Re: Tomcat 5.5 and Windows 7
On 27/08/2010 04:22, Marcos Molina wrote:
> Hi there, I only wanna know if I can run Tomcat 5.5 on Windows 7 ??? And if I have to take any considerations to do it. Thanks for your answers.

Only if you install Java first.

p

> Regards Marcos.
Re: Is there a better way to disable JSESSIONID in the URLs?
On 26.08.2010 23:29, Wesley Acheson wrote:
> On Sat, Aug 21, 2010 at 12:12 PM, Pid <p...@pidster.com> wrote:
>> On 20/08/2010 22:40, Wesley Acheson wrote:
>>> I'm a bit lost with this thread. Are people suggesting I should submit a patch. I really wouldn't know where to begin looking.
>>
>> That's where the discussion was heading. Tomcat is Open Source. The first place to look would be SVN. http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/
>>
>> p
>
> Hi everyone, I've done this and was naturally quite nervous about it having never contributed to anything in this way.

That's quite normal :) It gets better once you do it more regularly ;)

> Would it be too much to ask to get some feedback if you have time? I'd really appreciate it. Feedback about anything from the code changes to if you feel the bugzilla report was adequate.

It was a good initiative and I'm sure we will have a look at the patch. Please be patient though. If you don't see any progress (comments in the Bugzilla issue), then it is fine to nag after about one or two weeks.

> I do honestly appreciate that you are all busy but it could go a long way to encouraging new users to help chip in if they felt there was adequate feedback. Much better to be honest though than to pamper to them. If anything's wrong with what I did I'd love to know but if it was okay I'd like to know also.

If it gets committed to the Tomcat source, you will see whether there was a need to change anything. All changes applied to the code are public.

> If this is a subject for the dev mail list then I'd appreciate being told that too. I didn't want to interrupt the dev mail list as it seems pretty busy with svn commits and bugzilla reports.

It is in the middle of the two lists, since most of the discussion was here (users) I understand you reply here. If there is need to discuss technical details of the patch, the discussion will switch over to Bugzilla, or if the discussion switches topic, like starting to discuss a more general implementation thing it might switch to the dev list.

> In case you're not in a threaded email client the link was https://issues.apache.org/bugzilla/show_bug.cgi?id=49811 again.

Thanks for starting to contribute!

Regards, Rainer
Engine Cluster definition and FarmWarDeployer
Hi,

Tomcat: 6.0.29, binary distribution downloaded from apache.org
JVM: 1.6.0_21 (Sun, 64-bit).
OS: Linux RHEL 5.5, fully patched.

I understand that FarmWarDeployer can only be used cluster context defined in a Host, this is fine. I have a cluster fully defined in the Engine context.

My question is:
1. Can I use an empty cluster definition in the host to include the FarmWarDeployer?
2. Should the FarmWarDeployer be included in Host without the surrounding Cluster context in this case?
3. Will the config below create two clusters (one in the Engine context, one in the Host context)?

    <?xml version='1.0' encoding='utf-8'?>
    <Server port="${fmp.tomcat.shutdown.port}" shutdown="SHUTDOWN">
      ... standard setup ...
      <Service name="Catalina">
        ... standard setup ...
        <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm${tomcat.clusterid}">
          <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="6">
            <Manager className="org.apache.catalina.ha.session.BackupManager"
                     expireSessionsOnShutdown="false"
                     notifyListenersOnReplication="true"
                     mapSendOptions="6" />
            <Channel className="org.apache.catalina.tribes.group.GroupChannel">
              <Membership className="org.apache.catalina.tribes.membership.McastService"
                          address="228.0.0.4" port="45564" frequency="500" dropTime="3000" />
              <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                        address="auto" port="5000" selectorTimeout="100" maxThreads="6" />
              <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
                <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender" />
              </Sender>
              <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector" />
              <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor" />
              <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor" />
            </Channel>
            <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
                   filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"
                   statistics="true" />
            <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve" />
            <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener" />
            <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener" />
          </Cluster>
          <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
          <Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false"
                xmlValidation="false" xmlNamespaceAware="false">
            <Cluster>
              <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
                        tempDir="${catalina.base}/temp/war-tmp/"
                        deployDir="${catalina.base}/farm/deploy/"
                        watchDir="${catalina.base}/farm/listen/"
                        watchEnabled="true"/>
            </Cluster>
          </Host>
        </Engine>
      </Service>
    </Server>

Thanks,

Best Regards, Brett Delle Grazie
Re: Engine Cluster definition and FarmWarDeployer
On 27/08/2010 09:41, Brett Delle Grazie wrote:
> Hi, Tomcat: 6.0.29, binary distribution downloaded from apache.org JVM: 1.6.0_21 (Sun, 64-bit). OS: Linux RHEL 5.5, fully patched.
>
> I understand that FarmWarDeployer can only be used cluster context defined in a Host, this is fine. I have a cluster fully defined in the Engine context.

If you only have one Host, this is a non-issue, right? Just move the cluster definition from the Engine to the Host.

p
Re: Best practices for deployment on cluster environment
Hi,

Our current system has two servers in a clustered environment with shared disk, but we ended up splitting the webapps areas into separate. This gave us more control in the end and our promote procedure for a new version of an app is now scripted. So one server gets removed from the pool of active servers, upgraded and then replaced and the script moves to the next.

We still need a full outage for things that require a schema change in the backend for example. But we do a sorry server page while the brief outage is underway.

For a bigger site, you could go 2 clusters and have shared disk in each cluster. Pull one cluster at a time out of your load balancer and use the shared disk to trigger an upgrade. You'd have to pick a lull time in your load though so half the system could cope.

It helps that half our system can carry the full load as we run a stretched cluster 150m apart for DR purposes. 150m isn't enough, but it's better than the same room.

I've never played with the farm deployer module, not sure if that's an alternative. I'd be interested if anyone has? Or solved the problem another way.

Hope that helps, Dave

-- David Nillesen Systems Administrator http://njorsk.com

On Thu, Aug 26, 2010 at 11:57 PM, Luca Gervasi tom...@ashetic.net wrote:
> On Wed, 2010-08-25 at 10:50 -0300, Fernando Morgenstern wrote:
>> Hi, I have a Tomcat cluster environment with 4 servers. I was wondering what is the best way to deploy an application on 4 servers at the same time. At a first moment, I thought about having a script that would copy war files to all servers using rsync. Basically I upload the war file to the first server and then use this script to copy to other tomcat servers. Could you share your experience with this kind of environment? Is this the best way to deal with deployment?
>>
>> Thank you, Fernando M. Morgenstern
>
> In such environment I think that you should deploy once in the NAS/SAN (I mean, unpack the war) and use the shared filesystem in ro in each instance. Btw I'm pretty interested in more answers :)
>
> See Ya
Re: clear text keystore password in server.xml
On 27/08/2010 10:41, Vijay wrote:
> I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself.

And how do you propose to provide the secret key required to perform the decryption?

Mark
Re: clear text keystore password in server.xml
For prototyping purposes, I am embedding the secret key in the program itself. If the solution works out, having it in a secure database is an option I am considering..

-- A. Vijayaraghavan
Re: clear text keystore password in server.xml
On 27/08/2010 11:26, Vijay wrote:
> For prototyping purposes, I am embedding the secret key in the program itself. If the solution works out, having it in a secure database is an option I am considering..

And how do you propose to provide the password Tomcat uses to access this secure database?

Mark
Re: Engine Cluster definition and FarmWarDeployer
On Fri, 2010-08-27 at 10:18 +0100, Pid wrote:
> On 27/08/2010 09:41, Brett Delle Grazie wrote:
>> Hi, Tomcat: 6.0.29, binary distribution downloaded from apache.org JVM: 1.6.0_21 (Sun, 64-bit). OS: Linux RHEL 5.5, fully patched.
>>
>> I understand that FarmWarDeployer can only be used cluster context defined in a Host, this is fine. I have a cluster fully defined in the Engine context.
>
> If you only have one Host, this is a non-issue, right? Just move the cluster definition from the Engine to the Host.

Alas I have two hosts (I realise my example didn't show that). What is the best solution when you have two hosts?

Thanks,

-- Best Regards, Brett Delle Grazie
Re: Best practices for deployment on cluster environment
I've read many responses to this thread, but when you redeploy in an enterprise environment (many httpd+mod_jk - 4 tomcat server - a db), independently if you use shared or not appBase, manual or scripted deployer, with or without tomcat manager, you return to your client a 404 or worse a 503 when a request reaches the tomcat. And for my application it's not permitted.

This is what I think I can do:

Environment (24 Apache+mod_jk - 4 tomcat server), mod_jk with ping_mode=A and prepost_timeout=1000.

To redeploy a webapp:

For each tomcat server:
    Connect to JMX MBean and stop AJP connector.
    Wait the end of all AJP RequestProcessor.
    Redeploy webapp with tomcat manager.
    Restart tomcat.
    Wait for 60 sec (The default maintenance of mod_jk).
end.

How about this?

Regards, Domenico
Re: Access StandardContext in WebappClassLoader
Hi Chris,

thanks for the interest - of course I'll give you an example. Surprisingly it is not java.lang.Object that I'm trying to hide but the stax api in java 6. I need to do so because of the notorious fault in the XMLOutputFactory#newInstance(String, ClassLoader). Therefore I'm using stax-api 1.0.1 that is available through the equinox my catalina lives in (mentioned in my first post). I also have a woodstox implementation as a bundle.

The situation is the following - a web application tries to obtain a factory instance through the api. The XMLOutputFactory class is loaded through the webapp class loader from the system class loader. The woodstox implementation is found (as osgi bundle) and it is instantiated. When the com.ctc.wstx.stax.WstxInputFactory / WstxOutputFactory class is loaded from the osgi bundle class loader it has been identified correctly as implementing the XMLInput/OutputFactory loaded from the stax-api bundle again in the osgi. Thus I end up with the following exception in my web application:

    java.lang.ClassCastException: com.ctc.wstx.stax.WstxInputFactory cannot be cast to javax.xml.stream.XMLInputFactory

The thing is that osgi runtime in which the catalina lives complicates the class loading a bit. Note that this black voodoo magic for configuring restricted system packages is not something I've invented - I just saw there is such thing in jetty and was extremely happy to see it could be implemented with little effort in tomcat as well.

Best regards, Stefan

On Thu, Aug 26, 2010 at 8:28 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> Chefo,
>
> On 8/26/2010 11:24 AM, Chefo wrote:
>> What bothers me in the WebappClassLoader is the fact that before it checks its repositories (lib folder and classes) and asks its parent class loader, it will first attempt to load a class from the system class loader - from the jvm.
>
> That's supposed to be how it's done: webapps aren't supposed to be able to subvert the JVM by loading their own definitions for, say, java.lang.Object.
>
>> I want to prevent that for certain packages and I want it to be configurable for each web application.
>
> Can you give me an example of when this would be a good idea?
>
> -chris
Re: clear text keystore password in server.xml
Hi Mark,

I guess I am getting the point you are trying to make .. As long as the password or (the encrypted password and the secret key) are present at some location (file system / database/ etc) .. there is a security gap .. I agree with this ..

This said, I am trying to find a way to get tomcat work with an encrypted password. [given the fact there is no way anyone can get to the secret key for decrypting the password]

Thanks! Vijay
Tomcat load balancing question x problem
Hello list! :)

Here at work I was asked to give a try on load balancing two tomcat servers running tomcat 6.0.29. The problem is that I was given only two servers to do this, what gave me only one option: run the apache in one of these servers. So I decided to put the apache httpd server which is going to balance the load among the two tomcat server in the Server A (supposing I have server A and B running linux).

My application which needs to be balanced has /agent context. Every time I access the URL http://servera/agent my request is redirected either to http://servera:8080/agent or http://serverb:8080/agent. To my understanding, with load balancing, my url would remain http://servera/agent and the redirect would take place behind the scene and I would never see any redirect to tomcat connector port (8080).

By the way, I am running the load balancing with mod_proxy in the apache server and my configuration is as follows:

    ProxyPass /balancer-manager !
    ProxyPass /status !
    ProxyStatus On
    ProxyRequests Off

    <Location /balancer-manager>
        SetHandler balancer-manager
        Order Deny,Allow
        Deny from all
        Allow from localhost
    </Location>

    <Location /status>
        SetHandler server-status
        Order Deny,Allow
        Deny from all
        Allow from all
    </Location>

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Proxy balancer://cluster>
        BalancerMember http://servera:8080/agent/ route=worker0 keepalive=On loadfactor=1
        BalancerMember http://serverb:8080/agent/ route=worker1 keepalive=On loadfactor=1
        ProxySet lbmethod=byrequests maxattempts=3 stickysession=JSESSIONID|jsessionid
    </Proxy>

    <Location /agent>
        ProxyPass balancer://cluster/ stickysession=JSESSIONID
        ProxyPassReverse balancer://cluster/
    </Location>

Not happy with this scenario, I decided to install the apache httpd server in my laptop and made it as my load balancer instead of using servera to load balance. To my surprise, it worked out of the box with no extra configuration other than the one set up in my servera. I see no redirects to 8080 tomcat's port, due to my overall tests I could see only my desired url: http://localhost/agent (since I was running my tests with apache installed locally).

So my question is: does it make sense to have the load balancer in the same server as one of the balanced server/application? Does mod_proxy support this?

Many thanks for all the attention

Thiago
Re: clear text keystore password in server.xml
On 27/08/2010 13:19, Vijay wrote:
> Hi Mark, I guess I am getting the point you are trying to make .. As long as the password or (the encrypted password and the secret key) are present at some location (file system / database/ etc) .. there is a security gap .. I agree with this ..

Bingo!

> This said, I am trying to find a way to get tomcat work with an encrypted password. [given the fact there is no way anyone can get to the secret key for decrypting the password]

Can't be done. As a minimum some secret has to be visible to the process running Tomcat. Which also means it is visible to any user with root privileges.

By far the simplest solution is to have the tomcat user own server.xml and make that file owner readable only. You can, if you want to make server.xml more widely visible, use property replacement or XML entities to move the password to a separate file and then lock down that file.

You also need to lock down any code run by Tomcat to stop a back-door being inserted. This includes web applications. Alternatively (for web applications) you could run under a security manager.

Frankly this rapidly gets to the point where it is easier to:
a) limit access to the machine to people you trust
b) accept that if an attacker compromises the machine through Tomcat then the password is going to be compromised

I have seen a lot of other 'solutions' proposed for this problem and I have yet to see one that isn't anything more than smoke and mirrors designed to fool people (many of whom should know better) into thinking the password is far more secure than it really is.

Mark

> Thanks! Vijay
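Mark's simplest fix ("have the tomcat user own server.xml and make that file owner readable only") can be checked mechanically, and the same check applies to a separate password file. The following is an added example, not part of the thread: the function name `audit_secret_file`, the numeric-uid argument and the extra parent-directory check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a file that holds the keystore password (server.xml,
# or the separate file the password was moved to).
# Usage (path and account name are assumptions; adjust to your install):
#   audit_secret_file "$CATALINA_BASE/conf/server.xml" "$(id -u tomcat)"
# Prints one line per finding; returns 0 when clean, 1 otherwise.

audit_secret_file() {
    asf_file=$1
    asf_want_uid=$2
    asf_rc=0

    # A symlink's own mode says nothing about the file it points to.
    if [ -L "$asf_file" ]; then
        echo "FAIL: $asf_file is a symlink; audit the real file instead"
        return 1
    fi
    if [ ! -f "$asf_file" ]; then
        echo "FAIL: $asf_file is missing or not a regular file"
        return 1
    fi

    # ls -ldn prints e.g. "-rw------- 1 1001 1001 ..." (numeric uid/gid).
    asf_mode=$(ls -ldn -- "$asf_file" | awk '{print $1}')
    asf_uid=$(ls -ldn -- "$asf_file" | awk '{print $3}')

    if [ "$asf_uid" != "$asf_want_uid" ]; then
        echo "FAIL: $asf_file owned by uid $asf_uid, expected $asf_want_uid"
        asf_rc=1
    fi

    # Characters 5-10 of the mode string are the group and other bits;
    # "owner readable only" means all six must be '-'.
    case $asf_mode in
        ????------*) ;;
        *)
            echo "FAIL: $asf_file mode $asf_mode grants group/other access"
            asf_rc=1 ;;
    esac

    # A directory writable by group or other lets another account replace
    # the file even when the file's own mode is tight.
    asf_dir=$(dirname "$asf_file")
    asf_dmode=$(ls -ldn -- "$asf_dir" | awk '{print $1}')
    case $asf_dmode in
        ?????w*|????????w*)
            echo "FAIL: directory $asf_dir ($asf_dmode) is group/other writable"
            asf_rc=1 ;;
    esac

    if [ "$asf_rc" -eq 0 ]; then
        echo "OK: $asf_file"
    fi
    return "$asf_rc"
}
```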
Re: clear text keystore password in server.xml
I've been giving this whole issue a lot of thought. And not just now for months now. I was wondering if the following was possible in theory, When tomcat is started up it prompts for the password? Wouldn't that help with the whole smoke and mirrors situation?

Regards, Wes
Re: Tomcat 5.5 and Windows 7
hi, you are talking about JVM or something more? thxs
Re: clear text keystore password in server.xml
On 8/27/2010 9:02 AM, Wesley Acheson wrote:
> ...
> I've been giving this whole issue a lot of thought. And not just now for months now. I was wondering if the following was possible in theory, When tomcat is started up it prompts for the password? Wouldn't that help with the whole smoke and mirrors situation?

If you can always be sure somebody is available when tomcat is restarted, I would think that would work to prevent having any clear-text passwords on disk anywhere. It would be really easy to have a single web page where the administrator could go to enter the password after a restart, and there are some checks you could do to help make that fairly secure (i.e. if the password has already been entered, don't allow anybody to enter it again, etc).

Essentially you'd be trading possible downtime for a little more security, but only you can make the decision as to whether that's an appropriate tradeoff for your app.

D
Re: Tomcat 5.5 and Windows 7
On 27/08/2010 14:02, Marcos Molina wrote:
> hi, you are talking about JVM or something more?

Which documents have you read so far? Have you read the RELEASE NOTES?

http://www.apache.org/dist/tomcat/tomcat-5/v5.5.30/RELEASE-NOTES

p
RE: Tomcat 5.5 and Windows 7
Yes, it is possible. I've done it. However, you might run into some problems with Windows 7's enhanced user access stuff.
Re: Tomcat load balancing question x problem
On 27.08.2010 14:17, Thiago Locatelli da Silva wrote:
> Hello list! :)
>
> Here at work I was asked to give a try on load balancing two tomcat servers running tomcat 6.0.29. The problem is that I was given only two servers to do this, which gave me only one option: run the apache in one of these servers. So I decided to put the apache httpd server which is going to balance the load among the two tomcat servers in the Server A (supposing I have server A and B running linux).
>
> My application which needs to be balanced has /agent context. Every time I access the URL http://servera/agent my request is redirected either to http://servera:8080/agent or http://serverb:8080/agent. To my understanding, with load balancing, my url would remain http://servera/agent and the redirect would take place behind the scene and I would never see any redirect to tomcat connector port (8080).
>
> By the way, I am running the load balancing with mod_proxy in the apache server and my configuration is as follows:
>
> =====
> ProxyPass /balancer-manager !
> ProxyPass /status !
> ProxyStatus On
> ProxyRequests Off
>
> <Location /balancer-manager>
>     SetHandler balancer-manager
>     Order Deny,Allow
>     Deny from all
>     Allow from localhost
> </Location>
>
> <Location /status>
>     SetHandler server-status
>     Order Deny,Allow
>     Deny from all
>     Allow from all
> </Location>
>
> <Proxy *>
>     Order deny,allow
>     Allow from all
> </Proxy>
>
> <Proxy balancer://cluster>
>     BalancerMember http://servera:8080/agent/ route=worker0 keepalive=On loadfactor=1
>     BalancerMember http://serverb:8080/agent/ route=worker1 keepalive=On loadfactor=1
>     ProxySet lbmethod=byrequests maxattempts=3 stickysession=JSESSIONID|jsessionid
> </Proxy>
>
> <Location /agent>
>     ProxyPass balancer://cluster/ stickysession=JSESSIONID
>     ProxyPassReverse balancer://cluster/
> </Location>
> =====
>
> Not happy with this scenario, I decided to install the apache httpd server in my laptop and made it as my load balancer instead of using servera to load balance. To my surprise, it worked out of the box with no extra configuration other than the one set up in my servera. I see no redirects to 8080 tomcat's port, due to my overall tests I could see only my desired url: http://localhost/agent (since I was running my tests with apache installed locally).
>
> So my question is: does it make sense to have the load balancer in the same server as one of the balanced server/application? Does mod_proxy support this?
>
> Many thanks for all the attention

The wrong redirect URLs should have been rewritten by ProxyPassReverse. Note that using the balancer URL in ProxyPassReverse only works starting with Apache 2.2.12. Before that, you had to give one ProxyPassReverse statement for each backend URL configured as part of the balancer, e.g.

ProxyPassReverse /agent http://servera:8080/agent
ProxyPassReverse /agent http://serverb:8080/agent

It is simply a rule to rewrite the Location header contained in any 30x response, i.e. replacing the string to the right with the string to the left (if it prefixes the Location URL).

I suggest you
- make sure you have a recent Apache (2.2.16 is the latest 2.2.x)
- inspect the exact redirect response using a browser plugin or network sniffing, especially check the contents of the Location header
- try using the split ProxyPassReverse per backend configuration

Regards,
Rainer
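The Location rewrite described in the reply above, as an added example that is not part of the original thread and is not mod_proxy's code: a simplified Java model of "replace the string to the right with the string to the left if it prefixes the Location URL", run against the three rule sets discussed. The class name, the sample Location values and the `leaksBackend` check are assumptions made for illustration.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Simplified model of the ProxyPassReverse Location rewrite (illustration only). */
public class ProxyPassReverseModel {

    /** One "ProxyPassReverse <path> <backendUrl>" directive. */
    static final class Rule {
        final String path;
        final String backendUrl;
        Rule(String path, String backendUrl) {
            this.path = path;
            this.backendUrl = backendUrl;
        }
    }

    /**
     * Rewrites a backend Location header value. The first rule whose backend URL
     * is a prefix of the Location wins; if none matches, the header is passed
     * through unchanged and the client sees the backend host and port.
     */
    static String rewriteLocation(String location, String frontendBase, List<Rule> rules) {
        for (Rule rule : rules) {
            if (location.startsWith(rule.backendUrl)) {
                return frontendBase + rule.path + location.substring(rule.backendUrl.length());
            }
        }
        return location;
    }

    /** True if the Location still points at one of the backend host:port pairs. */
    static boolean leaksBackend(String location, List<String> backendAuthorities) {
        String authority = URI.create(location).getAuthority();
        return authority != null && backendAuthorities.contains(authority);
    }

    public static void main(String[] args) {
        String frontendBase = "http://servera";
        List<String> backends = Arrays.asList("servera:8080", "serverb:8080");

        // Constructed sample redirects, as a Tomcat backend might send them.
        List<String> locations = Arrays.asList(
                "http://servera:8080/agent/",
                "http://serverb:8080/agent/login.jsp");

        // Rule set 1: the balancer URL form. Read as a plain prefix string it
        // never prefixes an http:// Location, which is the pre-2.2.12 situation.
        List<Rule> balancerForm = new ArrayList<Rule>();
        balancerForm.add(new Rule("/agent", "balancer://cluster/"));

        // Rule set 2: only one backend listed.
        List<Rule> oneBackend = new ArrayList<Rule>();
        oneBackend.add(new Rule("/agent", "http://servera:8080/agent"));

        // Rule set 3: the split configuration from the reply, one rule per backend.
        List<Rule> split = new ArrayList<Rule>();
        split.add(new Rule("/agent", "http://servera:8080/agent"));
        split.add(new Rule("/agent", "http://serverb:8080/agent"));

        String[] names = {"balancer URL form", "one backend only", "split per backend"};
        List<List<Rule>> ruleSets = Arrays.asList(balancerForm, oneBackend, split);

        for (int i = 0; i < ruleSets.size(); i++) {
            System.out.println("== " + names[i]);
            for (String location : locations) {
                String rewritten = rewriteLocation(location, frontendBase, ruleSets.get(i));
                System.out.println("  " + location + " -> " + rewritten
                        + (leaksBackend(rewritten, backends) ? "   [backend exposed]" : ""));
            }
        }
    }
}
```

Comparing the Location header of a captured 30x response against the list of backend host:port pairs, as `leaksBackend` does, is the same check suggested in the reply for a browser plugin or packet capture.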
Re: Tomcat load balancing question x problem
My apache version is 2.2.3 as follows.

[r...@servera ~]$ httpd -version
Server version: Apache/2.2.3
Server built: Nov 10 2007 12:44:08

I will take a look at your suggestions and give a try. I will be further posting my finding on this thread.

Thanks a lot Rainer

T

Rainer Jung wrote:
> On 27.08.2010 14:17, Thiago Locatelli da Silva wrote:
>> Hello list! :)
>>
>> Here at work I was asked to give a try on load balancing two tomcat servers running tomcat 6.0.29. The problem is that I was given only two servers to do this, which gave me only one option: run the apache in one of these servers. So I decided to put the apache httpd server which is going to balance the load among the two tomcat servers in the Server A (supposing I have server A and B running linux).
>>
>> My application which needs to be balanced has /agent context. Every time I access the URL http://servera/agent my request is redirected either to http://servera:8080/agent or http://serverb:8080/agent. To my understanding, with load balancing, my url would remain http://servera/agent and the redirect would take place behind the scene and I would never see any redirect to tomcat connector port (8080).
>>
>> By the way, I am running the load balancing with mod_proxy in the apache server and my configuration is as follows:
>>
>> =====
>> ProxyPass /balancer-manager !
>> ProxyPass /status !
>> ProxyStatus On
>> ProxyRequests Off
>>
>> <Location /balancer-manager>
>>     SetHandler balancer-manager
>>     Order Deny,Allow
>>     Deny from all
>>     Allow from localhost
>> </Location>
>>
>> <Location /status>
>>     SetHandler server-status
>>     Order Deny,Allow
>>     Deny from all
>>     Allow from all
>> </Location>
>>
>> <Proxy *>
>>     Order deny,allow
>>     Allow from all
>> </Proxy>
>>
>> <Proxy balancer://cluster>
>>     BalancerMember http://servera:8080/agent/ route=worker0 keepalive=On loadfactor=1
>>     BalancerMember http://serverb:8080/agent/ route=worker1 keepalive=On loadfactor=1
>>     ProxySet lbmethod=byrequests maxattempts=3 stickysession=JSESSIONID|jsessionid
>> </Proxy>
>>
>> <Location /agent>
>>     ProxyPass balancer://cluster/ stickysession=JSESSIONID
>>     ProxyPassReverse balancer://cluster/
>> </Location>
>> =====
>>
>> Not happy with this scenario, I decided to install the apache httpd server in my laptop and made it as my load balancer instead of using servera to load balance. To my surprise, it worked out of the box with no extra configuration other than the one set up in my servera. I see no redirects to 8080 tomcat's port, due to my overall tests I could see only my desired url: http://localhost/agent (since I was running my tests with apache installed locally).
>>
>> So my question is: does it make sense to have the load balancer in the same server as one of the balanced server/application? Does mod_proxy support this?
>>
>> Many thanks for all the attention
>
> The wrong redirect URLs should have been rewritten by ProxyPassReverse. Note that using the balancer URL in ProxyPassReverse only works starting with Apache 2.2.12. Before that, you had to give one ProxyPassReverse statement for each backend URL configured as part of the balancer, e.g.
>
> ProxyPassReverse /agent http://servera:8080/agent
> ProxyPassReverse /agent http://serverb:8080/agent
>
> It is simply a rule to rewrite the Location header contained in any 30x response, i.e. replacing the string to the right with the string to the left (if it prefixes the Location URL).
>
> I suggest you
> - make sure you have a recent Apache (2.2.16 is the latest 2.2.x)
> - inspect the exact redirect response using a browser plugin or network sniffing, especially check the contents of the Location header
> - try using the split ProxyPassReverse per backend configuration
>
> Regards,
> Rainer
Re: clear text keystore password in server.xml
On 27/08/2010 14:02, Wesley Acheson wrote:
> I've been giving this whole issue a lot of thought. And not just now for months now. I was wondering if the following was possible in theory, When tomcat is started up it prompts for the password? Wouldn't that help with the whole smoke and mirrors situation?

Not really. Nothing stops an attacker replacing a standard Tomcat jar with a modified one that just spits the password straight back out on the next restart. And if the attacker can trigger a heap dump or read the process memory some other way they don't even need that.

You still end up relying on operating system security which in the end is no different to just setting the permissions on the server.xml

Mark
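One way to check the operating-system permissions this reply says everything rests on, as an added example that is not from the thread or the Tomcat project. It assumes a POSIX file system and a Tomcat 6-style layout (`conf/server.xml`, `bin`, `lib`) under the directory given as the first argument; the class name and the optional second argument (path to the keystore) are hypothetical.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Audits the files whose permissions protect the keystore password. */
public class TomcatPermissionAudit {

    /**
     * Reports paths a non-owner can modify and, for files that hold a secret,
     * paths a non-owner can read.
     */
    static List<String> audit(Path path, boolean holdsSecret) throws IOException {
        List<String> findings = new ArrayList<String>();
        if (!Files.exists(path)) {
            findings.add("NOT FOUND             " + path);
            return findings;
        }
        PosixFileAttributes attrs = Files.readAttributes(path, PosixFileAttributes.class);
        Set<PosixFilePermission> perms = attrs.permissions();
        String detail = path + " (owner " + attrs.owner().getName()
                + ", mode " + PosixFilePermissions.toString(perms) + ")";

        // Anyone who can write here can swap in a modified jar or config.
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            findings.add("WRITABLE BY NON-OWNER " + detail);
        }
        // Anyone who can read here can read the clear-text password or the key.
        if (holdsSecret && (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ))) {
            findings.add("READABLE BY NON-OWNER " + detail);
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.err.println("POSIX permissions are not available on this file system");
            System.exit(2);
        }
        Path base = Paths.get(args.length > 0 ? args[0] : ".");
        List<String> findings = new ArrayList<String>();

        // Files that contain the password or the key material itself.
        findings.addAll(audit(base.resolve("conf/server.xml"), true));
        if (args.length > 1) {
            findings.addAll(audit(Paths.get(args[1]), true));
        }

        // Code locations: a writable directory or jar allows the replacement
        // described in the reply above.
        for (String name : new String[] {"bin", "lib"}) {
            Path dir = base.resolve(name);
            findings.addAll(audit(dir, false));
            if (Files.isDirectory(dir)) {
                try (DirectoryStream<Path> jars = Files.newDirectoryStream(dir, "*.jar")) {
                    for (Path jar : jars) {
                        findings.addAll(audit(jar, false));
                    }
                }
            }
        }

        for (String finding : findings) {
            System.out.println(finding);
        }
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

The exit status is non-zero when anything is reported, so the check can gate a startup script or a scheduled job.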
Re: clear text keystore password in server.xml
If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner.

Perhaps Tomcats in clusters could obtain the password from their brethren.

On Aug 27, 2010, at 9:22 AM, David kerber wrote:
> On 8/27/2010 9:02 AM, Wesley Acheson wrote:
>> ... I've been giving this whole issue a lot of thought. And not just now for months now. I was wondering if the following was possible in theory, When tomcat is started up it prompts for the password? Wouldn't that help with the whole smoke and mirrors situation?
>
> If you can always be sure somebody is available when tomcat is restarted, I would think that would work to prevent having any clear-text passwords on disk anywhere. It would be really easy to have a single web page where the administrator could go to enter the password after a restart, and there are some checks you could do to help make that fairly secure (i.e. if the password has already been entered, don't allow anybody to enter it again, etc).
>
> Essentially you'd be trading possible downtime for a little more security, but only you can make the decision as to whether that's an appropriate tradeoff for your app.
>
> D
Re: Tomcat 5.5 and Windows 7
On 27/08/2010 14:35, Jeffrey Janner wrote:
> Yes, it is possible. I've done it.
> However, you might run into some problems with Windows 7's enhanced user access stuff.

Which isn't a Tomcat specific problem, it happens to all sorts of apps on Windows 7.

p

> -----Original Message-----
> From: Marcos Molina [mailto:mmfo...@adinet.com.uy]
> Sent: Thursday, August 26, 2010 10:23 PM
> To: users@tomcat.apache.org
> Subject: Tomcat 5.5 and Windows 7
>
> Hi there,
> I only wanna know if I can run Tomcat 5.5 on Windows 7 ??? And if I have to take any considerations to do it.
> Thanks for your answers.
> Regards
> Marcos.
Re: Engine Cluster definition and FarmWarDeployer
On 27/08/2010 11:40, Brett Delle Grazie wrote:
> On Fri, 2010-08-27 at 10:18 +0100, Pid wrote:
>> On 27/08/2010 09:41, Brett Delle Grazie wrote:
>>> Hi,
>>>
>>> Tomcat: 6.0.29, binary distribution downloaded from apache.org
>>> JVM: 1.6.0_21 (Sun, 64-bit).
>>> OS: Linux RHEL 5.5, fully patched.
>>>
>>> I understand that FarmWarDeployer can only be used in a cluster context defined in a Host, this is fine. I have a cluster fully defined in the Engine context.
>>
>> If you only have one Host, this is a non-issue, right? Just move the cluster definition from the Engine to the Host.
>
> Alas I have two hosts (I realise my example didn't show that). What is the best solution when you have two hosts?

If you want to use the FarmWarDeployer, you need two Clusters AFAICT.

p

> Thanks,
>> p
> Brett Delle Grazie
CLIENT-AUTH x509 attribute mapping to user name
Can anyone tell me what class/method I would need to override to make a client x509 cert subject/dn attribute to a valid tomcat username (in memory realm or otherwise)?

I assume the authenticator method or perhaps the login method...
RE: Tomcat 5.5 and Windows 7
Yes, sorry I didn't make that clear.
I forgot specifically what the problem(s) was/were, but they were trivial.
General install using the setup.exe went just fine, but Windows insisted on getting in the way of admin-type tasks.
Our webapp ran just fine.
Jeff

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Friday, August 27, 2010 9:12 AM
To: Tomcat Users List
Subject: Re: Tomcat 5.5 and Windows 7

On 27/08/2010 14:35, Jeffrey Janner wrote:
> Yes, it is possible. I've done it.
> However, you might run into some problems with Windows 7's enhanced user access stuff.

Which isn't a Tomcat specific problem, it happens to all sorts of apps on Windows 7.

p

> -----Original Message-----
> From: Marcos Molina [mailto:mmfo...@adinet.com.uy]
> Sent: Thursday, August 26, 2010 10:23 PM
> To: users@tomcat.apache.org
> Subject: Tomcat 5.5 and Windows 7
>
> Hi there,
> I only wanna know if I can run Tomcat 5.5 on Windows 7 ??? And if I have to take any considerations to do it.
> Thanks for your answers.
> Regards
> Marcos.
RE: clear text keystore password in server.xml
I was told by my company we're not supposed to have passwords stored in clear text. I explained to them the architecture of Tomcat, and didn't get a clear answer on whether or not it's ok, though I think it is.

I don't know what kind of DB you're using, Vijay, but the Oracle DBA told me he could open the wallet, I could reference in my server.xml file the OCI driver reference instead of thin driver, and omit using the password, as it would be encrypted in the DB column, then decrypted when called. I have not yet tried this out, but am thinking about going down that road. What DB are you using, and is this an option for you?

-----Original Message-----
From: Vijay [mailto:amirisetty.vijayaragha...@gmail.com]
Sent: Friday, August 27, 2010 7:20 AM
To: Tomcat Users List
Subject: Re: clear text keystore password in server.xml

Hi Mark,

I guess I am getting the point you are trying to make .. As long as the password or (the encrypted password and the secret key) are present at some location (file system / database/ etc) .. there is a security gap .. I agree with this ..

This said, I am trying to find a way to get tomcat work with an encrypted password. [given the fact there is no way anyone can get to the secret key for decrypting the password]

Thanks!
Vijay
Re: Best practices for deployment on cluster environment
On 27/08/2010 12:21, Domenico Briganti wrote:
> I've read many responses to this thread, but when you redeploy in an enterprise environment (many httpd+mod_jk - 4 tomcat server - a db) independently if use shared or not appBase, manual or scripted deployer, with or without tomcat manager, you return to your client a 404 or worse a 503 when a request reaches the tomcat. And for my application it's not permitted.
>
> This is what I think I can do:
>
> Environment (24 Apache+mod_jk - 4 tomcat server)
> mod_jk with ping_mode=A and prepost_timeout=1000
>
> to redeploy a webapp:
>
> For each tomcat server:
>   Connect to JMX MBean and stop AJP connector.
>   Wait the end of all AJP RequestProcessor.
>   Redeploy webapp with tomcat manager.
>   Restart tomcat.
>   Wait for 60 sec (The default maintenance of mod_jk).
> end.
>
> How about this?

If you're using mod_jk you can enable the /jk-manager worker (restricted to known IPs only, of course) and take the cluster member out of service at the proxy level before disabling the Tomcat.

You'll have no downtime and won't drop any connections that way.

p

> Regards,
> Domenico
RE: Tomcat 5.5 and Windows 7
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: Tomcat 5.5 and Windows 7
>
> I forgot specifically what the problem(s) was/were, but they were trivial.

Basically, anything (such as tomcat6w.exe) manipulating a service or the registry must be run as administrator, not just running under an administrator account. Same issues exist on Vista and Server 2K8.

- Chuck
Re: CLIENT-AUTH x509 attribute mapping to user name
On 27/08/2010 15:16, Michael Dockery wrote:
> Can anyone tell me what class/method I would need to override to make a client x509 cert subject/dn attribute to a valid tomcat username (in memory realm or otherwise)?
>
> I assume the authenticator method or perhaps the login method...

Please resend this message, starting a new email rather than replying to and editing a message from an existing email thread.

This is called thread-hijacking.

p
RE: Engine Cluster definition and FarmWarDeployer
Hi Pid,

That's what I suspected. Thanks for your help.

Regards,
Brett

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Fri 27/08/2010 15:13
To: Tomcat Users List
Subject: Re: Engine Cluster definition and FarmWarDeployer

On 27/08/2010 11:40, Brett Delle Grazie wrote:
> On Fri, 2010-08-27 at 10:18 +0100, Pid wrote:
>> On 27/08/2010 09:41, Brett Delle Grazie wrote:
>>> Hi,
>>>
>>> Tomcat: 6.0.29, binary distribution downloaded from apache.org
>>> JVM: 1.6.0_21 (Sun, 64-bit).
>>> OS: Linux RHEL 5.5, fully patched.
>>>
>>> I understand that FarmWarDeployer can only be used in a cluster context defined in a Host, this is fine. I have a cluster fully defined in the Engine context.
>>
>> If you only have one Host, this is a non-issue, right? Just move the cluster definition from the Engine to the Host.
>
> Alas I have two hosts (I realise my example didn't show that). What is the best solution when you have two hosts?

If you want to use the FarmWarDeployer, you need two Clusters AFAICT.

p

> Thanks,
>> p
> Brett Delle Grazie
Re: clear text keystore password in server.xml
Ken Bowen wrote:
> If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner.
>
> Perhaps Tomcats in clusters could obtain the password from their brethren.

And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent.
At least it would avoid having the sysadmins sticking it on a Post-It on their screens.
CLIENT-AUTH x509 attribute mapping to user name
Can anyone tell me what class/method I would need to override to map a client x509 cert subject/dn attribute to a valid tomcat username (in memory realm or otherwise)?

I assume the authenticator method or perhaps the login method...
Re: A little trouble with SSL
Andrea,

Please keep discussions on the mailing list.

On 8/26/2010 5:19 PM, Andrea Freire wrote:
> I pass you my configuration, go ahead

It looks like you have not configured Apache httpd for SSL. Did you want to have SSL terminate at Apache httpd or at Tomcat?

> <Connector className="org.apache.tomcat.service.PoolTcpConnector">
>     <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
>     <Parameter name="port" value="6443"/>
>     <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
>     <Parameter name="keystore" value="/root/.keystore" />
>     <Parameter name="keypass" value="my_key_forsecurityreasonsInotputit"/>
>     <Parameter name="clientAuth" value="false"/>
> </Connector>

That's a weird Connector configuration. Where did you get this example?

I note you're trying to use a keystore in /root/.keystore... it's generally not a good idea to run Tomcat as root, and it's generally not a good idea to allow /root to be world-readable. From the above configuration, I suspect you are running Tomcat as root: seriously consider running Tomcat as a non-privileged user.

There's a perfectly good SSL connector configuration listed already in server.xml (though it's commented-out):

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

You just need to uncomment this and add the following attributes:

keystoreFile (note that your attribute was keystore, not keystorefile)
keystorePass

Please see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html for reference.

-chris
multiple instances on a server
Hi,

If you have a server with 15 GB of ram (or any large number for argument's sake), does it ever make sense to run multiple instances of tomcat on the same server? (serving http requests for the same web application)

Or can a single instance utilize all the server resources just fine efficiently?

The reason I am asking is that I have read that those hosting ruby on rails, or python web applications usually run multiple instances of their respective web server, each running on its own port, and then proxied using haproxy or the like.
Re: multiple instances on a server
On 27/08/2010 17:57, S Ahmed wrote:
> Hi,
>
> If you have a server with 15 GB of ram (or any large number for argument's sake), does it ever make sense to run multiple instances of tomcat on the same server? (serving http requests for the same web application)

If you have a 64bit JVM, probably not.

> Or can a single instance utilize all the server resources just fine efficiently?

If you have a 64bit JVM, probably.

> The reason I am asking is that I have read that those hosting ruby on rails, or python web applications usually run multiple instances of their respective web server, each running on its own port, and then proxied using haproxy or the like.

Each having separate resource (DB) pools, which must make managing them a tad tricky. Or maybe that's not a consideration...

p
RE: CLIENT-AUTH x509 attribute mapping to user name
> From: Michael Dockery [mailto:dockeryjava...@yahoo.com]
> Subject: CLIENT-AUTH x509 attribute mapping to user name
>
> Can anyone tell me what class/method

Can anyone tell me what Tomcat version you're using?

> I would need to override to map a client x509 cert subject/dn attribute to a valid tomcat username (in memory realm or otherwise)

Why can't you just use an auth-method of CLIENT-CERT in the login-config for your webapp and let the container take care of it? (Hint: read the servlet spec.)

Also check this wiki entry:
http://wiki.apache.org/tomcat/SSLWithFORMFallback

- Chuck
Re: clear text keystore password in server.xml
André Warnier <a...@ice-sa.com> wrote on 08/27/2010 12:32:43 PM:
> Ken Bowen wrote:
>> If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner.
>>
>> Perhaps Tomcats in clusters could obtain the password from their brethren.
>
> And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent.
> At least it would avoid having the sysadmins sticking it on a Post-It on their screens.

So all the hacker with root privileges has to do is temporarily replace the sysadmins list with a single phone number, and then restart Tomcat, and (s)he is in business...
Re: Session problem
Hi Chris, sorry for the late reply

> In your listener, why don't you dump a stack trace when a session attribute is removed? That will let you know where the code is that is removing your attributes. You may be surprised.

This would be very useful, but how would I generate it since there's no exception that's been thrown? Do I just throw an exception?

-h

On Wed, Aug 25, 2010 at 2:50 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> Hisham,
>
> On 8/25/2010 11:07 AM, Hisham wrote:
>> Let me rephrase what I said: I am not using any custom cookies, the JsessionID cookie gets created by default.
>
> That makes a lot more sense.
>
>> So I created an HttpSessionAttributeListener listener. And what I observed is truly weird. Once I click on Messages tab, the request goes through fine, there are a couple of images that are requested that are delivered correctly. After all this has finished, 2 of the attributes I have stored in the session are removed. Mind you, I have more attributes that DON'T get removed. I did a complete hack that IF these other attributes are still present then go ahead and put the 2 attributes back into the session - and it works fine now!
>
> Er, that will sort of subvert your own authorization mechanism, right?
>
> In your listener, why don't you dump a stack trace when a session attribute is removed? That will let you know where the code is that is removing your attributes. You may be surprised.
>
>> Of course I'm not gonna leave it like this, I still need to figure out what the hell is going on!
>>
>> Here is my filter code:
>>
>> public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
>>         throws IOException, ServletException {
>>     boolean authorized = false;
>>     HttpServletRequest req = (HttpServletRequest) request;
>>     HttpServletResponse res = (HttpServletResponse) response;
>>     HttpSession session = req.getSession(false);
>>     System.out.println(req.getRequestURL());
>>     if (session != null && session.getAttribute("ub") != null) {
>>         authorized = true;
>>         System.out.println("setting authorized = true");
>>         chain.doFilter(request, response);
>>     }
>>     // forward the request to login page
>>     if (!authorized) {
>>         System.out.println("kicked someone from " + request.getRemoteAddr());
>>         res.setHeader("session", "invalid");
>>         res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Your session is invalid or have expired.");
>>     }
>> }
>
> Aside from the odd logic above, this looks okay, except, I don't see a redirect to a login form anywhere, here. You also didn't say what the URL mapping for this filter was. Is it /*? If so, then you'll probably not be able to serve your login page unless you're logged-in.
>
> -chris
Re: clear text keystore password in server.xml
On 8/27/2010 1:14 PM, djohn...@desknetinc.com wrote:
> André Warnier <a...@ice-sa.com> wrote on 08/27/2010 12:32:43 PM:
>> Ken Bowen wrote:
>>> If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner.
>>>
>>> Perhaps Tomcats in clusters could obtain the password from their brethren.
>>
>> And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent.
>> At least it would avoid having the sysadmins sticking it on a Post-It on their screens.
>
> So all the hacker with root privileges has to do is temporarily replace the sysadmins list with a single phone number, and then restart Tomcat, and (s)he is in business...

For a DOS attack, yes. She also needs to know the password to get anything to work.

D
RE: clear text keystore password in server.xml
André Warnier <a...@ice-sa.com> wrote on 08/27/2010 12:32:43 PM:
> And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent.

Just put it on Facebook...

To quote from some architecture specs: Meaningful programming has not been achieved.

- Chuck
Re: Session problem
On 27/08/2010 18:16, Hisham wrote:
> Hi Chris, sorry for the late reply
>
>> In your listener, why don't you dump a stack trace when a session attribute is removed? That will let you know where the code is that is removing your attributes. You may be surprised.

Thread.dumpStack();

p

> This would be very useful, but how would I generate it since there's no exception that's been thrown? Do I just throw an exception?
>
> -h
>
> On Wed, Aug 25, 2010 at 2:50 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>> Hisham,
>>
>> On 8/25/2010 11:07 AM, Hisham wrote:
>>> Let me rephrase what I said: I am not using any custom cookies, the JsessionID cookie gets created by default.
>>
>> That makes a lot more sense.
>>
>>> So I created an HttpSessionAttributeListener listener. And what I observed is truly weird. Once I click on Messages tab, the request goes through fine, there are a couple of images that are requested that are delivered correctly. After all this has finished, 2 of the attributes I have stored in the session are removed. Mind you, I have more attributes that DON'T get removed. I did a complete hack that IF these other attributes are still present then go ahead and put the 2 attributes back into the session - and it works fine now!
>>
>> Er, that will sort of subvert your own authorization mechanism, right?
>>
>> In your listener, why don't you dump a stack trace when a session attribute is removed? That will let you know where the code is that is removing your attributes. You may be surprised.
>>
>>> Of course I'm not gonna leave it like this, I still need to figure out what the hell is going on!
>>>
>>> Here is my filter code:
>>>
>>> public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
>>>         throws IOException, ServletException {
>>>     boolean authorized = false;
>>>     HttpServletRequest req = (HttpServletRequest) request;
>>>     HttpServletResponse res = (HttpServletResponse) response;
>>>     HttpSession session = req.getSession(false);
>>>     System.out.println(req.getRequestURL());
>>>     if (session != null && session.getAttribute("ub") != null) {
>>>         authorized = true;
>>>         System.out.println("setting authorized = true");
>>>         chain.doFilter(request, response);
>>>     }
>>>     // forward the request to login page
>>>     if (!authorized) {
>>>         System.out.println("kicked someone from " + request.getRemoteAddr());
>>>         res.setHeader("session", "invalid");
>>>         res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Your session is invalid or have expired.");
>>>     }
>>> }
>>
>> Aside from the odd logic above, this looks okay, except, I don't see a redirect to a login form anywhere, here. You also didn't say what the URL mapping for this filter was. Is it /*? If so, then you'll probably not be able to serve your login page unless you're logged-in.
>>
>> -chris
Character encoding question
Hi,

I'm using Tomcat 6.0.26. I'm noticing that when our JSP pages are served, we frequently have ?s where apostrophes should be. We think this is because the database-driven content contains the Microsoft style apostrophe.

My question is, if I adjust the character encoding on Tomcat, will it serve the MS character instead of a question mark? I read the default encoding is ISO-8859-1, which I thought would include this mystery character, but apparently it doesn't. Do you know what encoding I should use and where I should set it?

Thanks, - Dave
RE: Session problem
From: Hisham [mailto:mohis...@gmail.com]
Subject: Re: Session problem

how would i generate it since theres no exception that's been thrown?

Standard API call: Thread.dumpStack().

- Chuck
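The suggestion made in this thread, a session attribute listener that records a stack trace whenever an attribute is removed or replaced, could look like the following. This is an added example, not code posted by anyone on the list; the class name `SessionAttributeTracer` is hypothetical, it passes a `Throwable` to the servlet context log instead of calling `Thread.dumpStack()` so the trace lands in the webapp's log, and it has to be registered with a `<listener>` element in `web.xml`.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

/**
 * Added example (hypothetical class): logs who removes or replaces
 * session attributes, with the call stack of the code that did it.
 */
public class SessionAttributeTracer implements HttpSessionAttributeListener {

    public void attributeAdded(HttpSessionBindingEvent event) {
        // Additions are not what is being hunted here; nothing to do.
    }

    public void attributeReplaced(HttpSessionBindingEvent event) {
        trace("replaced", event);
    }

    public void attributeRemoved(HttpSessionBindingEvent event) {
        trace("removed", event);
    }

    private static void trace(String action, HttpSessionBindingEvent event) {
        HttpSession session = event.getSession();
        String message = "session " + sessionTag(session.getId())
                + ": attribute '" + event.getName() + "' " + action
                + " on thread " + Thread.currentThread().getName();
        // A Throwable created here carries the same stack that
        // Thread.dumpStack() would print, without anything being thrown.
        session.getServletContext().log(message, new Throwable("call stack"));
    }

    /**
     * Short, non-reversible tag for correlating log lines. The session ID
     * itself is a credential and should not be written to a log file.
     */
    static String sessionTag(String sessionId) {
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha.digest(sessionId.getBytes("UTF-8"));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 4; i++) {
                hex.append(String.format("%02x", digest[i] & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            return "unknown";
        } catch (java.io.UnsupportedEncodingException e) {
            return "unknown";
        }
    }
}
```

The container also calls `attributeRemoved` when a session expires or is invalidated, so a trace that starts in a container background thread points at session expiry rather than at application code.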
Re: Tomcat load balancing question x problem
Hi Rainer,

I followed your suggestions and it seems to be working, the load balancing, now I need to look into why my application, created with gwt + comet is not working. It seems that comet stopped working.

Thanks
T

Rainer Jung wrote:

On 27.08.2010 14:17, Thiago Locatelli da Silva wrote:

Hello list! :)

Here at work I was asked to give a try on load balancing two tomcat servers running tomcat 6.0.29. The problem is that I was given only two servers to do this, what gave me only one option: run the apache in one of these servers. So I decided to put the apache httpd server which is going to balance the load among the two tomcat server in the Server A (supposing I have server A and B running linux).

My application which needs to be balanced has /agent context. Every time I access the URL http://servera/agent my request is redirect either to http://servera:8080/agent or http://serverb:8080/agent. To my understanding, with load balancing, my url would remain http://servera/agent and the redirect would take place behind the scene and I would never see any redirect to tomcat connector port (8080).

By the way, I am running the load balancing with mod_proxy in the apache server and my configuration is as follow:

=
ProxyPass /balancer-manager !
ProxyPass /status !
ProxyStatus On
ProxyRequests Off
<Location /balancer-manager>
    SetHandler balancer-manager
    Order Deny,Allow
    Deny from all
    Allow from localhost
</Location>
<Location /status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from all
</Location>
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
<Proxy balancer://cluster>
    BalancerMember http://servera:8080/agent/ route=worker0 keepalive=On loadfactor=1
    BalancerMember http://serverb:8080/agent/ route=worker1 keepalive=On loadfactor=1
    ProxySet lbmethod=byrequests maxattempts=3 stickysession=JSESSIONID|jsessionid
</Proxy>
<Location /agent>
    ProxyPass balancer://cluster/ stickysession=JSESSIONID
    ProxyPassReverse balancer://cluster/
</Location>
=

Not happy with this scenario, I decided to install the apache httpd server in my laptop and made it as my load balancer instead of using servera to load balance. For my surprise, it worked out of the box with no extra configuration other than the one set up in my servera. I see no redirects to 8080 tomcat's port, due to my overall tests I could see only my desired url: http://localhost/agent (since I was running my tests with apache installed locally).

So my question is: does it make sense to have the load balancer in the same server as one of the balanced server/application? Does mod_proxy support this?

Many thanks for all the attention

The wrong redirect URLs should have been rewritten by ProxyPassReverse. Note that using the balancer URL in ProxyPassReverse only works starting with Apache 2.2.12. Before you had to give one ProxyPassReverse statement for each backend URL configured as part of the balancer, e.g.

ProxyPassReverse /agent http://servera:8080/agent
ProxyPassReverse /agent http://serverb:8080/agent

It is simply a rule to rewrite the Location header contained in any 30x response, i.e. replacing the string to the right with the string to the left (if it prefixes the Location URL).

I suggest you
- make sure you have a recent Apache (2.2.16 is the latest 2.2.x)
- inspect the exact redirect response using a browser plugin or network sniffing, especially check the contents of the Location header
- try using the split ProxyPassReverse per backend configuration

Regards,
Rainer
Re: CLIENT-AUTH x509 attribute mapping to user name
Our usernames are not named exactly the same as the x509 cert 'subject' attr. (or any other attr)

I was hoping I could do some mapping to match a client cert (attr) to an existing tomcat username ...perhaps similar to the way it appears CAS does
https://wiki.jasig.org/display/CASUM/X.509+Certificates

From: Caldarale, Charles R chuck.caldar...@unisys.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Fri, August 27, 2010 1:12:24 PM
Subject: RE: CLIENT-AUTH x509 attribute mapping to user name

From: Michael Dockery [mailto:dockeryjava...@yahoo.com]
Subject: CLIENT-AUTH x509 attribute mapping to user name

Can anyone tell me what class.method

Can anyone tell me what Tomcat version you're using?

which I would need to override to map a client x509 cert subject/dn attribute to a valid tomcat username (in memory realm or otherwise)

Why can't you just use an auth-method of CLIENT-CERT in the login-config for your webapp and let the container take care of it? (Hint: read the servlet spec.)

Also check this wiki entry:
http://wiki.apache.org/tomcat/SSLWithFORMFallback

- Chuck
Re: Session problem
Yeah I found that through Google! Thanks pid and chuck!

-h

On Fri, Aug 27, 2010 at 1:25 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

From: Hisham [mailto:mohis...@gmail.com]
Subject: Re: Session problem

how would i generate it since theres no exception that's been thrown?

Standard API call: Thread.dumpStack().

- Chuck
RE: multiple instances on a server
The only reasons I have ever come up with are all operations-related, not technical. For example, different maintenance windows requirements get different Tomcat instances.

-Original Message-
From: S Ahmed [mailto:sahmed1...@gmail.com]
Sent: Friday, August 27, 2010 11:57 AM
To: users@tomcat.apache.org
Subject: multiple instances on a server

Hi,

If you have a server with 15 GB of ram (or any large number for arguments sake), does it ever make sense to run multiple instances of tomcat on the same server? (serving http requests for the same web application)

Or can a single instance utilize all the server resources just fine efficiently?

The reason I am asking is that I have read that those hosting ruby on rails, or python web applications usually run multiple instances of their respective web server, each running on its own port, and then proxied using haproxy or the like.
Re: clear text keystore password in server.xml
If the hacker has root privileges I'm pretty sure you have worse problems.

On Fri, Aug 27, 2010 at 7:14 PM, djohn...@desknetinc.com wrote:

André Warnier a...@ice-sa.com wrote on 08/27/2010 12:32:43 PM:

Ken Bowen wrote:

If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner. Perhaps Tomcats in clusters could obtain the password from their brethren.

And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent. At least it would avoid having the sysadmins sticking it on a Post-It on their screens.

So all the hacker with root privileges has to do is temporarily replace the sysadmins list with a single phone number, and then restart Tomcat, and (s)he is in business...
RE: Tomcat 5.5 and Windows 7
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, August 27, 2010 9:35 AM
To: Tomcat Users List
Subject: RE: Tomcat 5.5 and Windows 7

From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Subject: RE: Tomcat 5.5 and Windows 7

I forgot specifically what the problem(s) was/were, but they were trivial.

Basically, anything (such as tomcat6w.exe) manipulating a service or the registry must be run as administrator, not just running under an administrator account. Same issues exist on Vista and Server 2K8.

That was one. And getting it to start on user login without error was a trick. I think I had to mark the executable as run-as-admin-always.
Re: Character encoding question
On 27/08/2010 18:23, laredotornado wrote:

Hi, I'm using Tomcat 6.0.26. I'm noticing that when our JSPs pages are served, we frequently have ?s where apostrophes should be. We think this is because the database-driven content contains the Microsoft style apostrophe.

[wince]

My question is, if I adjust the character encoding on Tomcat, will it serve the MS character instead of a question mark? I read the default encoding is ISO-8859-1, which I thought would include this mystery character, but apparently it doesn't. Do you know what encoding I should use and where I should set it?

Depends. What encoding does the DB use? What kind of DB is it?

p
Re: multiple instances on a server
I think the reason for doing this in ruby is that ruby is single threaded, I've been told. The JVM isn't. This is of course muddied with Jruby.

http://stackoverflow.com/questions/3086467/confused-are-languages-like-python-ruby-single-threaded-unlike-say-java-for

Anyway I don't see any reason you should need to install two instances. I believe that they'll both end up running in the same JVM also but again could be wrong.

On Fri, Aug 27, 2010 at 6:57 PM, S Ahmed sahmed1...@gmail.com wrote:

Hi,

If you have a server with 15 GB of ram (or any large number for arguments sake), does it ever make sense to run multiple instances of tomcat on the same server? (serving http requests for the same web application)

Or can a single instance utilize all the server resources just fine efficiently?

The reason I am asking is that I have read that those hosting ruby on rails, or python web applications usually run multiple instances of their respective web server, each running on its own port, and then proxied using haproxy or the like.
RE: multiple instances on a server
From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
Subject: Re: multiple instances on a server

I believe that they'll both end up running in the same JVM also but again could be wrong.

No, separate Tomcat instances would run in separate JVM instances (processes).

- Chuck
Re: CLIENT-AUTH x509 attribute mapping to user name
On 27/08/2010 18:33, Michael Dockery wrote:

Our usernames are not named exactly the same as the x509 cert 'subject' attr. (or any other attr)

I was hoping i could do some mapping to match a client cert (attr) to an existing tomcat username ...perhaps similar to the way it appears CAS does
https://wiki.jasig.org/display/CASUM/X.509+Certificates

RealmBase.getPrincipal(X509Certificate usercert)

Mark
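A sketch of the override Mark points to, mapping a certificate's CN to an existing realm user. This is an added example, not Tomcat's own code and not posted on the list: the class name `CertMappingRealm` and the CN-to-username table are hypothetical, and it assumes the Tomcat 6 behaviour in which `RealmBase.authenticate(X509Certificate[])` hands the client certificate to the protected `getPrincipal(X509Certificate)` method and `MemoryRealm` resolves usernames through `getPrincipal(String)`.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.apache.catalina.realm.MemoryRealm;

/**
 * Added example (hypothetical class, not part of Tomcat): resolves a
 * CLIENT-CERT login to a MemoryRealm user via the certificate's CN.
 */
public class CertMappingRealm extends MemoryRealm {

    // Constructed sample table: certificate CN -> existing Tomcat username.
    private static final Map<String, String> CN_TO_USER;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("Alice Example", "alice");
        m.put("Bob Example", "bob");
        CN_TO_USER = Collections.unmodifiableMap(m);
    }

    /** The method named in the reply above (assumed Tomcat 6 signature). */
    @Override
    protected Principal getPrincipal(X509Certificate usercert) {
        String cn = commonName(usercert);
        String username = (cn == null) ? null : CN_TO_USER.get(cn);
        if (username == null) {
            // Fail closed: an unmapped or unparsable subject is not a user.
            return null;
        }
        // Reuse the realm's own lookup so roles come from tomcat-users.xml.
        return getPrincipal(username);
    }

    /**
     * Returns the single CN of the subject DN, or null when the DN cannot
     * be parsed, has no CN, has several CNs, or uses a multi-valued or
     * non-string RDN. Parsing with LdapName avoids substring matching on
     * the DN text, which an attacker-chosen attribute value could fool.
     */
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            String cn = null;
            for (Rdn rdn : dn.getRdns()) {
                if (rdn.size() != 1) {
                    return null; // multi-valued RDN: refuse rather than guess
                }
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    if (cn != null || !(rdn.getValue() instanceof String)) {
                        return null; // duplicate CN or encoded value
                    }
                    cn = (String) rdn.getValue();
                }
            }
            return cn;
        } catch (InvalidNameException e) {
            return null;
        }
    }
}
```

Mapping on CN is only as strong as the connector's trust store: every CA trusted for client authentication can issue a certificate carrying any CN, so the trust store should contain only the CA that issues these user certificates.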
Re: Tomcat 5.5 and Windows 7
- Original Message -
From: Jeffrey Janner jeffrey.jan...@polydyne.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, August 27, 2010 1:37 PM
Subject: RE: Tomcat 5.5 and Windows 7

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, August 27, 2010 9:35 AM
To: Tomcat Users List
Subject: RE: Tomcat 5.5 and Windows 7

From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Subject: RE: Tomcat 5.5 and Windows 7

I forgot specifically what the problem(s) was/were, but they were trivial.

Basically, anything (such as tomcat6w.exe) manipulating a service or the registry must be run as administrator, not just running under an administrator account. Same issues exist on Vista and Server 2K8.

That was one. And getting it to start on user login without error was a trick. I think I had to mark the executable as run-as-admin-always.

How do you make something as run-as-admin-always under windows? I have had problems with some apps, so that would be useful.

Michel
Re: multiple instances on a server
On 27/08/2010 18:51, Wesley Acheson wrote:

I think the reason for doing this in ruby is that ruby is single threaded, I've been told. The JVM isn't.

I'm raising an eyebrow.

This is of course muddied with Jruby.

http://stackoverflow.com/questions/3086467/confused-are-languages-like-python-ruby-single-threaded-unlike-say-java-for

Anyway I don't see any reason you should need to install two instances. I believe that they'll both end up running in the same JVM also but again could be wrong.

[ ] Correct
[x] Incorrect

Not unless you deliberately configure two Service instances in server.xml. Which would be unusual and probably self-defeating, if the goal was separate JVMs.

p

On Fri, Aug 27, 2010 at 6:57 PM, S Ahmed sahmed1...@gmail.com wrote:

Hi,

If you have a server with 15 GB of ram (or any large number for arguments sake), does it ever make sense to run multiple instances of tomcat on the same server? (serving http requests for the same web application)

Or can a single instance utilize all the server resources just fine efficiently?

The reason I am asking is that I have read that those hosting ruby on rails, or python web applications usually run multiple instances of their respective web server, each running on its own port, and then proxied using haproxy or the like.
RE: Tomcat 5.5 and Windows 7
Properties..

-Original Message-
From: michel [mailto:compu...@videotron.ca]
Sent: Friday, August 27, 2010 2:03 PM
To: Tomcat Users List
Subject: Re: Tomcat 5.5 and Windows 7

- Original Message -
From: Jeffrey Janner jeffrey.jan...@polydyne.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, August 27, 2010 1:37 PM
Subject: RE: Tomcat 5.5 and Windows 7

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, August 27, 2010 9:35 AM
To: Tomcat Users List
Subject: RE: Tomcat 5.5 and Windows 7

From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Subject: RE: Tomcat 5.5 and Windows 7

I forgot specifically what the problem(s) was/were, but they were trivial.

Basically, anything (such as tomcat6w.exe) manipulating a service or the registry must be run as administrator, not just running under an administrator account. Same issues exist on Vista and Server 2K8.

That was one. And getting it to start on user login without error was a trick. I think I had to mark the executable as run-as-admin-always.

How do you make something as run-as-admin-always under windows? I have had problems with some apps, so that would be useful.

Michel
Re: multiple instances on a server
On Fri, Aug 27, 2010 at 9:41 PM, Pid p...@pidster.com wrote:

On 27/08/2010 18:51, Wesley Acheson wrote:

I think the reason for doing this in ruby is that ruby is single threaded, I've been told. The JVM isn't.

I'm raising an eyebrow.

Huh?
Re: clear text keystore password in server.xml
Vijay,

On 8/27/2010 5:41 AM, Vijay wrote:

I am looking for a way to use only encrypted passwords.

Cool. How are you going to do that?

I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself. Something in the lines of :

    public class WrapperTomcatBootstrap {
        public static void main(String args[]) {
            String encryptedKeystorePassword = System.getenv(ENCRYPTED_KEYSTORE_PASSWORD);

Uh... the environment isn't safe, either. How will you protect the environment?

-chris
Re: multiple instances on a server
Ahmed,

On 8/27/2010 12:57 PM, S Ahmed wrote:

If you have a server with 15 GB of ram (or any large number for arguments sake), does it ever make sense to run multiple instances of tomcat on the same server? (serving http requests for the same web application)

If you want complete isolation between the webapps, then it might make sense to run separate instances of Tomcat. We do this in production so we can bring one instance of Tomcat down without disturbing the others. It also allows us to mix/match JVM and Tomcat versions between the webapps.

Or can a single instance utilize all the server resources just fine efficiently?

Generally, yes. As Pid points out, you'll need a 64-bit JVM to use all that RAM.

-chris
Re: Tomcat load balancing question x problem
On 27.08.2010 19:22, Thiago Locatelli da Silva wrote:

Hi Rainer,

I followed your suggestions and it seems to be working, the load balancing, now I need to look into why my application, created with gwt + comet is not working. It seems that comet stopped working.

Any information about what the solution was? Upgrading Apache, using the backend server URLs in ProxyPassReverse, something else?

Regards,
Rainer

Rainer Jung wrote:

On 27.08.2010 14:17, Thiago Locatelli da Silva wrote:

Hello list! :)

Here at work I was asked to give a try on load balancing two tomcat servers running tomcat 6.0.29. The problem is that I was given only two servers to do this, what gave me only one option: run the apache in one of these servers. So I decided to put the apache httpd server which is going to balance the load among the two tomcat server in the Server A (supposing I have server A and B running linux).

My application which needs to be balanced has /agent context. Every time I access the URL http://servera/agent my request is redirect either to http://servera:8080/agent or http://serverb:8080/agent. To my understanding, with load balancing, my url would remain http://servera/agent and the redirect would take place behind the scene and I would never see any redirect to tomcat connector port (8080).

By the way, I am running the load balancing with mod_proxy in the apache server and my configuration is as follow:

=
ProxyPass /balancer-manager !
ProxyPass /status !
ProxyStatus On
ProxyRequests Off
<Location /balancer-manager>
    SetHandler balancer-manager
    Order Deny,Allow
    Deny from all
    Allow from localhost
</Location>
<Location /status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from all
</Location>
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
<Proxy balancer://cluster>
    BalancerMember http://servera:8080/agent/ route=worker0 keepalive=On loadfactor=1
    BalancerMember http://serverb:8080/agent/ route=worker1 keepalive=On loadfactor=1
    ProxySet lbmethod=byrequests maxattempts=3 stickysession=JSESSIONID|jsessionid
</Proxy>
<Location /agent>
    ProxyPass balancer://cluster/ stickysession=JSESSIONID
    ProxyPassReverse balancer://cluster/
</Location>
=

Not happy with this scenario, I decided to install the apache httpd server in my laptop and made it as my load balancer instead of using servera to load balance. For my surprise, it worked out of the box with no extra configuration other than the one set up in my servera. I see no redirects to 8080 tomcat's port, due to my overall tests I could see only my desired url: http://localhost/agent (since I was running my tests with apache installed locally).

So my question is: does it make sense to have the load balancer in the same server as one of the balanced server/application? Does mod_proxy support this?

Many thanks for all the attention

The wrong redirect URLs should have been rewritten by ProxyPassReverse. Note that using the balancer URL in ProxyPassReverse only works starting with Apache 2.2.12. Before you had to give one ProxyPassReverse statement for each backend URL configured as part of the balancer, e.g.

ProxyPassReverse /agent http://servera:8080/agent
ProxyPassReverse /agent http://serverb:8080/agent

It is simply a rule to rewrite the Location header contained in any 30x response, i.e. replacing the string to the right with the string to the left (if it prefixes the Location URL).

I suggest you
- make sure you have a recent Apache (2.2.16 is the latest 2.2.x)
- inspect the exact redirect response using a browser plugin or network sniffing, especially check the contents of the Location header
- try using the split ProxyPassReverse per backend configuration

Regards,
Rainer
Re: Tomcat 5.5 and Windows 7
Pid,

On 8/27/2010 3:37 AM, Pid wrote:

On 27/08/2010 04:22, Marcos Molina wrote:

Hi there, I only wanna know if i can run Tomcat 5.5 on windows 7 ??? And if i have to take any considerations to do it. Thanks for yours answers.

Only if you install Java first.

And only if you don't need stability from your OS.

-chris
Re: Mike Wilde is out of the office
Martin,

On 8/27/2010 9:38 AM, Martin Gainty wrote:

what is a TST DBAMR USD queue ?

See? I told you this guy goes on a lot of vacations.

Heh. TST DBAMR USD -Mike is a Google thwack. Not for long, though.

-chris
Re: multiple instances on a server
On 27.08.2010 21:58, Wesley Acheson wrote:

On Fri, Aug 27, 2010 at 9:41 PM, Pid p...@pidster.com wrote:

On 27/08/2010 18:51, Wesley Acheson wrote:

I think the reason for doing this in ruby is that ruby is single threaded, I've been told. The JVM isn't.

I'm raising an eyebrow.

Huh?

Adding unqualified rumors: Ruby is not single-threaded, but the Rails framework has a huge lock that effectively makes the biggest part of request handling serialized. Usually Ruby webapps are based on Rails. So yes, Ruby on Rails needs multiple server processes in parallel to effectively scale.

That might be an outdated rumor though.

Regards,
Rainer
Re: Access StandardContext in WebappClassLoader
Stefan,

On 8/27/2010 7:34 AM, Chefo wrote:

thanks for the interest - of course I'll give you an example. Surprisingly it is not java.lang.Object that I'm trying to hide but the stax api in java 6. I need to do so because of the notorious fault in the XMLOutputFactory#newInstance(String, ClassLoader).

Interesting. Why not simply put your replacement STAX into the system's endorsed libraries? Wouldn't that fix pretty much everything, and require much less work?

The thing is that osgi runtime in which the catalina lives complicates the class loading a bit. Note that this black voodoo magic for configuring restricted system packages is not something I've invented - I just saw there is such thing in jetty and was extremely happy to see it could be implemented with little effort in tomcat as well.

Jetty is OSS... can you steal their ClassLoader implementation?

I highly recommend Rainer's suggestion of writing a loader to configure your ClassLoader, rather than trying to get the ClassLoader to configure itself (always tricky).

Good luck, and let us know how it goes.

-chris
PHP on Tomcat?
I have tried running PHP using Quercus, and I may have screwed it up but it worked poorly, with some of the PHP code not being interpreted, instead showing up on the webpage as text.

I have also seen different PHP/Java bridge implementations, but just looking at how to set one of them up had me nervous at all the different steps.

Have people had much success setting up PHP on Tomcat? Simple is best.

Michel