Re: SSLSession invalidate
On 15 Sep 2011, at 23:30, Peter wrote: > A connection is streaming a video, when you "logout" of it's session. > > What happens? I have not tried it. I'll put up some code in Java so you can try it out soon. > > The browser caches img files retrived from on the same server path as the > application to which then one sends an ssl "logout signal". A browser plugin > references the https uri of the image. > > Does the cache release the image, collected over a session that is now closed? > > Sent from my iPhone > > On Sep 15, 2011, at 1:23 AM, Henry Story wrote: > >> You can break TLS sessions once you have the session_id. I tried this in >> Clerezza (an apache incubator project) to see if I could get something like >> a logout functionality to work. I even tried to see if breaking a connection >> and throwing one of the exceptions that TLS defines would force the browser >> to ask the user for another certificate, but it does not work - or only >> quite randomly in most browsers. >> >> https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala >> >> I think it is a bug that they don't react properly to the defined exceptions >> being thrown. >> >> What does work for Firefox and I think IE (Not tested yet, please let me >> know) is the following javascript logout: >> >> function logout(elem) { >> if (document.all == null) { >> if (window.crypto) { >> try{ >> window.crypto.logout(); >> return false; //firefox ok -- no need to follow the link >> } catch (err) {//Safari, Opera, Chrome -- try with tis session >> breaking >> } >> } else { //also try with session breaking >> } >> } else { // MSIE 6+ >> document.execCommand('ClearAuthenticationCache'); >> return false; >> }; >> return true >> } >> >> function login(elem) { logout(elem) } >> >> - >> >> Then you can just put the following html in your page >> >> Joe|> onclick="return logout();">logout >> >> I have added this to the foaf+ssl (WebID protocol) wiki >> http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout >> >> Henry >> >> On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote: >> >>> Don't assume your SSL session or connection hasn't been invalidated just >>> because you aren't asked to choose a certificate from your browser certs >>> when you log in again. In our system (Tomcat 5.5.33), I know that our HTTP >>> session and Single Sign-on session are invalidated upon logout, and we see >>> similar behavior (no need to select certificate) upon re-login because the >>> browser caches the user's certificate choice (and smart card PIN). Is your >>> session ID the same when you go back in? >>> >>> If you are using IE and you want to clear the browser cache to select >>> another certificate, go to Tools->Internet Options, select Content tab, and >>> click Clear SSL state. >>> >>> -Original Message- >>> From: users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org >>> [mailto:users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On >>> Behalf Of Jürgen Jakobitsch >>> Sent: Tuesday, September 06, 2011 3:12 PM >>> To: Tomcat Users List >>> Subject: Re: SSLSession invalidate >>> >>> thanks mark, >>> >>> if i understand you correct, it is simply NOT possible to invalidate the >>> SSLSession of which i can get the id with >>> request.getAttribute("javax.servlet.request.ssl_session") >>> (it works with this key in 6.0.32) >>> >>> wkr turnguard >>> >>> - Original Message - >>> From: "Mark Thomas" >>> To: "Tomcat Users List" >>> Sent: Wednesday, September 7, 2011 12:08:29 AM >>> Subject: Re: SSLSession invalidate >>> >>> On 06/09/2011 22:42, Jürgen Jakobitsch wrote: apparently there is one, i can get it's id with request.getAttribute("javax.servlet.request.ssl_session") >>> >>> That is a Tomcat bug it should be javax.servlet.request.ssl_session_id >>> in tomcat7 there's the possibility to use SSLSessionManager to invalidate SSLSession, so i'm doing a wild guess, that something similar has to be possible with tomcat6 as well. >>> >>> Your wild guess is wrong. That feature is in Tomcat 7 onwards. >>> >>> Mark >>> >>> - >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> >>> -- >>> | Jürgen Jakobitsch, >>> | Software Developer >>> | Semantic Web Company GmbH >>> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria >>> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22 >>> >>> COMPANY INFORMATION >>> | http://www.semantic-web.at/ >>> >>> PERSONAL INFORMATION >>> | web : http://www.turnguard.com >>> | foaf : http://www.turnguard.com/turnguard >>> | skype : jakobitsch-punkt >>> >>> -
RE: 501 error not going to location
Thank you for your reply, The is configured in a web.xml inside my webapp. As for the tomcat version it is Tomcat 7.0.21. Before adding the inside my webapp i was seeing - HTTP Status 501 - Method METHOD is not is not implemented by this servlet for this URI type Status reportmessage Method METHOD is not is not implemented by this servlet for this URI description The server does not support the functionality needed to fulfill this request (Method METHOD is not is not implemented by this servlet for this URI ).Apache Tomcat/7.0.21 After adding the inside my webapp i am see nothing. n828cl wrote: > >> From: kkrikor [mailto:krikor.kruml...@gmail.com] >> Subject: 501 error not going to location > >> I have set up an error page for the 501 error code. > > Where did you configure the ? (Be precise.) > >> Testing with Tomcat 7. > > Tomcat 7.what.what? (Be precise.) > > Since error pages are specific to individual webapps, Tomcat cannot honor > such configuration if the request is so malformed that it's impossible to > select a webapp to which to give the request. > > - Chuck > > > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY > MATERIAL and is thus for use only by the intended recipient. If you > received this in error, please contact the sender and delete the e-mail > and its attachments from all computers. > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -- View this message in context: http://old.nabble.com/501-error-not-going-to-location-tp32466722p32475425.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dean, On 9/14/2011 1:14 PM, Dean Hoover wrote: > I am running Tomcat 5.5 in support of a internal-use only JSPWiki > site. Time to upgrade. It's 7.0.21 time. > To consolidate, I decided to move our internal calendars (using the > iCal .ics extension) from our very old Win2k server to the root > directory of Tomcat as well. > > The problem I am having is that we are unable to modify (add/remove > calendar entries) after the move. We can read them just fine. You should look at your old configuration to see what was enabling the writes to those files. I suspect that WebDAV is involved. Tomcat does support WebDAV: http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/servlets/WebdavServlet.html > I figure there is an issue of permissions, and have Googled many > sites that tell me to change the catalina.policy file and add the > ability for that directory to have read and write access. I've > even used the AllPermissions setting, but with no success. catalina.policy is only for use with a SecurityManager. You may still have a file and/or directory permissions problem. Something I would also caution you about: if you undeploy your webapp, Tomcat will delete all the files in the deployment directory, probably including your calendar files. So maybe you want to put those somewhere else when you configure WebDAV. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5yZ6QACgkQ9CaO5/Lv0PB9PgCgr6BUM3WJSM/9tVydfVjMGKFL iAMAnRv9t7yYbSvGb2z4LX9m2CnSRHtT =W+0c -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_proxy_balancer anomaly Question
Shanti Suresh wrote: All, I am trying to understand some anomaly with mod_proxy and mod_proxy_balancer. mod_proxy works fine if the (reverse)Proxying is done to the local Tomcat Engine rather than going through the balancer. If it goes through the "balancer", then an extra "/" is added on 302 Redirects after the hostname in URLs. Adding "ProxyPreserveHost On" gets the proper 302 Redirects without the extra "/". Short of reading source code, I was hoping someone can explain the: Short answers : (1) purpose of "ProxyPreserveHost On" -> It is to pass the "Host" header from the incoming request onto Tomcat Yes. Because the default is that the front-end uses the hostname named in the ProxyPass statements, to replace the Host header received from the client. (2) Does "ProxyPreserveHost" have any implication on the "Location:" Header going out in 302 responses? It could have, indirectly, if the Tomcats have virtual hosts themselves. E.g. : without the "ProxyPreserveHost", the "Host:" header sent to Tomcat will always be the one from the ProxyPass directive. So this will always be processed by the same virtual host under Tomcat. With the "ProxyPreserveHost", the "Host" header sent by the client will be left unchanged. So it could potentially "select" another virtual host within Tomcat, and this virtual host within Tomcat may return its 302 "Location" header differently than the virtual host mentioned above. (I cannot think of a good reason why this could happen, but I suppose it could) (3) I thought the "ProxyPassReverse" directive was used for setting (rewriting) the "Location:" header in the 302 responses. It is. And it should only rewrite the hostname part of the value. (4) How does Tomcat work without "ProxyPreserveHost On" when requests don't go through the balancer? It will work fine, thank you. ;-) Seriously, at the simplest level, Tomcat doesn't know that it is being proxied to, or balanced, and does not know if in Apache httpd there is a ProxyPreserveHost or not. It gets a HTTP request which contains a Host header. It tries to match that name with one of its own tags. If it finds a match, it dispatches the request to that within Tomcat. If it does not find a match, it dispatches the request to its default host, which is the whose name is mentioned in the tag. What would help figuring this out, is - a copy of the Tomcat's server.xml (edited, remove comments and sensitive info), pasted into your next message (this list strips most attachments) - to know what really creates the 302 Redirect response within Tomcat (and its Location header) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
I forgot to add : Since previously the application was running on a Win2K server, it may be that this Win2K server just "shared" (windows-like) the directory where the .ics files were located, and this being in a local LAN, that the client were just writing the files there via a Windows network file mechanism (and nothing to do with HTTP thus). That sounds quite unsafe and limited, but in a small intranet may be acceptable. If such was the case (and again the client setup should contain a hint), then maybe all that's missing is to "share" the new directory under Tomcat where you put the files. Tomcat won't be involved in the writing part, so it should not stand in the way, at least as long as when a client writes there, the permissions don't prevent Tomcat from reading the files (for the "download" part). Don't take this as a recommendation of how to do it. André Warnier wrote: Right. There should be some setting/parameter corresponding to the Thunderbird plugin, which indicates /how/ it is trying to write files to the server. In Options..Advanced..Config Editor ? I find some traces there in my Thunderbird setup, of parameters starting with "SyncKolab".. (That may be something else though) The point which several people were trying to make here is : Any "sane" webserver setup will never allow a user to /upload/ files to the server, just by specifying their URL. That is because it is potentially a very big security hole. (One generally does not want the first miscreant around to deface one's server by loading his own pages or applications) It is /possible/ to allow this (and there are even special HTTP commands to do that), but you need to add something to the server, in terms of additional modules to handle such uploads, and a special (and careful) configuration to go with it. It is not sufficient to just put the files somewhere where they can be seen and retrieved by a browser, and make them writeable. Thankfully. (Note that all this is not specific to Tomcat. Any reasonable webserver is like that.) One such fairly standard server add-on, in the case of Tomcat, is the DAV application. It is available on the Tomcat website, but not as part of the standard download (I think), and it is certainly not installed by default. It is not the only way, and maybe this particular plugin expects the webserver to run an application which comes along with the plugin. But again, you'd need to install it on the server, it will not be there by default. In any case, one would expect, either in the plugin documentation or in the parameters somwhere on the client, to find a hint as to how the file upload to the server is supposed to happen. Dean Hoover wrote: Fair enough, Chuck. I don't know exactly what writes the file, but since we are using the Lightning add-on from Thunderbird, I would assume that Lightning is doing the work. As far as how it used to work, everyone would read from the .ics calendar on the old server from Lightning via a web link. Those with the proper access were able to write to it for adding/updating/deleting calendar entries. Don't get me wrong, I appreciate the feedback. It seems that this is a little more involved than I thought, which is fine. I see there are open-source alternatives, so I will pursue those. It's all good. Thanks again. Dean On Thu, Sep 15, 2011 at 9:47 AM, Caldarale, Charles R < chuck.caldar...@unisys.com> wrote: From: Dean Hoover [mailto:kb7...@gmail.com] Subject: Re: Using calendar .ics files over Tomcat 5.5 We are not using DAV, just simple iCalendar (.ics) files. But what _writes_ the files? Unless you have your own servlet to do this, or use DAV or a similar file upload mechanism, nothing cause an update of data on the server. It was running on an old Win2k server using an even older Apache web service before. Perhaps if you explained more fully how the prior mechanism worked, we could suggest an alternative for use with Tomcat. So far, we've really got nothing to go on. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
Right. There should be some setting/parameter corresponding to the Thunderbird plugin, which indicates /how/ it is trying to write files to the server. In Options..Advanced..Config Editor ? I find some traces there in my Thunderbird setup, of parameters starting with "SyncKolab".. (That may be something else though) The point which several people were trying to make here is : Any "sane" webserver setup will never allow a user to /upload/ files to the server, just by specifying their URL. That is because it is potentially a very big security hole. (One generally does not want the first miscreant around to deface one's server by loading his own pages or applications) It is /possible/ to allow this (and there are even special HTTP commands to do that), but you need to add something to the server, in terms of additional modules to handle such uploads, and a special (and careful) configuration to go with it. It is not sufficient to just put the files somewhere where they can be seen and retrieved by a browser, and make them writeable. Thankfully. (Note that all this is not specific to Tomcat. Any reasonable webserver is like that.) One such fairly standard server add-on, in the case of Tomcat, is the DAV application. It is available on the Tomcat website, but not as part of the standard download (I think), and it is certainly not installed by default. It is not the only way, and maybe this particular plugin expects the webserver to run an application which comes along with the plugin. But again, you'd need to install it on the server, it will not be there by default. In any case, one would expect, either in the plugin documentation or in the parameters somwhere on the client, to find a hint as to how the file upload to the server is supposed to happen. Dean Hoover wrote: Fair enough, Chuck. I don't know exactly what writes the file, but since we are using the Lightning add-on from Thunderbird, I would assume that Lightning is doing the work. As far as how it used to work, everyone would read from the .ics calendar on the old server from Lightning via a web link. Those with the proper access were able to write to it for adding/updating/deleting calendar entries. Don't get me wrong, I appreciate the feedback. It seems that this is a little more involved than I thought, which is fine. I see there are open-source alternatives, so I will pursue those. It's all good. Thanks again. Dean On Thu, Sep 15, 2011 at 9:47 AM, Caldarale, Charles R < chuck.caldar...@unisys.com> wrote: From: Dean Hoover [mailto:kb7...@gmail.com] Subject: Re: Using calendar .ics files over Tomcat 5.5 We are not using DAV, just simple iCalendar (.ics) files. But what _writes_ the files? Unless you have your own servlet to do this, or use DAV or a similar file upload mechanism, nothing cause an update of data on the server. It was running on an old Win2k server using an even older Apache web service before. Perhaps if you explained more fully how the prior mechanism worked, we could suggest an alternative for use with Tomcat. So far, we've really got nothing to go on. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Request params randomly null in servlet(s)
Pid * wrote: > > > Exactly which version of Tomcat are you running? > > Latest, 7.0.21. -- View this message in context: http://old.nabble.com/Request-params-randomly-null-in-servlet%28s%29-tp32461421p32474158.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat started and localhost:8080 is loading
I had some issues regarding Eclipse and Tomcat. Try setting the IP address for your tomcat to 127.0.0.1 Access it from your browser by the same ip and your port and you should be able to load the tomcat welcome page. --b -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Monday, August 29, 2011 5:17 PM To: Tomcat Users List Subject: Re: Tomcat started and localhost:8080 is loading Hi. At the beginning, you said : When I start startup.sh, I can load the localhost:8080 page. But when I start Tomcat from Eclipse, it is able to start but I'm unable to load the localhost page. Explorer says, "could not connect to localhost:8080". That seems to indicate that Tomcat is not listening on port 8080, when you start it from Eclipse. I am not an Eclipse user, but from similar previous posts on this list, that seems to indicate that Eclipse is using another set of configuration files for Tomcat, than the ones that are used when you start Tomcat from startup.sh. You did not say on which platform you are running this, but try the following to confirm : A) 1) start Tomcat with startup.sh 2) in a command window, enter "netstat -pan" (Linux) or "netstat -aopn" (Windows), and look for lines containing the word LISTEN. You should see a line containing the port ":8080". That is Tomcat, and its PID is at the end of the same line. 3) stop Tomcat B) 1) start Tomcat with Eclipse 2) in a command window, enter "netstat -pan" (Linux) or "netstat -aopn" (Windows), and look for lines containing the word LISTEN. Do you see a line containing the port ":8080" ? If not, and you see for instance a line with port ":80" instead, then it means that Tomcat is started differently. (And try "http://localhost:80";) If so, search the archives of this list as to how to correct that issue. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_proxy_balancer anomaly Question
On 15/09/2011 16:18, Shanti Suresh wrote: > All, > > I am trying to understand some anomaly with mod_proxy and mod_proxy_balancer. > mod_proxy works fine if the (reverse)Proxying is done to the local Tomcat > Engine rather than going through the balancer. If it goes through the > "balancer", then an extra "/" is added on 302 Redirects after the hostname in > URLs. Adding "ProxyPreserveHost On" gets the proper 302 Redirects without > the extra "/". > > Short of reading source code, I was hoping someone can explain the: > (1) purpose of "ProxyPreserveHost On" -> It is to pass the "Host" header > from the incoming request onto Tomcat > (2) Does "ProxyPreserveHost" have any implication on the "Location:" Header > going out in 302 responses? > (3) I thought the "ProxyPassReverse" directive was used for setting > (rewriting) the "Location:" header in the 302 responses. > (4) How does Tomcat work without "ProxyPreserveHost On" when requests don't > go through the balancer? Please start an entirely new email thread. Replying to an existing thread, just editing subject & body, is called thread-hijacking and makes your message appear in the middle of another conversation in threaded mail readers. p signature.asc Description: OpenPGP digital signature
Re: Request params randomly null in servlet(s)
On 15/09/2011 14:46, Darius D. wrote: > > > > Pid * wrote: >> >> >> What is your server.xml config? (please remove comments, passwords etc >> & post it inline, in the response) >> >> > > Here it is, nothing special ( except usage of RemoteIpValve ). Thanks for > looking into this problem. > > > > >SSLEngine="on" /> > >className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/> >className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> >className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /> > > >type="org.apache.catalina.UserDatabase" > description="User database that can be updated and saved" > factory="org.apache.catalina.users.MemoryUserDatabaseFactory" > pathname="conf/tomcat-users.xml" /> > > > > > > protocol="org.apache.coyote.http11.Http11NioProtocol" >connectionTimeout="2" >enableLookups="false" >acceptCount="1000" >maxThreads="500" >maxPostSize="10485760" > /> > > > > > resourceName="UserDatabase"/> > > >unpackWARs="true" autoDeploy="true"> > > protocolHeader="X-Forwarded-Proto" /> > > directory="logs" >prefix="localhost_access_log." suffix=".txt" >pattern="%h %l %u %t "%r" %s %b" > resolveHosts="false"/> > > > > > Exactly which version of Tomcat are you running? p signature.asc Description: OpenPGP digital signature
Re: Tomcat 7.0.21: BufferOverflowException in AjpAprProcessor.output()
Hi Christopher, thanks for your reply. I would like to add that the Exceptions seems to have occured when the client aborted the connection, because at the same time of the exception, in the ISAPI log was the following: [Wed Sep 14 13:55:20.645 2011] [736:7288] [error] iis_write::jk_isapi_plugin.c (1337): Vector write of chunk encoded response failed with 995 (0x03e3) However it's still a bit strange, and I didn't see this Exception in previous versions of Tomcat, when a 995 error appeared in the ISAPI log. -Original-Nachricht- > Von: Christopher Schultz > An: Tomcat Users List > Betreff: Re: Tomcat 7.0.21: BufferOverflowException in > AjpAprProcessor.output() > Datum: Wed, 14 Sep 2011 23:57:45 +0200 > Are you using unusually large requests, possibly including chains of > client certs? If you mean SSL certificates: I don't have any SSL certificate / HTTPS connection on Tomcat. I just use a normal AJP-APR connector and clients connect to IIS through HTTP. Sometimes I send large requests, but I wouldn't expect such an Exception to occur. > > If you have a lot of info that needs to be forwarded from the proxy to > Tomcat, you can exceed the max packet size of the connector, and it's > possible you could get this exception (instead of a nicer error > message). The default is 8k, so if you have large amounts of requests > data, you could be overflowing this packet size. > > Have you set "packetSize" on your ? Have you set > max_packet_size on any of your workers? If so, the > worker.max_packet_size and must agree. I don't have set any of these attributes; I just use the default settings (besides the port). My element is this: My workers.properties from the ISAPI redirector contains this: # Define 1 real worker using ajp13 worker.list=worker1 # Set properties for worker1 (ajp13) worker.worker1.type=ajp13 worker.worker1.host=localhost worker.worker1.port=8019 Thanks, Konstantin Preißer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
Fair enough, Chuck. I don't know exactly what writes the file, but since we are using the Lightning add-on from Thunderbird, I would assume that Lightning is doing the work. As far as how it used to work, everyone would read from the .ics calendar on the old server from Lightning via a web link. Those with the proper access were able to write to it for adding/updating/deleting calendar entries. Don't get me wrong, I appreciate the feedback. It seems that this is a little more involved than I thought, which is fine. I see there are open-source alternatives, so I will pursue those. It's all good. Thanks again. Dean On Thu, Sep 15, 2011 at 9:47 AM, Caldarale, Charles R < chuck.caldar...@unisys.com> wrote: > > From: Dean Hoover [mailto:kb7...@gmail.com] > > Subject: Re: Using calendar .ics files over Tomcat 5.5 > > > We are not using DAV, just simple iCalendar (.ics) files. > > But what _writes_ the files? Unless you have your own servlet to do this, > or use DAV or a similar file upload mechanism, nothing cause an update of > data on the server. > > > It was running on an old Win2k server using an even > > older Apache web service before. > > Perhaps if you explained more fully how the prior mechanism worked, we > could suggest an alternative for use with Tomcat. So far, we've really got > nothing to go on. > > - Chuck > > > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY > MATERIAL and is thus for use only by the intended recipient. If you received > this in error, please contact the sender and delete the e-mail and its > attachments from all computers. > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: HTTP errors Logging
Michael Gesundheit wrote: What?? Ok, I will take the candle. Michael, to send your original message, what you did was : - you edited an older message, which had a subject "Tomcat Redirect Issue - Extra "/" after hostname - Help Please" - then you changed the subject line - then you typed your message - then you sent that message to the list What Pid is telling you, is that this is not a correct way to start a new subject of discussion on this list (and not only on this one). The reason is that when you do it like above, the message that you send still has references in it to the old message that you copied (even if you do not see this). And for people who display list messages in their reader using the "threaded" view, this is very annoying, because your message appears in the middle of the discussion of the other message, while it has nothing to do with that old subject. Like this : Tomcat Redirect Issue - Extra "/" after hostname... - answer #1 : Re: Tomcat Redirect Issue - Extra "/" after hostname... - answer #2 : Re: Tomcat Redirect Issue - Extra "/" after hostname... - answer to answer #2 : Re: Tomcat Redirect Issue - Extra "/" after hostname... - answer #3 : HTTP errors logging - answer #4 : Re: Tomcat Redirect Issue - Extra "/" after hostname... Got it ? To start a new subject, start a new message, do not copy an old one. --- On Thu, 9/15/11, Pid wrote: From: Pid Subject: Re: HTTP errors Logging To: "Tomcat Users List" Date: Thursday, September 15, 2011, 6:13 AM On 14/09/2011 16:26, Michael Gesundheit wrote: Hi, I could not find anything in the archive so here is my question:Is there any way to get DEBUG or any log regarding HTTP error messages? I currently get a 403 but, so far, can't find the root cause. Thanks,-Michael Please start an entirely new email in future. Replying to an existing thread, just editing subject & body, is called thread-hijacking and makes your message appear in the middle of another conversation in threaded mail readers. p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
mod_proxy_balancer anomaly Question
All, I am trying to understand some anomaly with mod_proxy and mod_proxy_balancer. mod_proxy works fine if the (reverse)Proxying is done to the local Tomcat Engine rather than going through the balancer. If it goes through the "balancer", then an extra "/" is added on 302 Redirects after the hostname in URLs. Adding "ProxyPreserveHost On" gets the proper 302 Redirects without the extra "/". Short of reading source code, I was hoping someone can explain the: (1) purpose of "ProxyPreserveHost On" -> It is to pass the "Host" header from the incoming request onto Tomcat (2) Does "ProxyPreserveHost" have any implication on the "Location:" Header going out in 302 responses? (3) I thought the "ProxyPassReverse" directive was used for setting (rewriting) the "Location:" header in the 302 responses. (4) How does Tomcat work without "ProxyPreserveHost On" when requests don't go through the balancer? Thanks! -Shanti -- Shanti Suresh sha...@umich.edu http://lsa.umich.edu/cms
Re: Issue with outofMemory in Tomcat 6.0.32
We just fixed that very same error by adding "-XX:MaxPermSize=128m" to our java arguments. -kari On Sep 15, 2011, at 10:07 AM, wrote: > Hi, > > We have tomat 6.0.32 running with three different applications and oracle 11g > as database with hibernate as the persistence layer. > > We are facing with the following error very frequently. Any idea what could > be reasons for this error. > > Sep 13, 2011 10:28:31 AM org.apache.catalina.core.StandardWrapperValve invoke > SEVERE: Allocate exception for servlet AxisServlet > java.lang.OutOfMemoryError: PermGen space >at java.lang.Throwable.getStackTraceElement(Native Method) >at java.lang.Throwable.getOurStackTrace(Throwable.java:591) >at java.lang.Throwable.printStackTrace(Throwable.java:510) >at java.util.logging.SimpleFormatter.format(Unknown Source) >at org.apache.juli.FileHandler.publish(FileHandler.java:158) >at java.util.logging.Logger.log(Unknown Source) >at java.util.logging.Logger.doLog(Unknown Source) >at java.util.logging.Logger.logp(Unknown Source) >at org.apache.juli.logging.DirectJDKLog.log(D > > Regards > Dayakar > > Please do not print this email unless it is absolutely necessary. > > The information contained in this electronic message and any attachments to > this message are intended for the exclusive use of the addressee(s) and may > contain proprietary, confidential or privileged information. If you are not > the intended recipient, you should not disseminate, distribute or copy this > e-mail. Please notify the sender immediately and destroy all copies of this > message and any attachments. > > WARNING: Computer viruses can be transmitted via email. The recipient should > check this email and any attachments for the presence of viruses. The company > accepts no liability for any damage caused by any virus transmitted by this > email. > > www.wipro.com _ Kari Scott Senior Programmer kari.sc...@cdw.com CDW 5520 Research Park Drive Madison, WI 53711 Office: 608 298 1223 Fax: 608 288 3007 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Issue with outofMemory in Tomcat 6.0.32
Hi, We have tomat 6.0.32 running with three different applications and oracle 11g as database with hibernate as the persistence layer. We are facing with the following error very frequently. Any idea what could be reasons for this error. Sep 13, 2011 10:28:31 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Allocate exception for servlet AxisServlet java.lang.OutOfMemoryError: PermGen space at java.lang.Throwable.getStackTraceElement(Native Method) at java.lang.Throwable.getOurStackTrace(Throwable.java:591) at java.lang.Throwable.printStackTrace(Throwable.java:510) at java.util.logging.SimpleFormatter.format(Unknown Source) at org.apache.juli.FileHandler.publish(FileHandler.java:158) at java.util.logging.Logger.log(Unknown Source) at java.util.logging.Logger.doLog(Unknown Source) at java.util.logging.Logger.logp(Unknown Source) at org.apache.juli.logging.DirectJDKLog.log(D Regards Dayakar Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
RE: Using calendar .ics files over Tomcat 5.5
> From: Dean Hoover [mailto:kb7...@gmail.com] > Subject: Re: Using calendar .ics files over Tomcat 5.5 > We are not using DAV, just simple iCalendar (.ics) files. But what _writes_ the files? Unless you have your own servlet to do this, or use DAV or a similar file upload mechanism, nothing cause an update of data on the server. > It was running on an old Win2k server using an even > older Apache web service before. Perhaps if you explained more fully how the prior mechanism worked, we could suggest an alternative for use with Tomcat. So far, we've really got nothing to go on. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
We are not using DAV, just simple iCalendar (.ics) files. It was running on an old Win2k server using an even older Apache web service before. Was just hoping to be able to move the files over and allow write permissions in Tomcat. If that's not possible, I will pursue another option to make it work. Thanks everyone for your comments. Dean On Thu, Sep 15, 2011 at 8:05 AM, Pid wrote: > On 15/09/2011 13:28, André Warnier wrote: > > Pid wrote: > >> On 15/09/2011 02:08, Dean Hoover wrote: > >>> We're using Lightning (add-on from Thunderbird email client). The > >>> error we > >>> get is MODIFICATION_FAILED, which from some review points to > >>> permissions to > >>> the .ics file. > >>> > >>> On Wed, Sep 14, 2011 at 4:34 PM, Pid wrote: > >>> > On 14/09/2011 18:14, Dean Hoover wrote: > > The problem I am having is that we are unable to modify (add/remove > calendar > > entries) after the move. > How are you trying to update them? > >> > >> So you are trying to execute a write operation on the file over HTTP? > >> It is not possible to simply write to files published on web servers > >> over HTTP, as if they are on an accessible file system. > > > > Unless that thing uses DAV, and the server is configured to support it > > of course. I have a vague recollection that this is what this plugin > > expects. > > Correct, but then that is not a 'simple' write to the file... > The OP hasn't mentioned DAV yet. > > > p > >
Re: HTTP errors Logging
What?? --- On Thu, 9/15/11, Pid wrote: From: Pid Subject: Re: HTTP errors Logging To: "Tomcat Users List" Date: Thursday, September 15, 2011, 6:13 AM On 14/09/2011 16:26, Michael Gesundheit wrote: > Hi, > I could not find anything in the archive so here is my question:Is there any > way to get DEBUG or any log regarding HTTP error messages? > I currently get a 403 but, so far, can't find the root cause. > Thanks,-Michael Please start an entirely new email in future. Replying to an existing thread, just editing subject & body, is called thread-hijacking and makes your message appear in the middle of another conversation in threaded mail readers. p
JK Status: Load Balancer Value has offset , negative number of backend connections
Hi we have pretty often an offset on our Load Balancer Values and negative number of backend connections (see jk-status screenshot). We just updated mod_jk but the problems just come more frequent IMHO. Might this (little bit older) statistics for worker catalog5 be helpful for solving / determining our issues? > tail -n 1 mod_jk.log | grep "Tue Sep 13.*catalog5.*Tomcat is down or > refused" -m 1 [Tue Sep 13 00:12:38 2011] [25200:140196360267520] [error] ajp_get_reply::jk_ajp_common.c (2118): (catalog5) Tomcat is down or refused connection. No response has been sent to the client (yet) > tail -n 1 mod_jk.log | grep "Tue Sep 13.*catalog5.*Tomcat is down or > refused" | wc -l 39 > tail -n 1 mod_jk.log | grep "Tue Sep 13.*\[error\].*catalog5" | wc -l 43 By the way I often saw a huge negative number (400-700) of backend connections during Err contained this number (plus some more), too. Do you have any ideas how to fix these problems? Server version: Apache Tomcat/6.0.20 Server built: May 14 2009 01:13:50 Server number: 6.0.20.0 OS Name:Linux OS Version: 2.6.30 Architecture: i386 JVM Version:1.6.0_26-b03 JVM Vendor: Sun Microsystems Inc. Thanx SPH http://old.nabble.com/file/p32471854/jk-status-faulty-value.png jk-status-faulty-value.png -- View this message in context: http://old.nabble.com/JK-Status%3A-Load-Balancer-Value-has-offset-%2C-negative-number-of-backend-connections-tp32471854p32471854.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Request params randomly null in servlet(s)
Pid * wrote: > > > What is your server.xml config? (please remove comments, passwords etc > & post it inline, in the response) > > Here it is, nothing special ( except usage of RemoteIpValve ). Thanks for looking into this problem. -- View this message in context: http://old.nabble.com/Request-params-randomly-null-in-servlet%28s%29-tp32461421p32471737.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Bad documentation error on Tomcat 6.0 howto site
On 09/15/2011 08:09 AM, Konstantin Kolinko wrote: 2011/9/15 Steve Cohen: 6.0.20. Yes, it is old... Someone told me that the manager-gui, manager-script stuff was 7.0, I switched it to manager and it worked. So evidently, this was changed in a later 6.0.x version. To me, that seems like sort of a major change to make in a minor upgrade version and it should at least be documented. See changelog, as well as release announcements. Or is the tomcat 6.0 documentation ONLY supposed to cover the latest release? It covers only the latest release. The documentation for the version that you are using is included in the download itself (see webapps/docs). Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org ok, thanks. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Request params randomly null in servlet(s)
On 14/09/2011 16:38, Darius D. wrote: > >> p >> > > Well the problem is that we already looked for that mode of failure, our > servlet class has 0 instance variables... Basically it is a method like i > pasted before, doing HttpSession session = request.getSession(); and if > session is valid (it is!) immediately reading those params with String > action = request.getParameter("type"); > > Request object is perfectly valid when those params are missing ( session, > query etc are preserved, its just those params we are missing ). Error > happens in bursts in a rate of ~25 / million requests. What is your server.xml config? (please remove comments, passwords etc & post it inline, in the response) p signature.asc Description: OpenPGP digital signature
Re: HTTP errors Logging
On 14/09/2011 16:26, Michael Gesundheit wrote: > Hi, > I could not find anything in the archive so here is my question:Is there any > way to get DEBUG or any log regarding HTTP error messages? > I currently get a 403 but, so far, can't find the root cause. > Thanks,-Michael Please start an entirely new email in future. Replying to an existing thread, just editing subject & body, is called thread-hijacking and makes your message appear in the middle of another conversation in threaded mail readers. p signature.asc Description: OpenPGP digital signature
Re: Bad documentation error on Tomcat 6.0 howto site
2011/9/15 Steve Cohen : > 6.0.20. Yes, it is old... > Someone told me that the manager-gui, manager-script stuff was 7.0, > I switched it to manager and it worked. So evidently, this was changed in a > later 6.0.x version. To me, that seems like sort of a major change to make > in a minor upgrade version and it should at least be documented. See changelog, as well as release announcements. > Or is the > tomcat 6.0 documentation ONLY supposed to cover the latest release? It covers only the latest release. The documentation for the version that you are using is included in the download itself (see webapps/docs). Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
On 15/09/2011 13:28, André Warnier wrote: > Pid wrote: >> On 15/09/2011 02:08, Dean Hoover wrote: >>> We're using Lightning (add-on from Thunderbird email client). The >>> error we >>> get is MODIFICATION_FAILED, which from some review points to >>> permissions to >>> the .ics file. >>> >>> On Wed, Sep 14, 2011 at 4:34 PM, Pid wrote: >>> On 14/09/2011 18:14, Dean Hoover wrote: > The problem I am having is that we are unable to modify (add/remove calendar > entries) after the move. How are you trying to update them? >> >> So you are trying to execute a write operation on the file over HTTP? >> It is not possible to simply write to files published on web servers >> over HTTP, as if they are on an accessible file system. > > Unless that thing uses DAV, and the server is configured to support it > of course. I have a vague recollection that this is what this plugin > expects. Correct, but then that is not a 'simple' write to the file... The OP hasn't mentioned DAV yet. p signature.asc Description: OpenPGP digital signature
Re: Bad documentation error on Tomcat 6.0 howto site
On 09/15/2011 07:39 AM, Konstantin Kolinko wrote: 2011/9/15 Steve Cohen: There is a bad error on the Tomcat 6.0 documentation website: http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring_Manager_Application_Access They give the 7.0 syntax for manager role names. 6.0 requires "manager", not "manager-gui" or "manager-script" and it led astray for several hours. The documentation is correct. You are probably using an old version of Tomcat 6 (and you are not telling us which one). Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org 6.0.20. Someone told me that the manager-gui, manager-script stuff was 7.0, I switched it to manager and it worked. So evidently, this was changed in a later 6.0.x version. To me, that seems like sort of a major change to make in a minor upgrade version and it should at least be documented. Or is the tomcat 6.0 documentation ONLY supposed to cover the latest release? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
On Thu, Sep 15, 2011 at 14:54, André Warnier wrote: [...] > > One difficulty with implementing an Apache httpd-like scheme is that, in > httpd, the order of the allow/deny plays a big role, and preserving the > order is generally more difficult in XML. > Which is why there is "Order" ;) > But maybe just this : the "localhost" case is so frequent, that maybe it > could just be a separate attribute in the Valve, like : > localhostAllow="true/false" or even localhost="allow/deny" > and internally match any form of localhost. > That may allow for some optimisation. I'm sure the impact would be tiny, > but since this is code that gets invoked at just every request and generally > quite early, it may be significant. > I was rather thinking about a completely new valve, allowing to specify CIDR ranges, subdomains, etc etc. It is certainly doable. -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
2011/9/15 André Warnier : > Konstantin Kolinko wrote: >> >> 2011/9/15 André Warnier : >>> >>> On the other hand, using a regexp provides for quite a bit of flexibility >>> regarding ranges of addresses. You could use something like : >>> "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)" >> >> Just 127\.0\.0\.1 >> It is XML - no need to double the slashes. > > For XML parsing not. But then it becomes a String, and this String is > passed to the regexp engine.. > And the regexp engine will interpret "." as "any character", while it > interprets "\." as "a dot character". > So, are you sure ? String needs double "\" when it is written in Java sources or in properties files. Double slash becomes single slash when the class is compiled or when the properties file is read. When it is in memory it does not need the double slashes. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
Francis GALIEGUE wrote: On Thu, Sep 15, 2011 at 14:25, André Warnier wrote: [...] OK, I've found the bug... I have added an access log valve and here is what I see in it: [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403 GET //manager/text/list HTTP/1.0 That explains it. So, I do have IPv6, but the valve doesn't recognize ::1 as being equivalent to the fully expanded IPv6 address... If it only tries and matches the regex, the behaviour is therefore normal. Aha. So I do get a Debugger Bonus Point after all. Yes, indeed. Even though I have NETWORKING_IPV6=no in /etc/sysconfig/network. Bah. I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it does work... So, PEBKAC mostly, but I think Tomcat should be able to treat reduced IPv6 address formats. That would mean that both the address configured in the Valve, and the client address, would need to be "canonicalised" and then compared. You'll probably see the traditional "patches are welcome" soon. On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges of addresses. You could use something like : "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)" Well, checking address ranges would be _much_ easier if regexes were not anchored... But anyway, the "allow" and "deny" as they exist currently just don't cut the mustard, and are far from being as potent as, say Apache's Allow from and Deny from. This should be the goal. RemoteAddrValveEvolved? One difficulty with implementing an Apache httpd-like scheme is that, in httpd, the order of the allow/deny plays a big role, and preserving the order is generally more difficult in XML. But maybe just this : the "localhost" case is so frequent, that maybe it could just be a separate attribute in the Valve, like : localhostAllow="true/false" or even localhost="allow/deny" and internally match any form of localhost. That may allow for some optimisation. I'm sure the impact would be tiny, but since this is code that gets invoked at just every request and generally quite early, it may be significant. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
Konstantin Kolinko wrote: 2011/9/15 André Warnier : On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges of addresses. You could use something like : "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)" Just 127\.0\.0\.1 It is XML - no need to double the slashes. For XML parsing not. But then it becomes a String, and this String is passed to the regexp engine.. And the regexp engine will interpret "." as "any character", while it interprets "\." as "a dot character". So, are you sure ? Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Bad documentation error on Tomcat 6.0 howto site
2011/9/15 Steve Cohen : > There is a bad error on the Tomcat 6.0 documentation website: > http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring_Manager_Application_Access > > They give the 7.0 syntax for manager role names. 6.0 requires "manager", > not "manager-gui" or "manager-script" and it led astray for several hours. The documentation is correct. You are probably using an old version of Tomcat 6 (and you are not telling us which one). Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Bad documentation error on Tomcat 6.0 howto site
There is a bad error on the Tomcat 6.0 documentation website: http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring_Manager_Application_Access They give the 7.0 syntax for manager role names. 6.0 requires "manager", not "manager-gui" or "manager-script" and it led astray for several hours. Thanks. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
2011/9/15 André Warnier : > On the other hand, using a regexp provides for quite a bit of flexibility > regarding ranges of addresses. You could use something like : > "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)" Just 127\.0\.0\.1 It is XML - no need to double the slashes. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
On Thu, Sep 15, 2011 at 14:25, André Warnier wrote: [...] >> >> OK, I've found the bug... >> >> I have added an access log valve and here is what I see in it: >> >> [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403 >> GET //manager/text/list HTTP/1.0 >> >> That explains it. So, I do have IPv6, but the valve doesn't recognize >> ::1 as being equivalent to the fully expanded IPv6 address... If it >> only tries and matches the regex, the behaviour is therefore normal. > > Aha. So I do get a Debugger Bonus Point after all. > Yes, indeed. Even though I have NETWORKING_IPV6=no in /etc/sysconfig/network. Bah. >> >> I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it >> does work... >> >> So, PEBKAC mostly, but I think Tomcat should be able to treat reduced >> IPv6 address formats. >> > > That would mean that both the address configured in the Valve, and the > client address, would need to be "canonicalised" and then compared. > You'll probably see the traditional "patches are welcome" soon. > > On the other hand, using a regexp provides for quite a bit of flexibility > regarding ranges of addresses. You could use something like : > "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)" > Well, checking address ranges would be _much_ easier if regexes were not anchored... But anyway, the "allow" and "deny" as they exist currently just don't cut the mustard, and are far from being as potent as, say Apache's Allow from and Deny from. This should be the goal. RemoteAddrValveEvolved? -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
Pid wrote: On 15/09/2011 02:08, Dean Hoover wrote: We're using Lightning (add-on from Thunderbird email client). The error we get is MODIFICATION_FAILED, which from some review points to permissions to the .ics file. On Wed, Sep 14, 2011 at 4:34 PM, Pid wrote: On 14/09/2011 18:14, Dean Hoover wrote: The problem I am having is that we are unable to modify (add/remove calendar entries) after the move. How are you trying to update them? So you are trying to execute a write operation on the file over HTTP? It is not possible to simply write to files published on web servers over HTTP, as if they are on an accessible file system. Unless that thing uses DAV, and the server is configured to support it of course. I have a vague recollection that this is what this plugin expects. Is there an access log configured, and if so, what are the log lines that show access attempts to those files? p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
Francis GALIEGUE wrote: On Thu, Sep 15, 2011 at 10:06, Francis GALIEGUE wrote: On Wed, Sep 14, 2011 at 20:49, Mark Eggers wrote: [...] I've not tried this in Tomcat, but here's a thought. According to: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter Tomcat uses java.util.regex for pattern matching. This means that if you want a string regular expression to include a ".", you'll end up entering it as \\. Try using "127\\.0\\.0\\.1|::1" and see if that fixes your problem. I have no idea why it would work in previous versions (have not checked the change log). . . . . just my two cents. Yep, fair enough. But in this case "\." would have expanded to a dot and it would have matched anyway. @André: I do connect from localhost using wget, mainly: wget -O - -nv --http-user= --http-password= http://localhost:8080//manager/text/list But even so, using "127\\.0\\.0\\.1", I get 403... There definitely is something broken :( OK, I've found the bug... I have added an access log valve and here is what I see in it: [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403 GET //manager/text/list HTTP/1.0 That explains it. So, I do have IPv6, but the valve doesn't recognize ::1 as being equivalent to the fully expanded IPv6 address... If it only tries and matches the regex, the behaviour is therefore normal. Aha. So I do get a Debugger Bonus Point after all. I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it does work... So, PEBKAC mostly, but I think Tomcat should be able to treat reduced IPv6 address formats. That would mean that both the address configured in the Valve, and the client address, would need to be "canonicalised" and then compared. You'll probably see the traditional "patches are welcome" soon. On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges of addresses. You could use something like : "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)" - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using calendar .ics files over Tomcat 5.5
On 15/09/2011 02:08, Dean Hoover wrote: > We're using Lightning (add-on from Thunderbird email client). The error we > get is MODIFICATION_FAILED, which from some review points to permissions to > the .ics file. > > On Wed, Sep 14, 2011 at 4:34 PM, Pid wrote: > >> On 14/09/2011 18:14, Dean Hoover wrote: >>> The problem I am having is that we are unable to modify (add/remove >> calendar >>> entries) after the move. >> >> How are you trying to update them? So you are trying to execute a write operation on the file over HTTP? It is not possible to simply write to files published on web servers over HTTP, as if they are on an accessible file system. Is there an access log configured, and if so, what are the log lines that show access attempts to those files? p signature.asc Description: OpenPGP digital signature
Re: tomcat 7.0.21: bug in RemoteAddrValve?
On Thu, Sep 15, 2011 at 10:26, Francis GALIEGUE wrote: [...] > > I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it > does work... > Which makes me think: the documentation SHOULD specify that regexes in the "allow" and "deny" parameters of the valve are ANCHORED. That's a pity, since it means you cannot really use the full power of regexes... -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 7.0.21: bug in RemoteAddrValve?
On Thu, Sep 15, 2011 at 10:06, Francis GALIEGUE wrote: > On Wed, Sep 14, 2011 at 20:49, Mark Eggers wrote: > [...] >> >> I've not tried this in Tomcat, but here's a thought. >> >> According to: >> >> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter >> >> >> Tomcat uses java.util.regex for pattern matching. This means that if you >> want a string regular expression to include a ".", you'll end up entering it >> as \\. >> >> Try using "127\\.0\\.0\\.1|::1" and see if that fixes your problem. >> >> I have no idea why it would work in previous versions (have not checked the >> change log). >> >> . . . . just my two cents. > > Yep, fair enough. But in this case "\." would have expanded to a dot > and it would have matched anyway. > > @André: I do connect from localhost using wget, mainly: > > wget -O - -nv --http-user= --http-password= > http://localhost:8080//manager/text/list > > But even so, using "127\\.0\\.0\\.1", I get 403... There definitely is > something broken :( > OK, I've found the bug... I have added an access log valve and here is what I see in it: [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403 GET //manager/text/list HTTP/1.0 That explains it. So, I do have IPv6, but the valve doesn't recognize ::1 as being equivalent to the fully expanded IPv6 address... If it only tries and matches the regex, the behaviour is therefore normal. I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it does work... So, PEBKAC mostly, but I think Tomcat should be able to treat reduced IPv6 address formats. -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSLSession invalidate
You can break TLS sessions once you have the session_id. I tried this in Clerezza (an apache incubator project) to see if I could get something like a logout functionality to work. I even tried to see if breaking a connection and throwing one of the exceptions that TLS defines would force the browser to ask the user for another certificate, but it does not work - or only quite randomly in most browsers. https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala I think it is a bug that they don't react properly to the defined exceptions being thrown. What does work for Firefox and I think IE (Not tested yet, please let me know) is the following javascript logout: function logout(elem) { if (document.all == null) { if (window.crypto) { try{ window.crypto.logout(); return false; //firefox ok -- no need to follow the link } catch (err) {//Safari, Opera, Chrome -- try with tis session breaking } } else { //also try with session breaking } } else { // MSIE 6+ document.execCommand('ClearAuthenticationCache'); return false; }; return true } function login(elem) { logout(elem) } - Then you can just put the following html in your page Joe|logout I have added this to the foaf+ssl (WebID protocol) wiki http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout Henry On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote: > Don't assume your SSL session or connection hasn't been invalidated just > because you aren't asked to choose a certificate from your browser certs when > you log in again. In our system (Tomcat 5.5.33), I know that our HTTP > session and Single Sign-on session are invalidated upon logout, and we see > similar behavior (no need to select certificate) upon re-login because the > browser caches the user's certificate choice (and smart card PIN). Is your > session ID the same when you go back in? > > If you are using IE and you want to clear the browser cache to select another > certificate, go to Tools->Internet Options, select Content tab, and click > Clear SSL state. > > -Original Message- > From: users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org > [mailto:users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On > Behalf Of Jürgen Jakobitsch > Sent: Tuesday, September 06, 2011 3:12 PM > To: Tomcat Users List > Subject: Re: SSLSession invalidate > > thanks mark, > > if i understand you correct, it is simply NOT possible to invalidate the > SSLSession of which i can get the id with > request.getAttribute("javax.servlet.request.ssl_session") > (it works with this key in 6.0.32) > > wkr turnguard > > - Original Message - > From: "Mark Thomas" > To: "Tomcat Users List" > Sent: Wednesday, September 7, 2011 12:08:29 AM > Subject: Re: SSLSession invalidate > > On 06/09/2011 22:42, Jürgen Jakobitsch wrote: >> apparently there is one, i can get it's id with >> request.getAttribute("javax.servlet.request.ssl_session") > > That is a Tomcat bug it should be javax.servlet.request.ssl_session_id > >> in tomcat7 there's the possibility to use SSLSessionManager to >> invalidate SSLSession, so i'm doing a wild guess, that something similar has >> to be possible with tomcat6 as well. > > Your wild guess is wrong. That feature is in Tomcat 7 onwards. > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -- > | Jürgen Jakobitsch, > | Software Developer > | Semantic Web Company GmbH > | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria > | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22 > > COMPANY INFORMATION > | http://www.semantic-web.at/ > > PERSONAL INFORMATION > | web : http://www.turnguard.com > | foaf : http://www.turnguard.com/turnguard > | skype : jakobitsch-punkt > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > Social Web Architect http://bblfish.net/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Availability of Apache Tomcat 6.0.34?
Hi, Does anyone know when the fix for the specific vulnerability: CVE-2011-3190 will be available for the 6.0.33 version of Apache Tomcat? Best Regards, Shanti
Re: tomcat 7.0.21: bug in RemoteAddrValve?
On Wed, Sep 14, 2011 at 20:49, Mark Eggers wrote: [...] > > I've not tried this in Tomcat, but here's a thought. > > According to: > > http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter > > > Tomcat uses java.util.regex for pattern matching. This means that if you want > a string regular expression to include a ".", you'll end up entering it as \\. > > Try using "127\\.0\\.0\\.1|::1" and see if that fixes your problem. > > I have no idea why it would work in previous versions (have not checked the > change log). > > . . . . just my two cents. Yep, fair enough. But in this case "\." would have expanded to a dot and it would have matched anyway. @André: I do connect from localhost using wget, mainly: wget -O - -nv --http-user= --http-password= http://localhost:8080//manager/text/list But even so, using "127\\.0\\.0\\.1", I get 403... There definitely is something broken :( -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Clustering / High Availability edge cases?
On 14/09/2011 23:03, Christopher Schultz wrote: > John, > > On 9/13/2011 5:51 AM, John Bass wrote: >> In the event of a node failure, I'm assuming that there's no way >> to recover from that and the failure will be visible to a client >> application. > > Correct: no other node in the cluster can serve the response being > generated by a dying Tomcat instance. As Pid points out, this > isn't unique to Tomcat. Wrong. See my longer response. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Clustering / High Availability edge cases?
On 13/09/2011 10:51, John Bass wrote: > Hi all, > > I'm relatively new to clustering with Tomcat and I'm trying to understand > the edge cases. If I'd like to guarantee continuous availability, what are > the caveats? > > As I understand it, Tomcat clustering will ensure that session information > is persisted in the event of a failure. That's fine, however, what about > long running I/O operations? What if my node dies in the middle of serving > an HTTP response? In the event of a node failure, I'm assuming that there's > no way to recover from that and the failure will be visible to a client > application. Wrong. Recovery options depend on the exact failure mode and the load-balancer configuration. The typical sequence of events is: - load-balancer sends request to Tomcat - request fails - load-balancer detects failure (either by return code or lack of response) - load-balancer replays request to a different Tomcat node - Tomcat generates response - load-balancer returns response to the client - client is unaware of failure although the request may appear slow particularly if the failure was detected via a timeout The load-balacer configuration will control the exact circumstances under which a request will be replayed. > Similarly, if a node fails during a long running calculation, I'm assuming > that there's no way to persist that execution state. Out of the box, no. You'd need to code that within the app. > Are those assumptions correct? If anyone has any other comments on further > scenarios where clustering and session persistence will not be useful in an > HA context, i'd love to hear them. Another failure mode to consider is node failure after the request has been processed but before the updated session data has been replicated to other nodes in the cluster. If you use synchronous replication (the replication happens before the response is completed) then this can't happen but your responses are delayed until the replication completes. If you use asynchronous replication then there is the possibility of node failure before the data is replicated. Also, you must use sticky sessions in this case since you don't want the next request being directed to a different node before the updated session data has been replicated. Finally, if using the back-up manager multiple node failures in quick succession will cause the loss of session data. With this manager, each node distributes the backup copies of the session data (each primary session has a single backup) around the other nodes in the cluster. So, for example, in a four node cluster if node A has 30 primary sessions 10 of those will be backed up on node B, 10 on node C and 10 on node D. If node A fails, the remaining nodes will detect this, make themselves the primary node for the sessions they are backing up and start the process of creating new backups on one of the remaining nodes. If a second node fails before this is complete there is the possibility of session loss. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org