A pool question
Hello.

A question related to pools.

Background: a big application in which it is preferable to enforce different roles for different databases and tables. This implies that there are different user names and passwords for different connections.

As I understand, there are two options for connection pooling in a scheme like this:

A. Create different resources for the different roles, each having the user names and passwords defined as constants in the Tomcat configuration files.

B. Group the different roles into a bigger scheme and use the option 'alternateUsernameAllowed' to obtain the connections with the specific user names and passwords.

Both were tested to work. But I wonder:

1. The first option seems intuitively more efficient. But on the other hand, does each Resource define its own cleaner thread? I wouldn't want to overburden the setup with too many threads.

2. Are there any benchmarks on the option B? The plain FIFO seems rather inefficient if there are many different users/passwords.

Any additional thoughts?

- Jukka.
Tomcat6 j_security_check any parameter / sessions variable on failure?
Hello,

Tech Stack:
Tomcat: 6.0.35
Java: 1.6.0_18
OS: RHEL 5.3

I am using j_security_check (JNDIRealm - LDAP authentication). On failure I am sending the user to a common error.jsp in the application. On successful authentication, of course, the page requested is displayed.

The problem is that the error.jsp is called from the application as well if there are any errors/exceptions in some functionality (I want to avoid writing any new error pages in my application).

In the error.jsp, is there any way to know that the failure is because of j_security_check and not from anywhere else, i.e. does tomcat add any separate sessions parameter after unsuccessful j_security_check authentication which I can use for displaying proper error message?

Thanks,
Tanmoy
Tomcat(7.0.35) vulnerability or issues
Dear All,

We are upgrading the tomcat from version 6.0.18 to 7.0.35
Operating System Version : HP-UX 11.31

Please inform us if there are any known issues or any vulnerability on latest tomcat version of 7.0.35.

Thanks and Regards
Deepak Kumar
RE: Question regarding JNDIRealm - tomcat 6.0.35
We are not using openldap but eDirectory. Unfortunately we do not have access to the ldap configurations...only information we have is that after about 2 mins of idle connection, ldap drops the same from its side. But if we see in app server side using netstat, we can still see the same connection.

Regarding the connection, you are right in terms of the number of times tomcat tries to connect..it is 2... what I meant when tomcat keeps on trying is that tomcat tries to use the same 'BROKEN' connection to connect to the LDAP without creating a new connection for 4-5 mins.

By the way... The below code worked successfully.

    @Override
    public void start() throws org.apache.catalina.LifecycleException {
        super.start();
        // Drop any directory context left over from a previous run so that
        // the next authentication opens a fresh LDAP connection.
        if (context != null) {
            close(context);
        }
    }

-----Original Message-----
From: Cédric Couralet [mailto:cedric.coura...@gmail.com]
Sent: Wednesday, February 20, 2013 3:15 PM
To: Tomcat Users List
Subject: Re: Question regarding JNDIRealm - tomcat 6.0.35

2013/2/20 Tanmoy Chatterjee tanmoy.chatter...@nxp.com:
> Thanks Cédric,
> I will try this and let you know.
> Once Ldap closes the connection from its end, tomcat indeed keeps on trying and finally establishes a new connection... but the time spent in retrying is too high (more than 4-5 minutes) and in that time...user cannot login... the login page just sort of hangs in the browser.

I'd say this is more a problem with openldap. Do you know why tomcat hangs to recreate the connection when openldap closes it? Do you have anything in openldap configuration which could explain this. We are at the moment migrating our old ldap server to openldap and this could be a real issue for us.

Just a note, from what I see, Tomcat does not keep on trying. A first attempt is made on the context then if an exception is thrown, it is caught and tomcat calls the open method again (which tries first the connectionURL and then the alternateUrl if problem). So only two attempts if I'm not wrong.
Re: tomcat7 tomcat6 session replication
On 25/02/2013 04:24, Son Nguyen Xuan wrote:
> I want to know how can I have the session replication working between tomcat6 tomcat7 under JRE7

That is not supported. It might work in some circumstances.

Mark
Re: tomcat7 tomcat6 session replication
thanks for your answer

> It might work in some circumstances.

do you mean it will work with some modification?? do you have any suggestion for those modification?

thank you very much

2013/2/25 Mark Thomas ma...@apache.org
> On 25/02/2013 04:24, Son Nguyen Xuan wrote:
>> I want to know how can I have the session replication working between tomcat6 tomcat7 under JRE7
>
> That is not supported. It might work in some circumstances.
>
> Mark

--
SON NGUYEN XUAN
Re: Question regarding JNDIRealm - tomcat 6.0.35
Tanmoy Chatterjee wrote:
> We are not using openldap but eDirectory. Unfortunately we do not have access to the ldap configurations...only information we have is that after about 2 mins of idle connection, ldap drops the same from its side. But if we see in app server side using netstat, we can still see the same connection.

Just a comment on what you say above :

When Tomcat opens a connection, it is really the JVM under which Tomcat runs which does that, or in some cases some native code library. And this JVM / native library uses the OS TCP/IP stack to do that. What you see with netstat is the status of connections at the OS level. In other words, if netstat says that a connection is established, then that is what it is, and any code in Tomcat will see it that way, and has no way to see it otherwise.

So, on the face of it, there seems to be a contradiction between you saying on the one hand that the LDAP server closes the connection, and on the other hand that netstat shows the connection still being active.
RE: Question regarding JNDIRealm - tomcat 6.0.35
As I said, we do not have much visibility / access on the LDAP side to do a deep dive. Neither am I a networking expert but some more info on what actually happens (application - netstat log) when I say...tomcat (or JVM as you say) keeps on trying the 'broken' connection..

tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (51.70/14/0)
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (49.55/14/0)
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (47.39/14/0)
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (45.23/14/0)
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (43.08/14/0)
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (40.93/14/0)
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (38.77/14/0)
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (36.61/14/0)
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (34.45/14/0)

This keeps on going till the point a new connection is established as below...

tcp 0 0 :::1.2.3.4:56309 :::4.3.2.1:636 ESTABLISHED 5009 587536364 off (0.00/0/0)

1.2.3.4 - app ip
4.3.2.1 - ldap ip

You can see the timer part changing. Do you get any idea as to what exactly might be happening?

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, February 25, 2013 10:34 AM
To: Tomcat Users List
Subject: Re: Question regarding JNDIRealm - tomcat 6.0.35

Tanmoy Chatterjee wrote:
> We are not using openldap but eDirectory. Unfortunately we do not have access to the ldap configurations...only information we have is that after about 2 mins of idle connection, ldap drops the same from its side. But if we see in app server side using netstat, we can still see the same connection.

Just a comment on what you say above :

When Tomcat opens a connection, it is really the JVM under which Tomcat runs which does that, or in some cases some native code library. And this JVM / native library uses the OS TCP/IP stack to do that. What you see with netstat is the status of connections at the OS level. In other words, if netstat says that a connection is established, then that is what it is, and any code in Tomcat will see it that way, and has no way to see it otherwise.

So, on the face of it, there seems to be a contradiction between you saying on the one hand that the LDAP server closes the connection, and on the other hand that netstat shows the connection still being active.
Re: Does windows authentication works on Tomcat under Linux.
Denis wrote:
> Hello,
>
> I want to use Tomcat's Windows Authentication http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries feature to have a reliable domain user name via HTTPServletRequest.getRemoteUser() within my servlet.
>
> Questions:
>
> 1) Is Tomcat's Windows authentication supposed to work in my env?
> * Application Server: apache-tomcat-7.0.21
> * JDK version: 1.6.0_26
> * OS: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
>
> 2) Any additional setup required to be able to access domain username via HTTPServletRequest.getRemoteUser() within my servlet?

Hi.

I do not know either if the above is supposed to work also under Linux as a platform. It is not very clear in the Tomcat docs, and I have asked a couple of times on the list without getting much of an answer. (Probably because few people know).

Now just in case it doesn't work, the following works fine under Linux as well as under Windows : Jespa, at www.ioplex.com

You can download it and test it for 60 days free, and the final license costs are very moderate. (I have no commercial interest in that, I just use it happily).

For Jespa, the answers to your questions are :
1) yes, it will work
2) apart from the setup of Jespa itself, no additional setup or change in the app is required.

The setup of Jespa does require the intervention of a sysadmin at the site though, because it requires creating a Windows machine account for Jespa. See the doc, also available for download.
Re: Does windows authentication works on Tomcat under Linux.
On 25/02/2013 10:48, André Warnier wrote:
> Denis wrote:
>> Hello,
>>
>> I want to use Tomcat's Windows Authentication http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries feature to have a reliable domain user name via HTTPServletRequest.getRemoteUser() within my servlet.
>>
>> Questions:
>>
>> 1) Is Tomcat's Windows authentication supposed to work in my env?
>> * Application Server: apache-tomcat-7.0.21
>> * JDK version: 1.6.0_26
>> * OS: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
>>
>> 2) Any additional setup required to be able to access domain username via HTTPServletRequest.getRemoteUser() within my servlet?
>
> Hi.
>
> I do not know either if the above is supposed to work also under Linux as a platform. It is not very clear in the Tomcat docs, and I have asked a couple of times on the list without getting much of an answer. (Probably because few people know).

It should work but I haven't tested it.

I suggest opening an enhancement request for the docs to be updated to include a known working Linux config. I should be able to take a look at doing that once I get back from ApacheCon next week.

Mark
Re: Does windows authentication works on Tomcat under Linux.
It will be helpful for those who don't have time to try-and-fail.

On 2/25/2013 2:10 PM, Mark Thomas wrote:
> On 25/02/2013 10:48, André Warnier wrote:
>> Denis wrote:
>>> Hello,
>>>
>>> I want to use Tomcat's Windows Authentication http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries feature to have a reliable domain user name via HTTPServletRequest.getRemoteUser() within my servlet.
>>>
>>> Questions:
>>>
>>> 1) Is Tomcat's Windows authentication supposed to work in my env?
>>> * Application Server: apache-tomcat-7.0.21
>>> * JDK version: 1.6.0_26
>>> * OS: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
>>>
>>> 2) Any additional setup required to be able to access domain username via HTTPServletRequest.getRemoteUser() within my servlet?
>>
>> Hi.
>>
>> I do not know either if the above is supposed to work also under Linux as a platform. It is not very clear in the Tomcat docs, and I have asked a couple of times on the list without getting much of an answer. (Probably because few people know).
>
> It should work but I haven't tested it.
>
> I suggest opening an enhancement request for the docs to be updated to include a known working Linux config. I should be able to take a look at doing that once I get back from ApacheCon next week.
>
> Mark
Re: Tomcat(7.0.35) vulnerability or issues
dkumar,

On 25.2.2013 10:02, dku...@ccilindia.co.in wrote:
> We are upgrading the tomcat from version 6.0.18 to 7.0.35
> Operating System Version : HP-UX 11.31
>
> Please inform us if there are any known issues or any vulnerability on latest tomcat version of 7.0.35.

1. Good you are upgrading, 6.0.18 is almost 5 years old.

2. Latest Apache Tomcat version is 7.0.37, not 7.0.35.

3. Vulnerabilities that might affect Tomcat, but can't be fixed in Tomcat are listed here: http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat

4. Other than that, there are no other unaddressed known vulnerabilities in Tomcat 7.0.37, AFAIK.

-Ognjen
Re: Question regarding JNDIRealm - tomcat 6.0.35
André,

On 25.2.2013 10:34, André Warnier wrote:
> So, on the face of it, there seems to be a contradiction between you saying on the one hand that the LDAP server closes the connection, and on the other hand that netstat shows the connection still being active.

TCP connection is established until one of the endpoints terminates it. If one endpoint dies before it terminates the connection, or if there is a NAT in between which times out the connection due to inactivity, that may result in one endpoint seeing that TCP connection as ESTABLISHED, while other endpoint not seeing the connection at all (or seeing it as closed).

Related info here: http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/#overview

-Ognjen
Re: Question regarding JNDIRealm - tomcat 6.0.35
Ognjen Blagojevic wrote:
> André,
>
> On 25.2.2013 10:34, André Warnier wrote:
>> So, on the face of it, there seems to be a contradiction between you saying on the one hand that the LDAP server closes the connection, and on the other hand that netstat shows the connection still being active.
>
> TCP connection is established until one of the endpoints terminates it. If one endpoint dies before it terminates the connection, or if there is a NAT in between which times out the connection due to inactivity, that may result in one endpoint seeing that TCP connection as ESTABLISHED, while other endpoint not seeing the connection at all (or seeing it as closed).
>
> Related info here: http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/#overview

Yes, but as soon as Tomcat would try to write to (or read from) that connection, it would immediately get an error, no ? So to say that in the meantime tomcat keeps on trying one of these connections doesn't seem to fit, or ?
Re: Webapp reload corrupts Tomcat
On Feb 24, 2013, at 9:27 PM, Kirill Ilyukhin wrote:

> On 25.02.2013 2:10, Daniel Mikusa wrote:
>> On Feb 24, 2013, at 11:48 AM, Kirill Ilyukhin wrote:
>>> On Feb 22, 2013, at 22:32 , Daniel Mikusa dmik...@vmware.com wrote:
>>>> On Feb 22, 2013, at 12:09 AM, Kirill Ilyukhin wrote:
>>>>> Hi!
>>>>>
>>>>> I have 5 servers with the following configuration: Windows Server 2008 R2 64-bit, Oracle JDK 1.7.0_11-b21 64-bit, Tomcat 7.0.35 running as a service. A few webapps are running perfectly well under the Tomcat until one of them is reloaded. Reload of a webapp (either by pressing [reload] on manager page or by changing web.xml file) makes Tomcat extremely unstable.
>>>>>
>>>>> The first (pre-production) server sporadically fails with absolutely no traces in log files or Windows event logs:
>>>>
>>>> These three symptoms can often mean different things. For example, if it's not accepting connections then you can't really get a 404 error. Can you be more specific about when you see them and the status of your Tomcat server when you see them.
>>>>
>>>> Some troubleshooting thoughts...
>>>>
>>>>> does not accept connections,
>>>>
>>>> 1.) Is the process still running? Did the JVM crash? Is there a crash file? hs_err_pod.log?
>>>> 2.) Is the socket still listening? Have you changed any firewall rules?
>>>> 3.) Try telnet port. What happens?
>>>> 4.) Try connecting to Tomcat with jconsole or jvisualvm? Can you? If so look at the connector mbean. What is its state?
>>>> 5.) Take some thread dumps.
>>>>
>>>>> responds with HTTP 404 or
>>>>
>>>> Assuming the URL that you entered is valid, this sounds like your application may have failed to reload. Can you turn up the log level in your application to see what it is doing?
>>>>
>>>>> does not respond at all.
>>>>
>>>> Assuming that you mean it accepts your connection and request, but never processes and returns a response. In this case, take some thread dumps after you have sent the response. That should show you what is going on inside the JVM.
>>>
>>> Here is more details. All these was perfectly working on JDK 1.6 and Tomcat 7 a few builds earlier.
>>>
>>> A webapp is serving real-time data with updates. Open the page in a browser, it downloads an HTML (a static file), then a bunch of CSS and Javascripts (also static files), and starts fetching the data and updates (from a servlet) - this makes an indefinite sequence of HTTP requests. When I open the page after the webapp is reloaded, some of this requests (including the static files) fail with either 404 code or no response or not accepted connection. Requests are being failed quite randomly. If I reload the page, also a lot of fails, but slightly different - e.g. I might get the file which was 404 earlier. The data requests also fail randomly, some of them are successful, which means that the webapp is loaded.
>>>
>>> So, answering to the questions above: the process is definitely running, socket is definitely listening, telneting Tomcat gives random results, JConsole shows nothing uncommon.
>>
>> Can you attach the access log that shows these requests?
>
> I do not have the access logs at my disposal to attach them. From what I remember, the access logs were clean - no 404 codes, every request is responded. In other words if you look from the server side (logs, JConsole, Windows logs), everything is fine.
>
>> Also, a couple more follow up questions…
>>
>> 1.) When this occurs does it only occur for the application that you reload? or does it happen for all the apps that you have deployed to the Tomcat server?
>
> It happens to all the webapps on the server, even pre-installed ones (manager and ROOT).
>
>> 2.) Is this application specific, in other words does this only occur when you reload one particular application? or does reloading any application on the Tomcat server cause the problem?
>
> It is random. One of the application, when reloaded, causes the problem almost for sure. Others can also cause the problem, but less frequently.
>
>> 3.) Can you replicate this problem in a testing environment?
>
> No, I can not.
>
>>>>> Other 4 (production) servers also become unstable but in a different manner - a lot of HTTP 500 responses (logs are also clean).
>>>>
>>>> It would be very odd to see nothing in the logs after a 500 error. Have you looked at all of the log files, in particular localhost--MM-DD.log? That file should contain a stack trace after a 500 error. Also, what do you see in your browser when you get the 500 error? The default error page should print the stack trace for the 500 error.
>>>
>>> That is what I am talking about - quite odd behaviour. Nothing in log files, no body with HTTP 500 response in a browser.
>>>
>>>>> Plus on some of these servers I have a lot (less than HTTP 500 responses though) of NPEs:
>>>>> -
>>>>> SEVERE: Exception Processing /path/here
>>>>> java.lang.NullPointerException
>>>>> at org.apache.catalina.core.StandardWrapper.servletSecurityAnnotationScan(StandardWrapper.java:1216)
>>>>> at
Re: A pool question
On Feb 25, 2013, at 3:52 AM, Jukka Ruohonen wrote:

> Hello.
>
> A question related to pools.
>
> Background: a big application in which it is preferable to enforce different roles for different databases and tables. This implies that there are different user names and passwords for different connections.
>
> As I understand, there are two options for connection pooling in a scheme like this:
>
> A. Create different resources for the different roles, each having the user names and passwords defined as constants in the Tomcat configuration files.

This would seem to work best if you have a small and static number of user / password combinations. How you define small is up to you though, and would partly depend on the resources available in your environment.

> B. Group the different roles into a bigger scheme and use the option 'alternateUsernameAllowed' to obtain the connections with the specific user names and passwords.

This would seem to be a simpler approach if you have a large number of different logins or a dynamic number of possibilities. For example, if each user that logs in has their own DB credentials.

> Both were tested to work. But I wonder:
>
> 1. The first option seems intuitively more efficient. But on the other hand, does each Resource define its own cleaner thread? I wouldn't want to overburden the setup with too many threads.

Personally, what would worry me the most about this setup is configuring and tuning each of the pools. Since they are all going to the same DB, I wouldn't want to overload the system with too many connections, but at the same time there has to be enough in each pool to service the needs of the application. Plus getting this right, would seem to get trickier as you add more pools into the mix.

> 2. Are there any benchmarks on the option B? The plain FIFO seems rather inefficient if there are many different users/passwords.

You might be better off rolling your own benchmarks here. It'll take a little time, but you can see how it performs given your specific definitions of many different users/passwords.

Dan

> Any additional thoughts?
>
> - Jukka.
Re: Question regarding JNDIRealm - tomcat 6.0.35
André,

On 25.2.2013 14:53, André Warnier wrote:
> Yes, but as soon as Tomcat would try to write to (or read from) that connection, it would immediately get an error, no ? So to say that in the meantime tomcat keeps on trying one of these connections doesn't seem to fit, or ?

In regular situation if LDAP server receives a packet that does not match to any established connection, and that packet is not SYN, it would respond with RST packet, causing Connection reset on Tomcat side.

However, if there is no connection reset from LDAP server, that might imply that packets are being dropped. If LDAP server (or any device in between) simply drops TCP packets after the connection is dropped, Tomcat server will try to send the same data packet over and over again. The delay between two retries will be exponentially increased, until it reaches certain limit (e.g. 64s), when Tomcat server would finally send the RST packet itself and give up. That would explain several minutes delay.

I think that Wireshark or tcpdump would help to diagnose what is really going on on the network level.

-Ognjen
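Added example (not part of the thread): a Python parser for `netstat -o` style lines like the ones quoted earlier in this thread. It flags ESTABLISHED sockets with unsent data and a running retransmission timer, and models the exponential backoff described in the message above. The sample lines are constructed from the thread's output; the reading of the timer column as (countdown/retransmissions/keepalive probes), the `min_retrans` threshold and the backoff parameters are assumptions.

```python
import re

# Constructed sample, modelled on the netstat lines quoted in the thread
# (1.2.3.4 = application server, 4.3.2.1 = LDAP server; 10.0.0.7 is made up).
SAMPLE = """\
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (51.70/14/0)
tcp 0 81 :::1.2.3.4:59356 :::4.3.2.1:636 ESTABLISHED 5009 587231913 on (49.55/14/0)
tcp 0 0 :::1.2.3.4:56309 :::4.3.2.1:636 ESTABLISHED 5009 587536364 off (0.00/0/0)
tcp 0 0 :::1.2.3.4:8080 :::10.0.0.7:40112 ESTABLISHED 5009 587536400 keepalive (7180.12/0/0)
"""

# Columns: Proto Recv-Q Send-Q Local Foreign State [User Inode] Timer.
# User and Inode are only present when netstat is run with -e.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recv_q>\d+)\s+(?P<send_q>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_0-9]+)\s+"
    r"(?:(?P<user>\S+)\s+(?P<inode>\d+)\s+)?"
    r"(?P<timer>\w+)\s+"
    r"\((?P<countdown>[\d.]+)/(?P<retrans>\d+)/(?P<probes>\d+)\)"
)


def parse_line(line):
    """Parse one netstat line; return a dict, or None if it is not a TCP row."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    for key in ("recv_q", "send_q", "retrans", "probes"):
        rec[key] = int(rec[key])
    rec["countdown"] = float(rec["countdown"])
    return rec


def find_stalled(text, min_retrans=3):
    """Return {(local, remote): summary} for connections that look half-open.

    A connection is flagged when the local stack still reports ESTABLISHED,
    bytes are waiting in Send-Q, the retransmission timer is running ("on")
    and at least min_retrans retransmissions were already sent: the peer is
    not acknowledging, yet no RST has arrived to tear the socket down.
    """
    stalled = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["state"] == "ESTABLISHED" and rec["timer"] == "on"
                and rec["send_q"] > 0 and rec["retrans"] >= min_retrans):
            entry = stalled.setdefault(
                (rec["local"], rec["remote"]),
                {"samples": 0, "max_retrans": 0, "send_q": 0},
            )
            entry["samples"] += 1
            entry["max_retrans"] = max(entry["max_retrans"], rec["retrans"])
            entry["send_q"] = rec["send_q"]
    return stalled


def retransmit_schedule(initial_rto, max_rto, retries):
    """Cumulative seconds elapsed after each retransmission timeout.

    The timeout doubles after every unanswered attempt until it reaches
    max_rto. All three parameters are illustrative, not measured values.
    """
    elapsed, rto, schedule = 0.0, initial_rto, []
    for _ in range(retries):
        elapsed += rto
        schedule.append(elapsed)
        rto = min(rto * 2, max_rto)
    return schedule


if __name__ == "__main__":
    for (local, remote), info in find_stalled(SAMPLE).items():
        print("stalled:", local, "->", remote, info)
    # 1 s initial timeout, capped at 64 s, 8 attempts: over three minutes.
    print("gives up after about", retransmit_schedule(1.0, 64.0, 8)[-1], "s")
```

A socket flagged here is the situation where the application blocks on a dead connection; a packet capture on the application server, as suggested in the thread, confirms whether the retransmissions go unanswered.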
[ANN] Apache Tomcat Maven plugin 2.1
Hi,

The Apache Tomcat team is pleased to announce the release of the 2.1 version.

This plugin can be used to run your war project inside an embedded Apache Tomcat and to deploy your project to a running Apache Tomcat instance.

Documentation available: http://tomcat.apache.org/maven-plugin-2.1/index.html

Release Notes - Apache Tomcat Maven Plugin - Version 2.1

** Bug
* [MTOMCAT-61] - maven tomcat:run ignores the useSeperateTomcatClassloaded when using serverXml property
* [MTOMCAT-119] - tomcat7:run-war fails because it expects META-INF\context.xml
* [MTOMCAT-128] - The plugin ignores and/or parses web.xml incorrectally when using tomcatWebXml option
* [MTOMCAT-173] - Direct dependencies are not added to classpath
* [MTOMCAT-175] - warDirectory property has wrong standard value in release version 2.0
* [MTOMCAT-179] - Null pointer dereference in RunMojo
* [MTOMCAT-180] - Allow hostName and alias to be configured for tomcat6:run etc
* [MTOMCAT-182] - Typo in Tomcat6 AbstractRunWarMojo MOJO
* [MTOMCAT-185] - change phase for tomcat6/7:run to process-classes
* [MTOMCAT-186] - Closing executable JAR does not call ServletContextListener.contextDestroyed()
* [MTOMCAT-194] - Odd error message in switching from Codehaus to Maven Tomcat6 plugin
* [MTOMCAT-197] - tomcat7:undeploy goal not ignoring non-war projects
* [MTOMCAT-198] - Fix base classes for redeploy and redeploy-only goals
* [MTOMCAT-206] - Runtime dependencies within multi module projects are not loaded.

** Improvement
* [MTOMCAT-99] - Make redeploy goal consistent with deploy goals
* [MTOMCAT-188] - Allow for the creation of a war that is both executable and deployable
* [MTOMCAT-190] - Client Certificate settings for connector
* [MTOMCAT-191] - Return the redeploy goal to the Maven plugin
* [MTOMCAT-192] - Website text cleanup
* [MTOMCAT-199] - Text cleanup of goal definitions
* [MTOMCAT-200] - Tomcat7:redeploy
* [MTOMCAT-208] - JaCoCo instrumentation errors when running StandaloneWarMojo

** New Feature
* [MTOMCAT-163] - No undeploy goal

** Question
* [MTOMCAT-187] - Scan resources executing run goal

Have Fun,
--
The Apache Tomcat Team.
Nessus scan claims vulnerability in Tomcat 6
Hi there,

I have been confronted with a Nessus scan result which claims vulnerability to exploit TLS CRIME. Plugin 62565 allegedly has found this and the report states:

    The remote service has one of two configurations that are known to be required for the CRIME attack:
    - SSL / TLS compression is enabled.
    - TLS advertises the SPDY protocol earlier than version 4.
    ...
    CVE-2012-4929
    CVE-2012-4930

We have in server.xml:

    <Connector SSLCertificateFile="/path"
               SSLCipherSuite="***"
               protocol="HTTP/1.1"
               connectionTimeout="2"
               SSLCertificateKeyFile="/path"
               secure="true"
               scheme="https"
               maxThreads="500"
               port="4712"
               maxSavePostSize="0"
               server="***"
               SSLProtocol="TLSv1"
               maxPostSize="2048"
               URIEncoding="UTF-8"
               SSLEnabled="true" />

(paths and some other info replaced by dummies)

XML attribute compression is not present which according to the docs means off. I cannot find indication that SPDY does even exist in Tomcat 6. I also could not find anything in the list of vulnerabilities at http://tomcat.apache.org/security-6.html nor could I by searching for combinations of tomcat with the issue numbers given above.

Now, what to make of this? To me it seems only compression could be the culprit but is there any other way to enable compression for HTTPS than to include compression? Or does the TLS negotiation ignore setting compression? I could not find indication of any option to control compression in the Javadocs http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/package-summary.html

Kind regards

robert
JAVA_OPTS catalina.bat vs tomcat7w.exe
If I've asked this question before, my apologies. What is the difference between setting Java_OPTS in catalina.bat vs using the tomcat7w.exe with -D options in the Java Tab if you installed Tomcat as a windows service? Leo
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
> From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
> Subject: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
> What is the difference between setting Java_OPTS in catalina.bat vs using the tomcat7w.exe with -D options in the Java Tab if you installed Tomcat as a windows service?

The latter is useful, the former isn't. Services do not use environment variables.

- Chuck
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
> -----Original Message-----
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
>> From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
>> Subject: JAVA_OPTS catalina.bat vs tomcat7w.exe
>>
>> What is the difference between setting Java_OPTS in catalina.bat vs using the tomcat7w.exe with -D options in the Java Tab if you installed Tomcat as a windows service?
>
> The latter is useful, the former isn't. Services do not use environment variables.
>
> - Chuck

If running Tomcat 7.0.37 as a windows service, and using the tomcat7w.exe to set the options, are these wrong?

Java Options:
-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
-Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
-Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
-Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
-Djava.opts=-XX:PermSize=128m -XX:MaxPermSize=384m

Initial memory pool: 256MB
Maximum memory pool: 512MB
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
-Original Message-
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

> If running Tomcat 7.0.37 as a windows service, and using the tomcat7w.exe to set the options, are these wrong?
>
> Java Options:
> -Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
> -Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
> -Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
> -Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
> -Dcom.sun.management.jmxremote=true
> -Dcom.sun.management.jmxremote.port=9090
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.authenticate=false
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
> -Djava.opts=-XX:PermSize=128m
> -XX:MaxPermSize=384m

Wrong.. Just remove -Djava.opts=

Should be:
-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
-Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
-Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
-Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
-XX:PermSize=128m
-XX:MaxPermSize=384m
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

> If running Tomcat 7.0.37 as a windows service, and using the tomcat7w.exe to set the options, are these wrong?
>
> -Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
> -Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
> -Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
> -Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
> -Dcom.sun.management.jmxremote=true
> -Dcom.sun.management.jmxremote.port=9090
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.authenticate=false
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
> -XX:PermSize=128m
> -XX:MaxPermSize=384m
>
> Initial memory pool: 256MB
> Maximum memory pool: 512MB

The settings are not unreasonable, but whether or not they're appropriate for your environment, only someone familiar with that environment can say. Since you have JMX enabled without authentication, the server is open to abuse from pretty much anyone who can reach it. Proper heap settings are entirely dependent on the webapps being run.

- Chuck
Re: JAVA_OPTS catalina.bat vs tomcat7w.exe
On Mon, Feb 25, 2013 at 2:42 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

> From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
> > -Dcom.sun.management.jmxremote=true
> > -Dcom.sun.management.jmxremote.port=9090
> > -Dcom.sun.management.jmxremote.ssl=false
> > -Dcom.sun.management.jmxremote.authenticate=false
>
> Since you have JMX enabled without authentication, the server is open to abuse from pretty much anyone who can reach it.

Chuck,

I have similar settings, and so far, so good (no abuse/attack), and I recently re-added jmx settings in tomcat7w.exe for my app...just to routinely check performance and/or memory-used by the app, while running on production server.

Can you please clarify 'the server is open to abuse from pretty much anyone who can reach it'? Can you refer me to a blog or an article that discusses app abuse via jmx?

I have hardware firewall in place and the jmx port is not open/available at the hardware firewall level. I usually log in remotely to production server, and open Java visual VM to check status of the app (via JMX).

> - Chuck
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
-Original Message-
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
Subject: Re: JAVA_OPTS catalina.bat vs tomcat7w.exe

> Chuck,
>
> I have similar settings, and so far, so good (no abuse/attack), and I recently re-added jmx settings in tomcat7w.exe for my app...just to routinely check performance and/or memory-used by the app, while running on production server.
>
> Can you please clarify 'the server is open to abuse from pretty much anyone who can reach it'? Can you refer me to a blog or an article that discusses app abuse via jmx?

http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html
Re: JAVA_OPTS catalina.bat vs tomcat7w.exe
On Mon, Feb 25, 2013 at 3:08 PM, Howard W. Smith, Jr. smithh032...@gmail.com wrote:

> Can you please clarify 'the server is open to abuse from pretty much anyone who can reach it'? Can you refer me to a blog or an article that discusses app abuse via jmx?
>
> I have hardware firewall in place and the jmx port is not open/available at the hardware firewall level. I usually log in remotely to production server, and open Java visual VM to check status of the app (via JMX).

I just searched google for:

tomcat jmx abuse attack

and I see a lot of search results mentioning 'jboss', but found a document (that mentions tomcat, too) [1] that I could skim/read for now.

Thanks.

[1] [PDF] *Abusing* Jboss https://www.trustwave.com/downloads/spiderlabs/Trustwave-SpiderLabs-Abusing-Jboss-Papathanasiou.pdf
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
Subject: Re: JAVA_OPTS catalina.bat vs tomcat7w.exe

> Can you please clarify 'the server is open to abuse from pretty much anyone who can reach it'?

The key phrase is anyone who can reach it. If everyone within your firewall is fully trusted, then don't worry about it. If not everyone is fully trusted, then your current settings allow those persons to make arbitrary changes to the configuration of Tomcat and your webapps with rather limited tracking of who did what. The MBeans exposed by the JMX interface are not just viewable, they are modifiable by anyone with access.

- Chuck
RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
On Feb 25, 2013 5:41 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
> Subject: Re: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
> > Can you please clarify 'the server is open to abuse from pretty much anyone who can reach it'?
>
> The key phrase is anyone who can reach it. If everyone within your firewall is fully trusted, then don't worry about it. If not everyone is fully trusted, then your current settings allow those persons to make arbitrary changes to the configuration of Tomcat and your webapps with rather limited tracking of who did what. The MBeans exposed by the JMX interface are not just viewable, they are modifiable by anyone with access.
>
> - Chuck

Understood, thanks.
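The two problems raised in this thread (a `-Djava.opts=` prefix that hides a JVM flag inside a system property, and a remote JMX agent with authentication and SSL switched off) can be checked mechanically. The following is an added example, not code from the thread or from Tomcat; the function names and finding labels are hypothetical, and the sample is constructed from the options quoted above, assuming one option per line as the Java tab lists them.

```python
# Sample constructed from the options quoted in the thread (one entry per line).
POSTED = r"""
-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.opts=-XX:PermSize=128m
-XX:MaxPermSize=384m
"""

JMX = "com.sun.management.jmxremote."


def parse(text):
    """Split option text into (system properties, other JVM flags)."""
    props, flags = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("-D"):
            key, _, val = line[2:].partition("=")
            props[key] = val
        else:
            flags.append(line)
    return props, flags


def audit(text):
    """Return a list of finding labels for one set of Java options."""
    props, _flags = parse(text)
    findings = []
    if JMX + "port" in props:  # a port makes the agent reachable over the network
        # Both settings default to true in the JVM; only an explicit false weakens them.
        if props.get(JMX + "authenticate", "true").lower() == "false":
            findings.append("jmx-no-auth")
        if props.get(JMX + "ssl", "true").lower() == "false":
            findings.append("jmx-no-ssl")
    for key, val in props.items():
        # A JVM flag given as a property value is stored as a string, never applied.
        if val.startswith("-X"):
            findings.append("swallowed-flag:%s=%s" % (key, val))
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED):
        print(finding)
```

Removing the `-Djava.opts=` prefix clears the swallowed-flag finding; the two JMX findings remain until `authenticate` and `ssl` are no longer set to `false`.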
Re: Nessus scan claims vulnerability in Tomcat 6
On 25/02/2013 08:42, Robert Klemme wrote:

> Hi there,
>
> I have been confronted with a Nessus scan result which claims vulnerability to exploit TLS CRIME. Plugin 62565 allegedly has found this and the report states:
>
> The remote service has one of two configurations that are known to be required for the CRIME attack:
>
> - SSL / TLS compression is enabled.

It is this one.

> - TLS advertises the SPDY protocol earlier than version 4.

There is no spdy support in any released Tomcat version.

> We have in server.xml:
>
> <Connector SSLCertificateFile="/path" SSLCipherSuite="***" protocol="HTTP/1.1" connectionTimeout="2" SSLCertificateKeyFile="/path" secure="true" scheme="https" maxThreads="500" port="4712" maxSavePostSize="0" server="***" SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8" SSLEnabled="true" />

That is the APR/native HTTPS connector.

> Now, what to make of this? To me it seems only compression could be the culprit but is there any other way to enable compression for HTTPS than to include compression? Or does the TLS negotiation ignore setting compression? I could not find indication of any option to control compression in the Javadocs
> http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/package-summary.html

You won't. My recollection is that Java does not support compression. APR/native does. An option was recently added. See:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

There is no 6.0.x release with the necessary options yet.

Mark
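The reply above identifies the connector as APR/native from its attributes and points to a newly added option for TLS compression. The following added example (not from the thread or the Tomcat project) applies the same reasoning to a server.xml: it treats a TLS connector carrying OpenSSL-style `SSL*` attributes as APR/native, which holds for Tomcat 6 and 7, and reports those that do not disable compression. The attribute name `SSLDisableCompression` comes from the Tomcat connector documentation, not from this thread; the function names and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the connector quoted in the thread.
SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="4712" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" SSLProtocol="TLSv1"
             SSLCertificateFile="/path" SSLCertificateKeyFile="/path"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="/path" keystorePass="placeholder"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>
"""

# Attributes used by the APR/native (OpenSSL) TLS configuration in Tomcat 6/7.
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile",
             "SSLCipherSuite", "SSLProtocol"}


def classify(conn):
    """Return 'plain', 'jsse' or 'apr' for one <Connector> element."""
    if conn.get("SSLEnabled", "false").lower() != "true":
        return "plain"
    return "apr" if APR_ATTRS & set(conn.attrib) else "jsse"


def compression_exposed(xml_text):
    """Ports of APR/native TLS connectors that do not disable TLS compression."""
    ports = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        disabled = conn.get("SSLDisableCompression", "false").lower() == "true"
        if classify(conn) == "apr" and not disabled:
            ports.append(conn.get("port"))
    return ports


if __name__ == "__main__":
    print(compression_exposed(SERVER_XML))
```

The check reads configuration only; whether compression is actually negotiated also depends on the OpenSSL build behind the native library.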
Re: Tomcat wont allow me to create files
Hi Ben,

I didn't mention that but I did check that write permissions were on. Currently I don't have a log4j configuration. I am just trying to get it to work.

On Mon, Feb 25, 2013 at 8:39 PM, Ben Stringer b...@burbong.com wrote:

> On 26/02/2013, at 12:14 PM, Elias Kopsiaftis yemi...@gmail.com wrote:
>
> > I am running a webapp on Tomcat 7 and I am using log4j for logging. However, log4j cannot create a log file and I'm getting a permission denied error in the catalina.out file. I am running on linux, and made sure that the current working directory (which I got by printing it from within the application), /var/lib/tomcat7, and all its subdirectories were in the tomcat7 group, which should give the web app permissions to create files, but it's not working. Any suggestions?
>
> Hi Elias,
>
> That directory will also need group write permission set. Best way to work through this problem is to sudo to the userid that will be running tomcat, then try and create a file in that directory from the shell.
>
> If it is the group write that is missing, this command will add it:
>
> chmod g+w /var/lib/tomcat7
>
> But that is not where you should be writing logs. /var/log is a conventional place to keep logs. What is your log4j configuration?
>
> Cheers, Ben
tomcat-7.0.35-windows-x86 ON 64 bit UNIX
Hi,

I have downloaded apache-tomcat-7.0.35-windows-x86.zip and am running it on a 64 bit UNIX machine and it is working fine. Is it OK to run x86 setup on 64 bit UNIX machine? Please reply.

Server version: Apache Tomcat/7.0.35
Server built:   Jan 10 2013 10:52:49
Server number:  7.0.35.0
OS Name:        HP-UX
OS Version:     B.11.31
Architecture:   IA64N
JVM Version:    1.7.0.04-jinteg_2012_11_21_09_34-b00
JVM Vendor:     Hewlett-Packard Company

Thanks and Regards
Deepak Kumar