Re: Spring MVC 3 application gives "Could not open JPA EntityManager" only on server

2011-11-23 Thread Will Glass-Husain
I'd guess a firewall is blocking the database requests when you use the
full domain name.

Now it sounds like you have incorrect query syntax.

Good luck!

WILL

On Wed, Nov 23, 2011 at 10:04 PM, MiB  wrote:

> 24 nov 2011 kl. 06.25 Will Glass-Husain suggested:
>
>> telnet dbserver 3306
>
> I did connect via SSH and I did get a "telnet: Unable to connect to remote
> host: Connection refused" on both of my IPs.
>
> But I can connect with "mysql -uXXX p-XXX -h127.0.0.1 dbName" so I changed
> to that in "database.properties" and rebuilt my application.
> I've redeployed and I can connect now but unfortunately I get another
> error now: "org.hibernate.exception.SQLGrammarException: could not get
> or update next value; nested exception is
> javax.persistence.PersistenceException".
> This happens only on server, not on the local Tomcat.
>
> Thanks for your response, Will!
>
> /MiB
>
> -
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


Re: Query related to detection of the Source IP Address in Load-balancing mode

2011-11-23 Thread André Warnier

Faseela K wrote:
> Hi,
>
>   The client is on the same physical server(Server #1) as the Tomcat,
>   but the load balancer decides that the request is to be processed by
>   Server #2.
>   Then,in Server #2,I see _request.getRemoteAddr() returns 127.0.0.1.(though
>   the request came from Server #1).That is the issue.

And where, and what, is the load-balancer ?

Can you tell us exactly where /all/ the different pieces are running?

> Thanks,
> Faseela
>
> -Original Message-
> From: Pid [mailto:p...@pidster.com]
> Sent: Thursday, November 24, 2011 1:08 AM
> To: Tomcat Users List
> Subject: Re: Query related to detection of the Source IP Address in
> Load-balancing mode
>
> On 23/11/2011 06:37, Faseela K wrote:
>> Hi,
>>
>> I have applications running on two tomcat servers which are in load
>> balancing mode.
>
> OK so far.
>
>> If I try to access the application from the first server,and if the
>> request is forwarded to the second server, the request.getRemoteAddr()
>> on the second server still returns "127.0.0.1"(instead of first server IP).
>
> So server #1 connects to the load balancer?
>
> On which server is the load balancer?
>
>> If the client is outside the two load-balancing servers, I am getting the
>> proper client IP address.
>
> Sounds like the application is working properly then.
>
>> I am using tomcat 5.5.31 and mod_jk module for load balancing,and my
>> platform is solaris 10.
>> Is there a way to get the actual client IP,rather than localhost,if the
>> client is on the same box as the tomcat server,and if the request is
>> forwarded to the second load balancing server?
>
> If the client is on the same physical server as the Tomcat, then the
> correct IP address *is* 127.0.0.1.
>
> Your networking stack may well identify that it's a local operation & bypass
> the time-consuming roundtrip through the network device, just doing a
> shorter in-memory operation via the loopback address.
>
> p
>
>> Thanks,
>> Faseela




RE: Query related to detection of the Source IP Address in Load-balancing mode

2011-11-23 Thread Faseela K
Hi,

  The client is on the same physical server(Server #1) as the Tomcat,
  but the load balancer decides that the request is to be processed by Server 
#2.
  Then,in Server #2,I see _request.getRemoteAddr() returns 127.0.0.1.(though 
the request came from Server #1).That is the issue.


Thanks,
Faseela 

-Original Message-
From: Pid [mailto:p...@pidster.com] 
Sent: Thursday, November 24, 2011 1:08 AM
To: Tomcat Users List
Subject: Re: Query related to detection of the Source IP Address in 
Load-balancing mode

On 23/11/2011 06:37, Faseela K wrote:
> 
> Hi,
> 
> I have applications running on two tomcat servers which are in load balancing 
> mode.

OK so far.

> If I try to access the application from the first server,and if the 
> request is forwarded to the second server, the request.getRemoteAddr() on the 
> second server still returns "127.0.0.1"(instead of first server IP).

So server #1 connects to the load balancer?

On which server is the load balancer?


> If the client is outside the two load-balancing servers, I am getting the proper 
> client IP address.

Sounds like the application is working properly then.


> I am using tomcat 5.5.31 and mod_jk module for load balancing,and my platform 
> is solaris 10.
> Is there a way to get the actual client IP,rather than localhost,if the 
> client is on the same box as the tomcat server,and if the request is 
> forwarded to the second load balancing server?

If the client is on the same physical server as the Tomcat, then the correct IP 
address *is* 127.0.0.1.

Your networking stack may well identify that it's a local operation & bypass 
the time-consuming roundtrip through the network device, just doing a shorter 
in-memory operation via the loopback address.


p



> 
> Thanks,
> Faseela
> 
> 





Re: Spring MVC 3 application gives "Could not open JPA EntityManager" only on server

2011-11-23 Thread MiB


24 nov 2011 kl. 06.25 Will Glass-Husain suggested:


telnet dbserver 3306


I did connect via SSH and I did get a "telnet: Unable to connect to  
remote host: Connection refused" on both of my IPs.


But I can connect with "mysql -uXXX p-XXX -h127.0.0.1 dbName" so I  
changed to that in "database.properties" and rebuilt my application.
I've redeployed and I can connect now but unfortunately I get another  
error now: "org.hibernate.exception.SQLGrammarException: could not get  
or update next value; nested exception is  
javax.persistence.PersistenceException". This happens only on server,
not on the local Tomcat.


Thanks for your response, Will!


/MiB








Re: Spring MVC 3 application gives "Could not open JPA EntityManager" only on server

2011-11-23 Thread Will Glass-Husain
First, make sure your server can talk to the db server.  I usually ssh onto
the web server, then from there, do

telnet dbserver 3306

and make sure there's no connection error. (connection refused, likely due
to firewall or other reason for db not being accessible)

If that works, connect with the mysql client (again, from the web server)
using the same user and password

mysql -u XXX -pXXX -h dbserver  dbname

and make sure you have permission to connect.  It's probably one of those
two things.

WILL

On Wed, Nov 23, 2011 at 8:43 PM, MiB  wrote:

> I have a Debian 5 server where I run 2 sites on Apache Tomcat 6.0.33 and
> have installed MySQL 5.1.58. I use 2 different IPs for virtual hosting. I
> have developed a simple Spring MVC 3 application with Hibernate 3 for one
> of these sites and on my OS X developer machine I have testdeployed a
> packaged war file successfully on a default Tomcat 6.0.33 and MySQL 5.1.39.
> Integration tests work fine as do using the site this way.
> I edited hosts with my domain name pointing to my developer machine in
> order to mimic my server.
>
> I used maven to build a new war file with database.properties adjusted for
> the server environment, which I had to do with tests suppressed as I can't
> connect directly over the net because of firewall settings (so integration
> tests failed unsurprisingly with those).
> However, while the deploy to my real server works fine and response is as
> expected for non-DB requests, I get a "Could not open JPA EntityManager for
> transaction" error at the point of persistence — full error stack at
> http://pastebin.com/quHZisMM — indicating that my application can't
> connect to my DB.
> I can connect via SSH to my server with the same connection data (user,
> password), so clearly my db is running and is connectable and I can create
> and delete rows no problem.
>
> I'm at a loss currently on how to diagnose this further. Any ideas?
>
>
> /MiB
>
>
>
>
>
>
>


Spring MVC 3 application gives "Could not open JPA EntityManager" only on server

2011-11-23 Thread MiB
I have a Debian 5 server where I run 2 sites on Apache Tomcat 6.0.33  
and have installed MySQL 5.1.58. I use 2 different IPs for virtual  
hosting. I have developed a simple Spring MVC 3 application with  
Hibernate 3 for one of these sites and on my OS X developer machine I  
have testdeployed a packaged war file successfully on a default Tomcat  
6.0.33 and MySQL 5.1.39. Integration tests work fine as do using the  
site this way.
I edited hosts with my domain name pointing to my developer machine in  
order to mimic my server.


I used maven to build a new war file with database.properties adjusted  
for the server environment, which I had to do with tests suppressed as  
I can't connect directly over the net because of firewall settings (so  
integration tests failed unsurprisingly with those).
However, while the deploy to my real server works fine and response is  
as expected for non-DB requests, I get a "Could not open JPA  
EntityManager for transaction" error at the point of persistence —  
full error stack at http://pastebin.com/quHZisMM — indicating that
my application can't connect to my DB.
I can connect via SSH to my server with the same connection data  
(user, password), so clearly my db is running and is connectable and I  
can create and delete rows no problem.


I'm at a loss currently on how to diagnose this further. Any ideas?


/MiB








Tomcat user roles

2011-11-23 Thread Bill Wang
Hi Tomcat guru,

I have questions for the tomcat user roles setup.

On-call team (24*7 support) need permission to restart one tomcat
service, if they get a call.  I think it may be possible to let them
restart tomcat through "Tomcat Web Application Manager" (the admin url
http://server:port/manager)

My request is, I can't give the admin username and password directly to
the on-call team; the admin account can not only restart the application,
it can deploy and undeploy applications, that's too dangerous.

So how can I set up the tomcat-users.xml or other config file to let the
on-call team have permission only to restart that particular application,
nothing else.

Regards,
Bill


Re: Babysitting ThreadLocals

2011-11-23 Thread Terence M. Bandoian

 On 1:59 PM, Christopher Schultz wrote:


All,

I've got a servlet that needs to log every request (potentially big
requests) to files on the disk. In order to do that in a
reasonably-tidy way, we write each file into a directory with the
current date in the path, something like this:

.../logs/2011-11-23/request-XYX.log

To do this, we have a SimpleDateFormat object that we use to ensure we
target the right directory. Since SimpleDateFormat isn't threadsafe,
we have two choices: synchronize or use ThreadLocal. We have opted for
the latter: ThreadLocal.

Our servlet defines the ThreadLocal to be protected (because this is a
base class for several servlets that all do similar things) and
transient (because we just don't need it to be serialized) and
override the initialValue method, like this:

    protected transient ThreadLocal<SimpleDateFormat> dayFormat =
        new ThreadLocal<SimpleDateFormat>() {
            public SimpleDateFormat initialValue()
            {
                return new SimpleDateFormat("yyyy-MM-dd");
            }
        };

In the servlet's destroy method, we dutifully call dayFormat.remove().
Tomcat complains that we are leaving sloppy ThreadLocals around on
shutdown. Duh: Servlet.destroy is called by a single thread and won't
actually remove the ThreadLocal in any meaningful way.

So, my question is whether or not there is a good way to clean-out the
ThreadLocals from our webapp?

Given the declaration above, we are creating a new class which will be
loaded by our webapp's ClassLoader and therefore pinning that
ClassLoader in memory definitely causing a memory leak across redeploy
cycles.

One way to avoid this would be to have a library at the server-level
that only contains this simple ThreadLocal
definition, but that seems like kind of an awkward solution.

Removing the ThreadLocal after every request of course means that the
use of ThreadLocal is entirely useless.

Should I stop worrying about the overhead of creating a
SimpleDateFormat? Should I look for a threadsafe implementation of
SimpleDateFormat (maybe in commons-lang or something)? Should I
synchronize access to the object?

Any suggestions would be very helpful.

Thanks,
-chris


Hi, Chris-

This sounds very similar to the problem I faced when trying to terminate 
an executor in contextDestroyed.  I worked around that by calling 
Thread.yield() after terminating the executor.


public void contextDestroyed( ServletContextEvent sce )
{
    if ( executor != null )
    {
        boolean isTerminated = false;

        executor.shutdown();

        do
        {
            try
            {
                isTerminated = executor.awaitTermination(
                    1, TimeUnit.SECONDS );
            }
            catch ( InterruptedException ignore )
            {
            }
        }
        while ( !isTerminated );

        executor = null;

        Thread.yield();
    }
}

Adding Thread.yield() eliminated the error message from the log.

Hope that helps.

-Terence Bandoian
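
The two alternatives Chris asks about at the end of his message (synchronizing access, or a thread-safe formatter), shown as an added example that is not code from either poster. The class name and test harness are hypothetical, and the DateTimeFormatter variant assumes Java 8 or later, which goes beyond what was available when this thread was written. Neither variant keeps per-thread state, so there is nothing to clean out of Tomcat's worker threads at undeploy.

```java
import java.text.SimpleDateFormat;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Date;
import java.util.TimeZone;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.LongFunction;

public class DayDirectoryFormat {
    private static final long DAY_MS = 24L * 60 * 60 * 1000;

    // Unsafe baseline: one SimpleDateFormat shared by all threads with no lock.
    private static final SimpleDateFormat RACY = utcFormat();

    static String racyDay(long epochMillis) {
        return RACY.format(new Date(epochMillis));
    }

    // Option 1: a shared instance, but every call holds its monitor.
    private static final SimpleDateFormat LOCKED = utcFormat();

    static String synchronizedDay(long epochMillis) {
        synchronized (LOCKED) {
            return LOCKED.format(new Date(epochMillis));
        }
    }

    // Option 2 (Java 8+): DateTimeFormatter is immutable, so one shared
    // instance is safe without locking and without per-thread state.
    private static final DateTimeFormatter DAY =
            DateTimeFormatter.ofPattern("yyyy-MM-dd").withZone(ZoneOffset.UTC);

    static String immutableDay(long epochMillis) {
        return DAY.format(Instant.ofEpochMilli(epochMillis));
    }

    private static SimpleDateFormat utcFormat() {
        SimpleDateFormat f = new SimpleDateFormat("yyyy-MM-dd");
        f.setTimeZone(TimeZone.getTimeZone("UTC"));
        return f;
    }

    /** Formats many different days from 8 threads and counts wrong or failed results. */
    static int countErrors(LongFunction<String> formatter) throws InterruptedException {
        AtomicInteger errors = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            final int thread = t;
            pool.execute(() -> {
                // Reference formatter confined to this thread, so it is always correct.
                SimpleDateFormat reference = utcFormat();
                for (int i = 0; i < 20_000; i++) {
                    long millis = (thread * 1000L + i % 1000) * DAY_MS;
                    try {
                        String expected = reference.format(new Date(millis));
                        if (!expected.equals(formatter.apply(millis))) {
                            errors.incrementAndGet();
                        }
                    } catch (RuntimeException e) {
                        // A corrupted shared formatter can also throw instead of misformatting.
                        errors.incrementAndGet();
                    }
                }
            });
        }
        pool.shutdown();
        if (!pool.awaitTermination(1, TimeUnit.MINUTES)) {
            throw new IllegalStateException("formatting tasks did not finish");
        }
        return errors.get();
    }

    public static void main(String[] args) throws InterruptedException {
        // The unsynchronized count varies from run to run; the other two stay at zero.
        System.out.println("unsynchronized: " + countErrors(DayDirectoryFormat::racyDay));
        System.out.println("synchronized:   " + countErrors(DayDirectoryFormat::synchronizedDay));
        System.out.println("immutable:      " + countErrors(DayDirectoryFormat::immutableDay));
    }
}
```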





Re: Securing Tomcat cluster communication

2011-11-23 Thread Afkham Azeez
Thanks Filip. I will try to implement this & contribute it back to Tomcat
if that would be useful.

Azeez

On Thu, Nov 24, 2011 at 2:06 AM, Filip Hanik - Dev Lists  wrote:

> Yes, that way you could encrypt your data packets and not worry about the
> wire protocol.
> the placement of the interceptor will be important, so that you don't
> encrypt packets you don't need to (like ping and failure detection)
>
> Filip
>
>
> On 11/23/2011 10:53 AM, Afkham Azeez wrote:
>> On Wed, Nov 23, 2011 at 8:48 PM, Filip Hanik - Dev Lists
>> <devli...@hanik.com> wrote:
>>> On 10/6/2011 8:31 AM, Afkham Azeez wrote:
>>>> I had a look at the Tribes code. Can somebody please explain how
>>>> Channel.SEND_OPTIONS_SECURE works?
>>>
>>> not yet implemented :(
>>
>> What is the proper way of implementing this if I was to do it?
>> Implement an interceptor which will handle encryption/decryption? This
>> is for Axis2 clustering which uses Tribes, so we could use the Tribes API.
>>
>>>> From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an
>>>> encrypted channel
>>>>
>>>> How is this encrypted channel setup? How do we define the keys/keystores
>>>> etc?
>>>>
>>>> On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez   wrote:
>>>>> Hi folks,
>>>>>
>>>>> Is there a way to do authentication in Tribes when new members try to
>>>>> join a cluster so that unauthorized nodes cannot join in? Also, when
>>>>> clustering messages are sent back & forth, how do we ensure security?
>>>>>
>>>>> Thanks
>>>>> Azeez


-- 
Afkham Azeez
Director of Architecture; WSO2, Inc.; http://wso2.com
Member; Apache Software Foundation; http://www.apache.org/

email: az...@wso2.com  cell: +94 77 3320919
blog: http://blog.afkham.org
twitter: http://twitter.com/afkham_azeez
linked-in: http://lk.linkedin.com/in/afkhamazeez

Lean . Enterprise . Middleware


Re: Adding an additional static resource directory to a webapp via API

2011-11-23 Thread Benson Margulies
Yes. It's a jquery theme at the moment.

I just posted a bz with code I wrote involving subclasses of
StandardContext and also FileDirContext that pulls this off.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52236. What do you
think?

On Wed, Nov 23, 2011 at 2:29 PM, Pid  wrote:
> On 23/11/2011 18:06, Benson Margulies wrote:
>> I'm launching Tomcat 7 via the API.
>>
>> One of the uses of this is that I can launch from Eclipse and
>> 'live-edit' my static files, without tangling myself up in the Eclipse
>> JEE facilities, which I have never succeeded in using very well.
>>
>> Now, I want to meld some shared content into the webapp. In the maven
>> build, I use the maven 'overlay' concept. For live development, I'm
>> looking to do the same thing.
>>
>> Essentially, I want to map in a directory of additional static
>> resources into the Context. I see addResourceJarUrl, and I wonder what
>> it does with a file:/ url, though the comment in the javadoc about
>> META-INF/resources suggests that I'd need to conform to that directory
>> structure. (and reading the code in BaseDirContext confirms this).
>>
>> Is 'addAlias' the way to go here?
>
> What is the shared content?  Static files?
>
>
> p



Re: Tomcat 7 not working with javax.net.ssl.keyStorePassword property

2011-11-23 Thread Mark Thomas
On 22/11/2011 20:42, Satish Mittal wrote:
> Hi All,
> 
> I have observed a regression between tomcat 5 and tomcat 7.

That is https://issues.apache.org/bugzilla/show_bug.cgi?id=38774 that
was fixed only in the 5.5.x branch.

I'm not a huge fan of using system properties for configuration so I
prefer the Tomcat 6+ approach that requires explicit configuration (even
though some system properties are still used as fall back).

Mark


> 
> In my tomcat webapp, before I spawn another tomcat webapp process, I pass
> on the keystore password by setting the system property
> "javax.net.ssl.keyStorePassword" to keystore password, instead of writing
> the keystore password in plain-text as an attribute in server.xml.
> 
> This used to work in tomcat 5. However in tomcat 7, the same
> webapp/keystore throws the following error:
> 
> Nov 22, 2011 8:04:45 PM org.apache.coyote.AbstractProtocol init
> SEVERE: Failed to initialize end point associated with ProtocolHandler
> ["http-bio-8096"]
> java.io.IOException: Keystore was tampered with, or password was incorrect
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
>  at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
> at java.security.KeyStore.load(KeyStore.java:1185)
>  at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
>  at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
>  at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
>  at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:373)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:498)
>  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
> at
> org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>  at org.apache.catalina.connector.Connector.initInternal(Connector.java:909)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>  at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>  at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>  at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:596)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>  at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
>  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
>  at java.lang.Thread.run(Thread.java:619)
> Caused by: java.security.UnrecoverableKeyException: Password verification
> failed
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
>  ... 28 more
> Nov 22, 2011 8:04:47 PM org.apache.catalina.core.StandardService
> initInternal
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8096]]
> org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[HTTP/1.1-8096]]
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
>  at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>  at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>  at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:596)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>  at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
>  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
>  at java.lang.Thread.run(Thread.java:619)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:911)
>  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> ... 14 more
> Caused by: java.io.IOException: Keys

Re: Single war file - multiple hosts - can't get log4j to log to different files

2011-11-23 Thread Pid
On 22/11/2011 22:35, Christopher Schultz wrote:
> Chris,
> 
> On 11/22/11 2:28 PM, chris derham wrote:
>> Java running on windows 2008 r2 against tomcat 7.0.19 java version
>> "1.6.0_24"
> 
> Thanks!
> 
>> I have a single war file, and would like to host multiple demo
>> sites of our app. So ideally users access demo1.company.com and
>> demo2.company.com. Completely isolated, but all running the same
>> war. Please correct me where ever my logic is wrong, but I figured
>> that I would
> 
>> 1) have a tomcat instance, containing config directory. This would
>> have catalina/demo1.company.com/ROOT.xml containing pertinent jndi
>> config.
> 
> Sounds good.
> 
>> 2) in server.xml add this
> 
>> > unpackWARs="false" autoDeploy="false"> > className="org.apache.catalina.valves.AccessLogValve" 
>> directory="logs" prefix="demo_access_log." suffix=".log" 
>> pattern="%h %l %u %t "%r" %s %b" resolveHosts="false"/> 
>> 
> 
> Well, that will give you an access log for the whole host. If that's
> what you want, that's what you got. If you want the webapps to have
> separate access logs, you'll have to configure the  in ROOT.xml
> (and whatever other webapps you deploy). Maybe something like
> "ROOT-access" as the "prefix" value.
> 
>> When I start the app, it works and the app works. However all
>> context's apps log to the same log file. What I want to know how to
>> make the different contexts under different hosts log to different
>> file. Our log4j file contains
> 
>> > class="org.apache.log4j.rolling.RollingFileAppender"> > name="Threshold" value="INFO" /> > value="${catalina.base}/logs/demo.log" />
> 
> So, this is a different issue. Above, you had an access log, which
> logs the hosts and URLs that they request, etc.
> 
> It appears that log4j is an application log, like for INFO and DEBUG
> and stuff like that, right?
> 
> Well, the obvious solution is to change the value of the "File"
> parameter in your log4j configuration. Try using something like
> "ROOT-demo.log" and a different value in the config file for the other
> copies that you deploy. Of course, that means that you can't actually
> use the same WAR file, or you need to figure out some way to load the
> log4j configuration file from another location.
> 
> If you write your own ServletContextListener to load the log4j
> configuration (that's what we do over here... it also shuts-down log4j
> when the webapp undeploys), then you ought to be able to use the JNDI
> context to find the location of a configuration file on a per-context
> basis. For instance, you could put your config files somewhere like
> /etc/mywebapp/ROOT.xml and /etc/mywebapp/non-root.xml and just change
> the name of the log file name.
> 
>  (which does stuff like log the
> 
>> I have searched around, and found some references to JNDI context
>> selectors for log4j, but I believe that this is to allow log4j
>> separation - not directly related to what I am trying to do.
> 
> I'm afraid I don't know a thing about JNDI context selectors and
> log4j. Sorry.
> 
>> I have tried to add a suitable web.xml environment entry, and then
>> add it to the log file name, e.g. 
>> ${catalina.base}/logs/${tomcatInstancePrefix}demo.log. Then in
>> ROOT.xml for each host I add
> 
>> > type="java.lang.String" override="false"/>
> 
>> and in web.xml I add
> 
>>  
>> tomcatInstancePrefix
> 
> 
> java.lang.String
>> 
> 
>> but that didn't work
> 
> Yeah, that doesn't work because it doesn't set a system property,
> which is what log4j requires for that kind of replacement.

You could just run separate instances of Tomcat.  It would be less
hassle & easier to manage.

Separate CATALINA_HOME & CATALINA_BASE, so you can use the same core
code & just create some separate instances.


p




Re: Securing Tomcat cluster communication

2011-11-23 Thread Filip Hanik - Dev Lists

Yes, that way you could encrypt your data packets and not worry about the wire 
protocol.
the placement of the interceptor will be important, so that you don't encrypt 
packets you don't need to (like ping and failure detection)

Filip

On 11/23/2011 10:53 AM, Afkham Azeez wrote:
> On Wed, Nov 23, 2011 at 8:48 PM, Filip Hanik - Dev Lists wrote:
>> On 10/6/2011 8:31 AM, Afkham Azeez wrote:
>>> I had a look at the Tribes code. Can somebody please explain how
>>> Channel.SEND_OPTIONS_SECURE works?
>>
>> not yet implemented :(
>
> What is the proper way of implementing this if I was to do it? Implement an
> interceptor which will handle encryption/decryption? This is for Axis2
> clustering which uses Tribes, so we could use the Tribes API.
>
>>> From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an
>>> encrypted channel
>>>
>>> How is this encrypted channel setup? How do we define the keys/keystores
>>> etc?
>>>
>>> On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez   wrote:
>>>> Hi folks,
>>>>
>>>> Is there a way to do authentication in Tribes when new members try to
>>>> join a cluster so that unauthorized nodes cannot join in? Also, when
>>>> clustering messages are sent back & forth, how do we ensure security?
>>>>
>>>> Thanks
>>>> Azeez


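
A sketch of the interceptor approach discussed in this thread, as an added example that is not Tribes code and not code from either poster. The class name AesGcmInterceptor, its setKey method and the pre-shared key model are assumptions; it needs the Tribes jar on the classpath and a JDK whose default provider supports AES/GCM.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.catalina.tribes.ChannelException;
import org.apache.catalina.tribes.ChannelMessage;
import org.apache.catalina.tribes.Member;
import org.apache.catalina.tribes.group.ChannelInterceptorBase;
import org.apache.catalina.tribes.group.InterceptorPayload;
import org.apache.catalina.tribes.io.XByteBuffer;

/** Hypothetical interceptor: AES-GCM over the payload of every message that passes through it. */
public class AesGcmInterceptor extends ChannelInterceptorBase {
    private static final int IV_LEN = 12;    // 96-bit nonce, generated fresh per message
    private static final int TAG_BITS = 128; // authentication tag appended by GCM
    private final SecureRandom random = new SecureRandom();
    private volatile SecretKeySpec key;

    /** Assumption: every node is given the same 16- or 32-byte key out of band. */
    public void setKey(byte[] rawKey) {
        if (rawKey.length != 16 && rawKey.length != 32) {
            throw new IllegalArgumentException("AES key must be 16 or 32 bytes");
        }
        key = new SecretKeySpec(rawKey.clone(), "AES");
    }

    @Override
    public void sendMessage(Member[] destination, ChannelMessage msg,
                            InterceptorPayload payload) throws ChannelException {
        try {
            replacePayload(msg, seal(msg.getMessage().getBytes()));
        } catch (GeneralSecurityException e) {
            // Fail closed: never fall back to sending the plaintext.
            throw new ChannelException("could not encrypt cluster message", e);
        }
        super.sendMessage(destination, msg, payload); // hand on to the next interceptor
    }

    @Override
    public void messageReceived(ChannelMessage msg) {
        byte[] plain;
        try {
            plain = open(msg.getMessage().getBytes());
        } catch (GeneralSecurityException e) {
            // Wrong key, truncated or modified message: drop it instead of delivering it.
            return;
        }
        replacePayload(msg, plain);
        super.messageReceived(msg); // hand on towards the application
    }

    /** Returns nonce || ciphertext || tag. */
    byte[] seal(byte[] plain) throws GeneralSecurityException {
        requireKey();
        byte[] iv = new byte[IV_LEN];
        random.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] sealed = cipher.doFinal(plain);
        byte[] out = new byte[IV_LEN + sealed.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(sealed, 0, out, IV_LEN, sealed.length);
        return out;
    }

    /** Verifies the tag and returns the plaintext; throws if verification fails. */
    byte[] open(byte[] data) throws GeneralSecurityException {
        requireKey();
        if (data.length < IV_LEN + TAG_BITS / 8) {
            throw new GeneralSecurityException("message too short to be authentic");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, data, 0, IV_LEN));
        return cipher.doFinal(data, IV_LEN, data.length - IV_LEN);
    }

    private void requireKey() throws GeneralSecurityException {
        if (key == null) {
            throw new GeneralSecurityException("no key configured");
        }
    }

    private static void replacePayload(ChannelMessage msg, byte[] data) {
        XByteBuffer buffer = msg.getMessage();
        buffer.clear();
        buffer.append(data, 0, data.length);
    }
}
```

It is registered with the channel's addInterceptor(...), positioned as Filip describes so that ping and failure-detection traffic does not pass through it. GCM authenticates each message against the shared key but does not detect a replayed message.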



Re: Single war file - multiple hosts - can't get log4j to log to different files

2011-11-23 Thread Pid
On 23/11/2011 13:06, chris derham wrote:
> I just wanted to see everything
> in a single place - from what I have read this can't be done

Correct.  It could be done, but the apps would need to look outside of
their local host.


p





Re: Query related to detection of the Source IP Address in Load-balancing mode

2011-11-23 Thread Pid
On 23/11/2011 06:37, Faseela K wrote:
> 
> Hi,
> 
> I have applications running on two tomcat servers which are in load balancing 
> mode.

OK so far.

> If I try to access the application from the first server,and if the request 
> is forwarded to the second server,
> the request.getRemoteAddr() on the second server still returns 
> "127.0.0.1"(instead of first server IP).

So server #1 connects to the load balancer?

On which server is the load balancer?


> If the client is outside the two load-balancing servers, I am getting the proper 
> client IP address.

Sounds like the application is working properly then.


> I am using tomcat 5.5.31 and mod_jk module for load balancing,and my platform 
> is solaris 10.
> Is there a way to get the actual client IP,rather than localhost,if the 
> client is on the same box as the tomcat server,and if the request is 
> forwarded to the second load balancing server?

If the client is on the same physical server as the Tomcat, then the
correct IP address *is* 127.0.0.1.

Your networking stack may well identify that it's a local operation &
bypass the time-consuming roundtrip through the network device, just
doing a shorter in-memory operation via the loopback address.


p



> 
> Thanks,
> Faseela
> 
> 




Re: Adding an additional static resource directory to a webapp via API

2011-11-23 Thread Pid
On 23/11/2011 18:06, Benson Margulies wrote:
> I'm launching Tomcat 7 via the API.
> 
> One of the uses of this is that I can launch from Eclipse and
> 'live-edit' my static files, without tangling myself up in the Eclipse
> JEE facilities, which I have never succeeded in using very well.
> 
> Now, I want to meld some shared content into the webapp. In the maven
> build, I use the maven 'overlay' concept. For live development, I'm
> looking to do the same thing.
> 
> Essentially, I want to map in a directory of additional static
> resources into the Context. I see addResourceJarUrl, and I wonder what
> it does with a file:/ url, though the comment in the javadoc about
> META-INF/resources suggests that I'd need to conform to that directory
> structure. (and reading the code in BaseDirContext confirms this).
> 
> Is 'addAlias' the way to go here?

What is the shared content?  Static files?


p




Re: Maven Tomcat 7 plugin - changing war name

2011-11-23 Thread Will Glass-Husain
Ahh, I didn't specify "target".  Shouldn't it be assumed?  When I build the
war, it automatically goes there.

WILL

On Wed, Nov 23, 2011 at 3:33 AM, Hodchenkov, Paul <
paul.hodchen...@oxagile.com> wrote:

> Hi,
> warFile in tomcat7 plugin works for me:
>
>
>org.apache.tomcat.maven
>tomcat7-maven-plugin
>2.0-SNAPSHOT
>
> target/app-qa.war
>/
>true
>
>
>
> -Original Message-
> From: Will Glass-Husain [mailto:wglasshus...@gmail.com]
> Sent: Tuesday, November 22, 2011 10:03 PM
> To: Tomcat Users List
> Subject: Maven Tomcat 7 plugin - changing war name
>
> Hi,
>
> I'm struggling to get the tomcat7 plugin to work.  I want to change the
> name of the war file.  When I call
>
> mvn tomcat7:deploy-only
>
> It looks for war file   XXX-YYY.war, where XXX is the artifactId and YYY is
> the version name.
>
> I'd rather use a different, simpler WAR file name "myapp".  It's used
> elsewhere in the site.  But neither of these two things changes the war
> name that the plugin is looking for.
>
> 
>simulate
> 
>
> ...
>
> 
>  org.apache.tomcat.maven
>  tomcat7-maven-plugin
>  2.0-SNAPSHOT
>  
>myapp.war
>/myapp
>  
> 
>
> Any suggestions?  Or is this just not yet implemented.
>
> WILL
>
>
>


Re: Tomcat 7 not working with javax.net.ssl.keyStorePassword property

2011-11-23 Thread Satish Mittal
On Wed, Nov 23, 2011 at 11:14 PM, Konstantin Kolinko  wrote:

> 2011/11/23 Satish Mittal :
> >
> > This used to work in tomcat 5. However in tomcat 7, the same
> > webapp/keystore throws the following error:
>
> You must always mention the full version number. There are ~20
> different versions of Tomcat 7.0.x, and even more of 5.0.x/5.5.y
>
>
Sure, I should have told that earlier. I am migrating from tomcat 5.5.33 to
tomcat 7.0.22 .


>
>


-- 
"The happiest of people don´t necessarily have the best of everything, they
just make the most of everything that comes along their way."


RE: Babysitting ThreadLocals

2011-11-23 Thread Caldarale, Charles R
> From: Chema [mailto:demablo...@gmail.com] 
> Subject: Re: Babysitting ThreadLocals

> Do you mean that read operations (getters) in not-threadsafe objects
> are not an atomic operations and could retrieve "dirty" values cause
> sharing across threads?

Correct.  Not-thread-safe means just what it sounds like.

> So, singleton objects must be threadsafe to be a real singleton ?

Depends on the object.  If you have written the class code to insure that 
ostensibly read-only operations do not mutate the object in any way, then you 
only need to provide synchronization when there's a risk of a non-read-only 
operation being active.  If you didn't write the code, you have no guarantee 
that non-thread-safe getter methods don't mutate the object internally during 
their processing.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: Patching a jar in a wepabb

2011-11-23 Thread Konstantin Kolinko
2011/11/23 Andrew Kujtan :
>
> As it stands,  I think I'm just going to have to extract the class files
> from each of the patch jars and insert the structure into my
> WEB-INF/classes folder, as my understanding is that they are ahead of
> the lib folder in the classpath. Is this a viable alternative should all
> other avenues fail?

Yes, WEB-INF/classes are guaranteed to have precedence over WEB-INF/lib/*.jar.
IIRC that is mentioned in the Servlet spec, so I would recommend this way.

Yes, the order among jars is arbitrary and cannot be guaranteed.

There exists VirtualWebappLoader class that can be used to inject
additional jars into webapp, but note that is an advanced tool and it
is specific to Tomcat.

Best regards,
Konstantin Kolinko




Re: Babysitting ThreadLocals

2011-11-23 Thread Konstantin Kolinko
2011/11/23 Christopher Schultz :
> On 11/23/11 11:29 AM, Caldarale, Charles R wrote:
>>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>>> Subject: Babysitting ThreadLocals
>>
>>> Removing the ThreadLocal after every request of course means that
>>> the use of ThreadLocal is entirely useless.
>>
>>> Should I stop worrying about the overhead of creating a
>>> SimpleDateFormat?
>>
>> Given that the cost of generating and writing a log entry is going
>> to vastly outweigh any object creation or synchronization impact,
>> then, yes, you should stop worrying.
>
> External reality checks are always useful. ;)

The yyyy-MM-dd value changes only ~365 times a year. You do not need
to regenerate it every second.

Tomcat does some clever things when it needs to generate timestamp for
logging purposes (e.g. in org.apache.juli.OneLineFormatter), but that
looks like an overkill for your use case.

Best regards,
Konstantin Kolinko

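An added example, not code from any poster in this thread: one way to act on the point above that the day string changes only once a day. The hypothetical class DayDirectoryName formats the directory name only when the day rolls over, using a method-local SimpleDateFormat and an immutable snapshot in a volatile field, so no ThreadLocal is left on container threads to pin the webapp's class loader. The yyyy-MM-dd pattern is assumed from the 2011-11-23 path quoted in the thread, and the timestamps in main() are constructed.

```java
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.TimeZone;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/** Hypothetical helper: formats the per-day log directory name once per day. */
public class DayDirectoryName {

    /** Immutable snapshot: a formatted day and the interval [start, end) it covers. */
    private static final class Day {
        final long start;
        final long end;
        final String name;

        Day(long start, long end, String name) {
            this.start = start;
            this.end = end;
            this.name = name;
        }

        boolean covers(long t) {
            return t >= start && t < end;
        }
    }

    private final TimeZone zone;
    private final AtomicInteger formatCalls = new AtomicInteger();
    private volatile Day current;   // volatile + final fields = safe publication

    public DayDirectoryName(TimeZone zone) {
        this.zone = zone;
    }

    /** Thread-safe without locks: readers only ever see a complete Day. */
    public String forTime(long millis) {
        Day d = current;
        if (d == null || !d.covers(millis)) {
            d = compute(millis);
            current = d;   // benign race: concurrent writers store equal values
        }
        return d.name;     // always taken from the local snapshot, never re-read
    }

    public int formatCalls() {
        return formatCalls.get();
    }

    private Day compute(long millis) {
        Calendar cal = Calendar.getInstance(zone);
        cal.setTimeInMillis(millis);
        cal.set(Calendar.HOUR_OF_DAY, 0);
        cal.set(Calendar.MINUTE, 0);
        cal.set(Calendar.SECOND, 0);
        cal.set(Calendar.MILLISECOND, 0);
        long start = cal.getTimeInMillis();
        cal.add(Calendar.DAY_OF_MONTH, 1);
        long end = cal.getTimeInMillis();
        // Method-local formatter: it is never shared, so the fact that
        // SimpleDateFormat is not thread-safe does not matter here.
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd"); // assumed pattern
        fmt.setTimeZone(zone);
        formatCalls.incrementAndGet();
        return new Day(start, end, fmt.format(new Date(millis)));
    }

    private static long utcMillis(int y, int month, int d, int h, int min, int s) {
        Calendar c = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        c.clear();
        c.set(y, month, d, h, min, s);
        return c.getTimeInMillis();
    }

    /** Eight threads walk a constructed 20-second window that spans midnight UTC. */
    public static void main(String[] args) throws InterruptedException {
        final DayDirectoryName namer = new DayDirectoryName(TimeZone.getTimeZone("UTC"));
        final long begin = utcMillis(2011, Calendar.NOVEMBER, 23, 23, 59, 50);
        final long midnight = utcMillis(2011, Calendar.NOVEMBER, 24, 0, 0, 0);
        final AtomicInteger wrong = new AtomicInteger();
        final int threads = 8;
        final int steps = 20000;   // one lookup per millisecond of the window

        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int i = 0; i < threads; i++) {
            pool.execute(new Runnable() {
                public void run() {
                    for (int n = 0; n < steps; n++) {
                        long t = begin + n;
                        String expected = t < midnight ? "2011-11-23" : "2011-11-24";
                        if (!expected.equals(namer.forTime(t))) {
                            wrong.incrementAndGet();
                        }
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        System.out.println("lookups=" + (threads * steps)
                + " wrong=" + wrong.get()
                + " formatCalls=" + namer.formatCalls());
    }
}
```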



Re: Babysitting ThreadLocals

2011-11-23 Thread Chema
>> The string of the date format is constant. However the SimpleDateFormat
> class is not threadsafe, so you will hit intermittent issues when sharing
> across threads

Do you mean that read operations (getters) in not-threadsafe objects
are not an atomic operations and could retrieve "dirty" values cause
sharing
across threads?

So, singleton objects must be threadsafe to be a real singleton ?

Maybe my doubts are very basic but I didn't know about these issues ...




RE: Patching a jar in a wepabb

2011-11-23 Thread Andrew Kujtan
That's possible, but I'd like to avoid having to play with the jars, I
need to retain the ability to revert any changes made to the base
install, I.e. If patch3 breaks it I want to go back to patch2. Being
able to just remove the patch jar from the folder is much simpler than
having to rebuild an entire new jar with only patches 1 and 2 included.
Same thing if a new patch comes along.

-Original Message-
From: Yuan [mailto:weiquan.y...@gmail.com] 
Sent: Wednesday, November 23, 2011 12:58 PM
To: Tomcat Users List
Cc: 
Subject: Re: Patching a jar in a wepabb

Can u compile all patches into one jar file?



On 2011-11-23, at 12:41 PM, "Andrew Kujtan"  wrote:

> Hello Tomcat-users,
>
>
>
> I'm running Tomcat 7.0.20. My webapp uses several 3rd party jars located
> in WEB-INF/lib and I need to apply a series of patches to one of the
> jars.  The patches are jar files that only have the modified class files
> in it, so to apply it I need to add them to the classpath before the
> third party jar. I.e.
>
> Load patch3.jar, then patch2.jar, then patch1.jar, then 3rdparty.jar
>
>
>
> Reading the class loading docs it doesn't look like there is any
> guarantee as to the order they are loaded or any way to specify the
> order, is this correct?
>
>
>
> If not, is there some other built in mechanism to do this? or am I
> barking down the wrong tree altogether?
>
>
>
> As it stands,  I think I'm just going to have to extract the class files
> from each of the patch jars and insert the structure into my
> WEB-INF/classes folder, as my understanding is that they are ahead of
> the lib folder in the classpath. Is this a viable alternative should all
> other avenues fail?
>
>
>
> Regards,
>
> Andrew Kujtan
>




Adding an additional static resource directory to a webapp via API

2011-11-23 Thread Benson Margulies
I'm launching Tomcat 7 via the API.

One of the uses of this is that I can launch from Eclipse and
'live-edit' my static files, without tangling myself up in the Eclipse
JEE facilities, which I have never succeeded in using very well.

Now, I want to meld some shared content into the webapp. In the maven
build, I use the maven 'overlay' concept. For live development, I'm
looking to do the same thing.

Essentially, I want to map in a directory of additional static
resources into the Context. I see addResourceJarUrl, and I wonder what
it does with a file:/ url, though the comment in the javadoc about
META-INF/resources suggests that I'd need to conform to that directory
structure. (and reading the code in BaseDirContext confirms this).

Is 'addAlias' the way to go here?




Re: Patching a jar in a wepabb

2011-11-23 Thread Yuan

Can u compile all patches into one jar file?



On 2011-11-23, at 12:41 PM, "Andrew Kujtan"  wrote:


> Hello Tomcat-users,
>
> I'm running Tomcat 7.0.20. My webapp uses several 3rd party jars located
> in WEB-INF/lib and I need to apply a series of patches to one of the
> jars.  The patches are jar files that only have the modified class files
> in it, so to apply it I need to add them to the classpath before the
> third party jar. I.e.
>
> Load patch3.jar, then patch2.jar, then patch1.jar, then 3rdparty.jar
>
> Reading the class loading docs it doesn't look like there is any
> guarantee as to the order they are loaded or any way to specify the
> order, is this correct?
>
> If not, is there some other built in mechanism to do this? or am I
> barking down the wrong tree altogether?
>
> As it stands,  I think I'm just going to have to extract the class files
> from each of the patch jars and insert the structure into my
> WEB-INF/classes folder, as my understanding is that they are ahead of
> the lib folder in the classpath. Is this a viable alternative should all
> other avenues fail?
>
> Regards,
>
> Andrew Kujtan






Re: Securing Tomcat cluster communication

2011-11-23 Thread Afkham Azeez
On Wed, Nov 23, 2011 at 8:48 PM, Filip Hanik - Dev Lists  wrote:

> On 10/6/2011 8:31 AM, Afkham Azeez wrote:
>
>> I had a look at the Tribes code. Can somebody please explain how
>> Channel.SEND_OPTIONS_SECURE works?
>>
> not yet implemented :(
>

What is the proper way of implementing this if I was to do it? Implement an
interceptor which will handle encryption/decryption? This is for Axis2
clustering which uses Tribes, so we could use the Tribes API.



>
>> > From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an
>> encrypted
>> channel
>>
>> How is this encrypted channel setup? How do we define the keys/keystores
>> etc?
>>
>>
>> On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez  wrote:
>>
>>  Hi folks,
>>> Is there a way to do authentication in Tribes when new members try to
>>> join
>>> a cluster so that unauthorized nodes cannot join in? Also, when
>>> clustering
>>> messages are sent back & forth, how do we ensure security?
>>>
>>> Thanks
>>> Azeez
>>>
>>>
>>>
>>
>
>
>


-- 
Afkham Azeez
Director of Architecture; WSO2, Inc.; http://wso2.com,
Member; Apache Software Foundation; http://www.apache.org/

email: az...@wso2.com  cell: +94 77 3320919
blog: http://blog.afkham.org
twitter: http://twitter.com/afkham_azeez
linked-in: http://lk.linkedin.com/in/afkhamazeez

Lean . Enterprise . Middleware
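The interceptor approach asked about above, as an added example that is not Tribes or Axis2 code: a hypothetical SharedKeyEncryptInterceptor that seals each outgoing payload with AES-GCM under a pre-shared key and drops incoming messages that fail authentication. The class name, the keyHex property and the wire layout (12-byte IV followed by ciphertext and tag) are assumptions; it compiles against the Tribes jar shipped with Tomcat and needs a JDK that provides AES/GCM.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.apache.catalina.tribes.ChannelException;
import org.apache.catalina.tribes.ChannelMessage;
import org.apache.catalina.tribes.Member;
import org.apache.catalina.tribes.group.ChannelInterceptorBase;
import org.apache.catalina.tribes.group.InterceptorPayload;
import org.apache.catalina.tribes.io.XByteBuffer;

/** Hypothetical interceptor (not part of Tribes): AES-GCM over every channel message. */
public class SharedKeyEncryptInterceptor extends ChannelInterceptorBase {

    private static final int IV_LEN = 12;      // bytes, the usual GCM nonce size
    private static final int TAG_BITS = 128;   // authentication tag length

    private final SecureRandom random = new SecureRandom();
    private volatile SecretKeySpec key;

    /** Assumed configuration property: the shared AES key as 32 or 64 hex digits. */
    public void setKeyHex(String hex) {
        if (hex == null || (hex.length() != 32 && hex.length() != 64)) {
            throw new IllegalArgumentException("key must be 128 or 256 bits of hex");
        }
        byte[] raw = new byte[hex.length() / 2];
        for (int i = 0; i < raw.length; i++) {
            raw[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        key = new SecretKeySpec(raw, "AES");
    }

    @Override
    public void sendMessage(Member[] destination, ChannelMessage msg,
                            InterceptorPayload payload) throws ChannelException {
        try {
            replace(msg.getMessage(), seal(msg.getMessage().getBytes()));
        } catch (GeneralSecurityException e) {
            throw new ChannelException(e);   // never fall back to sending plaintext
        }
        super.sendMessage(destination, msg, payload);
    }

    @Override
    public void messageReceived(ChannelMessage msg) {
        try {
            replace(msg.getMessage(), open(msg.getMessage().getBytes()));
        } catch (GeneralSecurityException e) {
            return;   // wrong key, truncated or tampered: drop, do not pass upward
        }
        super.messageReceived(msg);
    }

    /** Returns IV || ciphertext || tag, with a fresh random IV per message. */
    byte[] seal(byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        random.nextBytes(iv);   // random 96-bit IVs: rotate the key long before 2^32 messages
        byte[] body = cipher(Cipher.ENCRYPT_MODE, iv).doFinal(plain);
        byte[] out = new byte[IV_LEN + body.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(body, 0, out, IV_LEN, body.length);
        return out;
    }

    /** Verifies the tag and returns the plaintext; throws if verification fails. */
    byte[] open(byte[] wire) throws GeneralSecurityException {
        if (wire.length < IV_LEN + TAG_BITS / 8) {
            throw new GeneralSecurityException("message too short");
        }
        byte[] iv = new byte[IV_LEN];
        System.arraycopy(wire, 0, iv, 0, IV_LEN);
        return cipher(Cipher.DECRYPT_MODE, iv)
                .doFinal(wire, IV_LEN, wire.length - IV_LEN);
    }

    private Cipher cipher(int mode, byte[] iv) throws GeneralSecurityException {
        SecretKeySpec k = key;
        if (k == null) {
            throw new InvalidKeyException("no key configured");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, k, new GCMParameterSpec(TAG_BITS, iv));
        return c;
    }

    /** Swaps the message buffer's contents in place. */
    private static void replace(XByteBuffer buf, byte[] data) {
        buf.trim(buf.getLength());
        buf.append(data, 0, data.length);
    }
}
```

This protects only payloads that pass through the channel's interceptor stack, has no replay protection, and does not address the thread's other question of authenticating nodes that try to join. Later Tomcat releases ship an EncryptInterceptor in Tribes, which is preferable to custom code where it is available.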


Re: Tomcat 7 not working with javax.net.ssl.keyStorePassword property

2011-11-23 Thread Konstantin Kolinko
2011/11/23 Satish Mittal :
>
> This used to work in tomcat 5. However in tomcat 7, the same
> webapp/keystore throws the following error:

You must always mention the full version number. There are ~20
different versions of Tomcat 7.0.x, and even more of 5.0.x/5.5.y




Patching a jar in a wepabb

2011-11-23 Thread Andrew Kujtan
Hello Tomcat-users,

 

I'm running Tomcat 7.0.20. My webapp uses several 3rd party jars located
in WEB-INF/lib and I need to apply a series of patches to one of the
jars.  The patches are jar files that only have the modified class files
in it, so to apply it I need to add them to the classpath before the
third party jar. I.e.

Load patch3.jar, then patch2.jar, then patch1.jar, then 3rdparty.jar 

 

Reading the class loading docs it doesn't look like there is any
guarantee as to the order they are loaded or any way to specify the
order, is this correct?

 

If not, is there some other built in mechanism to do this? or am I
barking down the wrong tree altogether?

 

As it stands,  I think I'm just going to have to extract the class files
from each of the patch jars and insert the structure into my
WEB-INF/classes folder, as my understanding is that they are ahead of
the lib folder in the classpath. Is this a viable alternative should all
other avenues fail?

 

Regards,

Andrew Kujtan



Re: can only see ROOT webapp

2011-11-23 Thread Christopher Schultz

Shadowdancer,

On 11/23/11 12:11 PM, shadowdancer351 wrote:
> I am using Tomcat 4 on Linux. (I have no choice on using a newer
> version - this is company software)

:(

You might try to convince someone to start testing on Tomcat 7. You
might find that if you haven't had to do any special configuration for
Tomcat 4, your webapp may run very happily on Tomcat 7.

> I can see any html page i put in the ROOT directory, but I can't
> see any of the built-in webapps by typing in the URL 
> http://myhost:8080/manager/index.html (yes that index.html file
> exists in that directory). It won't work for "tomcat-docs" or
> "examples" either. I tried putting in my own webapp and I couldn't
> see that either. I've added the context definition to the
> server.xml file and restarted tomcat. Is there anything else I
> should do?

Post your server.xml (minus any sensitive info like passwords) and
give us a quick explanation of what you've got in the
CATALINA_BASE/webapps directory.

-chris



can only see ROOT webapp

2011-11-23 Thread shadowdancer351

I am using Tomcat 4 on Linux. (I have no choice on using a newer version -
this is company software)

I can see any html page i put in the ROOT directory, but I can't see any of
the built-in webapps by typing in the URL
http://myhost:8080/manager/index.html (yes that index.html file exists in
that directory). It won't work for "tomcat-docs" or "examples" either. I
tried putting in my own webapp and I couldn't see that either. I've added
the context definition to the server.xml file and restarted tomcat. Is there
anything else I should do?







Re: Babysitting ThreadLocals

2011-11-23 Thread Filippo Machi
Ciao Christopher, I heard Joda has a thread safe date
parser/formatter... remember to check it doesn't use threadlocals too :)
Hth
Fil
On 23 Nov 2011 at 17:57, "Christopher Schultz" <
ch...@christopherschultz.net> wrote:

>
> Chris,
>
> On 11/23/11 11:46 AM, chris derham wrote:
> > If you do this, and find that creating these objects is taking more
> > time, then perhaps one method would be to use a weak object
> > reference to the thread local. That way you would get the best of
> > both worlds - no memory leak and reduced creation of
> > SimpleDateFormat.
>
> I hadn't thought of using a WeakReference. I wonder how often the GC
> would kill the reference between requests, though. We only get one
> maybe every 10 seconds or so right now, so it's possible that we'd
> have the memory churn associated with creating a new object for every
> request anyway.
>
> > However most people coding probably won't know what a ThreadLocal
> > class is/does, let alone a Weak memory reference. IMO it would be
> > easier just to code the easy way
>
> Yeah, this is definitely over-engineered at this point, especially
> given that it's not actually working the way it should (that is, we've
> got a memory leak).
>
> I think I'll look into the commons-lang date formatter to see if
> there's any reason to use it instead of SimpleDateFormat. If it
> performs reasonably under load (that is, doesn't have much in the way
> of synchronization and creates fewer objects than "new
> SimpleDateFormat") then I'll probably go with that... we already have
> a dependency on that library, anyway.
>
> Thanks,
> -chris
>
>


Re: Babysitting ThreadLocals

2011-11-23 Thread Christopher Schultz

Chris,

On 11/23/11 11:46 AM, chris derham wrote:
> If you do this, and find that creating these objects is taking more
> time, then perhaps one method would be to use a weak object
> reference to the thread local. That way you would get the best of
> both worlds - no memory leak and reduced creation of
> SimpleDateFormat.

I hadn't thought of using a WeakReference. I wonder how often the GC
would kill the reference between requests, though. We only get one
maybe every 10 seconds or so right now, so it's possible that we'd
have the memory churn associated with creating a new object for every
request anyway.

> However most people coding probably won't know what a ThreadLocal 
> class is/does, let alone a Weak memory reference. IMO it would be 
> easier just to code the easy way

Yeah, this is definitely over-engineered at this point, especially
given that it's not actually working the way it should (that is, we've
got a memory leak).

I think I'll look into the commons-lang date formatter to see if
there's any reason to use it instead of SimpleDateFormat. If it
performs reasonably under load (that is, doesn't have much in the way
of synchronization and creates fewer objects than "new
SimpleDateFormat") then I'll probably go with that... we already have
a dependency on that library, anyway.

Thanks,
-chris



Re: Babysitting ThreadLocals

2011-11-23 Thread chris derham
>
> A silly question:
>
> why do you use a ThreadLocal to store a constant value for entire
> application? why not a static variable or store into web application
> context , by example ?
>
> The string of the date format is constant. However the SimpleDateFormat
class is not threadsafe, so you will hit intermittent issues when sharing
across threads.

 > So, my question is whether or not there is a good way to clean-out the
> > ThreadLocals from our webapp?
>
> It would be much simpler code to read/write/maintain if you just create
new ones each time - as Charles says. Then profile the app, and only if the
creation of simpleDateFormat objects is slowing the app, then try to
optimise.

If you do this, and find that creating these objects is taking more time,
then perhaps one method would be to use a weak object reference to the
thread local. That way you would get the best of both worlds - no memory
leak and reduced creation of SimpleDateFormat. However most people coding
probably won't know what a ThreadLocal class is/does, let alone a Weak
memory reference. IMO it would be easier just to code the easy way

Chris


Re: Babysitting ThreadLocals

2011-11-23 Thread Christopher Schultz

Chuck,

On 11/23/11 11:29 AM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
>> Subject: Babysitting ThreadLocals
> 
>> Removing the ThreadLocal after every request of course means that
>> the use of ThreadLocal is entirely useless.
> 
>> Should I stop worrying about the overhead of creating a 
>> SimpleDateFormat?
> 
> Given that the cost of generating and writing a log entry is going
> to vastly outweigh any object creation or synchronization impact,
> then, yes, you should stop worrying.

External reality checks are always useful. ;)

Thanks,
-chris



Re: Babysitting ThreadLocals

2011-11-23 Thread Christopher Schultz

Chema,

On 11/23/11 11:31 AM, Chema wrote:
> A silly question:
> 
> why do you use a ThreadLocal to store a constant value for entire 
> application? why not a static variable or store into web
> application context , by example ?

It's not a silly question in general, but I did specifically mention
that SimpleDateFormat is not threadsafe. Therefore, I cannot use a
constant value for the entire application.

-chris



Re: Babysitting ThreadLocals

2011-11-23 Thread Daniel Mikusa
On Wed, 2011-11-23 at 07:48 -0800, Christopher Schultz wrote:

> Should I look for a threadsafe implementation of
> SimpleDateFormat (maybe in commons-lang or something)? 

I haven't used this, but it seems to be a drop in replacement for
SimpleDateFormat.

https://commons.apache.org/lang/api-2.5/org/apache/commons/lang/time/FastDateFormat.html


Dan


Re: Tomcat Manager WebApp authentication

2011-11-23 Thread Mark Montague

On November 21, 2011 14:49 , Mark Montague  wrote:
I need Tomcat 6 to use the authentication performed by the front-end 
webserver without breaking the roles required by the Tomcat Manager 
webapp.


I'm replying to myself to document what I did in case it helps other 
people.  Feedback and criticism are welcome, since I'm new to both 
Tomcat and Java.  André's suggestion, to move authorization into Apache 
HTTPD along with authentication and then delete the servlet's security 
constraints, is much simpler and more practical than the method I 
describe here.


In a default installation of Tomcat 6, the Tomcat Manager web 
application is configured to use the UserDatabaseRealm for 
authentication and authorization.  When authentication is moved to the 
front-end web server by setting the tomcatAuthentication="false" 
attribute for the connector, authorization breaks because the servlet 
request object now contains principals of class CoyotePrincipal, which 
do not contain role information, instead of principals of class 
GenericPrincipal, which do contain role information.


My solution (which appears to work, although it is inefficient) is to
create a new realm named CoyoteUserDatabaseRealm that extends
UserDatabaseRealm.  CoyoteUserDatabaseRealm overrides the hasRole()
method in order to convert the principal of class CoyotePrincipal into a
principal of class GenericPrincipal and then invoke the hasRole()
method of UserDatabaseRealm.


Instructions for a Unix-based system:

# Download, unpack, and build the Tomcat source code into the directory
# apache-tomcat-6.0.33-src

# Copy and save CoyoteUserDatabaseRealm.java from this email (below).
mkdir -p org/apache/catalina/realm/
# Copy and save org/apache/catalina/realm/mbeans-descriptors.xml from this email (below).


# Compile the class and move it into place.
javac -sourcepath ./apache-tomcat-6.0.33-src/java CoyoteUserDatabaseRealm.java

mv CoyoteUserDatabaseRealm.class org/apache/catalina/realm/

# Create a .jar file:
jar cf coyote-realm.jar org/

# Install the jar file:
cp coyote-realm.jar $CATALINA_HOME/lib
chcon system_u:object_r:usr_t:s0 $CATALINA_HOME/lib/coyote-realm.jar  # for SELinux users only


# Edit $CATALINA_HOME/conf/server.xml
# Change the lines

# to


# restart Tomcat so the changes take effect:
service tomcat6 restart


I hope this helps.

--
  Mark Montague
  m...@catseye.org


---- start file CoyoteUserDatabaseRealm.java ----

package org.apache.catalina.realm;


import java.security.Principal;

import org.apache.catalina.Role;
import org.apache.catalina.User;
import org.apache.catalina.UserDatabase;
import org.apache.catalina.Realm;
import org.apache.catalina.realm.UserDatabaseRealm;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.catalina.util.StringManager;
import org.apache.catalina.connector.CoyotePrincipal;


public class CoyoteUserDatabaseRealm
    extends UserDatabaseRealm
    implements Realm
{

    protected final String info =
        "org.apache.catalina.realm.CoyoteUserDatabaseRealm/1.0";

    protected static final String name = "CoyoteUserDatabaseRealm";

    private static StringManager sm =
        StringManager.getManager(Constants.Package);


    public String getInfo() {
        return info;
    }


    protected String getName() {
        return name;
    }


    public boolean hasRole(Principal principal, String role) {

        // With tomcatAuthentication="false" the connector supplies a
        // CoyotePrincipal that carries only the user name asserted by the
        // front-end web server, with no role information.
        if (principal instanceof CoyotePrincipal) {
            // Look up this user in the UserDatabaseRealm.  The new
            // principal will contain UserDatabaseRealm role info.
            Principal p = super.getPrincipal(principal.getName());
            if (p != null) {
                principal = p;
            }
        }
        return super.hasRole(principal, role);

    }

}


---- end file CoyoteUserDatabaseRealm.java ----


 start file org/apache/catalina/realm/mbeans-descriptors.xml -



  


  


 end file org/apache/catalina/realm/mbeans-descriptors.xml ---







Re: Babysitting ThreadLocals

2011-11-23 Thread Chema
A silly question:

why do you use a ThreadLocal to store a constant value for entire
application? why not a static variable or store into web application
context , by example ?

Thanks

2011/11/23 Christopher Schultz :
>
> All,
>
> I've got a servlet that needs to log every request (potentially big
> requests) to files on the disk. In order to do that in a
> reasonably-tidy way, we write each file into a directory with the
> current date in the path, something like this:
>
> .../logs/2011-11-23/request-XYX.log
>
> To do this, we have a SimpleDateFormat object that we use to ensure we
> target the right directory. Since SimpleDateFormat isn't threadsafe,
> we have two choices: synchronize or use ThreadLocal. We have opted for
> the latter: ThreadLocal.
>
> Our servlet defines the ThreadLocal to be protected (because this is a
> base class for several servlets that all do similar things) and
> transient (because we just don't need it to be serialized) and
> override the initialValue method, like this:
>
>    protected transient ThreadLocal<SimpleDateFormat> dayFormat = new
> ThreadLocal<SimpleDateFormat>() {
>        public SimpleDateFormat initialValue()
>        {
>            return new SimpleDateFormat("yyyy-MM-dd");
>        }
>    };
>
> In the servlet's destroy method, we dutifully call dayFormat.remove().
> Tomcat complains that we are leaving sloppy ThreadLocals around on
> shutdown. Duh: Servlet.destroy is called by a single thread and won't
> actually remove the ThreadLocal in any meaningful way.
>
> So, my question is whether or not there is a good way to clean-out the
> ThreadLocals from our webapp?
>
> Given the declaration above, we are creating a new class which will be
> loaded by our webapp's ClassLoader and therefore pinning that
> ClassLoader in memory definitely causing a memory leak across redeploy
> cycles.
>
> One way to avoid this would be to have a library at the server-level
> that only contains this simple ThreadLocal
> definition, but that seems like kind of an awkward solution.
>
> Removing the ThreadLocal after every request of course means that the
> use of ThreadLocal is entirely useless.
>
> Should I stop worrying about the overhead of creating a
> SimpleDateFormat? Should I look for a threadsafe implementation of
> SimpleDateFormat (maybe in commons-lang or something)? Should I
> synchronize access to the object?
>
> Any suggestions would be very helpful.
>
> Thanks,
> -chris
>
>




RE: Babysitting ThreadLocals

2011-11-23 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Babysitting ThreadLocals

> Removing the ThreadLocal after every request of course means 
> that the use of ThreadLocal is entirely useless.

> Should I stop worrying about the overhead of creating a
> SimpleDateFormat?

Given that the cost of generating and writing a log entry is going to vastly 
outweigh any object creation or synchronization impact, then, yes, you should 
stop worrying.

 - Chuck



 



Re: Tomcat 7 not working with javax.net.ssl.keyStorePassword property

2011-11-23 Thread Christopher Schultz

Satish,

On 11/23/11 12:30 AM, Satish Mittal wrote:
> On Wed, Nov 23, 2011 at 2:32 AM, Caldarale, Charles R < 
> chuck.caldar...@unisys.com> wrote:
> 
>>> This used to work in tomcat 5.
>> 
>> Interesting. Where is this documented to work?
> 
> As per the tomcat documentation, Tomcat can use two different 
> implementations of SSL:
> 
> - the JSSE implementation provided as part of the Java runtime
> (since 1.4) - the APR implementation, which uses the OpenSSL engine
> by default.
> 
> In my installation, I use JSSE implementation. The 
> javax.net.ssl.keyStorePassword property is supported by JSSE.

Not in the way that you expect. When Java accesses the system
keystore, this system property will be used. When Tomcat accesses the
Tomcat-specific keystore, only the Tomcat keystore will be used and it
must be configured using Tomcat's configuration.

Honestly, I'm surprised that this worked in Tomcat 5. It's possible
that there has been a regression, but I'd like to see it working,
first. Can you provide steps-to-reproduce in both Tomcat 5 (5.what?)
and Tomcat 6/7? The procedures should be the same (other than using
different TC versions) but the outcomes should be different if this is
a regression. Start with a stock TC install (from the ZIP/tgz archive)
and tell us how to configure everything, including creating the
keystore and key(s), importing certificates, etc.

> If you go to tomcat documentation at 
> http://tomcat.apache.org/tomcat-5.5-doc/config/http.html#SSL_Support,
> you would find that multiple JSSE properties (related to
> trustStore) are supported by Tomcat as a mechanism to pass the
> value instead of specifying them explicitly in server.xml. I know
> that for keyStorePassword, it is not documented. However since this
> mechanism was working in tomcat 5, I want to check whether anyone
> else has observed this change in tomcat 7.

See above. If this is a regression, it can be fixed.

-chris



Re: Single war file - multiple hosts - can't get log4j to log to different files

2011-11-23 Thread Christopher Schultz

Chris,

On 11/23/11 8:06 AM, chris derham wrote:
>>> We thought this would allow us to monitor all contexts with a 
>>> single probe install, but it only seems to show a single
>>> localhost context. I assume that the hosts are separated, and
>>> that the context="priviliged" setting can allow a web app to
>>> access other webapps in the same context, but not across
>>> hosts.
>> 
>> So... what setting is that?
>> 
> I meant the crossContext="true" setting. I have searched around,
> and can see that both tomcat's manager and probe are not able to
> monitor virtual hosts other than the one that they reside in. So I
> will just have to deploy manager and/or probe for each virtual
> host. I just wanted to see everything in a single place - from what
> I have read this can't be done

If you are lazy/memory conscious/can tolerate the setup, you could put
all webapps under a single virtual host (the default, most likely)
with aliases (if you even require them) and that would solve the
management problem.

>> 1. Move your .war files from out of the webapps directory (and
>> subdirs) 2. Update the paths in ROOT.xml and probe.xml to point
>> to the new location 3. Remove the "local" and "demos"
>> directories
>> 
> Thanks for the pointer. What I ended up doing was moving all wars
> to /notWebapps. Then I unpacked them, and set the
> relevant context.xml's docbase to point to the exploded directory.
> Seems to work well now

Seems like a reasonable course of action. "notWebapps". I like that. :)

>>> The only idea I have left if nobody can see an obvious flaw in
>>> our logic is to write some custom code to initialise log4j. We
>>> would just need to pick up the context, or a jndi variable and
>>> then prefix the log file name with this. Guess it can't be that
>>> hard - just figured that somebody would have hit this before.
>> 
>> I think that's your best bet.
>> 
> Yes it was surprisingly easy. We created a subclass of springs 
> Log4jConfigListener, and then prefix the file parameter of any
> file appenders. We set the web.xml value to blank, which is
> ignored, and then when required we can override it in context.xml.
> Thanks for the pointer

You might want to put a comment in the web.xml where you have no value
explaining where the value is *really* located. You'll save some
sysadmin several hours of screaming in the future.

>> I'm not sure that using JMX is going to make your life any
>> easier.
> 
> I thought that via some internal to tomcat mechanism, I would be
> able to detect which context I was in, and thus be able to use that
> to drive the prefix for the log file, rather than having to have a
> specific web.xml setting that each context overrides.

You should be able to detect the context name during startup.
Actually, you can get the path from ServletContext.getContextPath. So,
if you have a ServletContextListener, you can do this:

event.getServletContext().getContextPath()

Of course, that gets you a string that you might need to massage (like
changing "" into "ROOT", removing slashes, etc.).

-chris
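A sketch of the "massage" step described in the message above, as an added example that is not part of the original post: it maps the value returned by ServletContext.getContextPath() to a log-file name that cannot leave the log directory. The class and method names (ContextLogName, prefixFor, logFileFor), the "-app.log" suffix and the sample paths are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class ContextLogName {

    /**
     * Maps a servlet context path ("" for the root webapp, "/shop",
     * "/shop/admin") to a file-name prefix. Only letters, digits, '-' and '_'
     * are kept; slashes, dots and everything else become '_', so the result
     * can never contain a path separator or a ".." segment.
     */
    static String prefixFor(String contextPath) {
        if (contextPath == null || contextPath.isEmpty() || contextPath.equals("/")) {
            return "ROOT"; // the root webapp reports an empty context path
        }
        String trimmed = contextPath.startsWith("/") ? contextPath.substring(1) : contextPath;
        StringBuilder out = new StringBuilder(trimmed.length());
        for (int i = 0; i < trimmed.length(); i++) {
            char c = trimmed.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_';
            out.append(safe ? c : '_');
        }
        return out.toString();
    }

    /** Resolves the per-context log file and refuses anything outside logDir. */
    static Path logFileFor(Path logDir, String contextPath) {
        Path base = logDir.toAbsolutePath().normalize();
        Path file = base.resolve(prefixFor(contextPath) + "-app.log").normalize();
        // Defence in depth: the file must sit directly inside the log directory.
        if (!base.equals(file.getParent())) {
            throw new IllegalArgumentException("log file escapes " + base);
        }
        return file;
    }

    public static void main(String[] args) {
        Path logDir = Paths.get("logs"); // assumed log directory
        // Constructed sample context paths, including one hostile value.
        String[] samples = { "", "/shop", "/shop/admin", "/../../etc/passwd" };
        for (String s : samples) {
            System.out.println("'" + s + "' -> " + logFileFor(logDir, s));
        }
    }
}
```

In a ServletContextListener the input would be event.getServletContext().getContextPath(). Distinct context paths such as /a/b and /a_b map to the same prefix, so context names have to stay distinct after this mapping.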



Re: Securing Tomcat cluster communication

2011-11-23 Thread Christopher Schultz

Afkham,

On 10/6/11 10:17 AM, Afkham Azeez wrote:
> Is there a way to do authentication in Tribes when new members try
> to join a cluster so that unauthorized nodes cannot join in? Also,
> when clustering messages are sent back & forth, how do we ensure
> security?

You could use stunnel between all your boxes, but I'm not sure how
that works with multicast. That would handle your authentication
issues (use ssh authentication) as well as encryption of data across
untrusted network segments.

-chris



Re: How to get the tomcat internal log out?

2011-11-23 Thread Christopher Schultz

Konstantin,

On 11/21/11 7:00 AM, Konstantin Kolinko wrote:
> 2011/11/21 Kurt :
>> Hello all:
>> 
>> I compile tomcat 5.5.30 and import it to eclipse as a project, to
>> research how the tomcat load class , I need to view the running
>> log ,after reading through this
>> post(http://tomcat.apache.org/tomcat-5.5-doc/logging.html) and 
>> adding below log4j.properties to the direcotry 'common/classes'
>> and log4j-1.26.jar to common/lib, logs turned out not to be
>> generated when I debug the tomcat starting from class Catalina.
>> No idea about it, I've tried many times.
>> 
>> log4j.rootLogger=DEBUG,R 
>> log4j.appender.R=org.apache.log4j.RollingFileAppender 
>> log4j.appender.R.File=k:\\logs\\tomcat.log 
>> log4j.appender.R.MaxFileSize=10MB 
>> log4j.appender.R.MaxBackupIndex=10 
>> log4j.appender.R.layout=org.apache.log4j.PatternLayout 
>> log4j.appender.R.layout.ConversionPattern=%p%t%c-%m%n 
>> log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
>> log4j.logger.org.apache.catalina.core=DEBUG, R 
>> log4j.logger.org.apache.catalina.session=DEBUG, R
>> 
>> And the program parameter I use is 'start', vm parameter is 
>> '-Dcatalina.home="I:\My 
>> Documents\program\java\projects\eclipse\mye9.0\TOMCAT_5_5_30\mybuild-5.5.30"'
>>
>> Any ideas? Thanks
>> 

0. Is there a reason why the OP is trying to use Tomcat 5.5 instead of
Tomcat 7?

> 1. Is there a reason why you are trying to use log4j? That is not 
> default configuration for Tomcat logging. The default one is JULI. 
> (Though you have to remove log4.jar from Tomcat if you want JULI to
> work).

-chris



Re: tomcat http connector

2011-11-23 Thread Christopher Schultz

Asha,

On 11/23/11 5:53 AM, Asha K S wrote:
> Thank you all for helping me in this regard. Can you please point
> me to documentation which helps me configure https between Apache
> and Tomcat.

Read the documentation for "Tomcat Connectors" on the Tomcat web site.

> Also in AJPv13 extensions proposal 
> (http://tomcat.apache.org/connectors-doc/ajp/ajpv13ext.html) one
> add on suggests "Basic authorisation system, where a shared secret
> key is present in web server and servlet engine" do we know if this
> is still under consideration.

This document seems to be horribly out of date. Read the documentation
for the features that have actually been implemented:

http://tomcat.apache.org/connectors-doc/reference/workers.html


Specifically, look for "secret".

Note that this is not /not/ *NOT* encryption. It's merely a pre-shared
code that gets inserted into the request for validation. It merely
prevents random people from making unexpected requests to your ajp
service.

-chris



Re: How to get the tomcat internal log out?

2011-11-23 Thread Kurt

Hello Konstantin:

   I tried to invoke Bootstrap, but got an error saying "Can't load
server.xml from I:\workspace\mye10\TOMCAT_5_5_30\conf\server.xml".
server.xml does exist, and when I invoke Catalina, everything is OK; that
is, a web app deployed into webapps/Root can run normally. Is there any
material to guide a newbie on how to compile, run tomcat 5 of your compiled
version, config logging thing etc?

   Thanks and nice day.

Kurt

On Mon, 21 Nov 2011 20:00:51 +0800, Konstantin Kolinko wrote:



2011/11/21 Kurt :

Hello all:

 I compile tomcat 5.5.30 and import it to eclipse as a project, to  
research
how the tomcat load class , I need to view the running log ,after  
reading
through this post(http://tomcat.apache.org/tomcat-5.5-doc/logging.html)  
and

adding below log4j.properties to the direcotry 'common/classes' and
log4j-1.26.jar to common/lib, logs turned out not to be generated when I
debug the tomcat starting from class Catalina. No idea about it, I've  
tried

many times.

log4j.rootLogger=DEBUG,R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=k:\\logs\\tomcat.log
log4j.appender.R.MaxFileSize=10MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%p%t%c-%m%n
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
log4j.logger.org.apache.catalina.core=DEBUG, R
log4j.logger.org.apache.catalina.session=DEBUG, R

And the program parameter I use is 'start', vm parameter is
'-Dcatalina.home="I:\My
Documents\program\java\projects\eclipse\mye9.0\TOMCAT_5_5_30\mybuild-5.5.30"'
Any ideas? Thanks



1. Is there a reason why you are trying to use log4j? That is not
default configuration for Tomcat logging. The default one is JULI.
(Though you have to remove log4.jar from Tomcat if you want JULI to  
work).


2. Why are you trying to start Catalina? The entry point is
"org.apache.catalina.startup.Bootstrap".

3. You need to use -Djava.util.logging.manager= and
-Djava.util.logging.config.file=
vm options to configure JULI, like catalina.sh/catalina.bat does it.

Best regards,
Konstantin Kolinko




Babysitting ThreadLocals

2011-11-23 Thread Christopher Schultz

All,

I've got a servlet that needs to log every request (potentially big
requests) to files on the disk. In order to do that in a
reasonably-tidy way, we write each file into a directory with the
current date in the path, something like this:

.../logs/2011-11-23/request-XYX.log

To do this, we have a SimpleDateFormat object that we use to ensure we
target the right directory. Since SimpleDateFormat isn't threadsafe,
we have two choices: synchronize or use ThreadLocal. We have opted for
the latter: ThreadLocal.

Our servlet defines the ThreadLocal to be protected (because this is a
base class for several servlets that all do similar things) and
transient (because we just don't need it to be serialized) and
override the initialValue method, like this:

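    // One java.text.SimpleDateFormat per thread, because the class is not thread-safe.
    protected transient ThreadLocal<SimpleDateFormat> dayFormat =
        new ThreadLocal<SimpleDateFormat>() {
            @Override
            public SimpleDateFormat initialValue()
            {
                return new SimpleDateFormat("yyyy-MM-dd");
            }
        };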

In the servlet's destroy method, we dutifully call dayFormat.remove().
Tomcat complains that we are leaving sloppy ThreadLocals around on
shutdown. Duh: Servlet.destroy is called by a single thread and won't
actually remove the ThreadLocal in any meaningful way.

So, my question is whether or not there is a good way to clean-out the
ThreadLocals from our webapp?

Given the declaration above, we are creating a new class which will be
loaded by our webapp's ClassLoader and therefore pinning that
ClassLoader in memory, definitely causing a memory leak across redeploy
cycles.

One way to avoid this would be to have a library at the server-level
that only contains this simple ThreadLocal
definition, but that seems like kind of an awkward solution.

Removing the ThreadLocal after every request of course means that the
use of ThreadLocal is entirely useless.

Should I stop worrying about the overhead of creating a
SimpleDateFormat? Should I look for a threadsafe implementation of
SimpleDateFormat (maybe in commons-lang or something)? Should I
synchronize access to the object?

Any suggestions would be very helpful.

Thanks,
-chris
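One way to build the dated directory without any per-thread state, as an added example that is not part of the original post: it swaps SimpleDateFormat for the immutable java.time.format.DateTimeFormatter and therefore assumes Java 8 or later. The names (DailyRequestLog, pathFor), the "logs" directory and the rule that a request id consists of letters, digits, '-' and '_' are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Clock;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class DailyRequestLog {

    // DateTimeFormatter is immutable and thread-safe, and it is a JDK class:
    // a shared static instance needs neither a ThreadLocal nor synchronization,
    // and nothing loaded by the webapp's ClassLoader is left behind in the
    // container's pooled request threads when the application is undeployed.
    private static final DateTimeFormatter DAY = DateTimeFormatter.ISO_LOCAL_DATE; // yyyy-MM-dd

    private final Path logRoot;
    private final Clock clock;

    DailyRequestLog(Path logRoot, Clock clock) {
        this.logRoot = logRoot.toAbsolutePath().normalize();
        this.clock = clock;
    }

    /** Returns logRoot/yyyy-MM-dd/request-ID.log for the current date. */
    Path pathFor(String requestId) {
        // The id becomes part of a file name, so accept only a conservative
        // character set (assumed id format, see the lead-in).
        if (requestId == null || !requestId.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("unexpected request id");
        }
        String day = DAY.format(LocalDate.now(clock));
        return logRoot.resolve(day).resolve("request-" + requestId + ".log");
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed demo input: a fixed clock makes the run repeatable.
        Clock fixed = Clock.fixed(Instant.parse("2011-11-23T10:00:00Z"), ZoneOffset.UTC);
        DailyRequestLog log = new DailyRequestLog(Paths.get("logs"), fixed);

        // Hammer the shared formatter from several threads and collect every
        // day directory that was produced; a corrupted format would show up
        // here as an additional, malformed entry.
        Set<String> dirs = ConcurrentHashMap.newKeySet();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int i = 0; i < 1000; i++) {
            final String id = "req" + i;
            pool.execute(() -> dirs.add(log.pathFor(id).getParent().getFileName().toString()));
        }
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);

        System.out.println("day directories seen: " + dirs);
        System.out.println(log.pathFor("XYZ"));
    }
}
```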



Re: Securing Tomcat cluster communication

2011-11-23 Thread Filip Hanik - Dev Lists

On 10/6/2011 8:31 AM, Afkham Azeez wrote:

I had a look at the Tribes code. Can somebody please explain how
Channel.SEND_OPTIONS_SECURE works?

not yet implemented :(


> From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an encrypted
channel

How is this encrypted channel setup? How do we define the keys/keystores
etc?


On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez  wrote:


Hi folks,
Is there a way to do authentication in Tribes when new members try to join
a cluster so that unauthorized nodes cannot join in? Also, when clustering
messages are sent back&  forth, how do we ensure security?

Thanks
Azeez










Re: Single war file - multiple hosts - can't get log4j to log to different files

2011-11-23 Thread chris derham
> > We thought this would allow us to monitor all contexts with a
> > single probe install, but it only seems to show a single localhost
> > context. I assume that the hosts are separated, and that the
> > context="priviliged" setting can allow a web app to access other
> > webapps in the same context, but not across hosts.
>
> So... what setting is that?
>
> I meant the crossContext="true" setting. I have searched around, and can
see that both tomcat's manager and probe are not able to monitor virtual
hosts other than the one that they reside in. So I will just have to deploy
manager and/or probe for each virtual host. I just wanted to see everything
in a single place - from what I have read this can't be done


> 1. Move your .war files from out of the webapps directory (and subdirs)
> 2. Update the paths in ROOT.xml and probe.xml to point to the new
>   location
> 3. Remove the "local" and "demos" directories
>
> Thanks for the pointer. What I ended up doing was moving all wars to
/notWebapps. Then I unpacked them, and set the relevant
context.xml's docbase to point to the exploded directory. Seems to work
well now

> The only idea I have left if nobody can see an obvious flaw in our
> > logic is to write some custom code to initialise log4j. We would
> > just need to pick up the context, or a jndi variable and then
> > prefix the log file name with this. Guess it can't be that hard -
> > just figured that somebody would have hit this before.
>
> I think that's your best bet.
>
> Yes it was surprisingly easy. We created a subclass of springs
Log4jConfigListener, and then prefix the file parameter of any file
appenders. We set the web.xml value to blank, which is ignored, and then
when required we can override it in context.xml. Thanks for the pointer

> I recall that Mark Thomas mentioned something in a recent response
> > about looking for some code in tomcat source where it allowed
> > different contexts to register with JMX using different ports. I
> > looked and can't find it - always hard to google for something if
> > you don't know the term. Can anyone provide a pointer to if there
> > is an existing variable containing a context id, or path, or name
> > or something unique that we could use to prefix the log file - or
> > is it just easier to setup our own context parameter?
>
> I'm not sure that using JMX is going to make your life any easier.
>

I thought that via some internal to tomcat mechanism, I would be able to
detect which context I was in, and thus be able to use that to drive the
prefix for the log file, rather than having to have a specific web.xml
setting that each context overrides.

Thanks for your quick and detailed reply

Chris


RE: Directory contents listing of Aliases Directory

2011-11-23 Thread Asha K S
HI Markus,

Thanks a lot for the reply. But I already have listings set to true and still 
facing issues with directory listing of the directory set in Aliases. 

Thanks,
Asha

-Original Message-
From: Markus Schönhaber [mailto:tomcat-us...@list-post.mks-mail.de] 
Sent: Wednesday, November 23, 2011 5:53 PM
To: users@tomcat.apache.org
Subject: Re: Directory contents listing of Aliases Directory

23.11.2011 12:53, Asha K S:

> Currently when I set Aliases attribute for Context ,Tomcat serves resources 
> from Aliases directory but I am unable to get the directory listing for the 
> Aliases Directory.Can you please let me know if anyone has tried this or if 
> there is any other way to do it.
> 
> I have set my aliases="/mytest=C:\mytest" and if I access 
> http://localhost:8080/mytest/test.jsp but if i just give 
> http://localhost:8080/mytest i am unable to get the directory listing for 
> mytest directory.



-- 
Regards
  mks





Re: tomcat http connector

2011-11-23 Thread André Warnier

It is easier to follow the conversation if questions/responses follow in a 
logical order.
In other words, please do not "top-post".


Asha K S wrote:

Hi,

Thank you all for helping me in this regard. Can you please point me to 
documentation which helps me configure https between Apache and Tomcat.
Also in AJPv13 extensions proposal 
(http://tomcat.apache.org/connectors-doc/ajp/ajpv13ext.html) one add on suggests 
"Basic authorisation system, where a shared secret key is present in web server and 
servlet engine" do we know if this is still under consideration.



As far as I know, this exists already, at least with mod_jk.
Look at the documentation for the mod_jk connector , and at the AJP  
documentation in Tomcat.

I don't know about mod_proxy_ajp.



Thanks,
Asha

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Wednesday, November 23, 2011 3:19 AM

To: Tomcat Users List
Subject: Re: tomcat http connector

Christopher Schultz wrote:


Asha,

On 11/22/11 2:15 AM, Asha K S wrote:

Is there any performance comparison document available already
between http and AJP

It should be easy to test in your own environment.

If you are using AJP through another web server, the overhead of the
server itself is obviously non-zero.

If you're asking about connecting httpd and Tomcat via HTTP or AJP,
then you'll have to do your own testing. I'm not sure there are any
current performance comparisons out there.

If you are using HTTPS in to Tomcat (that is, terminating SSL at
httpd, then using HTTPS between httpd and Tomcat) then you definitely
want to use the APR (aka "native") connector as it's crypto
implementation is much faster than the Java one.



Addendum : but if you do the above, and you are looking for performance, then you should 
at least think of what it means :


browser (1) <-- HTTPS A --> (2) Apache (3) <-- HTTPS B --> (4) Tomcat

(1) encryption (by the browser)
(2) decryption (by Apache)
(3) encryption (by Apache)
(4) decryption (by Tomcat)

encryption/decryption is a CPU-intensive process, so you will want to do it only where it 
is necessary.  If the link between Apache and Tomcat is "safe" (in other words, they are 
both on the same host, or the link is a safe internal network), then you probably do not 
want to use HTTPS there.
Even if the link between Apache and Tomcat is unencrypted HTTP (or AJP), you can still 
pass information from Apache to Tomcat about the browser/Apache HTTPS connection, if you 
need to.





Re: Directory contents listing of Aliases Directory

2011-11-23 Thread Markus Schönhaber
23.11.2011 12:53, Asha K S:

> Currently when I set Aliases attribute for Context ,Tomcat serves resources 
> from Aliases directory but I am unable to get the directory listing for the 
> Aliases Directory.Can you please let me know if anyone has tried this or if 
> there is any other way to do it.
> 
> I have set my aliases="/mytest=C:\mytest" and if I access 
> http://localhost:8080/mytest/test.jsp but if i just give 
> http://localhost:8080/mytest i am unable to get the directory listing for 
> mytest directory.



-- 
Regards
  mks





Directory contents listing of Aliases Directory

2011-11-23 Thread Asha K S
Hi,

Currently when I set Aliases attribute for Context ,Tomcat serves resources 
from Aliases directory but I am unable to get the directory listing for the 
Aliases Directory.Can you please let me know if anyone has tried this or if 
there is any other way to do it.

I have set my aliases="/mytest=C:\mytest" and if I access 
http://localhost:8080/mytest/test.jsp but if i just give 
http://localhost:8080/mytest i am unable to get the directory listing for 
mytest directory.

Thanks,
Asha


RE: Maven Tomcat 7 plugin - changing war name

2011-11-23 Thread Hodchenkov, Paul
Hi,
warFile in tomcat7 plugin works for me:


org.apache.tomcat.maven
tomcat7-maven-plugin
2.0-SNAPSHOT

target/app-qa.war
/
true



-Original Message-
From: Will Glass-Husain [mailto:wglasshus...@gmail.com] 
Sent: Tuesday, November 22, 2011 10:03 PM
To: Tomcat Users List
Subject: Maven Tomcat 7 plugin - changing war name

Hi,

I'm struggling to get the tomcat7 plugin to work.  I want to change the
name of the war file.  When I call

mvn tomcat7:deploy-only

It looks for war file   XXX-YYY.war, where XXX is the artifactId and YYY is
the version name.

I'd rather use a different, simpler WAR file name "myapp".  It's used
elsewhere in the site.  But neither of these two things changes the war
name that the plugin is looking for.


simulate


...


  org.apache.tomcat.maven
  tomcat7-maven-plugin
  2.0-SNAPSHOT
  
myapp.war
/myapp
  


Any suggestions?  Or is this just not yet implemented.

WILL




RE: tomcat http connector

2011-11-23 Thread Asha K S
Hi,

Thank you all for helping me in this regard. Can you please point me to 
documentation which helps me configure https between Apache and Tomcat.
Also in AJPv13 extensions proposal 
(http://tomcat.apache.org/connectors-doc/ajp/ajpv13ext.html) one add on 
suggests "Basic authorisation system, where a shared secret key is present in 
web server and servlet engine" do we know if this is still under consideration.

Thanks,
Asha

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Wednesday, November 23, 2011 3:19 AM
To: Tomcat Users List
Subject: Re: tomcat http connector

Christopher Schultz wrote:
> 
> Asha,
> 
> On 11/22/11 2:15 AM, Asha K S wrote:
>> Is there any performance comparison document available already
>> between http and AJP
> 
> It should be easy to test in your own environment.
> 
> If you are using AJP through another web server, the overhead of the
> server itself is obviously non-zero.
> 
> If you're asking about connecting httpd and Tomcat via HTTP or AJP,
> then you'll have to do your own testing. I'm not sure there are any
> current performance comparisons out there.
> 
> If you are using HTTPS in to Tomcat (that is, terminating SSL at
> httpd, then using HTTPS between httpd and Tomcat) then you definitely
> want to use the APR (aka "native") connector as it's crypto
> implementation is much faster than the Java one.
> 

Addendum : but if you do the above, and you are looking for performance, then 
you should 
at least think of what it means :

browser (1) <-- HTTPS A --> (2) Apache (3) <-- HTTPS B --> (4) Tomcat

(1) encryption (by the browser)
(2) decryption (by Apache)
(3) encryption (by Apache)
(4) decryption (by Tomcat)

encryption/decryption is a CPU-intensive process, so you will want to do it 
only where it 
is necessary.  If the link between Apache and Tomcat is "safe" (in other words, 
they are 
both on the same host, or the link is a safe internal network), then you 
probably do not 
want to use HTTPS there.
Even if the link between Apache and Tomcat is unencrypted HTTP (or AJP), you 
can still 
pass information from Apache to Tomcat about the browser/Apache HTTPS 
connection, if you 
need to.




Re: Java 7

2011-11-23 Thread Ognjen Blagojevic

André,

On 22.11.2011 20:31, André Warnier wrote:

The reason I'm asking is that for testing some unrelated Java software,
I am being asked to install Java 7 on a system on which currently
happily runs Tomcat 6.x with Java 6 (Oracle), and I'd like to know if I
would be setting myself up for some incompatibility issues there.


Tomcat seems to be running just fine with Java 7. However, keep in mind 
that you will also need to test your web applications for compatibility.


For instance, Nexus (Maven repository manager) won't work with Java 7 [1].

-Ognjen

[1] https://issues.sonatype.org/browse/NEXUS-4437




Re: Query related to detection of the Source IP Address in Load-balancing mode

2011-11-23 Thread André Warnier

Faseela K wrote:

Hi,

I have applications running on two tomcat servers which are in load balancing 
mode.
If I try to access the application from the first server, and if the request is 
forwarded to the second server,
the request.getRemoteAddr() on the second server still returns 
"127.0.0.1" (instead of first server IP).
If the client is outside the two load-balancing servers, I am getting the proper 
client IP address.
I am using tomcat 5.5.31 and mod_jk module for load balancing, and my platform 
is solaris 10.
Is there a way to get the actual client IP, rather than localhost, if the client 
is on the same box as the tomcat server, and if the request is forwarded to the 
second load balancing server?


Hi.
I believe that your explanation is a bit confused, or confusing.
If you use a front-end server and mod_jk to do the load-balancing between 2 Tomcats, it is 
always the front-end which sends the request to one Tomcat.

It is not that one Tomcat passes a request to the other.

And there exists a parameter somewhere in the mod_jk setup, which controls whether the 
"remote client IP" address passed to Tomcat, is the one of the front-end server, or of the 
remote client.






Re: Tomcat recycling

2011-11-23 Thread André Warnier

Jan Vávra wrote:

Hello,
 thanks for a long response.
As I see, everybody is against my proposal. Ok.

Yes, some kind of restarting can be done via some scripts. In the best 
in a cluster environment...
Personally I don't trust /etc/init.d/tomcat scripts that come in wg. 
SLES linux.

Sometimes this script didn't properly restart tomcat.
It could be due to some unterminated thread, who knows...

I must look more closely into doc - how tomcat is starting and 
shutting down if I'd like to do some tomcat recycling by own or modified 
scripts.



One additional comment :
Applications which run under Tomcat are Java applications.  Some of these applications may 
need a significant time to initialise themselves and be ready to answer requests.
If you "recycle" Tomcat (by which I understand that you mean "totally stop and restart the 
JVM which runs Tomcat"), there may be a considerable period of time (maybe several 
minutes) during which the server is totally unresponsive to client requests.

I don't know if that would be a good idea.

(This is not a negative comment on Java or Tomcat.  It is just that the philosophy is 
different.  Once the applications are initialised, they will perform just as fast, or 
faster, than applications written in other languages or running on other servers).


This being said, I generally agree with the other answers you received : it is generally a 
bad idea to "plaster over" bugs in applications by doing something like that, because it 
gives you a false impression of having resolved the issue, but you never know when the 
underlying problem is going to hit you again.


