Re: Cannot redirect to html

2012-11-27 Thread basilk

I’ve got a file containing html and located in a relative directory.
When I return it in a jsp page using out.write(file>), then everything is ok.
But when I return it using response.sendRedirect(file>), I get a 404 error.


What seems to be a problem?
Please, help.



Unless you provide:
- the URL used to access the JSP
- the full path to that JSP on the file system
- the relative path you are trying to use

no-one here is going to be able to help you.

Mark


Mark. You are absolutely right. No one can help because the problem is my 
misunderstanding of the jsp code.

Now I have found out what the root of the problem was.

Thank you for your time.

basil. 



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: tomcat 6.0.35 with java 7 ssl proxy request body failed

2012-11-27 Thread Johanes Soetanto
On 26 November 2012 18:22, Mark Thomas  wrote:
> Johanes Soetanto  wrote:
>
>>Hi all,
>>
>>I am wondering whether there is a known issue with running Tomcat
>>6.0.35 with Java 7 ?
>
> None I can think of.
>
>>I see lots of "(502)Unknown error 502: proxy: pass request body
>>failed.." error in our Apache log after running our Tomcat with Java
>>7. Once I change back Tomcat to use Java 6, I see no error at all.
>
> Time to get tcpdump / wireshark installed and look at what is going on on 
> port 8443.
>
Hmm, I have been looking for a way to capture the communication with
wireshark, but still haven't found one. Do you know a way
to do it?

I can see some communication using tcpdump, but I don't think I can
see the packets, or am I missing something?

> Mark
>

Other than that, I found out that I can avoid the "pass request body" error
if I enable APR and use the same certificate. If I disable APR and use the
JSSE implementation (keystore), it always gives me an error at a random
point. So I am not sure whether this is a problem with Tomcat / Java 7 /
the SSL certificate itself.

My APR https connection is set like



I am not sure whether I should cc you, Matt; I see you replied to me and
users@tomcat.apache.org, and when I click reply it automatically sets your
email address in the "to" field.




Re: Nagios plugin script for use with JMXProxy

2012-11-27 Thread Mark Eggers

On 11/27/2012 3:14 PM, Christopher Schultz wrote:


Mark,

On 11/27/12 6:02 PM, Mark Eggers wrote:

On 11/27/2012 2:37 PM, Christopher Schultz wrote:


All,

I have developed a Perl script that can be used with Nagios to
check on a Tomcat instance via the manager's JMXProxyServlet.
Someone asked me to publish it, which I'm happy to do. I'm just
wondering what the best thing to do is.

I see several options:

1. Submit a patch to the Tomcat source 2. Drop the file into the
Tomcat wiki 3. Stick the file on Apache's related-projects stash
-- I have forgotten the address at this point :( 4. Host it on my
own website

Tomcat's source doesn't include a "contrib" directory or anything
like that, so probably #1 isn't the best option, but I figured
I'd mention it in case someone wants to tell me a better place in
the Tomcat source I could put it.

I'm not sure the wiki is the best place for things like scripts.
At least it will be available and versioned-with-history: anyone
can make modifications to it and everyone benefits.

Does anyone have any suggestions as to which way I should go?

Thanks, - -chris


Chris,

First of all, thank you for this. I've been toying with a similar
idea (and plugging the entire mess into the Icinga remoting
script), but I've not had the chance.

Right now, I think the Wiki might be a good place. Maybe under the
"Troubleshooting" section? I don't know, there doesn't seem to be a
good monitoring section in the How To area of the Wiki.

Maybe you could start one?


I've actually been working on one:

http://wiki.apache.org/tomcat/FAQ/Monitoring


The fact that you have forgotten the related projects' stash URL is
a good indication that most people don't know of it, or have
forgotten it, or are otherwise unaware of it. I know I am. So
unless the location gets broadcast pretty strongly, then your good
work will go off to the dusty bin of unvisited URLs.


+1


Your blog is great as well, I just don't know how much extra access
and traffic you're looking for . . .


Heh. My website gets a trickle of hits per day, and those are probably
just spiders.

I'll link to it from the aforementioned wiki page. We can always move
it somewhere else.

Let me know if it will work for you in Icinga.

- -chris


First glance at the code - looks nice, and it looks like it will play 
with Icinga. If I have time in the next few days I'll try to add and 
configure it.


Unfortunately, I have to move on December 1st, and I've yet to find a 
place to move to. That takes first priority (although I could always 
participate from various open wifi spots :-| )


And your Wiki start is nice - much nicer than the blank page I've got 
going for clustering. Maybe in a few weeks.


. . . . life takes priority so only a penny's worth this time.
/mde/




Re: Tomcat ssl vulnerability CVE-2009-3555

2012-11-27 Thread Christopher Schultz

Hermes,

On 11/26/12 3:36 PM, Hermes Flying wrote:
> Hi, I am running Tomcat 5.35 and I got a report that it is
> vulnerable to SSL client renegotiation DoS.
> 
> You note in your docs that this is not a Tomcat issue per se, but a
> JSSE issue. Please note that allowUnsafeLegacyRenegotiation is set
> to false. Looking into the source code I see the following:
> 
> public void handshake(Socket sock) throws IOException {
>     ((SSLSocket)sock).startHandshake();
> 
>     if (!allowUnsafeLegacyRenegotiation) {
>         // disable all ciphers, avoiding any subsequent handshake
>         ((SSLSocket)sock).setEnabledCipherSuites(new String[0]);
>     }
> }
> 
> Also looking into Tomcat6/7 source code I see that the only
> difference is to check for existence of
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV in JSSE.
> 
> But other than that the logic is the same. So I can only assume
> that upgrading to Tomcat 6 would not solve my problem. Since I have
> verified via debugging also that allowUnsafeLegacyRenegotiation is
> indeed false, why do I get reports on SSL client renegotiation
> vulnerability?

Many vulnerability scanners blindly check version numbers and then
just regurgitate information found in CVE reports. It's much easier
than actually probing for the actual vulnerability, and it generates
huge numbers of false positives.

It's very possible that your server is actually not vulnerable but
that your version number has been flagged as /potentially/ vulnerable.
What tool/service are you using to scan for vulnerabilities?

> I see in your notes (http://tomcat.apache.org/security-5.html)
> that: Requires JRE that supports RFC 5746. For Oracle JRE that is
> known to be 6u22 or later.

Allowing "safe" renegotiation requires this. Disabling unsafe
renegotiation does not require 6u22 or later -- because of the trick
of disabling all ciphers once the initial SSL handshake has been
completed.

> But as I understand the code, even if the JRE does not support the RFC
> you still disable the handshake with your "hack" to set no enabled
> ciphers

+1

> Is this a Java/JSSE problem? What can I do? Can you please help
> me?

I think you might want to put this into the "prove the vulnerability
exists" pile and go back to the tool/service for verification.

- -chris
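One concrete way to act on "prove the vulnerability exists" is to look at what the server itself says during the handshake rather than at its version string. An RFC 5746 capable stack (the 6u22-or-later JSSE the security page refers to) answers the ClientHello with a renegotiation_info extension (type 0xff01) in its ServerHello. The parser below is an added example, not code from the thread or from Tomcat; the two ServerHello records it checks are constructed by build_server_hello(), not captured from a real server.

```python
"""Inspect a TLS ServerHello for the RFC 5746 renegotiation_info extension.

Added example, not Tomcat code. The ServerHello bytes are constructed by
build_server_hello() so the check runs offline; to look at a real server,
feed it the first handshake record read back after sending a ClientHello.
"""
import struct

RENEGOTIATION_INFO = 0xFF01                 # extension type from RFC 5746
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # the signalling suite a client may send instead


def build_server_hello(cipher_suite, extensions, version=(3, 1)):
    """Assemble one TLS record holding one ServerHello (constructed test data).

    extensions: list of (type, data) pairs; an empty list omits the extensions
    block entirely, which is what a pre-RFC-5746 server sends.
    """
    body = bytes(version) + bytes(32)          # protocol version + 32-byte random (zeros here)
    body += b"\x00"                            # empty session_id
    body += struct.pack(">H", cipher_suite)
    body += b"\x00"                            # compression method: null
    if extensions:
        ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body        # HandshakeType server_hello = 2
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake  # ContentType handshake


def parse_server_hello(record):
    """Return {'version', 'cipher_suite', 'extensions'} from a ServerHello record.

    Every length is checked against the bytes actually present, so a truncated
    or hostile record raises ValueError instead of yielding a half-parsed result.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not contain a complete ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 38:   # 2 version + 32 random + 1 sid len + 2 suite + 1 comp
        raise ValueError("truncated ServerHello body")
    version = (body[0], body[1])
    pos = 34
    sid_len = body[pos]
    pos += 1 + sid_len
    if len(body) < pos + 3:
        raise ValueError("truncated ServerHello after session_id")
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 3                                    # cipher suite (2) + compression method (1)
    extensions = {}
    if len(body) > pos:                         # the extensions block is optional
        ext_total = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end != len(body):
            raise ValueError("extensions length does not match body")
        while pos < end:
            if end - pos < 4:
                raise ValueError("truncated extension header")
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if end - pos < ext_len:
                raise ValueError("truncated extension data")
            extensions[ext_type] = body[pos:pos + ext_len]
            pos += ext_len
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def supports_secure_renegotiation(record):
    """True iff the ServerHello carries renegotiation_info with the empty
    renegotiated_connection (a single 0x00 length byte) expected on an
    initial handshake."""
    ext = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    return ext == b"\x00"


# Constructed samples: an RFC 5746 server and a legacy server, both selecting
# TLS_RSA_WITH_AES_128_CBC_SHA (0x002F).
RFC5746_HELLO = build_server_hello(0x002F, [(RENEGOTIATION_INFO, b"\x00")])
LEGACY_HELLO = build_server_hello(0x002F, [])

if __name__ == "__main__":
    for name, rec in (("rfc5746", RFC5746_HELLO), ("legacy", LEGACY_HELLO)):
        print(name, "secure renegotiation advertised:", supports_secure_renegotiation(rec))
```

A False result is exactly the situation Chris describes: the server may lack the extension yet still refuse to renegotiate (Tomcat's trick of emptying the enabled cipher suites after the first handshake), so the absence of the extension is not proof of exposure. Proving it one way or the other means attempting a renegotiation on a live connection (for example `openssl s_client` and then typing `R` on the open connection) and seeing whether the server completes it, which this parser alone does not do.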




Re: Nagios plugin script for use with JMXProxy

2012-11-27 Thread Christopher Schultz

Mark,

On 11/27/12 6:02 PM, Mark Eggers wrote:
> First of all, thank you for this. I've been toying with a similar
> idea (and plugging the entire mess into the Icinga remoting
> script), but I've not had the chance.

http://wiki.apache.org/tomcat/tools/check_jmxproxy.pl

- -chris




Re: Nagios plugin script for use with JMXProxy

2012-11-27 Thread Christopher Schultz

Mark,

On 11/27/12 6:02 PM, Mark Eggers wrote:
> On 11/27/2012 2:37 PM, Christopher Schultz wrote:
>> 
>> All,
>> 
>> I have developed a Perl script that can be used with Nagios to
>> check on a Tomcat instance via the manager's JMXProxyServlet.
>> Someone asked me to publish it, which I'm happy to do. I'm just
>> wondering what the best thing to do is.
>> 
>> I see several options:
>> 
>> 1. Submit a patch to the Tomcat source 2. Drop the file into the
>> Tomcat wiki 3. Stick the file on Apache's related-projects stash 
>> -- I have forgotten the address at this point :( 4. Host it on my
>> own website
>> 
>> Tomcat's source doesn't include a "contrib" directory or anything
>> like that, so probably #1 isn't the best option, but I figured
>> I'd mention it in case someone wants to tell me a better place in
>> the Tomcat source I could put it.
>> 
>> I'm not sure the wiki is the best place for things like scripts.
>> At least it will be available and versioned-with-history: anyone
>> can make modifications to it and everyone benefits.
>> 
>> Does anyone have any suggestions as to which way I should go?
>> 
>> Thanks, - -chris
> 
> Chris,
> 
> First of all, thank you for this. I've been toying with a similar
> idea (and plugging the entire mess into the Icinga remoting
> script), but I've not had the chance.
> 
> Right now, I think the Wiki might be a good place. Maybe under the 
> "Troubleshooting" section? I don't know, there doesn't seem to be a
> good monitoring section in the How To area of the Wiki.
> 
> Maybe you could start one?

I've actually been working on one:

http://wiki.apache.org/tomcat/FAQ/Monitoring

> The fact that you have forgotten the related projects' stash URL is
> a good indication that most people don't know of it, or have
> forgotten it, or are otherwise unaware of it. I know I am. So
> unless the location gets broadcast pretty strongly, then your good
> work will go off to the dusty bin of unvisited URLs.

+1

> Your blog is great as well, I just don't know how much extra access
> and traffic you're looking for . . .

Heh. My website gets a trickle of hits per day, and those are probably
just spiders.

I'll link to it from the aforementioned wiki page. We can always move
it somewhere else.

Let me know if it will work for you in Icinga.

- -chris




Re: malware found the tomcat 6.0.29

2012-11-27 Thread Christopher Schultz

Mark,

On 11/27/12 4:23 AM, Mark Thomas wrote:
> On 27/11/2012 07:21, Mohan Kumar G wrote:
>> 
>> We have found malware installed on Tomcat version 6.0.29
>> on two of the servers. Both servers have a war file 
>> (Tomcatmanagxesaxsas.war) that installed several java script
>> files to the Tomcat webserver that allow for remote access over
>> the web. OD-VA-W-AG-87 had an additional war file (Jeroy.war)
>> that appears to also be a java script remote file browser.
> 
> Could you send copies of those WAR files to
> secur...@tomcat.apache.org please.
> 
>> Even though we followed all the security settings needed for 
>> the tomcat container.
> 
> You are running a 2 year old version of Tomcat 6.0.x with multiple
> known security vulnerabilities. There are several vulnerabilities
> that could have provided an attacker with the necessary foothold to
> start an attack.

+1

There are also plenty of ways that the attacker could have gotten
access to the system through other means, and then installed the WAR
file for an easier return.

- -chris
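The two things worth checking on every other Tomcat host after a report like this are (a) deployments under webapps/ that nobody put there and (b) JSPs that execute commands or load classes on behalf of a request parameter. The script below is an added example, not code from the thread or from Tomcat. It runs on an in-memory snapshot so it works offline; the sample tree at the bottom is constructed and says nothing about the real WAR files named above, and EXPECTED_CONTEXTS is an assumption to be replaced with the list of contexts actually deployed on a given server.

```python
"""Triage a Tomcat webapps tree for unexpected deployments and web-shell-like JSPs.

Added example (not from the thread or the Tomcat project). triage() works on a
{relative_path: text} snapshot; walk_webapps() builds such a snapshot from a
real CATALINA_BASE/webapps. SAMPLE_SNAPSHOT below is constructed test data.
"""
import os
import re

# Contexts an operator expects on this server (assumption: edit per host).
# Anything else under webapps/ is reported before its content is even read,
# which is where an extra WAR dropped by an attacker shows up.
EXPECTED_CONTEXTS = {"ROOT", "manager", "host-manager", "myapp"}

# Indicators typical of JSP web shells; each hit adds its weight to a score.
INDICATORS = [
    (re.compile(r"Runtime\.getRuntime\(\)\.exec\("), 5, "Runtime.exec"),
    (re.compile(r"new\s+ProcessBuilder\("), 5, "ProcessBuilder"),
    (re.compile(r"(exec|ProcessBuilder)\([^;]{0,120}request\.getParameter\("), 3, "request-driven exec"),
    (re.compile(r"Class\.forName\("), 2, "reflective class load"),
    (re.compile(r"defineClass\("), 4, "defineClass"),
    (re.compile(r"new\s+FileOutputStream\("), 2, "file write"),
    (re.compile(r"\.listFiles\(\)"), 1, "directory listing"),
    (re.compile(r"<input[^>]*type=[\"']?password", re.I), 1, "password prompt"),
]
SHELL_THRESHOLD = 5


def score_jsp(text):
    """Return (score, [indicator names]) for one JSP/JSPX source text."""
    score, hits = 0, []
    for pattern, weight, name in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def triage(snapshot, expected=EXPECTED_CONTEXTS):
    """snapshot: {path relative to webapps/: file text}. Returns a list of findings."""
    findings = []
    seen_contexts = set()
    for path, text in sorted(snapshot.items()):
        top = path.split("/", 1)[0]
        context = top[:-4] if top.lower().endswith(".war") else top
        if context not in seen_contexts:
            seen_contexts.add(context)
            if context not in expected:
                findings.append({"path": top, "kind": "unexpected-context",
                                 "score": SHELL_THRESHOLD, "hits": []})
        if path.lower().endswith((".jsp", ".jspx")):
            score, hits = score_jsp(text)
            if score >= SHELL_THRESHOLD:
                findings.append({"path": path, "kind": "webshell-like",
                                 "score": score, "hits": hits})
    return findings


def walk_webapps(webapps_dir):
    """Build a snapshot from a real webapps directory (JSP text; WAR names only)."""
    snap = {}
    for root, _dirs, files in os.walk(webapps_dir):
        for f in files:
            full = os.path.join(root, f)
            rel = os.path.relpath(full, webapps_dir).replace(os.sep, "/")
            if f.lower().endswith((".jsp", ".jspx")):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    snap[rel] = fh.read()
            elif f.lower().endswith(".war"):
                snap[rel] = ""
    return snap


# Constructed sample tree: a benign page, an expected app, and an unexpected
# context whose JSP runs whatever the "cmd" parameter says.
SAMPLE_SNAPSHOT = {
    "ROOT/index.jsp": "<html><body><%= new java.util.Date() %></body></html>",
    "myapp/WEB-INF/web.xml": "<web-app/>",
    "zz9/c.jsp": (
        '<%@ page import="java.io.*" %>'
        '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));'
        ' InputStream in = p.getInputStream(); int b;'
        ' while ((b = in.read()) != -1) out.write(b); %>'
    ),
    "zz9.war": "",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SNAPSHOT):
        print(f"{f['kind']:20} {f['path']:20} score={f['score']} {', '.join(f['hits'])}")
```

Treat the output as a triage list, not a verdict: a legitimate admin console can trip the same indicators, and a shell that decodes its payload at runtime will not. The unexpected-context check is the more reliable of the two, which is why it fires on the WAR name alone; compare it against the deployment records for the host, and as Chris notes, an unexpected WAR may be the attacker's way back in rather than the original way in.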




Re: Nagios plugin script for use with JMXProxy

2012-11-27 Thread Mark Eggers

On 11/27/2012 2:37 PM, Christopher Schultz wrote:


All,

I have developed a Perl script that can be used with Nagios to check
on a Tomcat instance via the manager's JMXProxyServlet. Someone asked
me to publish it, which I'm happy to do. I'm just wondering what the
best thing to do is.

I see several options:

1. Submit a patch to the Tomcat source
2. Drop the file into the Tomcat wiki
3. Stick the file on Apache's related-projects stash
-- I have forgotten the address at this point :(
4. Host it on my own website

Tomcat's source doesn't include a "contrib" directory or anything like
that, so probably #1 isn't the best option, but I figured I'd mention
it in case someone wants to tell me a better place in the Tomcat
source I could put it.

I'm not sure the wiki is the best place for things like scripts. At
least it will be available and versioned-with-history: anyone can make
modifications to it and everyone benefits.

Does anyone have any suggestions as to which way I should go?

Thanks,
- -chris


Chris,

First of all, thank you for this. I've been toying with a similar idea 
(and plugging the entire mess into the Icinga remoting script), but I've 
not had the chance.


Right now, I think the Wiki might be a good place. Maybe under the 
"Troubleshooting" section? I don't know, there doesn't seem to be a good 
monitoring section in the How To area of the Wiki.


Maybe you could start one?

The fact that you have forgotten the related projects' stash URL is a 
good indication that most people don't know of it, or have forgotten it, 
or are otherwise unaware of it. I know I am. So unless the location gets 
broadcast pretty strongly, then your good work will go off to the dusty 
bin of unvisited URLs.


Your blog is great as well, I just don't know how much extra access and 
traffic you're looking for . . .


. . . . just my two cents
/mde/




Re: Using the Tomcat Native Library can only connect over ipv6 But not over ipv4

2012-11-27 Thread Christopher Schultz

Harm-Jan,

On 11/27/12 3:32 PM, Zorro wrote:
> Op 27-11-2012 20:00, Christopher Schultz schreef:
>> 
>> Harm-Jan,
>> 
>> On 11/26/12 3:16 PM, Zorro wrote:
>>> I have now this in my server.xml: For IPv4: >> port="80" protocol="HTTP/1.1" connectionTimeout="2"
>>> redirectPort="8443" address="0.0.0.0" /> For IPv6: >> port="80" protocol="HTTP/1.1" connectionTimeout="2"
>>> redirectPort="8443" address="::0" />
>>> 
>>> With this setup I can connect to port 80 over Ipv4 And IPv6 to
>>> my Linux box.
>> So, a recap:
>> 
>> * NIO/BIO connector binds to both IPv4 and IPv6 when no "address"
>> is specified
>> 
>> * APR connector binds only to IPv6 interface if IPv6 is
>> available, otherwise only IPv4
>> 
>> * Linux vs. Windows is not relevant
>> 
>> Do I have that all right? Or does Linux work as expected (bind to
>> both interfaces) and Windows does not?
>> 
>> Ideally, this should work everywhere:
>> 
>> 
>> 
>> ... and listen on both 0.0.0.0:80 and :::80
>> 
>> The only configuration shown by Zorro has two connectors and says
>> that works on Windows.
>> 
>>> On a Windows Vista PC I have also installed Tomcat 7.0.32 and
>>> the Windows installation set downloaded from tomcat.apache.org
>>> uses per default the Native Library. I have not changed
>>> anything in the configuration yet and on that PC a telnet
>>> 127.0.0.1 80 is ok while an IPv6 telnet ::1 80 fails.
>> You mean using the above configuration?
>> 
>> So, you have 2 connectors on Windows and one of them doesn't work
>> at all? Please stop Tomcat, delete all log files, confirm your 
>> (2-connector) configuration, start Tomcat, then re-post your 
>>  configuration and the complete catalina.out log file,
>> plus versions of everything all at once.
>> 
>> Better yet, if you could provide a matrix of configurations that
>> *do* work versus *don't* work, that would be great, too. I'm
>> specifically interested in knowing if this is a generic APR
>> problem, or only APR-on-Windows. Jeffrey Janner has had problems
>> on Windows (which may be a win32 TCP/IP stack problem) but if it
>> doesn't work on Linux, either, then perhaps it really is a bug
>> with APR or tcnative.
>> 
>>> Maybe it's worth it to include it in the documentation of the 
>>> native library.
>> Maybe it's worth filing a bug report. If I can get you to
>> cough-up full details, it will make it much easier.
>> 
>> - -chris
> 
> Chris,
> 
> This is what I observed. Tomcat 7.0.32
> 
> 1. Linux (Fedora 14, gcc 4.5.1, OpenJDK IcedTea6 1.9.10 java
> version 1.6.0_20)
> 
> One connector for port 80 defined without the address attribute:
> 
> * NIO/BIO connector binds to both IPv4 and IPv6 when no "address"
>   is specified
> * APR connector binds only to IPv6 interface if IPv6
>   is available, otherwise only IPv4
> 
> -
> 
> 2. Windows Vista (java version 1.7.0_09)
> 
> One connector for port 80 defined without the address attribute:
> 
> * NIO/BIO connector binds to both IPv4 and IPv6 when no "address"
>   is specified
> * APR connector binds only to IPv4 interface (not to
>   IPv6).

What about when specifying two connectors, one for IPV4 and one for IPv6?

- -chris




Re: Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread Christopher Schultz

James,

On 11/27/12 3:56 PM, James Lampert wrote:
> Christopher Schultz wrote:
> 
>> Maybe use DMPJVM? Sorry for the through-Google link [PDF]:
> 
> THANKS! Never heard of such a thing until you brought it to my 
> attention, and it's enough of an eye-opener that I would have
> gladly forgiven even a through-LMGTFY link.
> 
> DMPJVM looks like it may be just the thing. I don't want to risk 
> unnecessarily disrupting anybody right now, but later this
> afternoon, I'm going to run some test shutdowns.

If you get it figured out, please amend the wiki to include
instructions for AS/400. I don't have an AS/400 system handy, so I
can't do it myself. I'd probably go mad in the process, anyway ;)

I found some instructions for iSeries on the SAP website
(http://www.stechno.net/sap-notes.html?view=sapnote&id=710154) but I
wasn't going to copy-and-paste that or even link to it unless it
actually made some kind of sense.

> Among the responses I got on java40...@midrange.com, one fellow
> user remarked that he'd been seeing the same phenomenon, and
> another had this comment:
>> Tomcat won't shut down while there are non-daemon threads
>> running.
> 
> Still another turned me on to WRKJVMJOB (yet another command I'd
> never heard of). Applying option 11 of that ("Display Threads") to
> the QP0ZSPWT job (the only active QP0ZSPWT in the system, evidently
> slaved to the CATALINA job), I get:
> 
>  Thread  Name              Status
>  515F    main              TIMW
>  5162    JIT Compilatio >  THDW
>  5164    JVMTI event re >  THDW
>  5165    Signal Dispatc >  THDW
>  5167    Gc Slave Thread   THDW
>  5168    i5/OS informat >  JVAW
>  516A    MemoryPoolMXBe >  THDW
>  516B    Attach API wai >  SEMW
>  516C    GC Daemon         THDW
>  516D    Finalizer thread  THDW
>  5172    ContainerBackg >  THDW
>  5173    http-bio-8080- >  TIMW
>  5174    http-bio-8080- >  THDW
>  5175    http-bio-443-A >  TIMW
>  5176    http-bio-443-A >  THDW
>  5177    ajp-bio-8009-A >  TIMW
>  5178    ajp-bio-8009-A >  THDW
>  51BB    http-bio-443-e >  THDW
>  51BC    http-bio-443-e >  THDW
>  51BD    http-bio-443-e >  THDW
>  51BE    http-bio-443-e >  THDW
>  51BF    http-bio-8080- >  THDW
>  51C0    http-bio-8080- >  THDW
>  51C1    http-bio-8080- >  THDW
>  51C4    http-bio-443-e >  THDW
>  51DD    http-bio-443-e >  THDW
>  51DE    http-bio-443-e >  THDW
>  51DF    http-bio-443-e >  THDW
>  51E0    http-bio-443-e >  THDW
>  51E1    http-bio-443-e >  THDW
>  51E8    Java2D Disposer   THDW
>  51F6    http-bio-8080- >  THDW
>  51F7    http-bio-8080- >  THDW
>  51F8    http-bio-8080- >  THDW
>  51F9    http-bio-8080- >  THDW
>  51FA    http-bio-8080- >  THDW
>  51FC    http-bio-8080- >  THDW
>  520B    http-bio-8080- >  THDW
> 
> (funny, a few seconds ago, it didn't have nearly that many threads;
> evidently it is indeed currently in use). I note that option 12 appears
> to be plumbed into DMPJVM.

That certainly looks like a thread list at least. Now you just need to
try to get the stack trace of each of those threads.

- -chris




Nagios plugin script for use with JMXProxy

2012-11-27 Thread Christopher Schultz

All,

I have developed a Perl script that can be used with Nagios to check
on a Tomcat instance via the manager's JMXProxyServlet. Someone asked
me to publish it, which I'm happy to do. I'm just wondering what the
best thing to do is.

I see several options:

1. Submit a patch to the Tomcat source
2. Drop the file into the Tomcat wiki
3. Stick the file on Apache's related-projects stash
   -- I have forgotten the address at this point :(
4. Host it on my own website

Tomcat's source doesn't include a "contrib" directory or anything like
that, so probably #1 isn't the best option, but I figured I'd mention
it in case someone wants to tell me a better place in the Tomcat
source I could put it.

I'm not sure the wiki is the best place for things like scripts. At
least it will be available and versioned-with-history: anyone can make
modifications to it and everyone benefits.

Does anyone have any suggestions as to which way I should go?

Thanks,
- -chris
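For readers who want to see what such a check does before fetching the Perl script: the JMXProxyServlet answers a request like `GET /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage` with a single plain-text line, and a Nagios plugin only has to parse that line, compare against thresholds and exit with the right code. The Python below is an added example, not Chris's check_jmxproxy.pl and not Tomcat code. RESPONSE is a constructed reply in the shape JMXProxy prints CompositeData; the URL, user name and password in fetch() are placeholders, and the account it uses needs the manager-jmx role on Tomcat 7 (manager on Tomcat 6).

```python
"""Nagios-style heap check driven by Tomcat's JMXProxyServlet.

Added example, not Chris Schultz's check_jmxproxy.pl. RESPONSE is a
constructed sample of the servlet's one-line 'get' reply; fetch() holds
placeholder connection details and is only used with --live.
"""
import base64
import re
import sys
import urllib.request

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes


def parse_jmxproxy_get(text):
    """Parse a JMXProxy 'get' reply into (attribute_name, value).

    CompositeData such as MemoryUsage is printed with a contents={k=v, ...}
    tail, which becomes a dict of ints; any other value is returned as text.
    """
    m = re.match(r"OK - Attribute get '([^']+)' - (\w+) = (.*)", text.strip(), re.S)
    if not m:
        raise ValueError(f"unexpected JMXProxy reply: {text[:80]!r}")
    _mbean, attr, raw = m.groups()
    c = re.search(r"contents=\{([^}]*)\}", raw)
    if c:
        value = {}
        for pair in c.group(1).split(","):
            k, _sep, v = pair.strip().partition("=")
            value[k] = int(v) if v.lstrip("-").isdigit() else v
        return attr, value
    return attr, raw.strip()


def check_heap(text, warn_pct=80, crit_pct=90):
    """Return (exit_code, status_line) for a HeapMemoryUsage reply."""
    try:
        attr, usage = parse_jmxproxy_get(text)
        if attr != "HeapMemoryUsage" or not isinstance(usage, dict):
            return UNKNOWN, f"UNKNOWN - not a HeapMemoryUsage reply ({attr})"
        used, limit = usage["used"], usage["max"]
        if limit <= 0:                        # max=-1 means undefined: fall back to committed
            limit = usage["committed"]
        pct = 100.0 * used / limit
    except (ValueError, KeyError, ZeroDivisionError) as e:
        return UNKNOWN, f"UNKNOWN - {e}"
    # Nagios perfdata: label=value;warn;crit;min;max
    perf = f"|heap_used={used}B;{int(limit * warn_pct / 100)};{int(limit * crit_pct / 100)};0;{limit}"
    if pct >= crit_pct:
        return CRITICAL, f"CRITICAL - heap {pct:.1f}% used{perf}"
    if pct >= warn_pct:
        return WARNING, f"WARNING - heap {pct:.1f}% used{perf}"
    return OK, f"OK - heap {pct:.1f}% used{perf}"


def fetch(base="http://localhost:8080/manager/jmxproxy/", user="monitor", password="secret"):
    """Query the real servlet over HTTP Basic auth (placeholder host and credentials)."""
    req = urllib.request.Request(base + "?get=java.lang:type=Memory&att=HeapMemoryUsage")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.read().decode("utf-8", "replace")


# Constructed sample reply: 384 MiB used of a 512 MiB max heap (75%).
RESPONSE = (
    "OK - Attribute get 'java.lang:type=Memory' - HeapMemoryUsage = "
    "javax.management.openmbean.CompositeDataSupport(compositeType=..., "
    "contents={committed=268435456, init=134217728, max=536870912, used=402653184})"
)

if __name__ == "__main__":
    code, line = check_heap(fetch() if "--live" in sys.argv else RESPONSE)
    print(line)
    sys.exit(code)
```

Two design points carry over to any JMXProxy-based check: every parse failure maps to UNKNOWN rather than OK so a changed output format cannot silently turn into a green light, and the monitoring account should have only the manager-jmx role, since the same servlet accepts `set=` and `invoke=` requests from anyone who holds it.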




Re: tomcat6 with crl doesn't load

2012-11-27 Thread Daniel Mikusa
On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:

> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa  wrote:
>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>> 
>>> I have a self signed server certificate - and the user certs have no
>>> association/connection to the server cert.
>> 
>> I apologize, but I'm not exactly sure what you are trying to configure with 
>> the certs and the crl file.  Can you take a step back from the problem and 
>> give us some higher level details on what you are trying to achieve with 
>> this configuration?
>> 
>> Dan
> 
> OK, I am emulating the production environment for the application my
> development team works on.  The production environment is on government
> facilities and equipment.  Users authenticate with a Common Access
> Card (CAC) & PIN.  Our current environment has a locally developed PIN
> check, which is insufficient going forward.  Rather than developing
> code to do all of the work, it seems most appropriate to simply
> utilize the abilities built into tomcat to do that before our
> application even gets accessed.
> 
> The development server I stood up is a virtual server, running CentOS
> 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips.  I used openssl to
> generate a self-signed certificate, rather than getting an actual SSL
> cert from an outside source since this is a closed development system.
> 
> With that in mind, we are working to implement Certificate
> Authentication & Validation within Tomcat.  I've got the environment
> configured to prompt for the certificate and through the
> browser/client environment the PIN prompt is triggered without issue as
> long as the crlFile parameter isn't set in the connector.  That was
> easy.
> 
> My problem comes when I attempt to implement Certificate Revocation
> List checking.  The Government has a root certificate and about 20-30
> different intermediate certificate authorities that could have issued
> the user certificate.  I have loaded the root and intermediate
> government certificate into my local truststore and am loading it
> properly (based on the fact that the user certificates are recognized
> and accepted).
> 
> I have downloaded all the root certificate CRL data and each
> individual CA's CRL data.  Through the openssl commands, I converted
> them to PEM and then copied them all into one massive CRL file.  I
> have also, for testing, created a file with the root CRL data and the
> CRL data for the CA which issued my Certificate.
> 
> When I run the complete CRL, I run out of memory (271 MB CRL).  When I
> run just the root & my CA, it doesn't run out of memory, but it also
> doesn't trigger the PIN prompt (I assume the crl check happens before
> the PIN is checked?), and just displays "Page cannot be displayed."
> 
> I know my certificate is OK - when I use it to access other sites that
> require that certificate, it works fine.
> 
> Does that give you a clear(er) picture?  :)

Definitely.  A couple suggestions…

1.) You may want to take a look at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.  Search for "crlFile" and 
you can see how this is being configured and utilized.

  
https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2.) Maybe try using Tomcat native and the APR connector.  This would offload 
SSL to openssl which may handle things more efficiently.

Dan








Re: Using the Tomcat Native Library can only connect over ipv6 But not over ipv4

2012-11-27 Thread André Warnier

Zorro wrote:

Op 27-11-2012 20:00, Christopher Schultz schreef:


Harm-Jan,

On 11/26/12 3:16 PM, Zorro wrote:

I have now this in my server.xml: For IPv4:  For IPv6: 

With this setup I can connect to port 80 over Ipv4 And IPv6 to my
Linux box.

So, a recap:

* NIO/BIO connector binds to both IPv4 and IPv6 when no "address" is
specified

* APR connector binds only to IPv6 interface if IPv6 is available,
otherwise only IPv4

* Linux vs. Windows is not relevant

Do I have that all right? Or does Linux work as expected (bind to both
interfaces) and Windows does not?

Ideally, this should work everywhere:



... and listen on both 0.0.0.0:80 and :::80

The only configuration shown by Zorro has two connectors and says that
works on Windows.


On a Windows Vista PC I have also installed Tomcat 7.0.32 and the
Windows installation set downloaded from tomcat.apache.org uses
per default the Native Library. I have not changed anything in the
configuration yet and on that PC a telnet 127.0.0.1 80 is ok while
a IPv6 telnet ::1 80 fails.

You mean using the above configuration?

So, you have 2 connectors on Windows and one of them doesn't work at
all? Please stop Tomcat, delete all log files, confirm your
(2-connector) configuration, start Tomcat, then re-post your
 configuration and the complete catalina.out log file, plus
versions of everything all at once.

Better yet, if you could provide a matrix of configurations that *do*
work versus *don't* work, that would be great, too. I'm specifically
interested in knowing if this is a generic APR problem, or only
APR-on-Windows. Jeffrey Janner has had problems on Windows (which may
be a win32 TCP/IP stack problem) but if it doesn't work on Linux,
either, then perhaps it really is a bug with APR or tcnative.


Maybe it's worth it to include it in the documentation of the
native library.

Maybe it's worth filing a bug report. If I can get you to cough-up
full details, it will make it much easier.

- -chris


Chris,

This is what I observed.
Tomcat 7.0.32

1. Linux (Fedora 14, gcc 4.5.1, OpenJDK IcedTea6 1.9.10 java version 
1.6.0_20)


One connector for port 80 defined without the address attribute:

 * NIO/BIO connector binds to both IPv4 and IPv6 when no "address" is 
specified
 * APR connector binds only to IPv6 interface if IPv6 is available, 
otherwise only IPv4


-

2. Windows Vista (java version 1.7.0_09)

One connector for port 80 defined without the address attribute:

 * NIO/BIO connector binds to both IPv4 and IPv6 when no "address" is 
specified

 * APR connector binds only to IPv4 interface (not to IPv6).




In all 4 cases above, you can quickly check exactly what is bound to what, by using the 
"netstat" command after you have started Tomcat.


The options of netstat vary somewhat depending on the OS.
Under Linux, I'd try :
ps -ef | grep tomcat (to find out its PID)

netstat --tcp -pan | grep LISTEN | grep (tomcat's PID)

Under Windows :
netstat -aon
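Reading netstat by eye works for one box; for the matrix Chris asked for, a small parser that reduces the LISTEN lines of one PID to "ipv4 / ipv6 / both" per port is handier. The script below is an added example, not from the thread or from Tomcat. It takes `netstat --tcp -pan` output (Linux format) on stdin, and the SAMPLE at the bottom is constructed. The v6only flag mirrors the Linux default of net.ipv6.bindv6only=0, under which a `::` wildcard listener also accepts IPv4 connections through v4-mapped addresses; that default is an assumption to confirm with `sysctl net.ipv6.bindv6only` on the host being checked.

```python
"""Summarise which address families a Tomcat PID is listening on, from netstat.

Added example (not from the thread). Parses Linux `netstat --tcp -pan` lines;
SAMPLE is constructed output for a PID 4242 with one IPv4 and one IPv6
listener on port 80 and IPv6-only wildcard listeners on 8443 and 8009.
"""
import re
import sys

# netstat --tcp -pan row: proto recv-q send-q local foreign state pid/program
LISTEN_LINE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/"
)


def split_local(local):
    """'0.0.0.0:80' -> ('0.0.0.0', 80); ':::80' -> ('::', 80)."""
    host, _colon, port = local.rpartition(":")
    return host, int(port)


def listeners(lines, pid):
    """Yield (address, port) for LISTEN sockets owned by pid."""
    for line in lines:
        m = LISTEN_LINE.match(line.strip())
        if m and int(m.group("pid")) == pid:
            yield split_local(m.group("local"))


def coverage(lines, pid, v6only=False):
    """Return {port: 'ipv4' | 'ipv6' | 'both'} for the given PID.

    v6only=False assumes net.ipv6.bindv6only=0 (Linux default): a '::'
    wildcard listener then also serves IPv4 and counts as 'both'. A port
    with separate IPv4 and IPv6 listeners counts as 'both' either way.
    """
    result = {}
    for addr, port in listeners(lines, pid):
        fam = "ipv4" if ":" not in addr else "ipv6"
        if fam == "ipv6" and addr == "::" and not v6only:
            fam = "both"
        prev = result.get(port)
        result[port] = fam if prev in (None, fam) else "both"
    return result


# Constructed netstat output (not captured from a real host).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      4242/java
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4242/java
tcp6       0      0 :::80                   :::*                    LISTEN      4242/java
tcp6       0      0 :::8443                 :::*                    LISTEN      4242/java
tcp6       0      0 :::8009                 :::*                    LISTEN      4242/java
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else 4242
    for port, fam in sorted(coverage(text.splitlines(), pid).items()):
        print(f"port {port}: {fam}")
```

Usage on a real host: `netstat --tcp -pan | python3 listeners.py $(pgrep -f catalina)`. What netstat cannot show is whether a `::` socket was opened with IPV6_V6ONLY by the process itself, so a "both" result for an APR connector is a hypothesis to confirm with the two telnet tests mentioned above (127.0.0.1 and ::1), not a conclusion.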







Re: Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread James Lampert

Christopher Schultz wrote:


Maybe use DMPJVM? Sorry for the through-Google link [PDF]:


THANKS! Never heard of such a thing until you brought it to my 
attention, and it's enough of an eye-opener that I would have gladly 
forgiven even a through-LMGTFY link.


DMPJVM looks like it may be just the thing. I don't want to risk 
unnecessarily disrupting anybody right now, but later this afternoon, 
I'm going to run some test shutdowns.


Among the responses I got on java40...@midrange.com, one fellow user 
remarked that he'd been seeing the same phenomenon, and another had this 
comment:

Tomcat won't shut down while there are non-daemon threads running.


Still another turned me on to WRKJVMJOB (yet another command I'd never 
heard of). Applying option 11 of that ("Display Threads") to the 
QP0ZSPWT job (the only active QP0ZSPWT in the system, evidently slaved 
to the CATALINA job), I get:

 Thread  Name              Status
 515F    main              TIMW
 5162    JIT Compilatio >  THDW
 5164    JVMTI event re >  THDW
 5165    Signal Dispatc >  THDW
 5167    Gc Slave Thread   THDW
 5168    i5/OS informat >  JVAW
 516A    MemoryPoolMXBe >  THDW
 516B    Attach API wai >  SEMW
 516C    GC Daemon         THDW
 516D    Finalizer thread  THDW
 5172    ContainerBackg >  THDW
 5173    http-bio-8080- >  TIMW
 5174    http-bio-8080- >  THDW
 5175    http-bio-443-A >  TIMW
 5176    http-bio-443-A >  THDW
 5177    ajp-bio-8009-A >  TIMW
 5178    ajp-bio-8009-A >  THDW
 51BB    http-bio-443-e >  THDW
 51BC    http-bio-443-e >  THDW
 51BD    http-bio-443-e >  THDW
 51BE    http-bio-443-e >  THDW
 51BF    http-bio-8080- >  THDW
 51C0    http-bio-8080- >  THDW
 51C1    http-bio-8080- >  THDW
 51C4    http-bio-443-e >  THDW
 51DD    http-bio-443-e >  THDW
 51DE    http-bio-443-e >  THDW
 51DF    http-bio-443-e >  THDW
 51E0    http-bio-443-e >  THDW
 51E1    http-bio-443-e >  THDW
 51E8    Java2D Disposer   THDW
 51F6    http-bio-8080- >  THDW
 51F7    http-bio-8080- >  THDW
 51F8    http-bio-8080- >  THDW
 51F9    http-bio-8080- >  THDW
 51FA    http-bio-8080- >  THDW
 51FC    http-bio-8080- >  THDW
 520B    http-bio-8080- >  THDW
(funny, a few seconds ago, it didn't have nearly that many threads; 
evidently it is indeed currently in use). I note that option 12 appears 
to be plumbed into DMPJVM.


--
JHHL




RE: Using the Tomcat Native Library can only connect over ipv6 But not over ipv4

2012-11-27 Thread Jeffrey Janner
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, November 27, 2012 1:01 PM
> To: Tomcat Users List
> Subject: Re: Using the Tomcat Native Library can only connect over ipv6
> But not over ipv4
> 
> Harm-Jan,
> 
> On 11/26/12 3:16 PM, Zorro wrote:
> > I have now this in my server.xml: For IPv4:  > protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443"
> > address="0.0.0.0" /> For IPv6:  > protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443"
> > address="::0" />
> >
> > With this setup I can connect to port 80 over Ipv4 And IPv6 to my
> > Linux box.
> 
> So, a recap:
> 
> * NIO/BIO connector binds to both IPv4 and IPv6 when no "address" is
> specified
> 
> * APR connector binds only to IPv6 interface if IPv6 is available,
> otherwise only IPv4
> 
> * Linux vs. Windows is not relevant
> 
> Do I have that all right? Or does Linux work as expected (bind to both
> interfaces) and Windows does not?
> 
> Ideally, this should work everywhere:
> 
> 
> 
> ... and listen on both 0.0.0.0:80 and :::80
> 
> The only configuration shown by Zorro has two connectors and says that
> works on Windows.
> 
> > On a Windows Vista PC I have also installed Tomcat 7.0.32 and the
> > Windows installation set downloaded from tomcat.apache.org uses per
> > default the Native Library. I have not changed anything in the
> > configuration yet and on that PC a telnet 127.0.0.1 80 is ok while a
> > IPv6 telnet ::1 80 fails.
> 
> You mean using the above configuration?
> 
> So, you have 2 connectors on Windows and one of them doesn't work at
> all? Please stop Tomcat, delete all log files, confirm your
> (2-connector) configuration, start Tomcat, then re-post your
>  configuration and the complete catalina.out log file, plus
> versions of everything all at once.
> 
> Better yet, if you could provide a matrix of configurations that *do*
> work versus *don't* work, that would be great, too. I'm specifically
> interested in knowing if this is a generic APR problem, or only APR-on-
> Windows. Jeffrey Janner has had problems on Windows (which may be a
> win32 TCP/IP stack problem) but if it doesn't work on Linux, either,
> then perhaps it really is a bug with APR or tcnative.
> 
> > Maybe it's worth it to include it in the documentation of the native
> > library.
> 
> Maybe it's worth filing a bug report. If I can get you to cough-up full
> details, it will make it much easier.
> 
> - -chris

Chris, 
I want to say that it might have been a Windows stack limitation, at least up 
until the Windows 7 stack (which is Server 2008 R2).  Earlier versions didn't 
support dual-bind, but I can't be positive.  I have one of those servers and can 
check it when I have a freer moment in a few days.  I'll report back to this 
thread.
Jeff


RE: Tomcat with multiple domains

2012-11-27 Thread Jeffrey Janner
> -Original Message-
> From: Paul van Hoven [mailto:paul.van.ho...@googlemail.com]
> Sent: Tuesday, November 27, 2012 2:13 PM
> To: Tomcat Users List
> Subject: Re: Tomcat with multiple domains
> 
> Thanks for the answer. I followed the tutorial you propose (
> http://wiki.apache.org/tomcat/TomcatDevelopmentVirtualHosts ). But it
> is still not working. Here is my new configuration
> 
> 
> server.xml
>  appBase="/opt/apache-tomcat-7.0.32/2nddomain.com" unpackWARs="true"
> autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
>   2nddomain.com
>   www.2nddomain.com
>   
> 
> The directory
> /opt/apache-tomcat-7.0.32/2nddomain.com
> contains a ROOT.war file.
> 
> I edited the /etc/hosts file and added the following entries:
> 88.84.140.88  www.2nddomain.com:8080
> 88.84.140.88  www.1rstdomain.com:8080
> 
> Then I restarted the system and the tomcat server. Entering
> www.2nddomain.com:8080 sends me to 1rstdomain.com. I noticed that the
> file  "/opt/apache-tomcat-7.0.32/2nddomain.com/ROOT.war" remains
> untouched by tomcat, at least nothing is extracted from the war file.
> 
> So what else am I missing here?

Make sure that the new  definition is nested inside the 
 tags.
You also do not need the first  line.  The name= parameter takes care of 
that mapping for you.
In general, the nesting works this way:

  



  
www.host1.com
  
  
host2.com
  
  

  


There are a myriad other tag sets that could be included in there and it's very 
important that they be nested properly to work properly.

Also, since you are using the /etc/hosts file instead of the DNS system, the 
client (browser) also has those entries in its hosts file.  And, as Konstantin 
pointed out, you don't put the port number in the /etc/hosts file.
If you are using DNS for the clients, make sure that it has entries for both 
hosts, pointing to the same IP address.  





Re: Using the Tomcat Native Library can only connect over ipv6 But not over ipv4

2012-11-27 Thread Zorro

Op 27-11-2012 20:00, Christopher Schultz schreef:


Harm-Jan,

On 11/26/12 3:16 PM, Zorro wrote:

I have now this in my server.xml: For IPv4:  For IPv6: 

With this setup I can connect to port 80 over Ipv4 And IPv6 to my
Linux box.

So, a recap:

* NIO/BIO connector binds to both IPv4 and IPv6 when no "address" is
specified

* APR connector binds only to IPv6 interface if IPv6 is available,
otherwise only IPv4

* Linux vs. Windows is not relevant

Do I have that all right? Or does Linux work as expected (bind to both
interfaces) and Windows does not?

Ideally, this should work everywhere:



... and listen on both 0.0.0.0:80 and :::80

The only configuration shown by Zorro has two connectors and says that
works on Windows.


On a Windows Vista PC I have also installed Tomcat 7.0.32 and the
Windows installation set downloaded from tomcat.apache.org uses
per default the Native Library. I have not changed anything in the
configuration yet and on that PC a telnet 127.0.0.1 80 is ok while
a IPv6 telnet ::1 80 fails.

You mean using the above configuration?

So, you have 2 connectors on Windows and one of them doesn't work at
all? Please stop Tomcat, delete all log files, confirm your
(2-connector) configuration, start Tomcat, then re-post your
 configuration and the complete catalina.out log file, plus
versions of everything all at once.

Better yet, if you could provide a matrix of configurations that *do*
work versus *don't* work, that would be great, too. I'm specifically
interested in knowing if this is a generic APR problem, or only
APR-on-Windows. Jeffrey Janner has had problems on Windows (which may
be a win32 TCP/IP stack problem) but if it doesn't work on Linux,
either, then perhaps it really is a bug with APR or tcnative.


Maybe it's worth it to include it in the documentation of the
native library.

Maybe it's worth filing a bug report. If I can get you to cough-up
full details, it will make it much easier.

- -chris


Chris,

This is what I observed.
Tomcat 7.0.32

1. Linux (Fedora 14, gcc 4.5.1, OpenJDK IcedTea6 1.9.10 java version 
1.6.0_20)


One connector for port 80 defined without the address attribute:

 * NIO/BIO connector binds to both IPv4 and IPv6 when no "address" is 
specified
 * APR connector binds only to IPv6 interface if IPv6 is available, 
otherwise only IPv4


-

2. Windows Vista (java version 1.7.0_09)

One connector for port 80 defined without the address attribute:

 * NIO/BIO connector binds to both IPv4 and IPv6 when no "address" is 
specified

 * APR connector binds only to IPv4 interface (not to IPv6).


Regards,
Harm-Jan





Re: Tomcat with multiple domains

2012-11-27 Thread Konstantin Kolinko
2012/11/28 Paul van Hoven :
>
> I edited the /etc/hosts file and added the following entries:
> 88.84.140.88www.2nddomain.com:8080
> 88.84.140.88www.1rstdomain.com:8080

Domain Name Service resolves host names.  A port number is not part of
a host name. The above two lines are invalid.




Re: Tomcat with multiple domains

2012-11-27 Thread Paul van Hoven
Thanks for the answer. I followed the tutorial you propose (
http://wiki.apache.org/tomcat/TomcatDevelopmentVirtualHosts ). But it
is still not working. Here is my new configuration


server.xml

2nddomain.com
www.2nddomain.com


The directory
/opt/apache-tomcat-7.0.32/2nddomain.com
contains a ROOT.war file.

I edited the /etc/hosts file and added the following entries:
88.84.140.88www.2nddomain.com:8080
88.84.140.88www.1rstdomain.com:8080

Then I restarted the system and the tomcat server. Entering
www.2nddomain.com:8080 sends me to 1rstdomain.com. I noticed that the
file  "/opt/apache-tomcat-7.0.32/2nddomain.com/ROOT.war" remains
untouched by tomcat, at least nothing is extracted from the war file.

So what else am I missing here?

2012/11/22 Caldarale, Charles R :
>> From: Paul van Hoven [mailto:paul.van.ho...@googlemail.com]
>> Subject: Tomcat with multiple domains
>
>> I found the following tutorial (very old) on the web:
>> http://onjava.com/pub/a/onjava/2006/08/30/publishing-multiple-sites-using-single-tomcat.html
>
> Probably best to completely ignore anything that old.
>
>> I paid attention to the official Tomcat documentation in regard to this:
>> http://tomcat.apache.org/tomcat-7.0-doc/virtual-hosting-howto.html
>
> That's good to look at, as is this:
> http://wiki.apache.org/tomcat/HowTo#How_do_I_set_up_Tomcat_virtual_hosts_in_a_development_environment.3F
>
> The steps apply to production as well as development.
>
>> In my $CATALINA_HOME (which is /opt/apache-tomcat-7.0.32) I created
>> the folder "my2ndDomain"
>
> This is only speculation (too lazy to look at the code right now), but domain 
> names are defined to be case-insensitive, and typically presented only in 
> lower case.  What happens if you change my2ndDomain to my2nddomain everywhere?
>
>> 
>
> The above is really, really bad.  You shouldn't be putting  elements 
> in server.xml, and besides, the contents of that one are gibberish.  What did 
> you expect to achieve with it?
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
> MATERIAL and is thus for use only by the intended recipient. If you received 
> this in error, please contact the sender and delete the e-mail and its 
> attachments from all computers.
>
>
>




Re: Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread Christopher Schultz

James,

On 11/27/12 1:13 PM, James Lampert wrote:
> Konstantin Kolinko wrote:
> 
>> 2. Shutdown command is sent to port 8005. (8009 is a port used by
>> AJP protocol connector).
> 
> Thanks. That at least clears up a misconception on my part.
> Researching it cleared up another misconception on my part: that
> the Catalina job directly owns the ports. Actually, the ports are
> owned by a QP0ZSPWT job (that is itself probably owned by the
> Catalina job.)
> 
> Once I know how to get a thread dump on an AS/400 (the link didn't
> cover that; I've got a question out to the Java-400 list at
> Midrange.com about that)

Maybe use DMPJVM? Sorry for the through-Google link [PDF]:

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CFsQFjAI&url=http%3A%2F%2Fpublib.boulder.ibm.com%2Fhtml%2Fas400%2Fv4r5%2Fic2924%2Finfo%2Fjava%2Frzaha%2Frzaha.pdf&ei=RQ-1UI-4OdO-0QGJtICADA&usg=AFQjCNE2Ai3Hltz7kngTIjlv7t3OjmF3Zg&cad=rja

- -chris




Re: Using the Tomcat Native Library can only connect over ipv6 But not over ipv4

2012-11-27 Thread Christopher Schultz

Harm-Jan,

On 11/26/12 3:16 PM, Zorro wrote:
> I have now this in my server.xml: For IPv4:  protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443"
> address="0.0.0.0" /> For IPv6:  protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443"
> address="::0" />
> 
> With this setup I can connect to port 80 over Ipv4 And IPv6 to my
> Linux box.

So, a recap:

* NIO/BIO connector binds to both IPv4 and IPv6 when no "address" is
specified

* APR connector binds only to IPv6 interface if IPv6 is available,
otherwise only IPv4

* Linux vs. Windows is not relevant

Do I have that all right? Or does Linux work as expected (bind to both
interfaces) and Windows does not?

Ideally, this should work everywhere:



... and listen on both 0.0.0.0:80 and :::80

The only configuration shown by Zorro has two connectors and says that
works on Windows.

> On a Windows Vista PC I have also installed Tomcat 7.0.32 and the 
> Windows installation set downloaded from tomcat.apache.org uses
> per default the Native Library. I have not changed anything in the
> configuration yet and on that PC a telnet 127.0.0.1 80 is ok while
> a IPv6 telnet ::1 80 fails.

You mean using the above configuration?

So, you have 2 connectors on Windows and one of them doesn't work at
all? Please stop Tomcat, delete all log files, confirm your
(2-connector) configuration, start Tomcat, then re-post your
 configuration and the complete catalina.out log file, plus
versions of everything all at once.

Better yet, if you could provide a matrix of configurations that *do*
work versus *don't* work, that would be great, too. I'm specifically
interested in knowing if this is a generic APR problem, or only
APR-on-Windows. Jeffrey Janner has had problems on Windows (which may
be a win32 TCP/IP stack problem) but if it doesn't work on Linux,
either, then perhaps it really is a bug with APR or tcnative.

> Maybe it's worth it to include it in the documentation of the
> native library.

Maybe it's worth filing a bug report. If I can get you to cough-up
full details, it will make it much easier.

- -chris




Re: Using the Tomcat Native Library can only connect over ipv6 But not over ipv4

2012-11-27 Thread Christopher Schultz

André,

On 11/26/12 3:14 PM, André Warnier wrote:
> Also, I don't know if this is really relevant here, but I seem to 
> remember a parameter or attribute somewhere named 
> "preferIPv4Stack"/"preferIPv6Stack".

That is for configuring the Java networking stack, so I suspect it has
no effect on the APR/native networking configuration.

- -chris




Re: Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread James Lampert

Konstantin Kolinko wrote:


2. Shutdown command is sent to port 8005. (8009 is a port used by AJP
protocol connector).


Thanks. That at least clears up a misconception on my part. Researching 
it cleared up another misconception on my part: that the Catalina job 
directly owns the ports. Actually, the ports are owned by a QP0ZSPWT job 
(that is itself probably owned by the Catalina job.)


Once I know how to get a thread dump on an AS/400 (the link didn't cover 
that; I've got a question out to the Java-400 list at Midrange.com about 
that), I'll try another shutdown/restart on our box, and see what 
happens to port 8005 and the QP0ZSPWT job.


--
JHHL




Re: tomcat6 with crl doesn't load

2012-11-27 Thread Mark H. Wood
On Tue, Nov 27, 2012 at 12:56:38PM -0500, Will Nordmeyer wrote:
> My problem comes when I attempt to implement Certificate Revocation
> List checking.  The Government has a root certificate and about 20-30
> different intermediate certificate authorities that could have issued
> the user certificate.  I have loaded the root and intermediate
> government certificate into my local truststore and am loading it
> properly (based on the fact that the user certificates are recognized
> and accepted).
> 
> I have downloaded all the root certificate CRL data and each
> individual CA's CRL data.  Through the openssl commands, I converted
> them to PEM and then copied them all into one massive CRL file.  I
> have also, for testing, created a file with the root CRL data and the
> CRL data for the CA which issued my Certificate.
> 
> When I run the complete CRL, I run out of memory (271 MB CRL).  When I
> run just the root & my CA, it doesn't run out of memory, but it also
> doesn't trigger the PIN prompt (I assume the crl check happens before
> the PIN is checked?), and just displays "Page cannot be displayed."

Just brainstorming: I wonder if there's some way to move that enormous
CRL to an OCSP responder (which could manage its memory any way it
likes) and just have Tomcat ask "is this one revoked?"  I don't know
if there's any way to get Tomcat to do that.  I searched for "open
source OCSP responder" and found some, so it shouldn't be too costly
to put up your own if you have availability concerns.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
I don't do "doorbusters".




Re: tomcat6 with crl doesn't load

2012-11-27 Thread Will Nordmeyer
On Tue, Nov 27, 2012 at 12:48 PM, Konstantin Kolinko
 wrote:
> 2012/11/27 Will Nordmeyer :
>> OK, I upped it to 1024G and it still crashed.
>>
>> I tried loading with a 70M file (the root CA, and the CA directly
>> responsible for my cert).  That seemed to load, but when I tried going
>> to a probe application that I've got installed - to get memory data,
>> etc.  It prompts me for my cert, but then goes to "Internet Explorer
>> cannot display the webpage."
>>
>> I have a self signed server certificate - and the user certs have no
>> association/connection to the server cert.
>>
>
> 1. What makes the file 70 Mb? How many bits of a key are there?
>
> 2. Top-posting is bad.
> http://en.wikipedia.org/wiki/Posting_style
>
1.  The many many many many certificates that have been revoked by
that Certificate Authority.  See my other post - the client
(government) has 1 root CA and about 20-30 intermediate CAs - each
intermediate generates user certificates, and some are being revoked
pretty much daily.

If I load all the CAs, it is a 271 MB file.

As far as posting: yeah, my bad...  got lazy - wasn't paying attention
when I started writing.




Re: Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread Konstantin Kolinko
2012/11/27 James Lampert :
> Running Tomcat on various AS/400s (V6R1 or later OS), we've found that
> shutdown.sh doesn't reliably shut down the server, and we frequently have to
> shut it down forcibly (i.e., finding CATALINA on a WRKACTJOB, and giving it
> a "4" with "OPTION(*IMMED)").
>
> Port 8009 does appear to be open before we call shutdown.sh, and it does
> appear to be closed after we call it.
>
> Any idea what the problem could be? Or where I should look for indications
> of what it could be?
>

1. catalina.sh and shutdown.sh should be able to kill a hung process,
but only if you call them with "-force" and if you have CATALINA_PID
variable defined in your configuration.

Do you have CATALINA_PID configured?

A clean shutdown might be impossible if Tomcat encounters an OutOfMemoryError.

2. Shutdown command is sent to port 8005. (8009 is a port used by AJP
protocol connector).

Best regards,
Konstantin Kolinko




Re: tomcat6 with crl doesn't load

2012-11-27 Thread Will Nordmeyer
On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa  wrote:
> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>
>> I have a self signed server certificate - and the user certs have no
>> association/connection to the server cert.
>
> I apologize, but I'm not exactly sure what you are trying to configure with 
> the certs and the crl file.  Can you take a step back from the problem and 
> give us some higher level details on what you are trying to achieve with this 
> configuration?
>
> Dan

OK, I am emulating the production environment for the application my
development team works on.  The production environment is on government
facilities and equipment.  Users authenticate with a Common Access
Card (CAC) & PIN.  Our current environment has a locally developed PIN
check, which is insufficient going forward.  Rather than developing
code to do all of the work, it seems most appropriate to simply
utilize the abilities built into tomcat to do that before our
application even gets accessed.

The development server I stood up is a virtual server, running CentOS
6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips.  I used openssl to
generate a self-signed certificate, rather than getting an actual SSL
cert from an outside source since this is a closed development system.

With that in mind, we are working to implement Certificate
Authentication & Validation within Tomcat.  I've got the environment
configured to prompt for the certificate and through the
browser/client environment the PIN prompt is triggered without issue as
long as the crlFile parameter isn't set in the connector.  That was
easy.

My problem comes when I attempt to implement Certificate Revocation
List checking.  The Government has a root certificate and about 20-30
different intermediate certificate authorities that could have issued
the user certificate.  I have loaded the root and intermediate
government certificate into my local truststore and am loading it
properly (based on the fact that the user certificates are recognized
and accepted).

I have downloaded all the root certificate CRL data and each
individual CA's CRL data.  Through the openssl commands, I converted
them to PEM and then copied them all into one massive CRL file.  I
have also, for testing, created a file with the root CRL data and the
CRL data for the CA which issued my Certificate.

When I run the complete CRL, I run out of memory (271 MB CRL).  When I
run just the root & my CA, it doesn't run out of memory, but it also
doesn't trigger the PIN prompt (I assume the crl check happens before
the PIN is checked?), and just displays "Page cannot be displayed."

I know my certificate is OK - when I use it to access other sites that
require that certificate, it works fine.

Does that give you a clear(er) picture?  :)




Re: tomcat6 with crl doesn't load

2012-11-27 Thread Konstantin Kolinko
2012/11/27 Will Nordmeyer :
> OK, I upped it to 1024G and it still crashed.
>
> I tried loading with a 70M file (the root CA, and the CA directly
> responsible for my cert).  That seemed to load, but when I tried going
> to a probe application that I've got installed - to get memory data,
> etc.  It prompts me for my cert, but then goes to "Internet Explorer
> cannot display the webpage."
>
> I have a self signed server certificate - and the user certs have no
> association/connection to the server cert.
>

1. What makes the file 70 Mb? How many bits of a key are there?

2. Top-posting is bad.
http://en.wikipedia.org/wiki/Posting_style

Best regards,
Konstantin Kolinko




Re: tomcat6 with crl doesn't load

2012-11-27 Thread Daniel Mikusa
On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:

> OK, I upped it to 1024G and it still crashed.
> 
> I tried loading with a 70M file (the root CA, and the CA directly
> responsible for my cert).  That seemed to load, but when I tried going
> to a probe application that I've got installed - to get memory data,
> etc.  It prompts me for my cert, but then goes to "Internet Explorer
> cannot display the webpage."

You might want to try a profiler like YourKit or Eclipse Memory Analyzer (MAT). 
 Should show you exactly what is consuming the memory in Tomcat and it will not 
require that you connect via HTTP.

> I have a self signed server certificate - and the user certs have no
> association/connection to the server cert.

I apologize, but I'm not exactly sure what you are trying to configure with the 
certs and the crl file.  Can you take a step back from the problem and give us 
some higher level details on what you are trying to achieve with this 
configuration?

Dan


> 
> 
> 
> On Tue, Nov 27, 2012 at 9:27 AM, Daniel Mikusa  wrote:
>> On Nov 27, 2012, at 9:17 AM, Will Nordmeyer wrote:
>> 
>>> Dan,
>>> 
>>> I tried that - first attempt jstack threw exceptions and I got
>>> nothing.  So I killed the tomcat, took the crlFile back out and ran,
>>> got a nice jstack showing everything running smoothly.
>>> 
>>> Shut tomcat down, put the crlFile line back and started up again.
>>> This time, tomcat6 doesn't hang, but it throws an exception and
>>> doesn't start...  I keep running out of heap space.  I wonder why it
>>> suddenly decided to actually admit the problem instead of just going
>>> out to lunch.
>>> 
>>> Caused by: java.lang.OutOfMemoryError: Java heap space
>>>   at java.util.Arrays.copyOf(Arrays.java:2786)
>>>   at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:94)
>>>   at 
>>> sun.security.provider.X509Factory.getTotalBytes(X509Factory.java:658)
>>>   at 
>>> sun.security.provider.X509Factory.engineGenerateCRLs(X509Factory.java:500)
>>>   at 
>>> java.security.cert.CertificateFactory.generateCRLs(CertificateFactory.java:500)
>>> 
>>> 
>>> I have JAVA_OPTS set so that I have a min of 512MB and a max of 512 MB
>>> - without the CRL, it loads fine, so the Memory is available.
>> 
>> Do you have more available memory on the system?  I would try doubling the 
>> heap size to 1G and see if that helps.  After Tomcat is up, you could attach 
>> a profiler to get the details about how much memory is being consumed.
>> 
>> Dan
>> 
>> 
>>> My problem is that the CRL file is 271 MB - I'm not sure how big that
>>> translates to once Java starts loading it.
>>> 
>>> --Will
>>> On Mon, Nov 26, 2012 at 5:17 PM, Daniel Mikusa  wrote:
 On Nov 26, 2012, at 3:35 PM, Will Nordmeyer wrote:
 If Tomcat appears to be hanging with this option enabled, I would suggest 
 taking a thread dump and including it here.  Could provide some clues as 
 to what is happening.
 
 http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
 
 Dan
 
 
> 
> If I remove the crlFile reference in the server.xml, everything works
> fine (except crl lookups of course). The system starts up, the app is
> accessible, it prompts for the certificate...
> 
> Any thoughts on why it would be failing like that would be appreciated.
> 
 
 
 
>>> 
>> 
>> 
> 
> 




RE: Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread Carrillo, Dan
If you take a thread dump you'll be able to see the state of both Tomcat's 
threads and your own application's threads to see where it's hanging. 

-Original Message-
From: James Lampert [mailto:jam...@touchtonecorp.com] 
Sent: Tuesday, November 27, 2012 9:10 AM
To: Tomcat Users List
Subject: Shutdown.sh doesn't. At least not reliably. (7.0.25)

Running Tomcat on various AS/400s (V6R1 or later OS), we've found that 
shutdown.sh doesn't reliably shut down the server, and we frequently have to 
shut it down forcibly (i.e., finding CATALINA on a WRKACTJOB, and giving it a 
"4" with "OPTION(*IMMED)").

Port 8009 does appear to be open before we call shutdown.sh, and it does appear 
to be closed after we call it.

Any idea what the problem could be? Or where I should look for indications of 
what it could be?

--
JHHL








RE: Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread Caldarale, Charles R
> From: James Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: Shutdown.sh doesn't. At least not reliably. (7.0.25)

> Or where I should look for indications of what it could be?

Can you take a thread dump of the Tomcat process after shutdown.sh has been 
used?
http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

Can you try it on a more recent Tomcat?

 - Chuck
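Both replies point at a thread dump, so here is what to do with one once you have it. The script below is an added example, not from the thread or from Tomcat: `take_thread_dump` uses `jstack` when a JDK is on the box and otherwise sends SIGQUIT, which makes the JVM print the dump to its own stdout (catalina.out); `non_daemon_threads` then lists the threads in a dump that are not marked `daemon`, skipping the JVM's housekeeping threads. That list is the one to read after shutdown.sh has run: shutdown.sh only asks Tomcat to stop its connectors and contexts, and the JVM process exits only when no non-daemon thread is left, so a leftover timer, executor pool or application thread in that list is what keeps the CATALINA job in WRKACTJOB. The dump text in `write_sample_thread_dump` is constructed for the example, and the list of JVM-internal thread names it filters out is a best-effort assumption.

```shell
#!/bin/sh
# Added example: helpers for reading a Tomcat thread dump after shutdown.sh.
# Function names and the sample dump are hypothetical, not from Tomcat.

# Take a dump of the JVM with PID $1. jstack prints it to stdout; without a
# JDK, SIGQUIT makes the JVM print the dump to its own stdout (catalina.out).
take_thread_dump() {
    if command -v jstack >/dev/null 2>&1; then
        jstack "$1"
    else
        kill -QUIT "$1" && echo "dump written to the JVM's stdout (see catalina.out)" >&2
    fi
}

# Print the names of the non-daemon threads in dump file $1, one per line.
# Header lines look like:  "name" [daemon] prio=5 tid=0x... nid=0x... <state>
# The JVM's own housekeeping threads are non-daemon too, so they are skipped
# (assumed name list; extend it if your JVM reports others).
non_daemon_threads() {
    awk '
    /^"/ && !/^"[^"]*" daemon / {
        name = $0
        sub(/^"/, "", name)
        sub(/".*$/, "", name)
        if (name ~ /^(DestroyJavaVM|VM Thread|VM Periodic Task Thread|GC task thread|Gang worker|Concurrent Mark-Sweep GC Thread|G1 )/) next
        print name
    }' "$1"
}

# Constructed dump in the jstack layout. Two application threads (a
# java.util.Timer and an executor worker) are still alive, which is exactly
# the situation that keeps the JVM from exiting after shutdown.sh.
write_sample_thread_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2012-11-27 09:12:01
Full thread dump Java HotSpot(TM) 64-Bit Server VM (20.12-b01 mixed mode):

"DestroyJavaVM" prio=5 tid=0x00007f1a1c008800 nid=0x3f0b waiting on condition [0x0000000000000000]
   java.lang.Thread.State: RUNNABLE

"Timer-0" prio=5 tid=0x00007f1a1c6b3000 nid=0x3f45 in Object.wait() [0x00007f1a0c1fe000]
   java.lang.Thread.State: TIMED_WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        at java.util.TimerThread.mainLoop(Timer.java:509)
        at java.util.TimerThread.run(Timer.java:462)

"pool-1-thread-1" prio=5 tid=0x00007f1a1c6b4000 nid=0x3f46 waiting on condition [0x00007f1a0c0fd000]
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:399)
        at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:947)

"Attach Listener" daemon prio=5 tid=0x00007f1a1c1f9000 nid=0x3f40 waiting on condition [0x0000000000000000]
   java.lang.Thread.State: RUNNABLE

"Finalizer" daemon prio=5 tid=0x00007f1a1c0a0800 nid=0x3f11 in Object.wait() [0x00007f1a0d2fe000]
   java.lang.Thread.State: WAITING (on object monitor)

"Reference Handler" daemon prio=5 tid=0x00007f1a1c09e800 nid=0x3f10 in Object.wait() [0x00007f1a0d3ff000]
   java.lang.Thread.State: WAITING (on object monitor)

"VM Thread" prio=5 tid=0x00007f1a1c098000 nid=0x3f0f runnable

"VM Periodic Task Thread" prio=5 tid=0x00007f1a1c1fc000 nid=0x3f41 waiting on condition
EOF
    echo "$f"
}

# Usage: sh shutdown_threads.sh <dump-file>   (no argument: use the sample dump)
if [ $# -eq 0 ]; then
    DUMP=$(write_sample_thread_dump)
    echo "non-daemon threads still alive:"
    non_daemon_threads "$DUMP" | sed 's/^/  /'
    rm -f "$DUMP"
else
    non_daemon_threads "$1"
fi
```

On the sample dump the report names `Timer-0` and `pool-1-thread-1`; in a real dump taken after shutdown.sh, follow each such name down to its stack frames, which show the application class that created the thread and never stopped it.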





Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread James Lampert
Running Tomcat on various AS/400s (V6R1 or later OS), we've found that 
shutdown.sh doesn't reliably shut down the server, and we frequently 
have to shut it down forcibly (i.e., finding CATALINA on a WRKACTJOB, 
and giving it a "4" with "OPTION(*IMMED)").


Port 8009 does appear to be open before we call shutdown.sh, and it does 
appear to be closed after we call it.


Any idea what the problem could be? Or where I should look for 
indications of what it could be?


--
JHHL




Re: tomcat6 with crl doesn't load

2012-11-27 Thread Will Nordmeyer
OK, I upped it to 1024G and it still crashed.

I tried loading with a 70M file (the root CA, and the CA directly
responsible for my cert).  That seemed to load, but when I tried going
to a probe application that I've got installed (to get memory data,
etc.), it prompts me for my cert, but then goes to "Internet Explorer
cannot display the webpage."

I have a self signed server certificate - and the user certs have no
association/connection to the server cert.



On Tue, Nov 27, 2012 at 9:27 AM, Daniel Mikusa  wrote:
> On Nov 27, 2012, at 9:17 AM, Will Nordmeyer wrote:
>
>> Dan,
>>
>> I tried that - first attempt jstack threw exceptions and I got
>> nothing.  So I killed the tomcat, took the crlFile back out and ran,
>> got a nice jstack showing everything running smoothly.
>>
>> Shut tomcat down, put the crlFile line back and started up again.
>> This time, tomcat6 doesn't hang, but it throws an exception and
>> doesn't start...  I keep running out of heap space.  I wonder why it
>> suddenly decided to actually admit the problem instead of just going
>> out to lunch.
>>
>> Caused by: java.lang.OutOfMemoryError: Java heap space
>>at java.util.Arrays.copyOf(Arrays.java:2786)
>>at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:94)
>>at 
>> sun.security.provider.X509Factory.getTotalBytes(X509Factory.java:658)
>>at 
>> sun.security.provider.X509Factory.engineGenerateCRLs(X509Factory.java:500)
>>at 
>> java.security.cert.CertificateFactory.generateCRLs(CertificateFactory.java:500)
>>
>>
>> I have JAVA_OPTS set so that I have a min of 512MB and a max of 512 MB
>> - without the CRL, it loads fine, so the Memory is available.
>
> Do you have more available memory on the system?  I would try doubling the 
> heap size to 1G and see if that helps.  After Tomcat is up, you could attach 
> a profiler to get the details about how much memory is being consumed.
>
> Dan
>
>
>> My problem is that the CRL file is 271 MB - I'm not sure how big that
>> translates to once Java starts loading it.
>>
>> --Will
>> On Mon, Nov 26, 2012 at 5:17 PM, Daniel Mikusa  wrote:
>>> On Nov 26, 2012, at 3:35 PM, Will Nordmeyer wrote:
>>> If Tomcat appears to be hanging with this option enabled, I would suggest 
>>> taking a thread dump and including it here.  Could provide some clues as to 
>>> what is happening.
>>>
>>> http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>>>
>>> Dan
>>>
>>>

>>>> If I remove the crlFile reference in the server.xml, everything works
>>>> fine (except crl lookups of course). The system starts up, the app is
>>>> accessible, it prompts for the certificate...
>>>>
>>>> Any thoughts on why it would be failing like that would be appreciated.




Re: tomcat6 with crl doesn't load

2012-11-27 Thread Daniel Mikusa
On Nov 27, 2012, at 9:17 AM, Will Nordmeyer wrote:

> Dan,
> 
> I tried that - first attempt jstack threw exceptions and I got
> nothing.  So I killed the tomcat, took the crlFile back out and ran,
> got a nice jstack showing everything running smoothly.
> 
> Shut tomcat down, put the crlFile line back and started up again.
> This time, tomcat6 doesn't hang, but it throws an exception and
> doesn't start...  I keep running out of heap space.  I wonder why it
> suddenly decided to actually admit the problem instead of just going
> out to lunch.
> 
> Caused by: java.lang.OutOfMemoryError: Java heap space
>at java.util.Arrays.copyOf(Arrays.java:2786)
>at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:94)
>at 
> sun.security.provider.X509Factory.getTotalBytes(X509Factory.java:658)
>at 
> sun.security.provider.X509Factory.engineGenerateCRLs(X509Factory.java:500)
>at 
> java.security.cert.CertificateFactory.generateCRLs(CertificateFactory.java:500)
> 
> 
> I have JAVA_OPTS set so that I have a min of 512MB and a max of 512 MB
> - without the CRL, it loads fine, so the Memory is available.

Do you have more available memory on the system?  I would try doubling the heap 
size to 1G and see if that helps.  After Tomcat is up, you could attach a 
profiler to get the details about how much memory is being consumed.

Dan


> My problem is that the CRL file is 271 MB - I'm not sure how big that
> translates to once Java starts loading it.
> 
> --Will
> On Mon, Nov 26, 2012 at 5:17 PM, Daniel Mikusa  wrote:
>> On Nov 26, 2012, at 3:35 PM, Will Nordmeyer wrote:
>> If Tomcat appears to be hanging with this option enabled, I would suggest 
>> taking a thread dump and including it here.  Could provide some clues as to 
>> what is happening.
>> 
>> http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>> 
>> Dan
>> 
>> 
>>> 
>>> If I remove the crlFile reference in the server.xml, everything works
>>> fine (except crl lookups of course). The system starts up, the app is
>>> accessible, it prompts for the certificate...
>>> 
>>> Any thoughts on why it would be failing like that would be appreciated.
>>> 



Re: tomcat6 with crl doesn't load

2012-11-27 Thread Will Nordmeyer
Dan,

I tried that - first attempt jstack threw exceptions and I got
nothing.  So I killed the tomcat, took the crlFile back out and ran,
got a nice jstack showing everything running smoothly.

Shut tomcat down, put the crlFile line back and started up again.
This time, tomcat6 doesn't hang, but it throws an exception and
doesn't start...  I keep running out of heap space.  I wonder why it
suddenly decided to actually admit the problem instead of just going
out to lunch.

Caused by: java.lang.OutOfMemoryError: Java heap space
at java.util.Arrays.copyOf(Arrays.java:2786)
at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:94)
at sun.security.provider.X509Factory.getTotalBytes(X509Factory.java:658)
at 
sun.security.provider.X509Factory.engineGenerateCRLs(X509Factory.java:500)
at 
java.security.cert.CertificateFactory.generateCRLs(CertificateFactory.java:500)


I have JAVA_OPTS set so that I have a min of 512MB and a max of 512 MB
- without the CRL, it loads fine, so the Memory is available.

My problem is that the CRL file is 271 MB - I'm not sure how big that
translates to once Java starts loading it.

--Will
On Mon, Nov 26, 2012 at 5:17 PM, Daniel Mikusa  wrote:
> On Nov 26, 2012, at 3:35 PM, Will Nordmeyer wrote:
> If Tomcat appears to be hanging with this option enabled, I would suggest 
> taking a thread dump and including it here.  Could provide some clues as to 
> what is happening.
>
> http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
>
> Dan
>
>
>>
>> If I remove the crlFile reference in the server.xml, everything works
>> fine (except crl lookups of course). The system starts up, the app is
>> accessible, it prompts for the certificate...
>>
>> Any thoughts on why it would be failing like that would be appreciated.
>>



Re: Cannot redirect to html

2012-11-27 Thread Mark Thomas
On 27/11/2012 07:45, bas...@obninsk.com wrote:
> Hi.
> 
> I've got a file containing HTML and located in a relative directory.
> When I return it in a JSP page using out.write(), 
> then everything is ok.
> But when I return it using response.sendRedirect( file>), I've got a 404 error.
> 
> What seems to be the problem?
> Please help.

Unless you provide:
- the URL used to access the JSP
- the full path to that JSP on the file system
- the relative path you are trying to use

no-one here is going to be able to help you.

Mark





Re: malware found the tomcat 6.0.29

2012-11-27 Thread Mark Thomas
On 27/11/2012 07:21, Mohan Kumar G wrote:
> 
> We have found malware installed on Tomcat version 6.0.29 on two of
> the servers. Both servers have a war file (Tomcatmanagxesaxsas.war)
> that installed several java script files to the Tomcat webserver that
> allow for remote access over the web. OD-VA-W-AG-87 had an additional
> war file (Jeroy.war) that appears to also be a java script remote
> file browser.

Could you send copies of those WAR files to secur...@tomcat.apache.org
please.

> Even though we followed all the security settings needed for
> the Tomcat container.

You are running a 2 year old version of Tomcat 6.0.x with multiple known
security vulnerabilities. There are several vulnerabilities that could
have provided an attacker with the necessary foothold to start an attack.


> The below steps are followed to secure the tomcat container:
> 
> 1) Removed the default examples under CATALINA_HOME/webapps
> like jsp-examples, servlet-examples, tomcat-docs, webdav

What about the manager and host-manager applications (a favourite route
for attackers if not correctly secured)?

> 2) Make sure the default servlet is configured not to serve
> index pages when a welcome file is not present. In CATALINA_HOME/conf/web.xml

That is pretty low on the list of things to do and only of use if you
have directories with thousands of files (to prevent a DoS generating
the listings).

> 3) Context.xml :
> 
> 

Good.

> 4) server.xml :
> 
> In the server.xml for all the connectors, we have added
> secure="true"

Do you understand what that does? It does not magically make things more
secure.

> 5) Make sure all the 
> sample user and role entries are commented out in the
> CATALINA_HOME/conf/tomcat-users.xml file

They are by default.


> Let us know if anything is missing as part of the security settings

The following list is for 7.0.x but most applies to 6.0.x as well:
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

An upgrade to at least the latest 6.0.x release is highly recommended.

Also, check any functionality that allows a remote user to upload
content to the server. Make absolutely sure there is no way they can
upload files to the webapps directory.

Some additional questions:
- Anything interesting in the access log?
- Do you know how the attack was mounted?
- How did you detect the attack?

Mark
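Mark's reply names three things to check: the default webapps (manager and host-manager above all), the sample users in tomcat-users.xml, and the access log for how the attack was mounted. The script below is an added example, not from the thread or from the Tomcat project, that turns those checks into something runnable against a CATALINA_HOME. `default_webapps_present` lists which shipped webapps are still deployed, `active_tomcat_users` counts `<user>` entries that are not inside an XML comment (the shipped file has them all commented out, as Mark says), and `manager_or_put_requests` pulls out the access-log lines that reach /manager or /host-manager or use PUT or DELETE, which are the requests to read first when asking how a WAR got into webapps/. `make_sample_catalina_home` builds a constructed tree with made-up users, addresses and log lines so the script runs offline; the function names and the layout it assumes are mine.

```shell
#!/bin/sh
# Added example: post-incident checks for a Tomcat install. Helper names and
# the sample tree are hypothetical, not from the thread or the Tomcat project.
# Assumed layout: $CATALINA_HOME/webapps, conf/tomcat-users.xml, logs/*access_log*.txt

# Webapps that ship with Tomcat 6.0.x / 7.0.x. Mark's advice: remove the
# examples and docs, and remove or lock down manager and host-manager.
DEFAULT_WEBAPPS="ROOT docs examples host-manager manager jsp-examples servlet-examples tomcat-docs webdav"

# Print every default webapp still deployed under $1/webapps, one per line.
default_webapps_present() {
    for app in $DEFAULT_WEBAPPS; do
        [ -d "$1/webapps/$app" ] && echo "$app"
    done
    return 0
}

# Count <user .../> entries in tomcat-users.xml $1 that are NOT inside an XML
# comment. Tomcat ships every sample user commented out, so anything above
# zero is an account somebody added and should be reviewed.
active_tomcat_users() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
            }
        }
        if (out ~ /<user([ \t]|$)/) n++
    }
    END { print n + 0 }' "$1"
}

# Print access-log lines (common/combined format, files given as arguments)
# that reach /manager or /host-manager, or that use PUT or DELETE.
manager_or_put_requests() {
    cat "$@" | grep -E '"(PUT|DELETE) |"[A-Z]+ /(host-)?manager/' || true
}

# Constructed CATALINA_HOME-like tree so the checks run offline; the users,
# addresses and log lines are made up for this example.
make_sample_catalina_home() {
    home=$(mktemp -d)
    mkdir -p "$home/webapps/ROOT" "$home/webapps/manager" "$home/webapps/docs" \
             "$home/webapps/shop" "$home/conf" "$home/logs"
    cat > "$home/conf/tomcat-users.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
-->
  <role rolename="manager-gui"/>
  <user username="admin" password="CHANGEME" roles="manager-gui"/>
</tomcat-users>
EOF
    cat > "$home/logs/localhost_access_log.2012-11-27.txt" <<'EOF'
10.0.0.5 - - [27/Nov/2012:09:01:12 +0000] "GET /shop/index.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [27/Nov/2012:09:01:13 +0000] "GET /shop/css/site.css HTTP/1.1" 200 812
198.51.100.7 - - [27/Nov/2012:09:15:40 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - admin [27/Nov/2012:09:15:58 +0000] "POST /manager/html/upload HTTP/1.1" 200 15788
10.0.0.9 - - [27/Nov/2012:09:20:05 +0000] "PUT /shop/notes/readme.txt HTTP/1.1" 204 -
EOF
    echo "$home"
}

# Print a short report for the CATALINA_HOME in $1.
audit_report() {
    echo "default webapps still deployed:"
    default_webapps_present "$1" | sed 's/^/  /'
    echo "active users in conf/tomcat-users.xml: $(active_tomcat_users "$1/conf/tomcat-users.xml")"
    echo "manager / PUT / DELETE requests in access logs:"
    manager_or_put_requests "$1"/logs/*access_log*.txt | sed 's/^/  /'
}

# Usage: sh tomcat_audit.sh [CATALINA_HOME]   (no argument: run on the sample tree)
if [ $# -eq 0 ]; then
    SAMPLE=$(make_sample_catalina_home)
    audit_report "$SAMPLE"
    rm -rf "$SAMPLE"
else
    audit_report "$1"
fi
```

On the sample tree the report shows manager and docs still deployed, one uncommented user, and three log lines worth reading: the 401 on /manager/html, the authenticated POST to the manager upload form, and a PUT to the application. On a real install the same three signals answer Mark's questions about which route an attacker had available.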




websocket connection problem

2012-11-27 Thread YinZhang
hi all:
I am using apache-tomcat-7.0.32 with WebSocket to make a chat application, and I 
have encountered a problem: when three people are chatting online at the same 
time and one of them suddenly unplugs his network cable, the server is unable to 
determine that the connection is disconnected. How can the server know the 
connection state of a user whose network cable has been unplugged? Can you help 
me? Thank you very much!

Best Regards,
Yin zhang

**
This e-mail is confidential for WistronITS corp. It may be legally privileged. 
If you are not the Addressee you may not copy,
forward, disclose or use any part of it. If you have received this message in 
error, please delete it and all copies from your
 system and notify the sender immediately by return e-mail.Internet 
communications cannot be guaranteed to be timely,
secure, error or virus-free. The sender does not accept liability for any 
errors or omissions.
***