30 tomcat 6.0.I want to enable SSL in my
>>> setup.
>>>
>>> i Am able to successfully on httpd.but there is lot of confusion how to
>>> enable between httpd to AJP & AJP to tomcat.
>>>
>>> There is no confusion. You can't do that. There is no SSL variant of the
>> AJP protocol.
>>
>>
>> There is not specific documentation also.
>>>
>>
>> For the same reason.
>>
>>
>>
>>> 1) what are step for modjk configurations?
>>> 2)Is AJP support SSL?
>>>
>>
>> No. That should have been the first question.
>>
>>
>> 3)Changes in server.xml for AJP port to support SSL requests via modjk?
>>>
>>> None, see above.
>>
>> Note : what you /can/ do, is to use mod_jk to pass all relevant SSL
>> information about the original client<->Apache connection, to Tomcat, via
>> HTTP headers.
>>
>> Additional note : of course, if you would really must do this, you could
>> still run the mod_jk-to-Tomcat connection over an SSL tunnel. But that
>> would be something set up totally outside of Apache, Tomcat and their
>> configuration.
>> E.g.
>>
>> browser <-- HTTPS --> apache + mod_jk -> localhost:localport1
>>
>> localport1 <-- SSL tunnel --> remoteport1 --> remote AJP port 8009 -->
>> Tomcat
WAR unzipping not catched
Hi everyone,

I have a question concerning Tomcats WAR deployment behavior:

I have a web application which allows me to upload WAR files to the server via a web form.

I get feedback from Tomcat once the upload is finished. I then put the file in Tomcats "webapps" folder. Tomcat now starts unzipping the package. How can I manage to get a notification from Tomcat indicating me that the application is ready to be switched to?

Thanks in advance for your help.

Stefan
Re: WAR unzipping not catched
Stefan Siegel wrote:
> Hi everyone,
>
> I have a question concerning Tomcats WAR deployment behavior:
>
> I have a web application which allows me to upload WAR files to the server via a web form.
>
> I get feedback from Tomcat once the upload is finished. I then put the file in Tomcats "webapps" folder. Tomcat now starts unzipping the package. How can I manage to get a notification from Tomcat indicating me that the application is ready to be switched to?

If I had the same problem, and I did not want to start wading through the Tomcat Manager application code (*), then what I would do would be to have my application issue a simple HTTP request to this application, and check what comes back. And if it was not the first page of the application (**), then I'd wait and retry.

But there are probably other ways to do this.

(*) which is available and, some say, surprisingly easy to understand
(**) which, considering I wrote it, could contain some unique string easy to detect
RE: WAR unzipping not catched
Perhaps consider using the tomcat event listeners that trigger when a context is up

Sharon

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Wednesday, November 09, 2011 3:01 PM
To: Tomcat Users List
Subject: Re: WAR unzipping not catched

Stefan Siegel wrote:
> Hi everyone,
>
> I have a question concerning Tomcats WAR deployment behavior:
>
> I have a web application which allows me to upload WAR files to the server
> via a web form.
>
> I get feedback from Tomcat once the upload is finished. I then put the
> file in Tomcats "webapps" folder. Tomcat now starts unzipping the package.
> How can I manage to get a notification from Tomcat indicating me that the
> application is ready to be switched to?
>

If I had the same problem, and I did not want to start wading through the Tomcat Manager application code (*), then what I would do would be to have my application issue a simple HTTP request to this application, and check what comes back. And if it was not the first page of the application (**), then I'd wait and retry.

But there are probably other ways to do this.

(*) which is available and, some say, surprisingly easy to understand
(**) which, considering I wrote it, could contain some unique string easy to detect
Re: Catalina.policy file for security option
I have moved during the starting of catalina in security and now I am in the stage that in catalina.out log files I have:

access: access allowed (java.io.FilePermission /usr/share/tomcat5/common/classes/log4j.properties read)
access: access denied (java.io.FilePermission /usr/share/tomcat5/common/classes/log4j.properties read)
access: access denied (javax.management.MBeanPermission org.apache.commons.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,j2eeType=WebModule,name=//localhost/PM] registerMBean)
access: access allowed (java.lang.RuntimePermission setContextClassLoader)
access: access denied (javax.management.MBeanPermission org.apache.commons.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,j2eeType=WebModule,name=//localhost/PM] registerMBean)
access: access allowed (java.io.FilePermission /usr/share/tomcat5/server/lib/catalina.jar read)
access: access denied (java.io.FilePermission /usr/share/tomcat5/server/lib/catalina.jar read)
access: access denied (javax.management.MBeanPermission org.apache.commons.modeler.BaseModelMBean#-[null:port=8080,type=ProtocolHandler] registerMBean)
access: access allowed (java.net.SocketPermission localhost:8080 listen,resolve)
access: access allowed (java.lang.RuntimePermission shutdownHooks)
access: access allowed (java.net.SocketPermission localhost:8005 listen,resolve)
access: access allowed (java.lang.RuntimePermission exitVM.1)
access: access allowed (java.lang.RuntimePermission shutdownHooks)
access: access allowed (java.util.logging.LoggingPermission control)

But in output lsof -i | grep java is not mentioned and tomcat.

On 8 November 2011 14:15, Petr Hracek wrote:
> When I have set CATALINA_OPTS to:
> linux:/var/log/tomcat5/base # echo $CATALINA_OPTS
> -Djava.security.debug=all
> linux:/var/log/tomcat5/base #
>
> in log I see:
> domain 1 ProtectionDomain
> CodeSource=CodeSource, url=file:/usr/share/tomcat5/bin/bootstrap.jar,
>
> ClassLoader=sun.misc.Launcher$AppClassLoader@8e208e2
>
> Permissions:
> static: java.security.Permissions@8930893 (
> (java.io.FilePermission /usr/share/tomcat5/bin/bootstrap.jar read)
> (java.lang.RuntimePermission exitVM)
> )
>
>
> On 8 November 2011 13:51, Petr Hracek wrote:
>> Yes the tomcat should be run as a back-end server (AJP) with apache2-2.2.21.
>> I have add to the catalina.policy following permission:
>> permission javax.management.MBeanServerPermission "createMBeanServer";
>> permission javax.management.MBeamPermission
>> "com.javamonitor.mbeans.*","*";
>> permission javax.management.MBeanTrustPermission "register";
>> permission javax.management.MBeanServerPermission "findMBeanServer";
>> permission java.net.SocketPermission "java-monitor.com:80", "connect";
>> permission java.net.SocketPermission "java-monitor.com:80", "resolve";
>>
>> In the log of catalina.out I see:
>> log4j:WARN No appenders could be found for logger
>> (org.apache.catalina.startup.Embedded).
>> log4j:WARN Please initialize the log4j system properly.
>>
>> But as in ps -ef | grep java and lsof -i | grep java I did not see any
>> 8009 and 8005 port or even that tomcat5 is not starting.
>>
>> Where could be a problem?
>>
>> On 7 November 2011 12:29, André Warnier wrote:
>>> Petr Hracek wrote:
>>>>
>>>> Dear tomcat users,
>>>>
>>>> I have try to configure my really old tomcat5 configuration (for using
>>>> -security). but tomcat is not running.
>>>
>>> Petr,
>>> can you be a bit more specific ? what is not running ? does it start ? does
>>> it crash after starting ? is it just not answering requests ? are there
>>> error messages anywhere ?
>>>
>>>> On my system tomcat5 is run only as servlet engine and not as web server.
>>>
>>> Do you mean for example that it runs as a back-end server (through AJP
>>> e.g.), with a front-end webserver serving all static content ?
>>>
>>>
>>>> Do you have any example catalina.policy file?
>>>>
>>>> My catalina.policy file is:
>>>>
>>>> // == SYSTEM CODE PERMISSIONS =
>>>>
>>>> // These permissions apply to javac
>>>> grant codeBase "file:${java.home}/lib/-" {
>>>>     permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to all shared system extensions
>>>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>>>>     permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
>>>> grant codeBase "file:${java.home}/../lib/-" {
>>>>     permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to all shared system extensions when
>>>> // ${java.home} points at $JAVA_HOME/jre
>>>> grant codeBase "file:${java.home}/lib/ext/-" {
>>>>     permission java.security.AllPermission;
>>>> };
>>>>
>>>> // == CATALINA CODE PERMISSIONS ===
Re: making security constraints configureable
This thread is quite long, but to sum up what I have understood

1) you have an application running on staging and production
2) you want to enable access to staging for public demos from anywhere on the internet - for this you want to add access controls
3) everyone else will access the application on an intranet with no access controls, e.g. no security constraints

Also you weren't happy with the suggestion of placing apache httpd in front as this would make staging different from production.

Assuming the above is a fair summation of 15 emails, then

- Why don't you expose tomcat via say port 80 and have no security enabled. This is what people use to access the production environment, and probably how you have things configured currently
- For the "staging" server, configure exactly the same way for intranet access
- For internet access have your firewall route through to a different port, which apache http listens on. Then add security to apache, and if they make it past the security forward the requests to the tomcat instance via say ajp.

This won't give a 100% affinity in the cyber cafe for exactly what people will experience in production due to the extra steps. However it will be pretty close and this satisfies your security requirements. Also satisfies your load testing requirements - you load test on staging against the internal port

- FWIW to me staging is where you test the roll out scripts - you shouldn't let anybody on it, and certainly not be doing any performance testing on it. I think I would call the environment you describe UAT
- As already mentioned, if this doesn't work for you then the only other viable alternative that springs to mind is to add a filter that allows you to configure the security constraint on and off per installation.

Anyway hope that helps

Chris
Re: Tomcat 7, Servlet 3.0, and Non-Blocking
That's very illuminating, thanks.

I was looking at the table at the bottom of http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html#NIO_specific_configuration, and got the impression APR was blocking also, but now I see 'waiting for next request' is non-blocking in the TC7 table.

Would you give us a sense of how using a non-blocking connector would be important when doing comet? Once startAsync is called, will the standard (blocking) connector continue to hold resources (where the NIO connectors won't)?

Thanks,
Matt

On Wed, Nov 9, 2011 at 1:24 AM, wrote:

> Matthew Tyson wrote:
>
> >I guess what I'm asking is if I just start using the Servlet 3.0 support
> >for suspending requests out of the box, will it be a thread blocking
> >implementation I'm using?
>
> That depends what you mean by "thread blocking". Once startAsync has been
> called the thread that was processing the request/response is released to
> handle other requests regardless of connector.
>
> >HTTP APR/native is blocking as well, correct?
>
> Wrong. You should read the docs, particularly the summary at the bottom of
> the HTTP connector configuration page
>
> >So if I want to use Servlet 3.0 async (eg, a call to request.startAsync),
> >and have it be handled without blocking IO, I need to use the NIO
> >connector?
>
> Wrong again. All Servlet IO is blocking IO. If you look at the API you'll
> see that all read and write calls are blocking.
>
> You seem to be mixing up blocking and non-blocking IO with whether or not
> a thread is dedicated to processing a request/response pair for the life of
> the request/response. They are very different beasts.
>
> All connectors release the thread to handle other requests once startAsync
> has been called.
>
> As an aside, the non-blocking connectors will use non-blocking IO where
> they can but once you get to the Servlet API, that is always blocking IO.
>
> Mark
Re: Trouble running TC8 trunk
All,

I can't see this message having been posted -- re-posting just in case. Apologies if my client is the problem and this is a double-post.

Thanks,
-chris

On 11/8/11 5:37 PM, Christopher Schultz wrote:
> All,
>
> With current trunk HEAD and a fresh:
>
> $ ant clean clean-depend download-compile deploy
>
> When I attempt to start Tomcat, I get this error (this is 100% of
> my catalina.out):
>
> java.lang.NoClassDefFoundError: org/apache/catalina/startup/SetParentClassLoaderRule
>     at java.lang.Class.getDeclaredConstructors0(Native Method)
>     at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389)
>     at java.lang.Class.getConstructor0(Class.java:2699)
>     at java.lang.Class.newInstance0(Class.java:326)
>     at java.lang.Class.newInstance(Class.java:308)
>     at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:239)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)
> Caused by: java.lang.ClassNotFoundException: org.apache.catalina.startup.SetParentClassLoaderRule
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
>     ... 7 more
>
> That line in Bootstrap.java is creating a new startup.Catalina
> object which needs its own inner class SetParentClassLoaderRule.
> It looks like the JVM is attempting to load the wrong class: it
> should be loading startup.Catalina$SetParentClassLoaderRule but
> instead it's trying to load startup.SetParentClassLoaderRule.
>
> I'm at a loss, here.
>
> JVM info:
>
> $ java -version
> java version "1.6.0_26"
> Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
> Java HotSpot(TM) Server VM (build 20.1-b02, mixed mode)
>
> Any ideas?
>
> Thanks, -chris
Re: Trouble running TC8 trunk
2011/11/9 Christopher Schultz :
> I can't see this message having been posted -- re-posting just in
> case. Apologies if my client is the problem and this is a double-post.
>

Already replied 15hr ago.
http://tomcat.markmail.org/thread/qkaukjmf2pnuzt62

Do you still have the problem?

CC'ing you to be sure of delivery. There are public searchable archives on the web if you are wondering whether the mail reached the list. Maybe there was some trouble at apache.org with delivering users@ emails to your subscription address?

Best regards,
Konstantin Kolinko
Re: Trouble running TC8 trunk
Konstantin,

On 11/8/11 6:32 PM, Konstantin Kolinko wrote:
> How do you start it?

I use a custom ant target to launch catalina.sh. Here is the command line that actually gets run:

/usr/bin/java -Dnop -Xmx64M
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
  -Djava.endorsed.dirs=/home/cschultz/.../apache-tomcat/trunk/output/build/endorsed
  -classpath /home/cschultz/.../apache-tomcat/trunk/output/build/bin/bootstrap.jar:/home/cschultz/.../apache-tomcat/trunk/output/build/bin/tomcat-juli.jar
  -Dcatalina.base=/home/cschultz/.../multipart/8275
  -Dcatalina.home=/home/cschultz/.../apache-tomcat/trunk/output/build
  -Djava.io.tmpdir=/home/cschultz/.../multipart/8275/temp
  org.apache.catalina.startup.Bootstrap start

> Are you in output/build/bin when you are trying to start it?

No, I'm on the dev root of my project.

> Do CATALINA_HOME and CATALINA_BASE have none or valid values when
> you are running the startup scripts?

See above. CATALINA_HOME env var is not set at all -- I was expecting catalina.sh to auto-set that value, which it looks like it is doing correctly. I can confirm that both catalina.base and catalina.home system properties are being properly set.

> (catalina.sh should print their values when starting).
>
> Maybe try good old "rm -rf output" instead of Ant clean?

$ rm -rf output
$ ant clean clean-depend download-compile deploy

> Last time I cleanly recompiled it was yesterday (to confirm
> brokenness in the manager webapp - see elsethread), and all was
> fine.

I'll add some debug to the scripts, etc. to see if I can figure it out.

Thanks
-chris
Re: Trouble running TC8 trunk
All,

On 11/9/11 9:14 AM, Christopher Schultz wrote:
> $ rm -rf output
> $ ant clean clean-depend download-compile deploy

Looks like this has cleared the log-jam.

Thanks,
-chris
Re: SSL for modjk and tomcat
Doing this configuration first time.

As per reply AJP not support SSL but still apache can pass some information to tomcat.

i found above parameter in documentation :

http://tomcat.apache.org/connectors-doc/reference/apache.html

but no example how to configure these and how helpful.

i don't know what is ideal configurations for above setup to support SSL

Thank you very much

On Wed, Nov 9, 2011 at 5:52 PM, Pid wrote:

> On 09/11/2011 11:20, Harsimranjit singh Kler wrote:
>
> Please don't top-post.
>
> > hi
> >
> > Thanks for reply.
> >
> > There are some parameters what they are for i saw like:
> > :
> >
> > JkExtractSSL On
> > JkHTTPSIndicator HTTPS
> > JkSESSIONIndicator SSL_SESSION_ID
> > JkCIPHERIndicator SSL_CIPHER
> > JkCERTSIndicator SSL_CLIENT_CERT
> > and
> >
> > JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> > JkExtractSSL
> >
> > etc etc
> >
> > these are not helpful?
>
> They are helpful and do serve a purpose.
>
> Whether that has any bearing on your problem is a different matter
> altogether. You might consider explaining more clearly what you are
> trying to achieve.
>
> > and some one post like this:
> >
> > http://ask.metafilter.com/53101/How-do-I-force-HTTPS-in-Tomcat-through-Apache-and-modjk
> >
> > is also wrong?
>
> Have you read any of the Tomcat documentation, or are you just googling?
>
> p
>
> > On Wed, Nov 9, 2011 at 3:47 PM, André Warnier wrote:
> >
> >> Harsimranjit singh Kler wrote:
> >>
> >>> Hi
> >>> I am using httpd 2.2.17 modjk 1.2.30 tomcat 6.0.I want to enable SSL in my
> >>> setup.
> >>>
> >>> i Am able to successfully on httpd.but there is lot of confusion how to
> >>> enable between httpd to AJP & AJP to tomcat.
> >>
> >> There is no confusion. You can't do that. There is no SSL variant of the
> >> AJP protocol.
> >>
> >>> There is not specific documentation also.
> >>
> >> For the same reason.
> >>
> >>> 1) what are step for modjk configurations?
> >>> 2)Is AJP support SSL?
> >>
> >> No. That should have been the first question.
> >>
> >>> 3)Changes in server.xml for AJP port to support SSL requests via modjk?
> >>
> >> None, see above.
> >>
> >> Note : what you /can/ do, is to use mod_jk to pass all relevant SSL
> >> information about the original client<->Apache connection, to Tomcat, via
> >> HTTP headers.
> >>
> >> Additional note : of course, if you would really must do this, you could
> >> still run the mod_jk-to-Tomcat connection over an SSL tunnel. But that
> >> would be something set up totally outside of Apache, Tomcat and their
> >> configuration.
> >> E.g.
> >>
> >> browser <-- HTTPS --> apache + mod_jk -> localhost:localport1
> >>
> >> localport1 <-- SSL tunnel --> remoteport1 --> remote AJP port 8009 -->
> >> Tomcat
Re: how to connect to datasource
now it is working fine, after adding validationQuery,testOnBorrow parameters. Thanks to all.

billybob79 wrote:
>
>> may I know, how to connect to datasource automatically if my DB machine is
>> restarted?? Is it having any specific parameter to connect datasource
>> automatically??
>
> How does the existing app connect to the database? Can you show the code
> please - remove any sensitive passwords
>
> Thanks
>
> Chris
Re: SSL for modjk and tomcat
Harsimranjit,

On 11/9/11 10:35 AM, Harsimranjit singh Kler wrote:
> Doing this configuration first time.
>
> As per reply AJP not support SSL but still apache can pass some
> information to tomcat.

Correct: mod_ssl will forward the important SSL information from httpd to Tomcat. Note that connection between httpd and Tomcat is not encrypted (which is why Pid and Andre have said "no SSL"). The SSL information comes from the incoming HTTPS connection and is provided via AJP to Tomcat.

> i found above parameter in documentation :
>
> http://tomcat.apache.org/connectors-doc/reference/apache.html
>
> but no example how to configure these and how helpful.

Did you mean that you found all of those parameters (not just one) in the documentation?

The documentation, while fairly short, contains everything you need. Each directive is documented as to its function, its value parameter values, and the default.

> i don't know what is ideal configurations for above setup to support
> SSL

mod_jk supports SSL with no additional configuration. If you find that the default configuration is not meeting your needs, please tell us what you need and we can help you configure it.

-chris
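How the SSL details forwarded over AJP surface inside a webapp, as an added example that is not part of the thread or of Tomcat's or mod_jk's own code: a servlet filter that refuses requests which did not reach httpd over HTTPS and reads the forwarded cipher, key size and client certificate from the standard Servlet request attributes. The class name and the `minKeySize` init parameter are assumptions; the key size is only present when mod_jk runs with the `JkOptions +ForwardKeySize` setting quoted earlier in the thread.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the thread): checks that the browser-to-httpd
 * leg used SSL and records what was forwarded about it over AJP.
 * The httpd-to-Tomcat hop itself is not encrypted, so these values are only as
 * trustworthy as the path to the AJP port; keep that port reachable from the
 * httpd host only.
 */
public class ForwardedSslFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(ForwardedSslFilter.class.getName());

    // Standard Servlet attribute names, filled by the AJP connector from the forwarded data.
    static final String ATTR_CIPHER = "javax.servlet.request.cipher_suite";
    static final String ATTR_KEY_SIZE = "javax.servlet.request.key_size";
    static final String ATTR_CERTS = "javax.servlet.request.X509Certificate";

    private int minKeySize = 128; // assumed policy value; override with init-param "minKeySize"

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("minKeySize");
        if (configured != null) {
            try {
                minKeySize = Integer.parseInt(configured.trim());
            } catch (NumberFormatException e) {
                throw new ServletException("minKeySize must be an integer", e);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // True when httpd received the request over HTTPS and said so in the AJP message.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        String cipher = (String) request.getAttribute(ATTR_CIPHER);
        Integer keySize = (Integer) request.getAttribute(ATTR_KEY_SIZE);
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(ATTR_CERTS);

        // The key size is absent unless it was forwarded; reject only a known-weak value.
        if (keySize != null && keySize.intValue() < minKeySize) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Cipher strength too low");
            return;
        }

        // A client certificate exists only if httpd requested one from the browser.
        String subject = (certs != null && certs.length > 0)
                ? certs[0].getSubjectX500Principal().getName()
                : "none";
        LOG.fine("cipher=" + cipher + " keySize=" + keySize + " clientCert=" + subject);

        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```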
Re: Session time out never takes place with ajax
Sharon,

On 11/9/11 12:56 AM, Sharon Prober (sprober) wrote:
> This is my first post here so wish me luck :)

Welcome.

> My question is as follow:
>
> I have a web based application running on tomcat 6.0.29
>
> On my main page there is a polling ajax call every 5 seconds.
>
> Clearly this revalidates the session and by that renders the
> session timeout feature unusable

Yes.

> I read about two main solutions for this issue
>
> 1. Coding on the server side (filter) a simple snippet that
> identifies an ajax call based on a parameter passed and based on
> that knows if this is a valid post or a polling hit that should not
> affect the session expiration date

This is problematic for a few reasons:

1. You usually want a polling request to return something of use, which often involves the session. You can't access the session without updating its last-accessed-time.

2. Under certain configuration, Tomcat will update the last-accessed-time of the session even if you don't call request.getSession(). This may be only the case in Tomcat 7 with the following configuration settings: See the org.apache.catalina.core.StandardHostValve.ACCESS_SESSION and org.apache.catalina.STRICT_SERVLET_COMPLIANCE system properties here: http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Sessions

> 2. Create a stub webapp and redirect the calls of the polling
> to that app

I'm not sure this buys you anything: if you pass-through calls to the "real" webapp, then you'll still be touching the session.

> So my question is, is there another way for this to be achieved?

It would be best to describe what your "ping" actually does. If it doesn't require session access, you may have some options.

> Note. I think it might be a cool feature (with the vast ajax use
> these days) to have a configuration in the web.xml that excludes
> various paths/urls from the session validation checkups

This would, by definition, be a violation of the specification.

Instead, something like a Valve placed early in the pipeline could avoid a session update but still perform some trivial action.

-chris
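One shape the Valve suggested above could take, as an added example that is not from the thread or from Tomcat itself: it answers the polling URL before the request reaches the webapp, so no session is looked up and the idle timeout keeps running. The class name, the `pollPath` property and the `/app/ping` path are assumptions; because the Valve never identifies the caller, its reply carries nothing session-specific.

```java
import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical Valve (not from the thread). Assumed registration inside the
 * <Host> element of server.xml, with the class on Tomcat's own class path:
 *
 *   <Valve className="PollingValve" pollPath="/app/ping"/>
 *
 * Valves configured on the Host run before the Host's basic valve and before
 * the webapp's filters and servlets.
 */
public class PollingValve extends ValveBase {

    // Exact request URI of the polling call (assumed value, set from server.xml).
    private String pollPath = "/app/ping";

    public void setPollPath(String pollPath) {
        this.pollPath = pollPath;
    }

    public String getPollPath() {
        return pollPath;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        boolean isPoll = "GET".equals(request.getMethod())
                && pollPath.equals(request.getRequestURI());

        if (!isPoll) {
            // Everything else continues down the pipeline and refreshes the
            // session's last-accessed time as usual.
            getNext().invoke(request, response);
            return;
        }

        // Answer here: getSession() is never called and getNext() is not invoked,
        // so the session's last-accessed time stays untouched and the timeout
        // configured for the webapp still expires idle users.
        response.setStatus(200);
        response.setContentType("application/json");
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write("{\"alive\":true}");
    }
}
```

A poll that needs per-user data cannot be served this way, since reading the session is exactly what resets the timer.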
Re: WAR unzipping not catched
Sharon,

On 11/9/11 5:46 AM, Sharon Prober (sprober) wrote:
> Perhaps consider using the tomcat event listeners that trigger when
> a context is up

+1

This is what ServletContextListener was made for.

If you need one webapp to get a notification from another webapp, you have lots of options. Without knowing your requirements, it's hard to recommend a technique.

-chris
Re: how to connect to datasource
spike@12,

On 11/9/11 8:59 PM, spike@12 wrote:
> now it is working fine, after adding validationQuery,testOnBorrow
> parameters.

Note that testOnBorrow=true is the default, so you don't really need to set it.

-chris
Re: AW: AW: mod_jk - Browser displays HTML Sourcecode
Alexander,

On 11/8/11 7:29 AM, Alexander Diedler wrote:
> Ok, But would be the better way (of life) for this? HTTPD
> vhost.conf: ServerAdmin xxx@yyy
> DocumentRoot "D:/www/apps/app1/ROOT" D:/www/apps/app1/ROOT ">
> Options Indexes FollowSymLinks
> AllowOverride None Order allow,deny Allow from all
> ...

So, if you forward /* to Tomcat, why do you need a DocumentRoot at all?

-chris
Fwd: SSL for modjk and tomcat
Hi

Simple i have setup httpd,modjk,tomcat .i want to enable SSL(i.e i can handle everything on https).

> If (instead) you want to encrypt the AJP connection between HTTPD and Tomcat, you'll have to use an SSH tunnel because the AJP protocol is not encrypted.

Now AJP not support SSL fine. i.e AJP protocol is not encrypted. i don't want SSH tunnel.

What other approach i can follow now.i mean other way ?

i am not sure where to configure those mod jk directive and what configurations at tomcat side?

On Thu, Nov 10, 2011 at 11:23 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Harsimranjit,
>
> On 11/9/11 10:35 AM, Harsimranjit singh Kler wrote:
> > Doing this configuration first time.
> >
> > As per reply AJP not support SSL but still apache can pass some
> > information to tomcat.
>
> Correct: mod_ssl will forward the important SSL information from httpd
> to Tomcat. Note that connection between httpd and Tomcat is not
> encrypted (which is why Pid and Andre have said "no SSL"). The SSL
> information comes from the incoming HTTPS connection and is provided
> via AJP to Tomcat.
>
> > i found above parameter in documentation :
> >
> > http://tomcat.apache.org/connectors-doc/reference/apache.html
> >
> > but no example how to configure these and how helpful.
>
> Did you mean that you found all of those parameters (not just one) in
> the documentation?
>
> The documentation, while fairly short, contains everything you need.
> Each directive is documented as to its function, its value parameter
> values, and the default.
>
> > i don't know what is ideal configurations for above setup to support
> > SSL
>
> mod_jk supports SSL with no additional configuration. If you find that
> the default configuration is not meeting your needs, please tell us
> what you need and we can help you configure it.
>
> -chris
Parallel deployment - can we use JMX to monitor old and new versions of a webapp?
Hi,

We're looking into the parallel deployment feature of Tomcat 7 and want to see if there is a way to monitor performance stats of an old deployment of a webapp.

Our webapp has a few pages that display application-specific information - performance indicators, recent exceptions, cache information - and when the new version of a webapp is deployed, we still want to be able to monitor this info for the old webapp (eg, be able to view the monitoring info for both foo##001.war [old] and foo##002.war [new])

From the testing we've done, it looks like the only way to be able to view a page in the older app after the new app is deployed is if we already have a session open on the old one. The admin interface is actually a set of iframes, with each iframe viewing a specified page on each of the machines in the cluster. The problem is if the browser crashes or is accidentally closed.

Would using JMX allow us to view this information for the two webapp versions without being dependent on user sessions? How would we distinguish between status info coming from the old and new webapp versions? We haven't had experience using this before, so we're not too clear on what it allows us to do and what it entails.

Yes, it sorta begs the question as to why we need to monitor an app that is being replaced anyway, and no longer accessible once existing sessions are closed. Anyway, we'd still like to know. =) In any case if it ends up being too much work then we'll just go with the first option.

thanks,
Ellecer