Re: GlobalNamingResources outside of server.xml

2009-04-22 Thread André Warnier

Robert Koberg wrote:


On Apr 21, 2009, at 7:02 PM, André Warnier wrote:


André Warnier wrote:

Mark Thomas wrote:

André Warnier wrote:

Mark Thomas wrote:

Anthony J. Biacco wrote:

I did end up trying it and it did work, I just didn't know if it was
something that's frowned upon, or would for whatever reason was
planned to be phased out/deprecated.

Nope. That is absolutely fine. I know of a number of large corporations
that use that feature extensively. We get it essentially for free with
the xml parser so it is going to stay.


My ears just kind of popped up on this thread.
Would not the same kind of subterfuge be applicable for the case where
you send an updated app as a war-file to a customer (thus including its
web.xml), but this customer has his own different parameters to set in
the web.xml ?


Hmm. Never tried it. I'd try it and let us know how you get on.

Hmm back.  Unfortunately, I'm not really a productive Java/Tomcat 
programmer, and I don't do this kind of thing often (I mean prepare 
applications as wars, deploy them etc..).
What I mean is that if someone else would have a quick easy way to test 
this and be willing to do it, I am sure it would be much faster, and 
lots of people would probably be interested in the answer.

I've seen this subject come up here a few times.
I'll add that if it works, I think it's worth a Wiki article, and 
that, I am willing (and competent) to write.  To each his own..


It is simply XML (the example in this thread uses entities). You could 
also use XInclude, which lets you define a fallback. And with either 
entities or XInclude you can use XML Catalogs for a great deal of 
flexibility.


If you have no preference, tend to prefer XInclude over entities.



All right, but I'm afraid this is still somewhat flying over my head, 
what with me not being /either/ a Java expert, /nor/ a Tomcat expert, 
/nor/ an XML expert. (What am I then doing on this list, one might ask).


So, since everyone but me seems to know pretty well how to do it, 
sometimes even in several ways, and since from previous threads I 
believe there is more interest for this, would it be possible for 
someone to give an effective simple example (or maybe two or three) 
based for example on this :


<?xml version="1.0"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <display-name>MyApp</display-name>
  <description>
    My simple webapp.
  </description>

  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>my.servlet</servlet-class>
    <init-param>
      <param-name>someParam</param-name>
      <param-value>someValue</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
...
</web-app>

of how one could make it so that the <param-value> of the above 
<param-name> someParam is a reference to some value defined elsewhere, 
for example in a file in the Tomcat conf directory ?





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [OT] Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread André Warnier

mark_desp...@mcafee.com wrote:
...
Being named DeSpain, having a wife able to write about Java GC in 
Japanese and English, and being oneself able to write eloquently about 
an Insane Java library and its usage with Tomcat..

This world is full of wonders.




Steps to configure Tomcat 5.0 with PKCS#11 support

2009-04-22 Thread Raminder Singh
Hi,

We are using tomcat 5.0.28 and JDK 1.5.10. Now, there is some requirement to 
use tomcat with PKCS#11 support.
Initial study shows that a hardware token would be needed for this.


1)  Is a minimum Tomcat version of 5.5 a must for this?

2)  Is this hardware requirement mandatory? Or is any other way possible?

3)  What additional changes would be required at the server.xml level for 
PKCS#11 support?

Regards,
Raminder Singh




Re: GlobalNamingResources outside of server.xml

2009-04-22 Thread Robert Koberg


On Apr 22, 2009, at 4:25 AM, André Warnier wrote:




All right, but I'm afraid this is still somewhat flying over my head, 
what with me not being /either/ a Java expert, /nor/ a Tomcat expert, 
/nor/ an XML expert. (What am I then doing on this list, one might 
ask).


So, since everyone but me seems to know pretty well how to do it,  
sometimes even in several ways, and since from previous threads I  
believe there is more interest for this, would it be possible for  
someone to give an effective simple example (or maybe two or three)  
based for example on this :


<?xml version="1.0"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <display-name>MyApp</display-name>
  <description>
    My simple webapp.
  </description>

  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>my.servlet</servlet-class>
    <init-param>
      <param-name>someParam</param-name>
      <param-value>someValue</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
...
</web-app>

of how one could make it so that the <param-value> of the above 
<param-name> someParam is a reference to some value defined 
elsewhere, for example in a file in the Tomcat conf directory ?




OK, here you cannot use entities in an external file because you have  
already defined a DTD (one of the problems with DTDs).


As for XInclude, the problem is slightly different: The XInclude  
support has to be turned on for the parser. From Xerces:


http://xerces.apache.org/xerces2-j/faq-xinclude.html

Applications using JAXP 1.3 can enable XInclude processing by setting  
XInclude awareness on the parser factory. The following demonstrates  
how to accomplish this with SAX:



import javax.xml.parsers.SAXParserFactory;

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setNamespaceAware(true);
spf.setXIncludeAware(true);
...


You can also enable XInclude processing by turning on the XInclude  
feature.


BTW, here is an article that has some examples:

http://www.xml.com/pub/a/2002/07/31/xinclude.html

Your example might look like:

<?xml version="1.0"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app xmlns:xi="http://www.w3.org/2001/XInclude">
  <display-name>MyApp</display-name>
  <description>
    My simple webapp.
  </description>

  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>my.servlet</servlet-class>
    <init-param>
      <param-name>someParam</param-name>
      <param-value>
        <!-- someParam.txt just contains the text 'someValue' -->
        <xi:include href="someParam.txt" parse="text">
          <xi:fallback>defaultValue</xi:fallback>
        </xi:include>
      </param-value>
    </init-param>

    <load-on-startup>1</load-on-startup>
  </servlet>

</web-app>
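
The behaviour described in the message above, as an added example that is not part of the original thread: a standalone JAXP program that parses a cut-down copy of the XInclude web.xml with XInclude awareness off, then on with someParam.txt missing (fallback), then on with the file present. The class name, the temporary directory and the omission of the DOCTYPE (so no DTD is fetched) are assumptions of this example; it says nothing about how Tomcat itself configures its descriptor parser.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class XIncludeParamDemo {

    static final String XI_NS = "http://www.w3.org/2001/XInclude";

    // Constructed sample: the thread's web.xml reduced to the one servlet,
    // without the DOCTYPE so the parser never needs to load the DTD.
    static final String WEB_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<web-app xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n"
        + "  <servlet>\n"
        + "    <servlet-name>MyServlet</servlet-name>\n"
        + "    <servlet-class>my.servlet</servlet-class>\n"
        + "    <init-param>\n"
        + "      <param-name>someParam</param-name>\n"
        + "      <param-value>\n"
        + "        <xi:include href=\"someParam.txt\" parse=\"text\">\n"
        + "          <xi:fallback>defaultValue</xi:fallback>\n"
        + "        </xi:include>\n"
        + "      </param-value>\n"
        + "    </init-param>\n"
        + "  </servlet>\n"
        + "</web-app>\n";

    /** Parses webXml and reports the param-value text plus any xi:include left in the tree. */
    static String describe(File webXml, boolean xincludeAware) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);           // XInclude processing needs namespaces
        dbf.setXIncludeAware(xincludeAware);   // JAXP leaves this off unless asked
        // Parsing from a File gives the parser a base URI, so the relative
        // href "someParam.txt" is resolved next to web.xml.
        Document doc = dbf.newDocumentBuilder().parse(webXml);
        String value = doc.getElementsByTagName("param-value").item(0)
                          .getTextContent().trim();
        int unresolved = doc.getElementsByTagNameNS(XI_NS, "include").getLength();
        return "param-value='" + value + "', xi:include elements left in DOM: " + unresolved;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("xinclude-demo");
        Path webXml = dir.resolve("web.xml");
        Files.write(webXml, WEB_XML.getBytes(StandardCharsets.UTF_8));

        // 1) Parser not XInclude-aware: xi:include stays in the tree as an
        //    ordinary element, and nothing is read from disk.
        System.out.println("not aware          : " + describe(webXml.toFile(), false));

        // 2) XInclude-aware, someParam.txt missing: the xi:fallback content is used.
        System.out.println("aware, file missing: " + describe(webXml.toFile(), true));

        // 3) XInclude-aware, file present: the file's text replaces the include.
        Files.write(dir.resolve("someParam.txt"),
                    "someValue".getBytes(StandardCharsets.UTF_8));
        System.out.println("aware, file present: " + describe(webXml.toFile(), true));
    }
}
```

Once XInclude awareness is on, the document being parsed decides which files the parser opens, so it should only be enabled for descriptors whose author is trusted.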




Re: What Tomcat presentations / demos / discussions do you want to see at ApacheCon US 2009?

2009-04-22 Thread jean-frederic clere

Rainer Jung wrote:

On 16.04.2009 12:44, Mark Thomas wrote:

Gregor Schneider wrote:

- Concerning how often questions regarding mod_jk are showing up in
the list: mod_jk - HowTo / Best practices

Any takers for presenting this?


Not sure, whether this is too specific for ApacheCon, but yes, if there
is interest, I could give the talk. I'll submit a proposal and let the
committee decide :)

Concerning the proposal about a joined talk for httpd and mod_jk reverse
proxy solutions: putting all this into one slot will be very difficult.
Then we would need to keep it an overview thing and again people might
not get the answers they are seeking (too many "it depends" without
really explaining how you decide).

So I prefer to do either a more specific talk (like one on mod_jk), or
we would need two adjacent time slots. The latter gives maybe too much
precious time resources to this topic.


Maybe we need a front-end presentation with more than one speaker (I 
will be happy to make a mod_proxy one).


Cheers

Jean-Frederic



Regards,

Rainer





Re: GlobalNamingResources outside of server.xml

2009-04-22 Thread Robert Koberg
I just finished my first cup of coffee and realized I didn't address  
having the external def in the conf directory. You probably do not  
want to rely on each user having the same directory structure, so you  
can't rely on a hard coded absolute or relative path :)


First, let me say I usually put a .properties file in some system  
defined directory and configure at app start up. Sometimes I need a  
hierarchy and use an XML file in some system defined dir and keep that  
stored in some DOMish structure (e.g. XOM, dom4j, etc) rather than  
converting it into some (brittle) object with something like JAXB.


Anyway, back to XInclude, there are good use cases especially within  
an XML heavy app. Relating to getting the external def into the conf  
dir, you would want to use XML Catalogs. They let you assign a local  
file to some reference in the XML. This can be used for many different  
types of referenced file resolution. For example below, your local  
catalog would define:


<system
    systemId="someParam.txt"
    uri="/home/me/myapp/someParam.txt"/>


And of course, catalogs can reference other catalogs, which can  
reference other catalogs...


best,
-Rob


On Apr 22, 2009, at 5:41 AM, Robert Koberg wrote:



On Apr 22, 2009, at 4:25 AM, André Warnier wrote:




All right, but I'm afraid this is still somewhat flying over my  
head, what with me not being /either/ a Java expert, /nor/ a Tomcat  
expert, /nor/ an XML expert. (What am I then doing on this list,  
one might ask).


So, since everyone but me seems to know pretty well how to do it,  
sometimes even in several ways, and since from previous threads I  
believe there is more interest for this, would it be possible for  
someone to give an effective simple example (or maybe two or three)  
based for example on this :


<?xml version="1.0"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <display-name>MyApp</display-name>
  <description>
    My simple webapp.
  </description>

  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>my.servlet</servlet-class>
    <init-param>
      <param-name>someParam</param-name>
      <param-value>someValue</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
...
</web-app>

of how one could make it so that the <param-value> of the above  
<param-name> someParam is a reference to some value defined  
elsewhere, for example in a file in the Tomcat conf directory ?




OK, here you cannot use entities in an external file because you  
have already defined a DTD (one of the problems with DTDs).


As for XInclude, the problem is slightly different: The XInclude  
support has to be turned on for the parser. From Xerces:


http://xerces.apache.org/xerces2-j/faq-xinclude.html

Applications using JAXP 1.3 can enable XInclude processing by  
setting XInclude awareness on the parser factory. The following  
demonstrates how to accomplish this with SAX:



import javax.xml.parsers.SAXParserFactory;

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setNamespaceAware(true);
spf.setXIncludeAware(true);
...


You can also enable XInclude processing by turning on the XInclude  
feature.


BTW, here is an article that has some examples:

http://www.xml.com/pub/a/2002/07/31/xinclude.html

Your example might look like:

<?xml version="1.0"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app xmlns:xi="http://www.w3.org/2001/XInclude">
  <display-name>MyApp</display-name>
  <description>
    My simple webapp.
  </description>

  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>my.servlet</servlet-class>
    <init-param>
      <param-name>someParam</param-name>
      <param-value>
        <!-- someParam.txt just contains the text 'someValue' -->
        <xi:include href="someParam.txt" parse="text">
          <xi:fallback>defaultValue</xi:fallback>
        </xi:include>
      </param-value>
    </init-param>

    <load-on-startup>1</load-on-startup>
  </servlet>

</web-app>




Re: Problem with maximum threads

2009-04-22 Thread connossieur

I realize that my Server.xml is not being used by the Tomcat engine. I mean
the Connector part.
Should I make any modifications anywhere?

And I regret for the last repeated mails. It was sent by mistake.
-Anand

connossieur wrote:
 
 Christopher,
 
 This is my Server.xml
<!-- Note:  A Server is not itself a Container, so you may not
     define subcomponents such as Valves at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at
      /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- JMX Support for the Tomcat server. Documentation at
       /docs/non-existent.html -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A Service is a collection of one or more Connectors that share
       a single Container Note:  A Service is not itself a Container,
       so you may not define subcomponents such as Valves at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!-- A Connector represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
              maxThreads="70" minSpareThreads="20"/>
    <Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="2000"
               redirectPort="8443" />
    <!--   <Connector port="8080" protocol="HTTP/1.1"
               maxThreads="150" connectionTimeout="2"
               redirectPort="8443" /> -->

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- The request dumper valve dumps useful debugging information about
           the request and response data received and sent by Tomcat.
           Documentation at: /docs/config/valve.html -->
      <!--
      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
      -->

      <!-- This Realm uses the UserDatabase configured in the global JNDI
           resources under the key UserDatabase.  Any edits
           that are performed against this UserDatabase are immediately
           available for use by the Realm.  -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Define the default virtual host
           Note: XML Schema validation will not work with Xerces 2.2.
       -->
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false"

Re: GlobalNamingResources outside of server.xml

2009-04-22 Thread André Warnier

Robert Koberg wrote:

I just finished my first cup of coffee
You must be in a different timezone then. We've had to refill the coffee 
machine a couple of times already.

In any case, thank you for your early interest and for your contribution.

 and realized I didn't address
having the external def in the conf directory. You probably do not want 
to rely on each user having the same directory structure, so you can't 
rely on a hard coded absolute or relative path :)



True.

First, let me say I usually put a .properties file in some system 
defined directory and configure at app start up. 

...

Right. I guess this would be the sensible and Servlet Spec compatible 
thing to do in the first place.


Basically, I jumped into this thread because I had a glimpse of a hope 
that the scenario outlined by the OP for (I believe) server.xml, might 
also be applicable for the following kind of practical case, which has 
come up already several times on this list :


I distribute a webapp to customers, as a war file.
In this webapp, are some servlets that I get from third-parties, and 
which need installation-specific settings in the web.xml deployment 
descriptor, settings which are present as <param-name> and 
<param-value>. For example, something like


<param-name>HostToTalkTo</param-name>
<param-value>123.123.45.67</param-value>

Thus, when I send an updated app as a war-file to the customer, this 
customer has to unpack the war-file, edit the web.xml according to their 
specific values, repack the war-file and deploy it on their server.

This is rather messy and unpractical.
I have thus been wondering if there was some clever way by which, 
without changing the way in which these third-party servlets read their 
parameters, one could provide a mechanism that would avoid the 
unpacking/modifying/repacking cycle.


From what I've read so far, in any case it does not seem simple.
From what I understand, it would be possible using Xinclude, but that 
would entail
1) somehow to convince the customer's Tomcat's Xerces parser to be 
Xinclude-aware, which to my naive understanding looks complicated to do, 
(and may/may not have side-effects ?)
2) one would need one Xinclude-d text file per param-value, which looks 
kind of clumsy
3) and the path to these Xinclude-d files would need to be fixed, which 
somehow also conflicts with the hoped-for flexibility


So far thus, it looks still pretty much like a forlorn hope.
Any additional ideas anyone ?

A more general question would be whether someone could think of a way by 
which such an added functionality could be added to Tomcat, without 
breaking the Servlet Spec compatibility ?


For example, would it be legal/compatible to have something like
<param-value>${HostToTalkToIP}</param-value>
and have this valuename defined as a variable somewhere else ?





Re: Problem with maximum threads

2009-04-22 Thread Pid
why not start by creating a backup copy of your server.xml, and then
removing all of the commented out config.

it'll be easier to see what's going on that way...

p



connossieur wrote:
 I realize that my Server.xml is not being used by the Tomcat engine. I mean
 the Connector part.
 Should I make any modifications anywhere?
 
 And I regret for the last repeated mails. It was sent by mistake.
 -Anand
 
 connossieur wrote:
 Christopher,

 This is my Server.xml
<!-- Note:  A Server is not itself a Container, so you may not
     define subcomponents such as Valves at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at
      /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- JMX Support for the Tomcat server. Documentation at
       /docs/non-existent.html -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A Service is a collection of one or more Connectors that share
       a single Container Note:  A Service is not itself a Container,
       so you may not define subcomponents such as Valves at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!-- A Connector represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
              maxThreads="70" minSpareThreads="20"/>
    <Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="2000"
               redirectPort="8443" />
    <!--   <Connector port="8080" protocol="HTTP/1.1"
               maxThreads="150" connectionTimeout="2"
               redirectPort="8443" /> -->

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- The request dumper valve dumps useful debugging information about
           the request and response data received and sent by Tomcat.
           Documentation at: /docs/config/valve.html -->
      <!--
      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
      -->

      <!-- This Realm uses the UserDatabase configured in the global JNDI
           resources under the key UserDatabase.  Any edits
           that are performed against this UserDatabase are immediately
           available for use by the Realm.  -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Define the default virtual host
           Note: XML Schema

Re: windows 2k3 / Tomcat 6 / IIS configuration - randomlylosing sessions

2009-04-22 Thread Rainer Jung
On 22.04.2009 06:44, Caldarale, Charles R wrote:
 From: Menachem Husarsky [mailto:husar...@hotmail.com] Subject: Re:
 Re: windows 2k3 / Tomcat 6 / IIS configuration - randomlylosing
 sessions
 
 Do you have any suggestions for me for how to debug this in a
 finer more controlled fashion?
 
 Have you implemented an HttpSessionListener to track the comings and
 goings?  This, coupled with request/response logging, might at least
 give you a better idea of which is the more likely of the two failure
 scenarios you've considered.

You can also log %{Cookie}i, %{Set-Cookie}o and the actual session id in
your Tomcat access log. You need to activate it and replace the default
pattern "common" by something like e.g.

%h %l %u %t &quot;%r&quot; %s %b
&quot;%{Cookie}i&quot; &quot;%{Set-Cookie}o&quot; %S %D

(all on one line)

Regards,

Rainer
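
One way to read an access log written with the pattern suggested above, as an added example that is not part of the original message: it flags requests where the browser presented one JSESSIONID but Tomcat served the request under a different session or none, which is the "lost session" symptom being debugged. The class name and the three log lines are constructed for the example, and it assumes cookie values contain no double quotes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SessionLossScan {

    // Captures, from  %h %l %u %t "%r" %s %b "%{Cookie}i" "%{Set-Cookie}o" %S %D :
    // 1 = client host, 2 = timestamp, 3 = request line,
    // 4 = Cookie request header, 5 = Set-Cookie response header, 6 = %S session id
    private static final Pattern LINE = Pattern.compile(
          "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"([^\"]*)\" \\S+ \\S+ "
        + "\"([^\"]*)\" \"([^\"]*)\" (\\S+) \\S+$");

    private static final Pattern JSESSIONID =
        Pattern.compile("(?:^|;\\s*)JSESSIONID=([^;\\s]+)");

    /** Returns the JSESSIONID value in a Cookie or Set-Cookie header, or null. */
    static String sessionIdIn(String header) {
        Matcher m = JSESSIONID.matcher(header);
        return m.find() ? m.group(1) : null;
    }

    /** Returns one finding per request whose presented session id was not the one used. */
    static List<String> findReplacedSessions(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) {
                findings.add("UNPARSED: " + line);   // pattern mismatch, do not skip silently
                continue;
            }
            String presented = sessionIdIn(m.group(4)); // what the browser sent
            String issued = sessionIdIn(m.group(5));    // new id set by this response, if any
            String used = m.group(6);                   // %S: session id of the request, "-" if none
            if (presented != null && !presented.equals(used)) {
                findings.add(String.format(
                    "%s [%s] \"%s\": presented %s, served under %s%s",
                    m.group(1), m.group(2), m.group(3), presented, used,
                    issued != null ? ", new id issued: " + issued : ""));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines in the format produced by the pattern above.
        List<String> log = Arrays.asList(
            "192.0.2.10 - - [22/Apr/2009:12:00:01 +0200] \"GET /app/login HTTP/1.1\" 200 512 "
                + "\"-\" \"JSESSIONID=AAA111; Path=/app\" AAA111 35",
            "192.0.2.10 - - [22/Apr/2009:12:00:05 +0200] \"GET /app/home HTTP/1.1\" 200 2048 "
                + "\"JSESSIONID=AAA111\" \"-\" AAA111 12",
            "192.0.2.10 - - [22/Apr/2009:12:00:09 +0200] \"GET /app/cart HTTP/1.1\" 200 900 "
                + "\"JSESSIONID=AAA111\" \"JSESSIONID=BBB222; Path=/app\" BBB222 20");

        for (String finding : findReplacedSessions(log)) {
            System.out.println(finding);
        }
    }
}
```

A log written this way contains live session identifiers, so it needs the same access restrictions as the sessions themselves and should go back to the default pattern once debugging is finished.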




Re: Apache Tomcat 503 errors

2009-04-22 Thread Daryl Stultz
On Tue, Apr 21, 2009 at 6:49 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 mod_proxy_ajp is included in httpd, and there have been /lots/ of
 improvements since 2.2.2. Since you can't upgrade, would you consider
 switching to using mod_jk, which is available independently? The
 configuration is a bit more involved, but you may get better results.


Thanks Chris, I'll look into it.

-- 
Daryl Stultz
_
6 Degrees Software and Consulting, Inc.
http://www.6degrees.com
mailto:da...@6degrees.com


RE: Problem with maximum threads

2009-04-22 Thread Martin Gainty

Anand-
the suggestion of look elsewhere was a red herring

the problem is your Executor takes thread assignments e.g.
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
maxThreads="150" minSpareThreads="4"/>

then Connector is assigned the Executor threadpool 
<Connector executor="tomcatThreadPool"..

Martin 






 Date: Wed, 22 Apr 2009 12:15:22 +0100
 From: p...@pidster.com
 To: users@tomcat.apache.org
 Subject: Re: Problem with maximum threads
 
 why not start by creating a backup copy of your server.xml, and then
 removing all of the commented out config.
 
 it'll be easier to see what's going on that way...
 
 p
 
 
 
 connossieur wrote:
  I realize that my Server.xml is not being used by the Tomcat engine. I mean
  the Connector part.
  Should I make any modifications anywhere?
  
  And I regret for the last repeated mails. It was sent by mistake.
  -Anand
  
  connossieur wrote:
  Christopher,
 
  This is my Server.xml
<!-- Note:  A Server is not itself a Container, so you may not
     define subcomponents such as Valves at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at
      /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- JMX Support for the Tomcat server. Documentation at
       /docs/non-existent.html -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A Service is a collection of one or more Connectors that share
       a single Container Note:  A Service is not itself a Container,
       so you may not define subcomponents such as Valves at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!-- A Connector represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
              maxThreads="70" minSpareThreads="20"/>
    <Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="2000"
               redirectPort="8443" />
    <!--   <Connector port="8080" protocol="HTTP/1.1"
               maxThreads="150" connectionTimeout="2"
               redirectPort="8443" /> -->

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR,

RE: Problem with maximum threads

2009-04-22 Thread Caldarale, Charles R
 From: connossieur [mailto:anand.b...@aricent.com]
 Subject: Re: Problem with maximum threads
 
 I realize that my Server.xml is not being used by the Tomcat engine.

I hope you also realize the file name must be server.xml, not Server.xml (case 
matters).

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: GlobalNamingResources outside of server.xml

2009-04-22 Thread Caldarale, Charles R
 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: GlobalNamingResources outside of server.xml
 
 In this webapp, are some servlets that I get from third-parties, and
 which need installation-specific settings in the web.xml deployment
 descriptor, settings which are present as <param-name> and
 <param-value>.

Rather than having those parameters in WEB-INF/web.xml, put them in a 
separately distributed <Context> element as nested <Parameter> elements.  Have 
the customer place this <Context> element in conf/Catalina/[host]/[appName].xml 
at deployment time; this will avoid having to modify the .war file.

 - Chuck





Re: Fun with the JVM crashing.

2009-04-22 Thread grappler


Christopher Schultz-2 wrote:
 
 
 Chuck,
 
 Caldarale, Charles R wrote:
 From: Bill Davidson [mailto:bill...@gmail.com]
 Subject: Fun with the JVM crashing.
 
 I'm thinking that the JVM shouldn't be getting SIGSEGV's.
 
 You're right about that. However, it could also be an OS or hardware 
 problem. You might want to run some serious memory tests on the box, 
 just to eliminate the latter.
 
 +100!
 
 What is the architecture? Do you have physical access? If it's x86 and
 you do have physical access, 100% you should run memtest86+ against it.
 Let it run all night.
 
 If it's a production server, replace it with one you trust and then
 figure out what the problem is with the old box.
 
 We had 6 app servers at [bloated CA name removed to protect the guilty]
 in production and 2 of them were giving us SIG11's. The solution was to
 throw them out and replace them with 2 new ones. One of those sucked,
 too, so we had to play server-roulette again before we got all 6 good
 ones.
 
 Good luck,
 - -chris
 
 
 

We had a similar problem. After running fine for a couple of years, Tomcat
on one of our servers started to die every 2 or so hours with the dreaded
SIGSEGV (0xb) errors. Since the identical versions of java as well as tomcat
were running on our other machines and they had no problems, it would seem
to point to a hardware problem on the crashing server.

We had our hosting company swap the memory out of that machine and it looks
good so far.



RE: R: Apache / Tomcat Load Balanced mode

2009-04-22 Thread Karthik Nanjangude

Hi

Thx for the reply

 restrict based on roles so in /conf/tomcat-users.xml

By using the AAA Realm, UserId / Passwd would be definitely a usage,

But the intention for doing the same is NOT to expose the /admin/*  to 
INTERNET and reply with  ERROR 404 for the same,

But in case of INTRANET usage access for /admin/* should be provided

Note:-
The admin also has a set of Log-in credentials as similar to normal
non admin  case, So using realm would double up the process un-necessarily.


Please appreciate this process for more ideas !


With regards
Karthik

-Original Message-
From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Tuesday, April 21, 2009 8:10 PM
To: Tomcat Users List
Subject: RE: R: Apache / Tomcat Load Balanced mode


you can restrict based on roles so in /conf/tomcat-users.xml you can define 
username fubar
to role 'newrole'
 <user username="fubar" password="fubar" roles="newrole"/>

then in WebAppName/WEB-INF/web.xml
  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTMLManger and Manager command</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <!-- NOTE:  This role is not present in the default users file -->
       <role-name>newrole</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- security-role is a sibling of security-constraint under web-app -->
  <security-role>
    <role-name>newrole</role-name>
  </security-role>

any access to YourWebAppName/admin are enabled only to role='newrole'

Martin






 From: karthik.nanjang...@xius-bcgi.com
 To: users@tomcat.apache.org
 Date: Tue, 21 Apr 2009 18:19:42 +0530
 Subject: RE: R: Apache / Tomcat   Load Balanced mode

 Hi

 Thx for the same

 Web application would be installed on 3 nodes of Tomcat below the single load 
 balancer of Apache http 2.x server

  www.acme.com  being exposed to INTERNET
 
  www.acme.com/admin    being exposed to INTRANET



 We would like to block the /admin from the INTERNET access
 If some body uses /admin the response should be blocked

 If the same /admin is to be used within the INTRANET local access
 We should be able to display the credentials


 How To achieve the same ?


 With regards
 karthik







 -Original Message-
 From: Rainer Jung [mailto:rainer.j...@kippdata.de]
 Sent: Tuesday, April 21, 2009 12:51 PM
 To: Tomcat Users List
 Subject: Re: R: Apache / Tomcat Load Balanced mode

 On 21.04.2009 09:06, Leandro Dardini wrote:
 
 
  -Original Message- From: Karthik Nanjangude
  [mailto:karthik.nanjang...@xius-bcgi.com] Sent: Tuesday, 21
  April 2009 7.34 To: Tomcat Users List Subject: Apache / Tomcat Load
  Balanced mode
 
  Hi
 
  Would the same work with Apache / Tomcat   Load Balanced mode
 
  Configuration for single installation of the web application
  acme
 
 
  www.acme.com  being exposed to INTERNET
 
  www.acme.com/admin    being exposed to INTRANET
 
 
  Reason :  The application uses a single DB  to request of orders
  (from Subscribers) and  same URL  with *admin*  would process the
  orders ( Internal Employees) and  should not be exposed to outside
  world.
 
 
  Is there any Configuration with in Apache or Tomcat to achieve the
  same?
 
 
 
  With regards Karthik
 
 
 
  Maybe I don't understand your question, but to me there is no
  difference in configuring access in Load Balanced or not Load
  Balanced mode.
 
  As regarding the admin section, you can filter it using apache access
  control.

 I agree, load balancing seems to be not related to the question.


Tomcat Security and Struts

2009-04-22 Thread Mighty Tornado
Tomcat 6
Struts 1.3
OS: MacOS X - Leopard

Hi,

I am trying to make sure my app requires a login. So I configured the
following in my deployment descriptor:

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>admin</web-resource-name>
     <url-pattern>*.do</url-pattern>
     <http-method>POST</http-method>
   </web-resource-collection>

   <auth-constraint>
     <role-name>member</role-name>
   </auth-constraint>

   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

 <login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
     <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
     <form-error-page>/WEB-INF/JSP/loginError.jsp</form-error-page>
   </form-login-config>
 </login-config>


However, when I follow the links in my app the login page doesn't come in.


Any ideas as to what I am doing wrong?


Thanks.


RE: R: Apache / Tomcat Load Balanced mode

2009-04-22 Thread Caldarale, Charles R
 From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
 Subject: RE: R: Apache / Tomcat Load Balanced mode
 
 But the intention for doing the same is NOT to expose the /admin/*
 to INTERNET and reply with  ERROR 404 for the same,
 
 But in case of INTRANET usage access for /admin/* should be provided

Write a filter that rejects requests for /admin or /admin/* when the request 
arrives from a non-intranet address.

 - Chuck





Re: Tomcat Security and Struts

2009-04-22 Thread Mikolaj Rydzewski

Mighty Tornado wrote:

   <http-method>POST</http-method>
  
Why do you want to restrict access only to requests with POST method? I 
usually do not use http-method element.

   <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
  
I'm not sure if login page will work if it is located under WEB-INF 
directory.


--
Mikolaj Rydzewski m...@ceti.pl





Re: R: Apache / Tomcat Load Balanced mode

2009-04-22 Thread Mark Thomas
Caldarale, Charles R wrote:
 From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
 Subject: RE: R: Apache / Tomcat Load Balanced mode

 But the intention for doing the same is NOT to expose the /admin/*
 to INTERNET and reply with  ERROR 404 for the same,

 But in case of INTRANET usage access for /admin/* should be provided
 
 Write a filter that rejects requests for /admin or /admin/* when the request 
 arrives from a non-intranet address.

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
Remote Address Filter or Remote Host Filter

Mark






Re: Tomcat Security and Struts

2009-04-22 Thread Mark Thomas
Mighty Tornado wrote:
 Tomcat 6
 Struts 1.3
 OS: MacOS X - Leopard
 
 Hi,
 
 I am trying to make sure my app requires a login. So I configured the
 <url-pattern>*.do</url-pattern>
<url-pattern>/*</url-pattern> will protect everything.

 <http-method>POST</http-method>
This only protects the POST method. GETs will not be restricted. I'd
remove this line.

Mark





Re: Undeploy does not delete all .jar files

2009-04-22 Thread JT
I took everything out of my conf/context.xml file except for
WatchedResource.  This includes


<Context path="/xxx" docBase="xxx" debug="1" reloadable="true" />

<Logger className="org.apache.catalina.logger.FileLogger"
directory="logs"  prefix="localhost_log." suffix=".txt" timestamp="true"/>

<Resource name="jdbc/xxx" auth="Container" type="javax.sql.DataSource"
driverClassName="oracle.jdbc.driver.OracleDriver" url="jdbc:oracle:thin:@

./>

I have the context.xml file in my webapps/xxx/WEB-INF/classes/META-INF

I deleted the xxx directory under webapps, everything under the work
directory, restarted tomcat, dropped the new xxx.war file in webapps.  New
xxx directory appears with the context.xml in the above location.  I go to
the manager website and select undeploy and still the same .jars under
xxx/WEB-INF/lib.

JT


On Tue, Apr 21, 2009 at 5:29 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 JT,

 On 4/21/2009 4:35 PM, JT wrote:
  That didn't work either.  This is what I did.
 
  I put back what I had in the conf/context.xml file.  I still had the path
  and docBase

 Yeah, that's still a problem. Here's what your conf/context.xml should
 look like (minus standard comments).

 <Context>
   <WatchedResource>WEB-INF/web.xml</WatchedResource>
 </Context>

 Adding the path and docBase attributes will break pretty much
 everything, either now or later. Please take them out whether you
 understand or not.

  <Context antiJARLocking="true"  antiResourceLocking="true"/>

 That's good.

  That's all that i have in that file.  I deleted everything under work and
  there was not a file in conf/Catalina/localhost/test.xml.  There was only
  host-manager.xml and manger.xml.  Then I restarted Tomcat and added the
 new
  .war file to webapps and that created a new directory, but still it would
  not undeploy correctly.

 Make the above changes and try again. It still might not fix your issue,
 but putting docBase and path into your Context like this will lead to
 lots of troubles.

 - -chris




RE: Tomcat Security and Struts

2009-04-22 Thread Caldarale, Charles R
 From: Mighty Tornado [mailto:mighty.torn...@gmail.com]
 Subject: Tomcat Security and Struts
 
 I am trying to make sure my app requires a login. So I configured the
 following in my deployment descriptor:
 
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
      <form-error-page>/WEB-INF/JSP/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

Where is your <security-role> section?

 - Chuck
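
Added example, not code from the thread: a small Java check for the two descriptor gaps raised in these replies, an `<http-method>` list that leaves other methods unrestricted (Mark's reply) and a role used in an `<auth-constraint>` without a `<security-role>` declaration (Chuck's question above). The class name `WebXmlConstraintAudit` and the embedded sample descriptor are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (hypothetical class): flags two gaps in a web.xml descriptor. */
public class WebXmlConstraintAudit {

    // Constructed sample that mirrors the descriptor posted in the thread.
    static final String SAMPLE =
          "<web-app>"
        + "<security-constraint>"
        + "<web-resource-collection>"
        + "<web-resource-name>admin</web-resource-name>"
        + "<url-pattern>*.do</url-pattern>"
        + "<http-method>POST</http-method>"
        + "</web-resource-collection>"
        + "<auth-constraint><role-name>member</role-name></auth-constraint>"
        + "</security-constraint>"
        + "<login-config><auth-method>FORM</auth-method></login-config>"
        + "</web-app>";

    /** Trimmed text of every descendant element with the given tag name. */
    static List<String> texts(Element parent, String tag) {
        List<String> out = new ArrayList<String>();
        NodeList nodes = parent.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(nodes.item(i).getTextContent().trim());
        }
        return out;
    }

    static List<String> audit(Document doc) {
        List<String> findings = new ArrayList<String>();
        Element root = doc.getDocumentElement();

        // Roles declared through <security-role> (not <security-role-ref>).
        Set<String> declared = new HashSet<String>();
        NodeList roles = root.getElementsByTagName("security-role");
        for (int i = 0; i < roles.getLength(); i++) {
            declared.addAll(texts((Element) roles.item(i), "role-name"));
        }

        NodeList constraints = root.getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element sc = (Element) constraints.item(i);

            // Gap 1: listing methods restricts only those methods.
            NodeList colls = sc.getElementsByTagName("web-resource-collection");
            for (int j = 0; j < colls.getLength(); j++) {
                Element wrc = (Element) colls.item(j);
                List<String> methods = texts(wrc, "http-method");
                if (!methods.isEmpty()) {
                    findings.add("constraint on " + texts(wrc, "url-pattern")
                        + " covers only " + methods
                        + "; other HTTP methods are not restricted");
                }
            }

            // Gap 2: a role named in auth-constraint but never declared.
            NodeList auths = sc.getElementsByTagName("auth-constraint");
            for (int j = 0; j < auths.getLength(); j++) {
                for (String role : texts((Element) auths.item(j), "role-name")) {
                    if (!"*".equals(role) && !declared.contains(role)) {
                        findings.add("role '" + role + "' is used in an auth-constraint"
                            + " but not declared in a <security-role>");
                    }
                }
            }
        }
        return findings;
    }

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A descriptor may arrive inside a third-party WAR: never resolve external entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // With no argument the constructed sample is audited; otherwise the given file.
        byte[] xml = args.length > 0
            ? java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(args[0]))
            : SAMPLE.getBytes("UTF-8");
        for (String finding : audit(parse(xml))) {
            System.out.println("FINDING: " + finding);
        }
    }
}
```
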





RE: Undeploy does not delete all .jar files

2009-04-22 Thread Caldarale, Charles R
 From: JT [mailto:jltoo...@gmail.com]
 Subject: Re: Undeploy does not delete all .jar files
 
 I took everything out of my conf/context.xml file except for
 WatchedResource.  This includes
 
 <Logger className="org.apache.catalina.logger.FileLogger"
 directory="logs"  prefix="localhost_log." suffix=".txt"
 timestamp="true"/>

Your config is extremely suspect, since 5.5 does not have any <Logger> 
elements.  Given that lots of config items have changed both syntax and 
semantics compared with older Tomcat levels, you may need to start from scratch 
with a clean 5.5 (or 6.0) installation, and update the newer Tomcat one step at 
a time.  Do not blindly copy anything from an older version - read the doc and 
update the newer config appropriately.

 I have the context.xml file in my webapps/xxx/WEB-INF/classes/META-INF

That's another major error; the location should be 
webapps/xxx/META-INF/context.xml.

 - Chuck





Re: Tomcat Security and Struts

2009-04-22 Thread Mighty Tornado
You are right:
I just fixed this mistake - added

<security-role>
  <role-name>member</role-name>
</security-role>


into my web.xml


However, when I try to access my URL the browser gives me the following
message:


Data Transfer Interrupted

On Wed, Apr 22, 2009 at 10:26 AM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: Mighty Tornado [mailto:mighty.torn...@gmail.com]
  Subject: Tomcat Security and Struts
 
  I am trying to make sure my app requires a login. So I configured the
  following in my deployment descriptor:
 
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>admin</web-resource-name>
       <url-pattern>*.do</url-pattern>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>member</role-name>
     </auth-constraint>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
       <form-error-page>/WEB-INF/JSP/loginError.jsp</form-error-page>
     </form-login-config>
   </login-config>

 Where is your <security-role> section?

  - Chuck






form based authentication

2009-04-22 Thread Jill Han
I tried to use form based authentication with JNDIRealm.  What I want to
accomplish is to have the two applications with the same realm be
authenticated once. It seems the tomcat ignored the realm. I have to
login twice. For example: when I login to http://localhost:8080/app1
successfully, then change the url to http://localhost:8080/app2, the
login page will be prompted again. I hope I describe my issue clearly.

Here is the snippet of web.xml for the app1 and app2

..

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>FACRES</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
  </security-role>

..

Here is the login.jsp

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Login Page</title>
  </head>
  <body>
  <form method="POST" action="j_security_check">
    <input type="text" name="j_username">
    <br>
    <input type="password" name="j_password">
    <br>
    <input type="submit">
  </form>
  </body>
</html>

 

Your help will be appreciated very much as always.

 

Jill



Re: Tomcat Security and Struts

2009-04-22 Thread Mikolaj Rydzewski

Mark Thomas wrote:

 <url-pattern>/*</url-pattern> will protect everything.
  
If  your login page uses any external assets (images, stylesheets, etc), 
it will become corrupted (assets won't load).


--
Mikolaj Rydzewski m...@ceti.pl





Tomcat does not shut down

2009-04-22 Thread Matthew Chambers
Hey guys.  Just recently, I've started to have this problem with Tomcat not 
shutting down if the server has handled lots of traffic.  Our test servers, 
which have very small amount of traffic, shut down fine.  I have to manually 
kill the Tomcat process.  If I run it in the foreground, ctr-c hangs forever.  
We're using Tomcat 6.0.18.  The main components of our web application are 
Spring 2.5, Oracle 10, and Ice.  Any tips that I can use to figure out what the 
server is doing or help it shut down quicker would be great.  Thanks

-Matt








Re: R: Apache / Tomcat Load Balanced mode

2009-04-22 Thread André Warnier

Mark Thomas wrote:

Caldarale, Charles R wrote:

From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
Subject: RE: R: Apache / Tomcat Load Balanced mode

But the intention for doing the same is NOT to expose the /admin/*
to INTERNET and reply with  ERROR 404 for the same,

But in case of INTRANET usage access for /admin/* should be provided

Write a filter that rejects requests for /admin or /admin/* when the request 
arrives from a non-intranet address.


http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
Remote Address Filter or Remote Host Filter


Wait, does that not block *all* accesses to that host ?




RE: R: Apache / Tomcat Load Balanced mode

2009-04-22 Thread Caldarale, Charles R
 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: R: Apache / Tomcat Load Balanced mode
 
  http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
  Remote Address Filter or Remote Host Filter
 
 Wait, does that not block *all* accesses to that host ?

Yes, which is why I suggested a filter, which could be configured for just 
/admin/*.  I'm not aware of any means of configuring valves for specific URL 
patterns.

 - Chuck
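
Added example, not part of the thread and not Tomcat code: one way to write the filter suggested above, against the `javax.servlet` API that Tomcat 6 uses. The class name `IntranetOnlyFilter`, its `allowedCidrs` init-param and the network value mentioned in the comment are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not Tomcat code. IntranetOnlyFilter and its "allowedCidrs"
 * init-param are hypothetical names. Declare the filter in WEB-INF/web.xml,
 * set allowedCidrs to the intranet networks (10.0.0.0/8 is a placeholder),
 * and map it to the admin URL pattern so only those requests pass through it.
 */
public class IntranetOnlyFilter implements Filter {

    private static final class Cidr {
        final byte[] net;   // network address bytes
        final int prefix;   // prefix length in bits

        Cidr(byte[] net, int prefix) {
            this.net = net;
            this.prefix = prefix;
        }

        boolean contains(byte[] addr) {
            if (addr.length != net.length) {
                return false; // an IPv4 network never matches an IPv6 client
            }
            int fullBytes = prefix / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (addr[i] != net[i]) {
                    return false;
                }
            }
            int rest = prefix % 8; // bits left to compare in a partial byte
            int mask = (0xFF << (8 - rest)) & 0xFF;
            return rest == 0 || (addr[fullBytes] & mask) == (net[fullBytes] & mask);
        }
    }

    private final List<Cidr> allowed = new ArrayList<Cidr>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedCidrs");
        if (param == null || param.trim().length() == 0) {
            // Fail at deployment instead of silently admitting everyone.
            throw new ServletException("allowedCidrs init-param is required");
        }
        for (String entry : param.split(",")) {
            String[] parts = entry.trim().split("/");
            try {
                if (parts[0].length() == 0) { // getByName("") would mean loopback
                    throw new UnknownHostException("empty network");
                }
                // Literal addresses only: a host name here causes a DNS lookup.
                byte[] net = InetAddress.getByName(parts[0]).getAddress();
                int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
                if (prefix < 0 || prefix > net.length * 8) {
                    throw new NumberFormatException("prefix out of range");
                }
                allowed.add(new Cidr(net, prefix));
            } catch (UnknownHostException e) {
                throw new ServletException("Bad network: " + entry, e);
            } catch (NumberFormatException e) {
                throw new ServletException("Bad prefix length: " + entry, e);
            }
        }
    }

    /** Package-visible so the address check can be tested without a container. */
    boolean isAllowed(String remoteAddr) {
        if (remoteAddr == null || remoteAddr.length() == 0) {
            return false; // getByName(null) and getByName("") return loopback
        }
        try {
            byte[] addr = InetAddress.getByName(remoteAddr).getAddress();
            for (Cidr c : allowed) {
                if (c.contains(addr)) {
                    return true;
                }
            }
        } catch (UnknownHostException e) {
            // Unparseable address: fall through and deny.
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the peer as Tomcat sees it: over AJP from httpd that
        // is the original client, behind an HTTP reverse proxy it is the proxy.
        if (isAllowed(req.getRemoteAddr())) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    public void destroy() { }
}
```
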





Re: R: Apache / Tomcat Load Balanced mode

2009-04-22 Thread Mark Thomas
André Warnier wrote:
 Mark Thomas wrote:
 Caldarale, Charles R wrote:
 From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
 Subject: RE: R: Apache / Tomcat Load Balanced mode

 But the intention for doing the same is NOT to expose the /admin/*
 to INTERNET and reply with  ERROR 404 for the same,

 But in case of INTRANET usage access for /admin/* should be provided
 Write a filter that rejects requests for /admin or /admin/* when the
 request arrives from a non-intranet address.

 http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
 Remote Address Filter or Remote Host Filter

 Wait, does that not block *all* accesses to that host ?

I'd assumed that admin was a separate context and therefore could have a
valve applied. If not, just do it in httpd.

Mark





RE: Tomcat does not shut down

2009-04-22 Thread Caldarale, Charles R
 From: Matthew Chambers [mailto:chamb...@imageworks.com]
 Subject: Tomcat does not shut down
 
 Any tips that I can use to figure out what the server is doing or help
 it shut down quicker would be great.

And a thread dump shows ...?

Use jstack to get one, if needed.

 - Chuck





Re: R: Apache / Tomcat Load Balanced mode

2009-04-22 Thread André Warnier

Mark Thomas wrote:

André Warnier wrote:

Mark Thomas wrote:

Caldarale, Charles R wrote:

From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
Subject: RE: R: Apache / Tomcat Load Balanced mode

But the intention for doing the same is NOT to expose the /admin/*
to INTERNET and reply with  ERROR 404 for the same,

But in case of INTRANET usage access for /admin/* should be provided

Write a filter that rejects requests for /admin or /admin/* when the
request arrives from a non-intranet address.

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
Remote Address Filter or Remote Host Filter


Wait, does that not block *all* accesses to that host ?


I'd assumed that admin was a separate context and therefore could have a
valve applied. If not, just do it in httpd.

Do you mean that the Valve can be inserted at the context.xml level, 
rather than inside the Host ?





Re: Problem with maximum threads

2009-04-22 Thread Christopher Schultz

Anand,

On 4/22/2009 1:35 AM, connossieur wrote:
 This is my Server.xml

Note you have two connectors defined:

  <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
    maxThreads="70" minSpareThreads="20"/>
  <Connector executor="tomcatThreadPool"
    port="80" protocol="HTTP/1.1"
    connectionTimeout="2000"
    redirectPort="8443" />

This connector uses the tomcatThreadPool executor which will use threads
with names starting with catalina-exec-.

 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

This Connector uses its own thread management, and defaults to 200 max
threads (http://tomcat.apache.org/tomcat-6.0-doc/connectors.html).

If you want the AJP connector to share the 70 threads configured above,
you need to set the executor attribute on this Connector as well.

 Do you think this has a problem? I'll try to upload the thread Dump to my
 website and send a link.

If you have 1000 threads running in your java process, then either
Tomcat has a *huge* bug (unlikely) or your application is going crazy. A
thread dump will help diagnose.

- -chris



Re: R: Apache / Tomcat Load Balanced mode

2009-04-22 Thread Mark Thomas
André Warnier wrote:
 Mark Thomas wrote:
 André Warnier wrote:
 Mark Thomas wrote:
 I'd assumed that admin was a separate context and therefore could have a
 valve applied. If not, just do it in httpd.

 Do you mean that the Valve can be inserted at the context.xml level,
 rather than inside the Host ?

Yes. Valves are valid at Engine, Host and Context level.

Mark






Re: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Christopher Schultz

Chuck,

On 4/21/2009 8:48 PM, Caldarale, Charles R wrote:
 It's really 64 MB, of which 32.5 MB is available for allocation.  The
 8 MB is the initial amount available for allocation.  (If this sounds
 unnecessarily complicated, that's only because it is, with emphasis
 on the unnecessarily.)

Gotcha. I thought the heap configuration was the current config, but
it's the initial configuration. That information is ... not particularly
useful. It's too bad they don't have a summary of the /current/ heap
configuration anywhere. You have to read the details (which, I admit,
isn't that bad). It's also a shame that the values for -Xmx aren't
shown, so you'd know how big your heap could get. I'm not assigning any
specific values, so I'm getting the default for my jvm/client/physical
memory size, which I won't know unless I query the Runtime object.

 I'd love some help interpreting the heap info I see above.
 
 Anything in particular?

Just what you already did. Thanks!

- -chris



RE: R: Apache / Tomcat Load Balanced mode

2009-04-22 Thread Caldarale, Charles R
 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: R: Apache / Tomcat Load Balanced mode
 
 Do you mean that the Valve can be inserted at the context.xml level,
 rather than inside the Host ?

Yes.  I had made the opposite assumption to Mark T, in that I thought admin was 
part of the ROOT context.

 - Chuck





Re: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Christopher Schultz

Mark,

On 4/21/2009 10:27 PM, mark_desp...@mcafee.com wrote:
 Ok, so my wife actually wrote a couple of month ago in Japanese about
 using strategy for leveraging the Insane library and a continuous
 integration server in order to prevent webapp classloader leakage
 issues from creeping in.

I'll definitely take a look at this (in English -- tell her thanks!).

 With this in place, you can then setup your test environment to
 exercise a given webapp, shut it down, and then invoke your
 ScannerUtils code to see if that the webapp's classloader is still
 hanging around.

This is super sexy! What a nice job. I'll have to read-up on the Insane
library, but my suspicion is that you probably don't really need it...
all the RTTI information is available from the objects themselves, and
the code should be relatively simple just tons and tons of loops and
recursive calls.

 A word of warning... this is a very heavy weight operation.

Heh, you think? That's why this type of testing should be done in
development and not in production ;

- -chris



Re: Tomcat Security and Struts

2009-04-22 Thread Christopher Schultz

Mikolaj,

On 4/22/2009 9:58 AM, Mikolaj Rydzewski wrote:
 Mighty Tornado wrote:
 I'm not sure if login page will work if it is located under WEB-INF
 directory.

Of course it will. There's nothing special about the WEB-INF directory
that would prevent it from working.

-chris



Re: form based authentication

2009-04-22 Thread Christopher Schultz

Jill,

On 4/22/2009 10:46 AM, Jill Han wrote:
 I tried to use form based authentication with JNDIRealm.  What I want to
 accomplish is to have the two applications with the same realm be
 authenticated once. It seems the tomcat ignored the realm. I have to
 login twice.

You're looking for SSI (Single Sign-On):

http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

-chris



RE: Tomcat Security and Struts

2009-04-22 Thread Caldarale, Charles R
 From: Mikolaj Rydzewski [mailto:m...@ceti.pl]
 Subject: Re: Tomcat Security and Struts
 
 Mark Thomas wrote:
  <url-pattern>/*</url-pattern> will protect everything.
 
 If  your login page uses any external assets (images, stylesheets,
 etc), it will become corrupted (assets won't load).

Care to explain that?  The above construct seems to work fine for our static 
resources.

 - Chuck





RE: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Caldarale, Charles R
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Subject: Re: Headstart on Resolving OOM-PermGen errors on webapp
 reload
 
 It's also a shame that the values for -Xmx aren't shown

It is - it's the MaxHeapSize under Heap Configuration.

The odd thing in your report is MaxNewSize, which is clearly out of whack; not 
sure at this point where that comes from.

 - Chuck





mod_jk, not sure if an issue

2009-04-22 Thread André Warnier

Hi.

As (maybe) part of another issue which I am still trying to track down 
with the concerned network people (client write errors, Sample 2 below), 
I find the following kind of messages regularly in the mod_jk logfile 
(Sample 1).
I just want to know if this indicates a problem somewhere, or if these 
are normal occurrences.
These [info] messages do not always come as often as shown below, but 
seem to come with some regularity nevertheless.


Basically, my question is whether this indicates that there might be a 
discrepancy between front-end and back(-)end or something of the kind, 
or if there is some other parameter to adjust to make these go away.


Apache 2.x prefork MPM
mod_jk 1.2.27
Tomcat 5.5.x
under RHEL, single host

JkLogLevel  info
and
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
# new options since 1.2.27 :
worker.ajp13.ping_mode=A
(single worker, no load balancing)

back-end Connector :
<Connector port="8009"
 enableLookups="false" redirectPort="8443" protocol="AJP/1.3"
 maxThreads="150" minSpareThreads="25" maxSpareThreads="100" backlog="100" />



Sample 1 :


[Tue Apr 21 13:34:59 2009] GET /myapp/normen/servlet.myapp 200 0.007701 4897
[Tue Apr 21 13:34:59 2009] GET /myapp/normen/servlet.myapp 200 0.004344 1457
[Tue Apr 21 13:34:59 2009] GET /myapp/normen/servlet.myapp 200 0.101926 1945
[Tue Apr 21 13:34:59 2009] GET /myapp/normen/servlet.myapp 200 0.322939 296975
[Tue Apr 21 13:35:14 2009] POST /myapp/normen/servlet.myapp 200 0.032625 1576

[Tue Apr 21 13:35:14 2009] GET /myapp/normen/servlet.myapp 200 0.003084 4176
[Tue Apr 21 13:35:14 2009] [18753:2537034048] [info] ajp_connection_tcp_send_message::jk_ajp_common.c (1064): sendfull for socket 16 returned -32 (errno=32)
[Tue Apr 21 13:35:14 2009] [18753:2537034048] [info] ajp_handle_cping_cpong::jk_ajp_common.c (855): can't send cping query
[Tue Apr 21 13:35:14 2009] [18753:2537034048] [info] ajp_maintain::jk_ajp_common.c (3046): (ajp13) failed sending request, socket -1 keepalive cping/cpong failure (errno=32)

[Tue Apr 21 13:35:14 2009] GET /myapp/normen/servlet.myapp 200 0.010538 1366
[Tue Apr 21 13:35:14 2009] GET /myapp/normen/servlet.myapp 200 0.002768 2507
[Tue Apr 21 13:35:14 2009] GET /myapp/normen/servlet.myapp 200 0.002658 1999
[Tue Apr 21 13:35:17 2009] POST /myapp/normen/servlet.myapp 200 0.060688 21560
[Tue Apr 21 13:35:19 2009] POST /myapp/normen/servlet.myapp 200 0.017692 23635
[Tue Apr 21 13:35:22 2009] POST /myapp/normen/servlet.myapp 200 1.032645 21400
[Tue Apr 21 13:35:34 2009] [30410:2537034048] [info] ajp_connection_tcp_send_message::jk_ajp_common.c (1064): sendfull for socket 16 returned -32 (errno=32)
[Tue Apr 21 13:35:34 2009] [30410:2537034048] [info] ajp_handle_cping_cpong::jk_ajp_common.c (855): can't send cping query
[Tue Apr 21 13:35:34 2009] [30410:2537034048] [info] ajp_maintain::jk_ajp_common.c (3046): (ajp13) failed sending request, socket -1 keepalive cping/cpong failure (errno=32)
[Tue Apr 21 13:35:34 2009] POST /myapp/normen/servlet.myapp 200 0.071825 20753
[Tue Apr 21 13:35:36 2009] POST /myapp/normen/servlet.myapp 200 0.115782 14137
[Tue Apr 21 13:35:56 2009] [30413:2537034048] [info] ajp_connection_tcp_send_message::jk_ajp_common.c (1064): sendfull for socket 1 returned -32 (errno=32)
[Tue Apr 21 13:35:56 2009] [30413:2537034048] [info] ajp_handle_cping_cpong::jk_ajp_common.c (855): can't send cping query
[Tue Apr 21 13:35:56 2009] [30413:2537034048] [info] ajp_maintain::jk_ajp_common.c (3046): (ajp13) failed sending request, socket -1 keepalive cping/cpong failure (errno=32)
[Tue Apr 21 13:35:56 2009] POST /myapp/normen/servlet.myapp 200 0.040233 20753
[Tue Apr 21 13:35:57 2009] [29827:2537034048] [info] ajp_connection_tcp_send_message::jk_ajp_common.c (1064): sendfull for socket 16 returned -32 (errno=32)
[Tue Apr 21 13:35:57 2009] [29827:2537034048] [info] ajp_handle_cping_cpong::jk_ajp_common.c (855): can't send cping query
[Tue Apr 21 13:35:57 2009] [29827:2537034048] [info] ajp_maintain::jk_ajp_common.c (3046): (ajp13) failed sending request, socket -1 keepalive cping/cpong failure (errno=32)
[Tue Apr 21 13:35:57 2009] POST /myapp/normen/servlet.myapp 200 0.036396 12264

[Tue Apr 21 13:36:36 2009] GET /myapp/normen/servlet.myapp 200 0.292587 1409
[Tue Apr 21 13:36:36 2009] GET /myapp/normen/servlet.myapp 200 0.010833 6729
[Tue Apr 21 13:36:36 2009] GET /myapp/normen/servlet.myapp 200 0.015750 3484
[Tue Apr 21 13:36:36 2009] GET /myapp/normen/servlet.myapp 200 0.032983 2915



Sample 2 : (for illustration of the other issue only)

[Tue Apr 21 13:15:32 2009] GET /myapp/normen/servlet.myapp 200 0.016737 6729
[Tue Apr 21 13:15:32 2009] GET /myapp/normen/servlet.myapp 200 0.019133 3484
[Tue Apr 21 13:15:32 2009] GET /myapp/normen/servlet.myapp 200 0.010458 2915
[Tue Apr 21 13:15:32 2009] GET /myapp/normen/servlet.myapp 200 0.112756 18897
[Tue Apr 21 13:15:44 2009] [29831:2537034048] [info] 

Re: Tomcat Security and Struts

2009-04-22 Thread André Warnier

Caldarale, Charles R wrote:

From: Mikolaj Rydzewski [mailto:m...@ceti.pl]
Subject: Re: Tomcat Security and Struts

Mark Thomas wrote:

<url-pattern>/*</url-pattern> will protect everything.


If  your login page uses any external assets (images, stylesheets,
etc), it will become corrupted (assets won't load).


Care to explain that?  The above construct seems to work fine for our static 
resources.

Maybe this : if the login page itself contains a link to a gif located 
in the same area, trying to load that gif will also hit the 
authentication bit, and trigger another login page, before the first 
even finishes displaying ?





RE: form based authentication

2009-04-22 Thread Jill Han
Thanks,
I commented off SingleSignOn as instructed on the link. 
<Host name="localhost" ...>
  ...
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
 debug="0"/>
  ...
</Host>

However, this makes authentication activated only once although the 
applications have different realms.
For example,
App1 and app2 have the same realm in web.xml, I just need to login once which 
is what I want to see.
however app3 has different realm in web.xml. when I change the url from app1 to 
app3, 
it didn't trigger the login page and allowed me in.
is there anything else missing?

Jill
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, April 22, 2009 11:11 AM
To: Tomcat Users List
Subject: Re: form based authentication


Jill,

On 4/22/2009 10:46 AM, Jill Han wrote:
 I tried to use form based authentication with JNDIRealm.  What I want to
 accomplish is to have the two applications with the same realm be
 authenticated once. It seems the tomcat ignored the realm. I have to
 login twice.

You're looking for SSI (Single Sign-On):

http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

-chris



RE: Tomcat Security and Struts

2009-04-22 Thread Caldarale, Charles R
 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Tomcat Security and Struts
 
 Maybe this : if the login page itself contains a link to a gif located
 in the same area, trying to load that gif will also hit the
 authentication bit, and trigger another login page, before the first
 even finishes displaying ?

Of course; I was thinking basic authentication, not form.

 - Chuck





RE: form based authentication

2009-04-22 Thread Caldarale, Charles R
 From: Jill Han [mailto:jill@alverno.edu]
 Subject: RE: form based authentication
 
 However, this makes authentication activated only once although the
 applications have different realms.

To quote from the SSO doc:

All web applications configured for this virtual host must share the same 
Realm.

http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

Can you separate the various Realms by Host?  Or are you stuck with a 
single Host?

 - Chuck





RE: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Mark_Despain
Yeah, Insane just using reflection and a graph traversal algorithm to get the 
job done.  It looks like this is implemented by 
org.netbeans.insane.impl.InsaneEngine. 


Oh, and I found my copy of the Insane source.  The third argument to 
ScannerUtils.scan() should be true since that is what signals to InsaneEngine 
that static fields should be traversed during the heap walk.

~Mark 
 
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, April 22, 2009 9:05 AM
To: Tomcat Users List
Subject: Re: Headstart on Resolving OOM-PermGen errors on webapp reload


Mark,

On 4/21/2009 10:27 PM, mark_desp...@mcafee.com wrote:
 Ok, so my wife actually wrote a couple of month ago in Japanese about
 using strategy for leveraging the Insane library and a continuous
 integration server in order to prevent webapp classloader leakage
 issues from creeping in.

I'll definitely take a look at this (in English -- tell her thanks!).

 With this in place, you can then setup your test environment to
 exercise a given webapp, shut it down, and then invoke your
 ScannerUtils code to see if that the webapp's classloader is still
 hanging around.

This is super sexy! What a nice job. I'll have to read-up on the Insane
library, but my suspicion is that you probably don't really need it...
all the RTTI information is available from the objects themselves, and
the code should be relatively simple just tons and tons of loops and
recursive calls.

 A word of warning... this is a very heavy weight operation.

Heh, you think? That's why this type of testing should be done in
development and not in production ;

-chris



RE: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Caldarale, Charles R
 From: mark_desp...@mcafee.com [mailto:mark_desp...@mcafee.com]
 Subject: RE: Headstart on Resolving OOM-PermGen errors on webapp
 reload
 
 Yeah, Insane just using reflection and a graph traversal algorithm to
 get the job done.  It looks like this is implemented by
 org.netbeans.insane.impl.InsaneEngine.

Other than being programmable for automated testing purposes, does this provide 
any more or different information than a jmap/jhat combo?

 - Chuck





RE: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Mark_Despain
I don't doubt that jmap/jhat would be able to give you more detailed 
information.  My exact goal was to come up with something for automated testing 
that would help prevent classloader leaks from making it into production.  If 
someone can think of a programmatic way to do that with jmap/jhat, please share!

Mark 
 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Wednesday, April 22, 2009 10:30 AM
To: Tomcat Users List
Subject: RE: Headstart on Resolving OOM-PermGen errors on webapp reload

 From: mark_desp...@mcafee.com [mailto:mark_desp...@mcafee.com]
 Subject: RE: Headstart on Resolving OOM-PermGen errors on webapp
 reload
 
 Yeah, Insane just using reflection and a graph traversal algorithm to
 get the job done.  It looks like this is implemented by
 org.netbeans.insane.impl.InsaneEngine.

Other than being programmable for automated testing purposes, does this provide 
any more or different information than a jmap/jhat combo?

 - Chuck





Re: Tomcat Security and Struts

2009-04-22 Thread Mighty Tornado
I think the following might be a problem. When I access the application I
get this error in the browser: Firefox can't establish a connection to the
server at localhost:8443

But Tomcat is supposed to listen on port 8080 - and it has been for my app,
until I put in the security feature.

any way around this?

On Wed, Apr 22, 2009 at 1:05 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: André Warnier [mailto:a...@ice-sa.com]
  Subject: Re: Tomcat Security and Struts
 
  Maybe this : if the login page itself contains a link to a gif located
  in the same area, trying to load that gif will also hit the
  authentication bit, and trigger another login page, before the first
  even finishes displaying ?

 Of course; I was thinking basic authentication, not form.

  - Chuck






A sample workers.properties file

2009-04-22 Thread Jonathan Mast
The Tomcat-Connector docs say that the source dist contains a sample
workers.properties file, but neither Tomcat 6 nor Httpd 2.2 src archives
contain such a file.

Could someone please post a sample workers.properties file for the
aforementioned Tomcat and Httpd versions?

Thanks


Re: Tomcat Security and Struts

2009-04-22 Thread Hassan Schroeder
On Wed, Apr 22, 2009 at 11:16 AM, Mighty Tornado
mighty.torn...@gmail.com wrote:
 I think the following might be a problem. When I access the application I
 get this error in the browser:Firefox can't establish a connection to the
 server at localhost:8443

 But Tomcat is supposed to listen on port 8080 - and it has been for my app,
 until I put in the security feature.

 any way around this?

Er, way around? You're *telling* it to use an SSL connection:

  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>

If you don't want it to, don't do that. Pretty simple, really.  :-)

-- 
Hassan Schroeder  hassan.schroe...@gmail.com




Re: Tomcat Security and Struts

2009-04-22 Thread Mighty Tornado
How can I make the request to port 8443 actually succeed?

On Wed, Apr 22, 2009 at 2:40 PM, Hassan Schroeder 
hassan.schroe...@gmail.com wrote:

 On Wed, Apr 22, 2009 at 11:16 AM, Mighty Tornado
 mighty.torn...@gmail.com wrote:
  I think the following might be a problem. When I access the application I
  get this error in the browser:Firefox can't establish a connection to the
  server at localhost:8443
 
  But Tomcat is supposed to listen on port 8080 - and it has been for my
 app,
  until I put in the security feature.
 
  any way around this?

 Er, way around? You're *telling* it to use an SSL connection:

  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>

 If you don't want it to, don't do that. Pretty simple, really.  :-)

 --
 Hassan Schroeder  hassan.schroe...@gmail.com





RE: Tomcat Security and Struts

2009-04-22 Thread Caldarale, Charles R
 From: Mighty Tornado [mailto:mighty.torn...@gmail.com]
 Subject: Re: Tomcat Security and Struts
 
 Firefox can't establish a connection to the
 server at localhost:8443

You need to define a secure Connector for port 8443.

 But Tomcat is supposed to listen on port 8080

You can't run both HTTP and HTTPS on the same port.  Since you specified a 
transport-guarantee of CONFIDENTIAL, you're requiring use of HTTPS.  Your 
HTTP Connector is likely configured to forward secure requests to 8443.

 - Chuck





Re: Tomcat Security and Struts

2009-04-22 Thread Hassan Schroeder
On Wed, Apr 22, 2009 at 11:43 AM, Mighty Tornado
mighty.torn...@gmail.com wrote:
 How can I make the request to port 8443 actually succeed?

Configure an https Connector.

-- 
Hassan Schroeder  hassan.schroe...@gmail.com




Re: Tomcat Security and Struts

2009-04-22 Thread André Warnier

Mighty Tornado wrote:

I think the following might be a problem. When I access the application I
get this error in the browser:Firefox can't establish a connection to the
server at localhost:8443


But did you not ask for this ?

<transport-guarantee>CONFIDENTIAL</transport-guarantee>




Re: A sample workers.properties file

2009-04-22 Thread André Warnier

Jonathan Mast wrote:

The Tomcat-Connector docs say that the source dist contains a sample
workers.properties file, but neither Tomcat 6 nor Httpd 2.2 src archives
contain such a file.


But the mod_jk connector download does, I am quite sure.





Re: A sample workers.properties file

2009-04-22 Thread Jonathan Mast
ok, i'll look, the docs don't explicitly say what source package the sample
is in. thanks

On Wed, Apr 22, 2009 at 2:48 PM, André Warnier a...@ice-sa.com wrote:

 Jonathan Mast wrote:

 The Tomcat-Connector docs say that the source dist contains a sample
 workers.properties file, but neither Tomcat 6 nor Httpd 2.2 src archives
 contain such a file.

  But the mod_jk connector download does, I am quite sure.






Re: A sample workers.properties file

2009-04-22 Thread André Warnier

André Warnier wrote:

Jonathan Mast wrote:

The Tomcat-Connector docs say that the source dist contains a sample
workers.properties file, but neither Tomcat 6 nor Httpd 2.2 src archives
contain such a file.


But the mod_jk connector download does, I am quite sure.


You /have/ downloaded the connector also, I presume ?
http://tomcat.apache.org/download-connectors.cgi
and binary releases.




Re: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Christopher Schultz

Chuck,

On 4/22/2009 12:16 PM, Caldarale, Charles R wrote:
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Subject: Re: Headstart on Resolving OOM-PermGen errors on webapp 
 reload
 
 It's also a shame that the values for -Xmx aren't shown
 
 It is - it's the MaxHeapSize under Heap Configuration.
 
 The odd thing in your report is MaxNewSize, which is clearly out of
 whack; not sure at this point where that comes from.

I'm using:

java version 1.5.0_13
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05)
Java HotSpot(TM) Client VM (build 1.5.0_13-b05, mixed mode)

and the heap configuration, again, for reference is:

Heap Configuration:
   MinHeapFreeRatio = 40
   MaxHeapFreeRatio = 70
   MaxHeapSize  = 67108864 (64.0MB)
   NewSize  = 655360 (0.625MB)
   MaxNewSize   = 4294901760 (4095.9375MB)
   OldSize  = 1441792 (1.375MB)
   NewRatio = 12
   SurvivorRatio= 8
   PermSize = 8388608 (8.0MB)
   MaxPermSize  = 67108864 (64.0MB)

Does that mean that, technically speaking, PermGen is allowed to grow to
take over the whole heap? Clearly, that isn't technically possible
(because the other heap sections will be non-zero) but it seems weird
that the max permgen is the same as the max heap.

I wonder if MaxNewSize is set to be the process max memory (4GB... or
just shy of that). That would be a *very* big NewSize. Odd that the
NewSize can exceed the maximum heap.

You *did* say it was unnecessarily complicated ;)

-chris



Re: Undeploy does not delete all .jar files

2009-04-22 Thread JT
I am confused again.  I was using Tomcat 5.5, but I uninstalled 5.5 and
installed 6 and tried to start from scratch by following the docs.  Maybe
I'm missing something, but I am using a database and I think it's telling me
to add my database connections inside of the context.xml file.  Resource...

JDeveloper automatically added a META-INF directory and when it creates my
war file it puts this directory under WEB-INF/classes.  I created another
directory with the location that you mentioned
webapps/xxx/META-INF/context.xml, but would that mess everything up if I
have 2 META-INF directories?

Nothing has changed with the new version of Tomcat.

JT
On Wed, Apr 22, 2009 at 10:33 AM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: JT [mailto:jltoo...@gmail.com]
  Subject: Re: Undeploy does not delete all .jar files
 
  I took everything out of my conf/context.xml file except for
  WatchedResource.  This includes
 
  <Logger className="org.apache.catalina.logger.FileLogger"
  directory="logs"  prefix="localhost_log." suffix=".txt"
  timestamp="true"/>

 Your config is extremely suspect, since 5.5 does not have any Logger
 elements.  Given that lots of config items have changed both syntax and
 semantics compared with older Tomcat levels, you may need to start from
 scratch with a clean 5.5 (or 6.0) installation, and update the newer Tomcat
 one step at a time.  Do not blindly copy anything from an older version -
 read the doc and update the newer config appropriately.

  I have the context.xml file in my webapps/xxx/WEB-INF/classes/META-INF

 That's another major error; the location should be
 webapps/xxx/META-INF/context.xml.

  - Chuck






RE: form based authentication

2009-04-22 Thread Jill Han
There is single Host in server.xml
<Engine name="Catalina" defaultHost="localhost">
  ...
<Realm className="org.apache.catalina.realm.JNDIRealm"
  debug="99"
  connectionName=""
  connectionPassword=""
  connectionURL="ldap://url:389"
  alternateURL="ldap://url:389"
  userBase="DC=AC"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberof"
  roleBase="DC=AC"
  roleName="cn"
  roleSearch="(uniqueMember={0})"
  userSubtree="true"
  roleSubtree="false"
  />
 ...
  <Host name="localhost" appBase="webapps"
   unpackWARs="true" autoDeploy="true"
   xmlValidation="false" xmlNamespaceAware="false">

<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>

  </Host>
</Engine>
What I want is for all the applications to have the same realm config in
server.xml. When it comes to the different applications, the authentication
will be performed based on each application's very own web.xml.
If the applications have the same realm-name in web.xml, those
applications just need to be authenticated once.
If the applications have different realm-names in web.xml, those
applications need to be authenticated separately.

Those tasks can be achieved if basic authentication as
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>TEST</realm-name>
</login-config>
 is used.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Wednesday, April 22, 2009 12:12 PM
To: Tomcat Users List
Subject: RE: form based authentication

 From: Jill Han [mailto:jill@alverno.edu]
 Subject: RE: form based authentication
 
 However, this makes authentication activated only once although the
 applications have different realms.

To quote from the SSO doc:

All web applications configured for this virtual host must share the same 
Realm.

http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

Can you separate the various Realms by Host?  Or are you stuck with a 
single Host?

 - Chuck


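The "separate the various Realms by Host" option from the quoted reply, sketched as a server.xml fragment. This is an added example, not configuration posted in the thread: the second host name, its appBase and the PLACEHOLDER userBase are assumptions, and the JNDIRealm attributes are the ones shown in the message above.

```xml
<!-- conf/server.xml (fragment), inside <Service name="Catalina">. -->
<Engine name="Catalina" defaultHost="localhost">

  <!-- Host 1: app1 and app2 are deployed here and share one Realm, which is
       the precondition the SingleSignOn valve documents. One login covers
       every webapp of this Host. -->
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://url:389"
           userBase="DC=AC"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           userRoleName="memberof"
           roleBase="DC=AC"
           roleName="cn"
           roleSearch="(uniqueMember={0})" />
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  </Host>

  <!-- Host 2 (assumed name): app3 gets its own virtual host and its own
       Realm. The SSO valve and its cookie belong to Host 1, so a login made
       there is not honoured here and app3 asks for credentials itself.
       No SingleSignOn valve is needed while this Host carries one webapp. -->
  <Host name="app3.example.test" appBase="webapps-app3"
        unpackWARs="true" autoDeploy="true">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://url:389"
           userBase="OU=PLACEHOLDER,DC=AC"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           userRoleName="memberof"
           roleBase="DC=AC"
           roleName="cn"
           roleSearch="(uniqueMember={0})" />
  </Host>

</Engine>
<!-- Note: <realm-name> in a webapp's <login-config> only labels the BASIC or
     DIGEST challenge shown by the browser; it does not select which Tomcat
     <Realm> element authenticates the user. -->
```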



Re: Tomcat Security and Struts

2009-04-22 Thread Christopher Schultz

André,

On 4/22/2009 12:37 PM, André Warnier wrote:
 Caldarale, Charles R wrote:
 From: Mikolaj Rydzewski [mailto:m...@ceti.pl]
 Subject: Re: Tomcat Security and Struts

 Mark Thomas wrote:
 <url-pattern>/*</url-pattern> will protect everything.

 If  your login page uses any external assets (images, stylesheets,
 etc), it will become corrupted (assets won't load).

 Care to explain that?  The above construct seems to work fine for our
 static resources.

 Maybe this : if the login page itself contains a link to a gif located
 in the same area, trying to load that gif will also hit the
 authentication bit, and trigger another login page, before the first
 even finishes displaying ?

Precisely. Unfortunately, this actually makes things worse than you
might think, since (some versions of) Tomcat stores the most recent
request as the one to re-play after successful authentication.

I have seen Tomcat respond post-authentication by serving a CSS file or
graphic rather than the expected original request (usually an HTML
page). The solution, of course, is to leave your (appropriate) static
content unprotected.

-chris
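The arrangement described in the message above (keep `/*` protected, leave the login page's static content unprotected), written out as a web.xml fragment. This is an added example, not configuration posted in the thread: the `/css/*` and `/images/*` directories, the role name `user` and the JSP locations are assumptions.

```xml
<!-- WEB-INF/web.xml (fragment). -->

<!-- 1. Assets the login form itself references. A security-constraint with
        no <auth-constraint> element requires no authentication. The
        container applies the constraint whose url-pattern best matches the
        request, so these path-prefix patterns take precedence over the
        catch-all /* below. Only files that are safe to serve to anonymous
        users belong in these directories. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login page assets (public)</web-resource-name>
    <url-pattern>/css/*</url-pattern>
    <url-pattern>/images/*</url-pattern>
  </web-resource-collection>
  <!-- Same transport rule as the protected area, so the HTTPS login page
       does not pull its assets over plain HTTP. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. Everything else requires an authenticated user in the role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/WEB-INF/login.jsp</form-login-page>
    <form-error-page>/WEB-INF/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

To verify after deployment, request a stylesheet with no session cookie: it should come back as the stylesheet, not as the login form.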



Re: Tomcat Security and Struts

2009-04-22 Thread Christopher Schultz

Hassan,

On 4/22/2009 2:45 PM, Hassan Schroeder wrote:
 On Wed, Apr 22, 2009 at 11:43 AM, Mighty Tornado
 mighty.torn...@gmail.com wrote:
 How can I make the request to port 8443 actually succeed?
 
 Configure an https Connector.

And correctly set your redirectPort in the non-secure Connector.

- -chris



RE: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Caldarale, Charles R
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Subject: Re: Headstart on Resolving OOM-PermGen errors on webapp
 reload
 
 Does that mean that, technically speaking, PermGen is allowed 
 to grow to take over the whole heap?

No, PermGen is independent of the general heap, limited by MaxPermSize and -Xmx 
respectively.  They are allocated contiguously to insure that the underlying 
reference marking of HotSpot GC works properly.

 Odd that the NewSize can exceed the maximum heap.

It can't really; if I get time before going on vacation this Friday I'll look 
to see where that number comes from.

 You *did* say it was unnecessarily complicated ;)

Probably seemed like a good idea at the time.

 - Chuck





RE: Undeploy does not delete all .jar files

2009-04-22 Thread Caldarale, Charles R
 From: JT [mailto:jltoo...@gmail.com]
 Subject: Re: Undeploy does not delete all .jar files
 
 I am using a database and I think it's telling me
 to add my database connections inside of the 
 context.xml file.

That is correct.  If the database is to be used by just a single webapp, the 
Resource element should be nested inside the Context element for just that 
webapp.  Placing the Resource element in the global conf/context.xml file 
will make the database accessible by all webapps, which is often undesirable.

 JDeveloper automatically added a META-INF directory and 
 when it creates my war file it puts this directory under
 WEB-INF/classes.

Either the IDE is seriously broken, or you have misconfigured it.  If it's the 
former, I certainly wouldn't use it, since it can't be trusted.

 would that mess everything up if I
 have 2 META-INF directories?

The improperly located META-INF would be ignored by Tomcat.

 Nothing has changed with the new version of Tomcat.

How did you end up with a Logger element in the global conf/context.xml?  
That construct hasn't been supported for a long time.  If your IDE created it, 
that's yet another reason not to use it.

 - Chuck





Re: windows 2k3 / Tomcat 6 / IIS configuration - randomly losing sessions

2009-04-22 Thread Christopher Schultz

Michael,

On 4/22/2009 12:25 AM, Menachem Husarsky wrote:
 Christopher Schultz wrote:
 Are all your customers using Cookies?
 
 Yes. However, URL rewriting is disabled.

Er.. how did you do this? Tomcat offers no way to disable URL rewriting.
Or, did you implement one of those nasty jsessionid-stripping filters?

 When I turn off cookies in
 any of my browsers, our website's cart functionality will not work,
 so if customers are complaining about their cart's being purged in
 the middle of checkout it is not a cookie issue with their browsers.

Okay.

 Do you ever switch hostnames during any of the website
 interactions? That would break your Cookie trail and you would
 observe the user's session disappearing. The same thing can
 happen if the session cookie was created using HTTPS and then you
 switch to HTTP.
 
 
 No we do not switch host names. customers start their sessions in
 HTTP and switch to HTTPS to complete checkout. Not the other way
 around.

Good. The other way around is problematic. If you are instrumenting your
application, you might consider logging the secure attribute of the
session cookie being observed. If you find one marked as secure you
could have a problem (and the solution is to only create session cookies
in non-secure mode).

 Can you give us more information about the circumstances? Does it
 always happen during a particular page transition? What else do
 these failures have in common?
 
 It seems to happen during a transition from any one page to another,
 but losing sessions, primarily interests me when it occurs during the
 checkout process. we're recording the cart purge on various checkout
 pages.

Is the session actively killed, or does the client just lose track of
the session id (or cookie, or whatever)?

 I don't perceive any particular commonality. At first i thought it
 was a browser issue, because it was happening to people who use IE 7.
 However, recently I noticed it occurring to Mozilla Firefox users as
 well. I have ruled out a browser issue client side as the culprit,
 especially in light of the fact that this worked fine for years with
 resin. One thing I have noticed is sometimes, a particular customer
 would get their cart purged in the middle of a checkout session, and
 then it would happen to the same customer/IP a few minutes later.
 This is why i pursued the browser line of thinking, but it doesn't
 explain why things worked fine for years in resin.

Just remember that you didn't just change-out Resin for Tomcat. Your OP
said that you changed hosting environments, too, so other factors are
likely at play. If you now went back to Resin (replaced TC with Resin,
but stayed with your current environment), I would expect that Resin
would fail in the same way.

 Right now I'm pursuing two lines of thinking:
 
 1) somehow tomcat is in fact killing off the session, so on the next
 request the user gets a new session, thus purging their cart since
 our cart system uses sessions for storage.

Tomcat will only kill the session if session.invalidate() is called, or
if the session times out. I suspect you aren't explicitly setting your
session timeouts, which means that they are getting the default timeout
of 30 minutes. You can instrument your application by doing the
following to see if the session is being killed by something during a
request:

1. Write a Filter that...
2. wraps the HttpServletRequest with an object that...
3. intercepts calls to getSession and wraps the HttpSession object with...
4. an object that logs calls to the invalidate method

Remember to log stack traces ;)

 2) somehow amid page redirects, tomcat doesn't get the session ID
 from the browser and therefore issues to the browser a new session
 ID, so although the cart exists under the old session object, the
 user effectively loses their cart by receiving a new session.

I would instrument the client using something like LiveHttpHeaders (when
is Daniel going to support ff3.5?!) or IEHeaders (or whatever it is for
MSIE) to see the chain of events that leads to session loss. Obviously,
being able to reproduce this error is essential, so it's too bad that
you haven't been able to do it yourself. If you have enough information
in the web server logs, you can probably identify a problem case, then
go back and look at their other requests to piece-together the chain of
events. Note that Apache httpd can log cookie values if you ask it to do
so, and I suspect that the AccessLogValve can do so, too.

 Do you have any suggestions for me for how to debug this in a finer
 more controlled fashion?

Unfortunately, not being able to reproduce the problem is your biggest
problem. Once you can do that, identifying and resolving the problem
becomes *much* easier. Collecting more information when you identify
these cases will certainly help with reproducibility.

Good luck,
- -chris

Re: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread André Warnier

Caldarale, Charles R wrote:
...



It can't really; if I get time before going on vacation this Friday I'll look 
to see where that number comes from.


We'll miss you.
You'll probably want mountains, and chocolate. Switzerland ?


You *did* say it was unnecessarily complicated ;)


Probably seemed like a good idea at the time.


I recently came across this article :
http://en.wikipedia.org/wiki/Adaptive_Replacement_Cache

and find some eerie parallels.  Which makes me wonder about the patent 
situation..






RE: form based authentication

2009-04-22 Thread Jill Han
Some corrections on the previous email.
I should say 
When singleSignOn is commented, those tasks can be achieved if basic 
authentication as 
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>TEST</realm-name>
</login-config>
 is used.

-Original Message-
From: Jill Han 
Sent: Wednesday, April 22, 2009 2:12 PM
To: 'Tomcat Users List'
Subject: RE: form based authentication

There is single Host in server.xml
<Engine name="Catalina" defaultHost="localhost">
  ...
<Realm className="org.apache.catalina.realm.JNDIRealm"
  debug="99"
  connectionName=""
  connectionPassword=""
  connectionURL="ldap://url:389"
  alternateURL="ldap://url:389"
  userBase="DC=AC"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberof"
  roleBase="DC=AC"
  roleName="cn"
  roleSearch="(uniqueMember={0})"
  userSubtree="true"
  roleSubtree="false"
  />
 ...
  <Host name="localhost" appBase="webapps"
   unpackWARs="true" autoDeploy="true"
   xmlValidation="false" xmlNamespaceAware="false">

<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>

  </Host>
</Engine>
What I want to do is all the applications have the same realm config in 
server.xml. When it comes to the different 
Applications, the authentication will be performed based on application very 
own web.xml.
If the applications in the web.xml have the same realm-name, those 
applications just need to be authenticated once.
If the applications in the web.xml have different realm-name, those 
applications need to be authenticated separately.

Those tasks can be achieved if basic authentication as 
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>TEST</realm-name>
</login-config>
 is used.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Wednesday, April 22, 2009 12:12 PM
To: Tomcat Users List
Subject: RE: form based authentication

 From: Jill Han [mailto:jill@alverno.edu]
 Subject: RE: form based authentication
 
 However, this makes authentication activated only once although the
 applications have different realms.

To quote from the SSO doc:

All web applications configured for this virtual host must share the same 
Realm.

http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

Can you separate the various Realms by Host?  Or are you stuck with a 
single Host?

 - Chuck





Re: windows 2k3 / Tomcat 6 / IIS configuration - randomly losing sessions

2009-04-22 Thread André Warnier

Christopher Schultz wrote:


I would instrument the client using something like LiveHttpHeaders (when
is Daniel going to support ff3.5?!) 

try HttpFox.

or IEHeaders (or whatever it is for
MSIE) 

Fiddler2






Re: A sample workers.properties file

2009-04-22 Thread Jonathan Mast
yeah i downloaded the source and found the sample workers.properties files.

The workers.properties.minimal has a bug in it, btw, the ajp13w worker is
not in the worker.list and must be added manually.

But it works otherwise.

On Wed, Apr 22, 2009 at 2:52 PM, André Warnier a...@ice-sa.com wrote:

 André Warnier wrote:

 Jonathan Mast wrote:

 The Tomcat-Connector docs say that the source dist contains a sample
 workers.properties file, but neither Tomcat 6 nor Httpd 2.2 src archives
 contain such a file.

  But the mod_jk connector download does, I am quite sure.

  You /have/ downloaded the connector also, I presume ?
 http://tomcat.apache.org/download-connectors.cgi
 and binary releases.






Re: form based authentication

2009-04-22 Thread Christopher Schultz

Jill,

On 4/22/2009 3:11 PM, Jill Han wrote:
 What I want to do is all the applications have the same realm config
 in server.xml.

That's not what you said earlier: you said you wanted /certain/
applications to have SSO behavior. SSO works by creating a single Realm
for all applications within the same Host and authenticating only a
single time.

 When it comes to the different Applications, the
 authentication will be performed based on application very own
 web.xml.

This is not possible using SSO, since it always uses the same Realm
configuration. The only things you can control with web.xml are the form
where authentication is requested (the login-form) which could be
different for each webapp and the recognized security roles and what
they are allowed to access.

 If the applications in the web.xml have the same
 realm-name, those applications just need to be authenticated once. 

Tomcat does not provide this capability. You will have to roll your own
authentication scheme to do this.

 If the applications in the web.xml have different realm-name, those
 applications need to be authenticated separately.

Your best option is to use multiple Host entries in server.xml, but
this requires that you have different host names or IP addresses in
order to make it work, which may not be possible or reasonable for your
requirements.

 Those tasks can be achieved if basic authentication as 
 <login-config> <auth-method>BASIC</auth-method> 
 <realm-name>TEST</realm-name> </login-config> is used.

This is because of a coincidence in how HTTP Auth works. Your browser
sends a special HTTP header regardless of the webapp being used, and
then the webapp does whatever it wants in order to authenticate and
authorize the request. Form authentication is different, since once the
authentication is performed, the session is tied to that user and only
authorization checks are done after that.

If you still can't get this to work, I can think of another solution
(and you're not going to like it):

1. Use securityfilter (http://securityfilter.sourceforge.net)
2. Write a servlet that accepts an encrypted identifier from your other
applications and crams the Principal into the session (where sf keeps
its user info)
3. Encode all your URLs that take you from one application to the other
to provide this encrypted identifier to the login-forcing servlet and
then redirect to where you /really/ want to go

Of course, this doesn't work if users randomly jump between applications
without actually clicking on your links.

- -chris
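
One way to build the "encrypted identifier" from steps 2 and 3 above, as an added example that is not part of the original post and not code from securityfilter or Tomcat. The class name `HandoffToken`, the AES-GCM construction, the expiry field and the binding of each token to a target application path are all assumptions made for this sketch; it needs Java 8 or later and a key shared by the participating webapps.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical short-lived, authenticated identifier passed from one webapp to another. */
public class HandoffToken {

    private static final int IV_LEN = 12;     // bytes, the usual GCM nonce size
    private static final int TAG_BITS = 128;  // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKeySpec key;

    public HandoffToken(byte[] aesKey) {      // 16 or 32 bytes, shared between the webapps
        this.key = new SecretKeySpec(aesKey, "AES");
    }

    /** Issuing side: encrypts "expiry\nuser" and binds it to the application it is meant for. */
    public String issue(String user, String targetApp, long nowMillis, long ttlMillis)
            throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);                    // fresh nonce for every token
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(targetApp.getBytes(StandardCharsets.UTF_8));
        byte[] body = ((nowMillis + ttlMillis) + "\n" + user).getBytes(StandardCharsets.UTF_8);
        byte[] ct = c.doFinal(body);
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Receiving side: returns the user name, or null if forged, altered, misdirected or expired. */
    public String verify(String token, String thisApp, long nowMillis) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < IV_LEN + TAG_BITS / 8) {
                return null;
            }
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
            c.updateAAD(thisApp.getBytes(StandardCharsets.UTF_8));
            byte[] plain = c.doFinal(in, IV_LEN, in.length - IV_LEN); // throws on a bad tag
            String body = new String(plain, StandardCharsets.UTF_8);
            int nl = body.indexOf('\n');
            if (nl < 0) {
                return null;
            }
            long expires = Long.parseLong(body.substring(0, nl));
            return nowMillis <= expires ? body.substring(nl + 1) : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // bad tag, wrong key, wrong target app, or malformed input
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[16];
        RNG.nextBytes(demoKey);               // constructed demo key, not a real secret
        HandoffToken tokens = new HandoffToken(demoKey);
        long now = System.currentTimeMillis();

        String token = tokens.issue("alice", "/shop", now, 30000L);
        char ch = token.charAt(20);           // a character inside the ciphertext
        String tampered = token.substring(0, 20) + (ch == 'A' ? 'B' : 'A') + token.substring(21);

        System.out.println("target app, in time: " + tokens.verify(token, "/shop", now + 1000L));
        System.out.println("other app:           " + tokens.verify(token, "/admin", now + 1000L));
        System.out.println("after expiry:        " + tokens.verify(token, "/shop", now + 60000L));
        System.out.println("altered token:       " + tokens.verify(tampered, "/shop", now + 1000L));
    }
}
```

A token stays replayable until it expires, so the lifetime should be a few seconds and the receiving servlet should be reachable over HTTPS only.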



Re: A sample workers.properties file

2009-04-22 Thread Christopher Schultz

Jonathan,

On 4/22/2009 3:43 PM, Jonathan Mast wrote:
 yeah i downloaded the source and found the sample workers.properties files.
 
 The workers.properties.minimal has a bug in it, btw, the ajp13w worker is
 not in the worker.list and must be added manually.

That's because the worker.list already contains the wlb worker, which
uses the ajp13 worker.

I would argue that this isn't a minimal workers.properties, but
everything seems to be in order.

- -chris



Re: Undeploy does not delete all .jar files

2009-04-22 Thread JT
Not sure why I have the Logger.  I put that in over a year ago and I was
looking at docs and examples online and since it seemed to work I didn't
worry about it.  now that I need to undeploy without stopping the service
things aren't working.  This was originally in the global conf/context.xml
file

Anyways, I did not add the Logger back into my application context.xml
file.  My application context.xml file looks like this.
<Context>
<Context antiJARLocking="true"  antiResourceLocking="true"/>
<Resource name="jdbc/xxx" auth="Container" type="javax.sql.DataSource"
   driverClassName="oracle.jdbc.driver.OracleDriver"
url="jdbc:oracle:thin:@..."/>
</Context>



On Wed, Apr 22, 2009 at 3:25 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: JT [mailto:jltoo...@gmail.com]
  Subject: Re: Undeploy does not delete all .jar files
 
  I am using a database and I think it's telling me
  to add my database connections inside of the
  context.xml file.

 That is correct.  If the database is to be used by just a single webapp,
 the Resource element should be nested inside the Context element for
 just that webapp.  Placing the Resource element in the global
 conf/context.xml file will make the database accessible by all webapps,
 which is often undesirable.

  JDeveloper automatically added a META-INF directory and
  when it creates my war file it puts this directory under
  WEB-INF/classes.

 Either the IDE is seriously broken, or you have misconfigured it.  If it's
 the former, I certainly wouldn't use it, since it can't be trusted.

  would that mess everything up if I
  have 2 META-INF directories?

 The improperly located META-INF would be ignored by Tomcat.

  Nothing has changed with the new version of Tomcat.

 How did you end up with a Logger element in the global conf/context.xml?
  That construct hasn't been supported for a long time.  If your IDE created
 it, that's yet another reason not to use it.

  - Chuck






RE: Access Deny of Tomcat

2009-04-22 Thread FreddieWeng

I'm using Tomcat 6.0.18, which was downloaded from tomcat.apache.org, with
jvm 6.0.07 on Windows XP.
I was just trying to see if Tomcat works.
I created a new directory in the Tomcat home directory, and then tried to
use IE in a client to see the file info within that directory, but failed.
No firewall was using.
I'm wondering if I have to change something settings in Tomcat Server first,
e.g. provide access authority to specific clients?

thanks very much in advance~~


Caldarale, Charles R wrote:
 
 From: FreddieWeng [mailto:freddiew...@gmail.com]
 Subject: Access Deny of Tomcat
 
 I'm a new comer to Tomcat and your help is very appreciated~~
 
 What version of Tomcat are you a newcomer to?  (That's the first piece of
 information that should appear whenever you start a new discussion
 thread.)  Also, what JVM are you using, and what platform are you running
 on?  Did you install a Tomcat download from tomcat.apache.org, or did you
 get it from some 3rd party?
 
 I tried to connect to directories in Tomcat server 
 from some client.
 
 What does connect to directories mean?  Tomcat is a server for webapps;
 what webapps have you deployed?  What are you trying to connect to? 
 What is the mechanism you're using to connect?  Do the examples that
 come with a standard Tomcat work?
 
 Do you have a firewall blocking access?
 
 Do you have any idea of how to fix this problem?
 
 Not until you describe what you're actually trying to do.
 
  - Chuck
 
 



RE: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Martin Gainty

we expect free technical support 24/7/365 so bring a blackberry w/ you

are there any good primers on eden,PermGen and general heap?

(HF)
Martin 






 From: chuck.caldar...@unisys.com
 To: users@tomcat.apache.org
 Date: Wed, 22 Apr 2009 14:19:16 -0500
 Subject: RE: Headstart on Resolving OOM-PermGen errors on webapp reload
 
  From: Christopher Schultz [mailto:ch...@christopherschultz.net]
  Subject: Re: Headstart on Resolving OOM-PermGen errors on webapp
  reload
  
  Does that mean that, technically speaking, PermGen is allowed 
  to grow to take over the whole heap?
 
 No, PermGen is independent of the general heap, limited by MaxPermSize and 
 -Xmx respectively.  They are allocated contiguously to insure that the 
 underlying reference marking of HotSpot GC works properly.
 
  Odd that the NewSize can exceed the maximum heap.
 
 It can't really; if I get time before going on vacation this Friday I'll look 
 to see where that number comes from.
 
  You *did* say it was unnecessarily complicated ;)
 
 Probably seemed like a good idea at the time.
 
  - Chuck
 
 

RE: [OT] Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Caldarale, Charles R
 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Headstart on Resolving OOM-PermGen errors on webapp
 reload
 
 You'll probably want mountains, and chocolate. Switzerland ?

London.  $ vs pound is pretty decent right now.  It's been 45+ years since I've 
been on the Tube...

 I recently came across this article :
 http://en.wikipedia.org/wiki/Adaptive_Replacement_Cache

I don't see the parallels; nothing in GC is LRU based that I can think of.

 - Chuck





Re: Access Deny of Tomcat

2009-04-22 Thread André Warnier

FreddieWeng wrote:

I'm using Tomcat 6.0.18, which was downloaded from tomcat.apache.org, with
jvm 6.0.07 on Windows XP.


Which one did you download and install ?
In Tomcat 5 .. Binary distributions .. Core..
there are 2 : a zip version, and a Windows Installer.
Which one did you download and install ?



I was just trying to see if Tomcat works.


Check first if it is running.
If you installed the Windows Installer version, then in the Windows 
Services part of your control panel, you should see a service Apache 
Tomcat, marked as running.  True ?



I created a new directory in the Tomcat home directory, 

That's not the right place.

and then tried to

use IE in a client to see the file info within that directory, but failed.
What URL did you enter in IE, and what happened ? What message did you 
get in IE ?



No firewall was using.
I'm wondering if I have to change something settings in Tomcat Server first,
e.g. provide access authority to specific clients?

No.



thanks very much in advance~~


Caldarale, Charles R wrote:

From: FreddieWeng [mailto:freddiew...@gmail.com]
Subject: Access Deny of Tomcat

I'm a new comer to Tomcat and your help is very appreciated~~

What version of Tomcat are you a newcomer to?  (That's the first piece of
information that should appear whenever you start a new discussion
thread.)  Also, what JVM are you using, and what platform are you running
on?  Did you install a Tomcat download from tomcat.apache.org, or did you
get it from some 3rd party?

I tried to connect to directories in Tomcat server 
from some client.

What does connect to directories mean?  Tomcat is a server for webapps;
what webapps have you deployed?  What are you trying to connect to? 
What is the mechanism you're using to connect?  Do the examples that

come with a standard Tomcat work?

Do you have a firewall blocking access?


Do you have any idea of how to fix this problem?

Not until you describe what you're actually trying to do.

 - Chuck





RE: Headstart on Resolving OOM-PermGen errors on webapp reload

2009-04-22 Thread Caldarale, Charles R
 From: Martin Gainty [mailto:mgai...@hotmail.com]
 Subject: RE: Headstart on Resolving OOM-PermGen errors on webapp
 reload
 
 we expect free technical support 24/7/365 so bring a blackberry w/ you

No thanks; I'll keep my iPhone (and Skype, so I don't have to pay ATT's 
outrageous international charges).

 are there any good primers on eden,PermGen and general heap?

Start here:
http://java.sun.com/javase/technologies/hotspot/gc/index.jsp

Look at the Memory Management white paper and Garbage Collection Tuning to 
start.

 - Chuck





Re: Undeploy does not delete all .jar files

2009-04-22 Thread Hassan Schroeder
On Wed, Apr 22, 2009 at 12:58 PM, JT jltoo...@gmail.com wrote:

 My application context.xml file looks like this.
 <Context>
    <Context antiJARLocking="true"  antiResourceLocking="true"/>
    <Resource name="jdbc/xxx" auth="Container" type="javax.sql.DataSource"
       driverClassName="oracle.jdbc.driver.OracleDriver"
 url="jdbc:oracle:thin:@..."/>
 </Context>

I'm surprised Tomcat even starts with that -- Context elements
can't be nested. Try:

<Context antiJARLocking="true"  antiResourceLocking="true">
   <Resource name="jdbc/xxx" auth="Container" type="javax.sql.DataSource"
  driverClassName="oracle.jdbc.driver.OracleDriver"
  url="jdbc:oracle:thin:@..."/>
</Context>

-- 
Hassan Schroeder  hassan.schroe...@gmail.com




RE: Access Deny of Tomcat

2009-04-22 Thread Caldarale, Charles R
 From: FreddieWeng [mailto:freddiew...@gmail.com]
 Subject: RE: Access Deny of Tomcat
 
 I created a new directory in the Tomcat home directory

That's not useful; webapps (even if they consist of nothing but static content) 
are normally placed under the Host appBase directory.  The default for Tomcat 
is named, coincidentally, webapps.

 then tried to use IE in a client to see the file info within 
 that directory, but failed.

What URL did you try?  Note that directory listings are disabled by default, 
although contents may be retrieved when explicitly named on the URL.  To enable 
directory listings, you'll need to adjust the listings parameter for the 
DefaultServlet declared in conf/web.xml.

 - Chuck





RE: Undeploy does not delete all .jar files

2009-04-22 Thread Caldarale, Charles R
 From: JT [mailto:jltoo...@gmail.com]
 Subject: Re: Undeploy does not delete all .jar files
 
 Not sure why I have the Logger.  I put that in over a 
 year ago and I was looking at docs and examples online 
 and since it seemed to work I didn't worry about it.

It didn't work - it didn't do anything.

 Anyways, I did not add the Logger back into my application context.xml
 file.  My application context.xml file looks like this.
 <Context>
 <Context antiJARLocking="true"  antiResourceLocking="true"/>
 <Resource name="jdbc/xxx" auth="Container"
 type="javax.sql.DataSource"
 driverClassName="oracle.jdbc.driver.OracleDriver"
 url="jdbc:oracle:thin:@..."/>
 </Context>

Did you seriously nest one Context element inside another?  That's obviously 
incorrect; it should look something like this:

<Context antiJARLocking="true" antiResourceLocking="true">
<Resource name="jdbc/xxx" auth="Container"
 type="javax.sql.DataSource"
 driverClassName="oracle.jdbc.driver.OracleDriver"
 url="jdbc:oracle:thin:@..."/>
</Context>

I have not attempted to validate your Resource settings.

 - Chuck





Re: Steps to configure Tomcat 5.0 with PKCS#11 support

2009-04-22 Thread Christopher Schultz
Raminder,

On 4/22/2009 5:06 AM, Raminder Singh wrote:
 We are using tomcat 5.0.28 and JDK 1.5.10. Now, there is some
 requirement to use tomcat with PKCS#11 support. Initial study shows
 that a hardware token would be needed for this.
 
 1) Is a minimum Tomcat version of 5.5 a must for this?

It appears so.

 2) Is this hardware requirement mandatory? Or is any other way
 possible?

Well, PKCS#11 is traditionally used with hardware, but a software token
is also acceptable.

 3) What additional changes would be required at the server.xml
 level for PKCS#11 support?

RTFM:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html

There are also references in the list archives:
http://marc.info/?l=tomcat-user&m=118066767827013&w=2
Unfortunately, that doesn't seem to be the right answer:
http://marc.info/?l=tomcat-user&m=118073747704071&w=2

...although the OP might not be properly configuring their keystore.

-chris



Re: Undeploy does not delete all .jar files

2009-04-22 Thread JT
First time
<Context antiJARLocking="true"  antiResourceLocking="true"/>

Second time
<Context>
<Context antiJARLocking="true"  antiResourceLocking="true"/>
  <Resource name="jdbc/xxx" auth="Container" type="javax.sql.DataSource"
 driverClassName="oracle.jdbc.driver.OracleDriver"
 url="jdbc:oracle:thin:@..."/>
</Context>

Third time
<Context antiJARLocking="true"  antiResourceLocking="true">
  <Resource name="jdbc/xxx" auth="Container" type="javax.sql.DataSource"
 driverClassName="oracle.jdbc.driver.OracleDriver"
 url="jdbc:oracle:thin:@..."/>
</Context>

All three times give me the same result.  My application runs fine...well,
I didn't check the 3rd time.  I just can't undeploy in the Tomcat Manager.
I have been stopping the service and redeploying manually for a while now and
everything seemed ok.  I just can't do it without stopping the service.

JT

On Wed, Apr 22, 2009 at 4:24 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: JT [mailto:jltoo...@gmail.com]
  Subject: Re: Undeploy does not delete all .jar files
 
  Not sure why I have the Logger.  I put that in over a
  year ago and I was looking at docs and examples online
  and since it seemed to work I didn't worry about it.

 It didn't work - it didn't do anything.

  Anyways, I did not add the Logger back into my application context.xml
  file.  My application context.xml file looks like this.
  <Context>
  <Context antiJARLocking="true"  antiResourceLocking="true"/>
  <Resource name="jdbc/xxx" auth="Container"
  type="javax.sql.DataSource"
  driverClassName="oracle.jdbc.driver.OracleDriver"
  url="jdbc:oracle:thin:@..."/>
  </Context>

 Did you seriously nest one Context element inside another?  That's
 obviously incorrect; it should look something like this:

 <Context antiJARLocking="true" antiResourceLocking="true">
 <Resource name="jdbc/xxx" auth="Container"
 type="javax.sql.DataSource"
 driverClassName="oracle.jdbc.driver.OracleDriver"
 url="jdbc:oracle:thin:@..."/>
 </Context>

 I have not attempted to validate your Resource settings.

  - Chuck






Avoiding username/password being logged into localhost access logs

2009-04-22 Thread Tom-cat

Hi,

We are using Tomcat 5.0.27. Whenever the user logs in using a GET or POST request,
his/her username and password are being logged in clear text in the
localhost access logs. It has become a security issue as anyone with an
account to the system can browse through the logs and find out the username
and password of the users.

So I was going through the documentation to find if there is any attribute
which controls this behavior and we can prevent it from being printed in the
log file but I couldn't find one. And I am using
org.apache.catalina.logger.FileLogger as the Logger class.

Any replies greatly appreciated.






Fwd: username/password being logged in clear text

2009-04-22 Thread jithu mada
-- Forwarded message --
From: jithu mada jithu.m...@gmail.com
Date: Wed, Apr 22, 2009 at 5:38 PM
Subject: username/password being logged in clear text
To: users@tomcat.apache.org


Hi,

We are using Tomcat 5.0.27. Whenever the user logs in using a GET or POST request,
his/her username and password are being logged in clear text in the
localhost access logs. It has become a security issue as anyone with an
account to the system can browse through the logs and find out the username
and password of the users.

So I was going through the documentation to find if there is any attribute
which controls this behavior and we can prevent it from being printed in the
log file but I couldn't find one.

And I am using org.apache.catalina.logger.FileLogger as the Logger class.

I would really appreciate it if you can help me out here.

thanks
Jitender


RE: Avoiding username/password being logged into localhost access logs

2009-04-22 Thread Caldarale, Charles R
 From: Tom-cat [mailto:jithu.m...@gmail.com]
 Subject: Avoiding username/password being logged into localhost access
 logs
 
 We are using Tomcat 5.0.27.

No longer supported.

 It has become a security issue as anyone with an
 account to the system can browse through the logs
 and find out the username and password of the users.

Why are your log files publicly accessible?  You didn't tell us the platform 
you're running on, but pretty much everything has ways to make 
files/directories accessible only to select users.

Is your Tomcat configuration accessible as well?

 - Chuck





Re: Avoiding username/password being logged into localhost access logs

2009-04-22 Thread jithu mada
Thanks for the prompt reply.

The Tomcat is running on AIX 5.3 and the files are not publicly accessible.
It's only accessible to a few users.

But the user wants the username and password to be obscured.

On Wed, Apr 22, 2009 at 5:43 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: Tom-cat [mailto:jithu.m...@gmail.com]
  Subject: Avoiding username/password being logged into localhost access
  logs
 
  We are using Tomcat 5.0.27.

 No longer supported.

  It has become a security issue as anyone with an
  account to the system can browse through the logs
  and find out the username and password of the users.

 Why are your log files publicly accessible?  You didn't tell us the
 platform you're running on, but pretty much everything has ways to make
 files/directories accessible only to select users.

 Is your Tomcat configuration accessible as well?

  - Chuck






Re: Avoiding username/password being logged into localhost access logs

2009-04-22 Thread André Warnier

jithu mada wrote:
[...]
The only way I can see for the userid and password to be visible in an 
access log, is if they are part of the URL (actually, of the query 
string) and unencoded.
Which would mean that this is a form-based authentication, with either 
no method attribute in the form tag, or method=GET.
If it was really a POST, it would be in the body of the request, and not 
appear in the access log.





RE: Avoiding username/password being logged into localhost access logs

2009-04-22 Thread Caldarale, Charles R
 From: jithu mada [mailto:jithu.m...@gmail.com]
 Subject: Re: Avoiding username/password being logged into localhost
 access logs
 
 It's only accessible to a few users.
 
 But the user wants the username and password to be obscured.

Then you'll need to extend the existing logger class, have your replacement 
scan for username and password, and apply appropriate obfuscation.  It would be 
easier just to completely restrict access to the log files, and filter them 
after the fact.

 - Chuck


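Added example (not part of the original thread, and not Tomcat code): a Python filter for the "filter them after the fact" approach suggested in the reply above. It also shows the point made in André Warnier's message that only credentials sent in the query string of a request reach the access log. The parameter names username and password, the common-log-format layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Form field names treated as credentials (assumed; use your login form's names).
SENSITIVE = {"username", "password"}
# The quoted request field of a common-log-format line: "METHOD target PROTOCOL".
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) (HTTP/[\d.]+)"')

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2009:17:38:01 -0500] "GET /app/login?username=alice'
    '&password=s3cr%21t&next=%2Fhome HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/Apr/2009:17:38:09 -0500] "POST /app/login HTTP/1.1" 302 -',
    '192.0.2.11 - - [22/Apr/2009:17:39:12 -0500] "GET /app/report?id=7 HTTP/1.1" 200 1024',
    '192.0.2.12 - - [22/Apr/2009:17:40:30 -0500] "GET /app/login?user=bob'
    '&Pass%77ord=hunter2 HTTP/1.0" 200 512',
]

def redact_query(query):
    """Blank the values of credential parameters; leave every other byte as logged."""
    pieces, hits = [], []
    for pair in query.split("&"):
        name, sep, _value = pair.partition("=")
        decoded = unquote_plus(name).lower()  # catches percent-encoded names too
        if sep and decoded in SENSITIVE:
            hits.append(decoded)
            pair = name + "=REDACTED"
        pieces.append(pair)
    return "&".join(pieces), hits

def redact_line(line):
    """Return (line with credentials redacted, list of parameter names found)."""
    hits = []
    def rewrite(match):
        method, target, proto = match.groups()
        path, qmark, query = target.partition("?")
        if qmark:  # a POST body is never in the access log, so only the query matters
            query, found = redact_query(query)
            hits.extend(found)
        return '"%s %s%s%s %s"' % (method, path, qmark, query, proto)
    return REQUEST_RE.sub(rewrite, line), hits

def redact_log(lines):
    """Return (cleaned lines, 1-based numbers of lines that carried credentials)."""
    cleaned, flagged = [], []
    for number, line in enumerate(lines, 1):
        new_line, hits = redact_line(line)
        cleaned.append(new_line)
        if hits:
            flagged.append(number)
    return cleaned, flagged

if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG)[0]:
        print(line)
```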



Re: OCI and Realm Problem

2009-04-22 Thread Christopher Schultz
Andrea,

On 4/16/2009 10:45 AM, Andrea De Gaetano wrote:
 Everything works with the Thin Driver, instead with the OCI driver, after the
 login procedure the Java virtual machine crashes with some memory dump
 messages...

Care to post those messages?

 export ORACLE_HOME=/usr/lib/oracle/10.2.0/client
 export JAVA_HOME=/usr/java/jdk1.5.0_17/
 export CATALINA_BASE=/opt/tomcat/apache-tomcat-5.5.27
 export TOMCAT_HOME=/opt/tomcat/apache-tomcat-5.5.27
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib

Can you get a standalone program to successfully connect to Oracle using
the OCI driver using the same JVM on the same machine? It's unlikely
that this is a Tomcat problem (Tomcat doesn't do a whole lot with the
JDBC driver except register it with the JVM and try to use it).

 The server is a 64-bit machine but I don't think there is a problem with it.

Are you running a 64-bit JVM? How about the native portion of the Oracle
library? Is that 32-bit or 64-bit?

-chris