Re: Modify content in META-INF/context.xml
2013/12/18 Jeffrey Janner :

> I think that at 6.x you need to do one of the following to the context.xml
> file located in the configBase ($CATALINA_BASE/conf/[enginename]/[hostname]/):
> 1. make the changes to the file there and reload the webapp
> 2. make the changes in the META_INF file and copy it to the configBase, then
>    reload the webapp
> 3. delete the file from the configBase, then redeploy the webapp.
>
> With 7.x (at least the latest version) you get the copyXML parameter in the
> element which will give you more control over the process.
> Jeff

Hello Jeffrey:

Thanks a lot. You're right on all points. I was testing all these options yesterday and I would like to feed back the results to the list, but you did it before me.

Finally, my choice is the 3rd option.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat unexpected shutdown
박원석,

On 12/18/13, 9:47 PM, 박원석 wrote:
> Thanks, your response
>
> I found the problem why tomcat unexpectedly shutdown. It is not a
> system.exit() method and kill command and shutdown port
>
> The problem is that the operator using his own script to start
> tomcat.
>
> the script is like this
>
> =
> #!/bin/bash
> ./tomcat_path/bin/startup.sh
> tail -f /tomcat_path/logs/catalina.2013-12-19.log
> =
>
> tomcat shutdown normally progress when the operator execute a
> script and close the terminal window that he executed (terminal is
> secureCRT, putty,x Xshell)
>
> "The Ctrl + c" input is not a shutdown condition, but close the
> terminal unexpectedly shutdown the tomcat.
>
> why this script cause the shutdown problem?

When the terminal disconnects, you may be killing the process that way. You might want to consider looking at the "nohup" command to see if that will help.

-chris
Re: tomcat unexpected shutdown
Thanks, your response

I found the problem why tomcat unexpectedly shutdown. It is not a system.exit() method and kill command and shutdown port

The problem is that the operator using his own script to start tomcat.

the script is like this

=
#!/bin/bash
./tomcat_path/bin/startup.sh
tail -f /tomcat_path/logs/catalina.2013-12-19.log
=

tomcat shutdown normally progress when the operator execute a script and close the terminal window that he executed (terminal is secureCRT, putty,x Xshell)

"The Ctrl + c" input is not a shutdown condition, but close the terminal unexpectedly shutdown the tomcat.

why this script cause the shutdown problem?

thanks anyway

2013/12/17 Daniel Mikusa

> On Dec 16, 2013, at 11:53 PM, 박원석 wrote:
>
> > Hello, I'm operating some services under this environment.
> >
> > OS : RHEL 6.2
> > JVM : 1.6.0_34
> > WEB : httpd 2.2.22
> > WAS : tomcat 6.0.35(EWS 2.0)
> >
> > but I'm wondering if there is a way to shutdown tomcat unexpectedly??
>
> Perhaps the shutdown port?
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/server.html#Attributes
>
> > Catalina.out logs seems to be shutdown normally, but nobody can shutdown
> > tomcat process
>
> Are you sure nothing else could be calling the shutdown script? or
> perhaps killing the pid? Running "kill " will start an orderly
> shutdown as well.
>
> > I searched some similar this case, there is some way to find the app source
> > the "system.exit()" method
> >
> > but there is no System.exit() method. How Can I solve this problem?
>
> You can enable the security manager. This restricts calls to
> System.exit() and other things.
>
> http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
>
> Dan
>
> > I attach Catalina.out log and App logs, it seems to normally shutdown
> > tomcat process
> >
> > Catalina.out
> > 2013. 11. 3 ?ㅼ?? 2:19:32 org.apache.coyote.http11.Http11AprProtocol pause
> > ?~U蹂? Pausing Coyote HTTP/1.1 on http-8080
> > 2013. 11. 3 ?ㅼ?? 2:19:32 org.apache.coyote.ajp.AjpAprProtocol pause
> > ?~U蹂? Pausing Coyote AJP/1.3 on ajp-8009
> > 2013. 11. 3 ?ㅼ?? 2:19:33 org.apache.catalina.core.StandardService stop
> > ?~U蹂? Stopping service Catalina
> >
> > =
> >
> > APP.log, it seems to normally undeploy the context.
> >
> > [2013-11-03 02:19:34,015][INFO][?:?] Closing
> > org.springframework.web.context.support.XmlWebApplicationContext@61233fe3:
> > display name [WebApplicationContext for namespace 'dispatcher-servlet'];
> > startup date [Wed Oct 30 21:10:23 KST 2013]; parent:
> > org.springframework.web.context.support.XmlWebApplicationContext@4d5fc672
> > [2013-11-03 02:19:34,015][INFO][?:?] Destroying singletons in
> > org.springframework.beans.factory.support.DefaultListableBeanFactory@4838ddcc:
> > defining beans []; parent:
> > org.springframework.beans.factory.support.DefaultListableBeanFactory@7f0eeb26
> > [2013-11-03 02:19:34,138][INFO][?:?] Close Application Context
> > [2013-11-03 02:19:34,139][INFO][?:?] Closing
> > org.springframework.web.context.support.XmlWebApplicationContext@4d5fc672:
> > display name [Root WebApplicationContext]; startup date [Wed Oct 30
> > 21:10:12 KST 2013]; root of context hierarchy
> >
> > ===
Re: [OT] Garbage Collectors
On 12/18/2013 6:11 PM, Christopher Schultz wrote:

All,

I was recently discussing garbage collectors with a friend (yes, an exciting conversation) and I was wondering what the folks in the Tomcat community were using for their garbage collection needs.

I'd like to run an informal poll. Feel free to reply to just me directly if you'd like to protect your reputation or not clog the list or to the whole list if you'd prefer.

I know there are lots of lurkers on the list who rarely post and I'd encourage them to reply as well even if they don't feel like they are running anything of any importance.

So, here are my questions:

1. What JVM are you using?

[X ] Sun/Oracle/OpenJDK Java 1.5
...

2. What kind of web application are you running?

[ ] A toy, a research project, or something with virtually no use
[ ] A moderately busy web site (<1M requests/mo/server)
[ ] A moderately busy web site (<10M requests/mo/server)
[ ] A busy web site (10M - 100M requests/mo/server)
[X ] A super-busy web site

6-8M requests per day (very simple ones, though)

3. What is your total heap size?

512M (I think) for the busiest instance, less for less busy instances

4. Are you explicitly specifying a Garbage Collector? If not, just say so and skip the rest of the questions.

No.

5. What led you to use [GC X] instead of the JVM's default collector?

6. Did you do any actual performance testing to see if the switch from the default to [GC X] made any difference?

6. Have you spent a lot of time tuning [GC X]?

7. Did your tuning exercise yield any useful results?

8. Did your users notice any difference after you implemented [GC X], or just your own load-testing team?

If you think there's anything else I should know about your experience with [GC X], please let me know.

Thanks,
-chris
Re: [OT] Garbage Collectors
On Wed, Dec 18, 2013 at 6:57 PM, Leon Rosenberg wrote:

> On Thu, Dec 19, 2013 at 12:51 AM, Howard W. Smith, Jr. <smithh032...@gmail.com> wrote:
>
> > On Wed, Dec 18, 2013 at 6:11 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> > > 3. What is your total heap size?
> >
> > -Xms4096m
> > -Xmx4096m
> > -XX:MaxPermSize=384m (will share this as well, just because)
> >
> > but I think I can change to -Xms/-Xmx1250m, because heap used seem to max
> > out at (+/-)1024m.
>
> Don't, GC works best if used heap is < half of allowed heap. So keep at
> least 2G (You know that you can specify 4G instead of 4096M, right? :-))

Thanks Leon. I have been considering changing it to 2048M (or 2G, as you say). No, I didn't know I could specify '4G'. :)
Re: [OT] Garbage Collectors
On Thu, Dec 19, 2013 at 12:51 AM, Howard W. Smith, Jr. <smithh032...@gmail.com> wrote:

> On Wed, Dec 18, 2013 at 6:11 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> > 3. What is your total heap size?
>
> -Xms4096m
> -Xmx4096m
> -XX:MaxPermSize=384m (will share this as well, just because)
>
> but I think I can change to -Xms/-Xmx1250m, because heap used seem to max
> out at (+/-)1024m.

Don't, GC works best if used heap is < half of allowed heap. So keep at least 2G (You know that you can specify 4G instead of 4096M, right? :-))

Leon
Re: [OT] Garbage Collectors
Hello,

On Thu, Dec 19, 2013 at 12:11 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> All,
>
> I was recently discussing garbage collectors with a friend (yes, an
> exciting conversation) and I was wondering what the folks in the
> Tomcat community were using for their garbage collection needs.
>
> I'd like to run an informal poll. Feel free to reply to just me
> directly if you'd like to protect your reputation or not clog the list
> or to the whole list if you'd prefer.
>
> I know there are lots of lurkers on the list who rarely post and I'd
> encourage them to reply as well even if they don't feel like they are
> running anything of any importance.

I have too many (or consult many) but I will take the most visited.

> So, here are my questions:
>
> 1. What JVM are you using?
>
>    [ ] Sun/Oracle/OpenJDK Java 1.5
>    [ ] IBM Java 1.5
>    [ ] Sun/Oracle/OpenJDK Java 1.6
>    [ ] IBM Java 1.6
>    [x] Sun/Oracle/OpenJDK Java 1.7
>    [ ] IBM Java 1.7
>    [ ] Sun/Oracle/OpenJDK Java 1.8
>    [ ] Something else - please specify:
>
> 2. What kind of web application are you running?
>
>    [ ] A toy, a research project, or something with virtually no use
>    [ ] A moderately busy web site (<1M requests/mo/server)
>    [ ] A moderately busy web site (<10M requests/mo/server)
>    [ ] A busy web site (10M - 100M requests/mo/server)
>    [x] A super-busy web site
>
> 3. What is your total heap size?

14 GB

> 4. Are you explicitly specifying a Garbage Collector? If not, just say
> so and skip the rest of the questions.

CMS + Options

> 5. What led you to use [GC X] instead of the JVM's default collector?

GC pauses

> 6. Did you do any actual performance testing to see if the switch from
> the default to [GC X] made any difference?

Yes

> 6. Have you spent a lot of time tuning [GC X]?

Yes :-)

> 7. Did your tuning exercise yield any useful results?

45 sec pauses eliminated

> 8. Did your users notice any difference after you implemented [GC X],
> or just your own load-testing team?

I assume so, we had servers taken out of the pool by lb due to connection timeouts.

> If you think there's anything else I should know about your experience
> with [GC X], please let me know.

Well, it changes from version to version, so each new jdk version means start from beginning. Some of the options in Java 6 do not make sense in Java 7 and so on. But in general CMS is my personal choice for low-pause collector, I haven't yet seen working G1.

> Thanks,
> -chris
Re: [OT] Garbage Collectors
On Wed, Dec 18, 2013 at 6:11 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> 1. What JVM are you using?
>
> Answer: [X] Sun/Oracle/OpenJDK Java 1.7
>
> 2. What kind of web application are you running?
>
> Answer: [X] A moderately busy web site (<1M requests/mo/server)

> 3. What is your total heap size?

-Xms4096m
-Xmx4096m
-XX:MaxPermSize=384m (will share this as well, just because)

but I think I can change to -Xms/-Xmx1250m, because heap used seem to max out at (+/-)1024m.

> 4. Are you explicitly specifying a Garbage Collector? If not, just say
> so and skip the rest of the questions.

-XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled

> 5. What led you to use [GC X] instead of the JVM's default collector?

I've seen CMS recommended almost any/everywhere.

> 6. Did you do any actual performance testing to see if the switch from
> the default to [GC X] made any difference?

No.

> 6. Have you spent a lot of time tuning [GC X]?

A little...over time. I primarily adjusted -Xms/-Xmx a few times.

> 7. Did your tuning exercise yield any useful results?

Yes. I don't experience OutOfMemory exceptions, and app runs just fine.

> 8. Did your users notice any difference after you implemented [GC X],
> or just your own load-testing team?

No. My app has been configured to use CMS ever since the beginning of time/production.

> If you think there's anything else I should know about your experience
> with [GC X], please let me know.

To answer #4, I searched google, and found this[1], and that helped me answer your question. :)

I am sure that I can lower my -Xms/-Xmx4096m heap size, but with 32GB of RAM on the server, I'm not really pressed to do so. The server is used just for the app.

[1] http://www.cubrid.org/blog/textyle/428187
[OT] Garbage Collectors
All,

I was recently discussing garbage collectors with a friend (yes, an exciting conversation) and I was wondering what the folks in the Tomcat community were using for their garbage collection needs.

I'd like to run an informal poll. Feel free to reply to just me directly if you'd like to protect your reputation or not clog the list or to the whole list if you'd prefer.

I know there are lots of lurkers on the list who rarely post and I'd encourage them to reply as well even if they don't feel like they are running anything of any importance.

So, here are my questions:

1. What JVM are you using?

   [ ] Sun/Oracle/OpenJDK Java 1.5
   [ ] IBM Java 1.5
   [ ] Sun/Oracle/OpenJDK Java 1.6
   [ ] IBM Java 1.6
   [ ] Sun/Oracle/OpenJDK Java 1.7
   [ ] IBM Java 1.7
   [ ] Sun/Oracle/OpenJDK Java 1.8
   [ ] Something else - please specify:

2. What kind of web application are you running?

   [ ] A toy, a research project, or something with virtually no use
   [ ] A moderately busy web site (<1M requests/mo/server)
   [ ] A moderately busy web site (<10M requests/mo/server)
   [ ] A busy web site (10M - 100M requests/mo/server)
   [ ] A super-busy web site

3. What is your total heap size?

4. Are you explicitly specifying a Garbage Collector? If not, just say so and skip the rest of the questions.

5. What led you to use [GC X] instead of the JVM's default collector?

6. Did you do any actual performance testing to see if the switch from the default to [GC X] made any difference?

6. Have you spent a lot of time tuning [GC X]?

7. Did your tuning exercise yield any useful results?

8. Did your users notice any difference after you implemented [GC X], or just your own load-testing team?

If you think there's anything else I should know about your experience with [GC X], please let me know.

Thanks,
-chris
RE: Some security-related questions / enhancements for the Windows Installer
Sorry for the spam...

> -----Original Message-----
> From: Konstantin Preißer [mailto:kpreis...@apache.org]
> Sent: Wednesday, December 18, 2013 8:00 PM
> To: 'Tomcat Users List'
> Subject: RE: Some security-related questions / enhancements for the
> Windows Installer
>
> > -----Original Message-----
> > From: Konstantin Preißer [mailto:kpreis...@apache.org]
> > Sent: Wednesday, December 18, 2013 6:24 PM
> >
> > > - the user group "Administrators" is the name in English. In other
> > > locales, it is
> > > different (French : Administrateurs; German : Administratoren; Spanish:
> > > Administratores,
> > > etc.). That can be overcome, but also would complicate the installer.
> >
> > OK, but I'd think there is a way to use non-local names when modifying file
> > ACLs (or at least get the localized name).
>
> It works e.g. with icacls.exe, but I haven't tried WinAPIs.
>
> I was able to grant the "NetworkService" user full access to the folder
> "C:\testfolder" and subdirectories/files with any of the following commands
> (on a German Windows Server 2012 R2):
> 1) icacls testfolder /grant NetworkService:(OI)(CI)(F)
> 2) icacls testfolder /grant *S-1-5-20:(OI)(CI)(F)
> 3) icacls testfolder /grant Netzwerkdienst:(OI)(CI)(F)
>
> 1) uses the non-local name "NetworkService".
> 2) uses the numeric SID for NetworkService as described at [1] which is
> identical on each windows system. However, this SID is only available since
> Windows Vista and Server 2008.

Sorry, that was wrong - I misread the "Note Added in Windows Vista and Windows Server 2008" description, it belongs to another SID. The SID S-1-5-20 for the NetworkService (and related SIDs) also work in Windows Server 2003.

> 3) uses a localized account name.
>
> So I think localized account names shouldn't be an issue for the installer
> (but I'm not sure running icacls.exe is the best way for an Installer to set file
> permissions - I haven't checked how that works e.g. with WinAPIs).
>
> Note however, that using "Administrators" with icacls.exe didn't work for me
> (the localized name "Administratoren" worked), but the numeric SID of
> Administrators, S-1-5-32-544, did work.

It also did not work for me with "Local Service", whereas "S-1-5-19" or "Lokaler Dienst" worked.

> [1] http://support.microsoft.com/kb/243330/en-us

Regards,
Konstantin Preißer
RE: Some security-related questions / enhancements for the Windows Installer
> -----Original Message-----
> From: Konstantin Preißer [mailto:kpreis...@apache.org]
> Sent: Wednesday, December 18, 2013 6:24 PM
>
> > - the user group "Administrators" is the name in English. In other
> > locales, it is
> > different (French : Administrateurs; German : Administratoren; Spanish:
> > Administratores,
> > etc.). That can be overcome, but also would complicate the installer.
>
> OK, but I'd think there is a way to use non-local names when modifying file
> ACLs (or at least get the localized name).

It works e.g. with icacls.exe, but I haven't tried WinAPIs.

I was able to grant the "NetworkService" user full access to the folder "C:\testfolder" and subdirectories/files with any of the following commands (on a German Windows Server 2012 R2):

1) icacls testfolder /grant NetworkService:(OI)(CI)(F)
2) icacls testfolder /grant *S-1-5-20:(OI)(CI)(F)
3) icacls testfolder /grant Netzwerkdienst:(OI)(CI)(F)

1) uses the non-local name "NetworkService".
2) uses the numeric SID for NetworkService as described at [1] which is identical on each windows system. However, this SID is only available since Windows Vista and Server 2008.
3) uses a localized account name.

So I think localized account names shouldn't be an issue for the installer (but I'm not sure running icacls.exe is the best way for an Installer to set file permissions - I haven't checked how that works e.g. with WinAPIs).

Note however, that using "Administrators" with icacls.exe didn't work for me (the localized name "Administratoren" worked), but the numeric SID of Administrators, S-1-5-32-544, did work.

[1] http://support.microsoft.com/kb/243330/en-us

Regards,
Konstantin Preißer
Re: EOFException in AjpNioProcessor
Jesse Barnum wrote:

> On Dec 18, 2013, at 12:27 PM, Jesse Barnum wrote:
>
> > I'm seeing this error a lot in my log files. It happens when I am trying to
> > read from the request InputStream. Should I be concerned about this, or is it
> > just the equivalent of the user clicking 'stop' in their browser?
> >
> > > SEVERE: An error occurred while handling request /WSMRegister/LicenseCheck/handshake
> > > java.io.EOFException
>
> Forgot to mention, I'm running version 7.0.35 on Ubuntu Linux on Amazon EC2.

Well, it seems that you have the explanation right there.

If "com.prosc.licensecheck.LicenseCheck.doPost" is your code, then that's where the problem is: you are trying to read from the request input stream, when there is no more data to read and you have already seen its EOF.

Why there is no more data to read is another question, and it could be that the client did something wrong. But the code in those classes that do the read obviously is not coping well with that case.
RE: EOFException in AjpNioProcessor
Hi Jesse,

> -----Original Message-----
> From: Jesse Barnum [mailto:jsb_tom...@360works.com]
> Sent: Wednesday, December 18, 2013 6:58 PM
> To: Tomcat Users List
> Subject: Re: EOFException in AjpNioProcessor
>
> On Dec 18, 2013, at 12:27 PM, Jesse Barnum wrote:
>
> > I'm seeing this error a lot in my log files. It happens when I am trying to
> > read from the request InputStream. Should I be concerned about this, or is it
> > just the equivalent of the user clicking 'stop' in their browser?
> >
> >> SEVERE: An error occurred while handling request /WSMRegister/LicenseCheck/handshake
> >> java.io.EOFException
>
> Forgot to mention, I'm running version 7.0.35 on Ubuntu Linux on Amazon
> EC2.

I think this is the exception that occurs when the client (browser) closes the TCP connection (normal shutdown) without finishing to write the request body. This could happen if the user clicks the "cancel" button in their browser, so I don't think you need to be concerned about this exception itself, but you should catch it (or IOException) in your code so that Tomcat doesn't have to log this exception.

Regards,
Konstantin Preißer
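One way to apply the advice in the reply above, as an added example that is not code from the thread or from Tomcat: a servlet that reads the request body under a size cap and treats an `IOException` (including `java.io.EOFException`) during the read as a client abort. The class name `HandshakeServlet`, the 64 KiB limit and the status codes chosen are assumptions for illustration.

```java
package example;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (Servlet 3.0 API, as shipped with Tomcat 7).
public class HandshakeServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;
    private static final Logger LOG = Logger.getLogger(HandshakeServlet.class.getName());

    // Assumed upper bound for a handshake payload; caps memory used per request.
    private static final int MAX_BODY_BYTES = 64 * 1024;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        byte[] body;
        try {
            body = readBody(req.getInputStream(), MAX_BODY_BYTES);
        } catch (BodyTooLargeException e) {
            // Must be caught before IOException because it is a subclass of it.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        } catch (IOException e) {
            // Covers java.io.EOFException: the client closed the connection before
            // the whole body arrived. Log quietly and stop; nobody is left to answer.
            LOG.log(Level.FINE, "Request body read aborted by client", e);
            return;
        }

        // A short body that ended cleanly is still not a valid request:
        // never process a payload smaller than the client declared.
        int declared = req.getContentLength();
        if (declared >= 0 && body.length != declared) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Incomplete request body");
            return;
        }

        // Application logic would consume 'body' here.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Reads the stream to its end, failing as soon as the limit is exceeded.
    static byte[] readBody(InputStream in, int limit) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            if (out.size() + n > limit) {
                throw new BodyTooLargeException(limit);
            }
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    static final class BodyTooLargeException extends IOException {
        private static final long serialVersionUID = 1L;

        BodyTooLargeException(int limit) {
            super("request body exceeds " + limit + " bytes");
        }
    }
}
```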
Re: EOFException in AjpNioProcessor
On Dec 18, 2013, at 12:27 PM, Jesse Barnum wrote:

> I'm seeing this error a lot in my log files. It happens when I am trying to
> read from the request InputStream. Should I be concerned about this, or is it
> just the equivalent of the user clicking 'stop' in their browser?
>
>> SEVERE: An error occurred while handling request
>> /WSMRegister/LicenseCheck/handshake
>> java.io.EOFException

Forgot to mention, I'm running version 7.0.35 on Ubuntu Linux on Amazon EC2.

--Jesse Barnum, President, 360Works
http://www.360works.com
Product updates and news on http://facebook.com/360Works
(770) 234-9293
== Don't lose your data! http://360works.com/safetynet/ for FileMaker Server ==
Re: linking (limiting???)
Chris,

You may have hit the nail on the head. While I have 4 working tomcat applications, I am a C/Java/SQL programmer and Unix admin person (ex IBM system BAL programmer). I am mostly a DBA and write Java bean code to provide better access to things in the DB (make sure rules are followed). My experience level with tomcat is not great but growing. Today I got it running as user tomcat (not root - thanks Mark), and am finishing up by making it come up right using systemd services (instead of rc.local as I have in the past).

So I will try my best to answer your questions. I BELIEVE that the web browser uses port 80 only and that httpd passes things off to port 8080. (not sure). I have created symbolic links in /var/www/html so applications worked in the past, but you say this is wrong and it may very well be. I will try removing the links (after I get systemd startup working) and test again. Maybe this will fix all 3 link scenarios I tried (2 or more would be great).

Results will be posted here - hoping by end of day.

On Wednesday, December 18, 2013 12:25 PM, Christopher Schultz wrote:

Ray,

On 12/17/13, 1:23 PM, Ray Holme wrote:
> HTTP Status 404 - /appName/appName_tour/appNamev3.html type Status
> report message /appName/appName_tour/appNamev3.html description The
> requested resource is not available. Apache Tomcat/7.0.35

you're a few versions behind. Unless there is a particular reason to stick with 7.0.35, you might want to update to 7.0.latest.

-chris
Re: X-Frame-Options header
On 12/18/13, 10:55 AM, Mark Thomas wrote:
> On 18/12/2013 15:48, Dariusz Gorczyca wrote:
>> Recently I was working on X-Frame-Options and discovered that
>> Tomcat 7 and 8 doesn't support that solution for Clickjacking
>> security. One of the solution is to hide Tomcat behind Apache,
>> but it can't be done. Is there anyone who knows if there are any
>> plans to implement it eg. as a tag in server.xml file ?
>
> There are currently no plans to provide an option for that. You
> can always write a simple filter.

+1

If there is a particular reason for the server to handle this, it would seem reasonable to provide such a filter out of the box. I'm not convinced that the server itself is required, here.

There are several Filters that are often recommended for various uses. We could potentially put the source for such filters into the Wiki, or examples webapp, or somewhere else where the community could have access to them even if they are not a part of the formal Tomcat server package.

-chris
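The "simple filter" suggested in this thread could look like the following. This is an added example, not code posted to the list and not part of Tomcat; the class name `FrameOptionsFilter`, the package `example` and the `policy` init parameter are assumptions for illustration.

```java
package example;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (Servlet 3.0 API, as shipped with Tomcat 7) that adds an
// X-Frame-Options header to every response of the web application.
//
// Registration in WEB-INF/web.xml:
//
//   <filter>
//     <filter-name>frameOptions</filter-name>
//     <filter-class>example.FrameOptionsFilter</filter-class>
//     <init-param>
//       <param-name>policy</param-name>
//       <param-value>SAMEORIGIN</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>frameOptions</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
public class FrameOptionsFilter implements Filter {

    private static final String HEADER = "X-Frame-Options";

    // ALLOW-FROM is left out on purpose: browser support for it is inconsistent,
    // so accepting it here would give a false sense of protection.
    private static final Set<String> ALLOWED =
            new HashSet<String>(Arrays.asList("DENY", "SAMEORIGIN"));

    // Strictest value is the default when no init parameter is given.
    private String policy = "DENY";

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("policy");
        if (configured == null || configured.trim().isEmpty()) {
            return;
        }
        String value = configured.trim().toUpperCase(Locale.ROOT);
        if (!ALLOWED.contains(value)) {
            // Fail at deployment instead of silently sending a value browsers ignore.
            throw new ServletException("Unsupported " + HEADER + " policy: " + configured);
        }
        policy = value;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the header before the chain runs: once the response has been
            // committed, headers can no longer be added. A value already set by
            // an earlier filter is left untouched.
            if (!http.containsHeader(HEADER)) {
                http.setHeader(HEADER, policy);
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Mapping the filter to `/*` also covers static resources and error pages served by the web application, which is where a per-servlet header is most easily forgotten.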
Re: Setting log file permissions upon creation?
Mark,

On 12/17/13, 11:29 AM, Mark Eggers wrote:
> There are not a lot of files that Tomcat creates.
>
> 1. log files, as we have been discussing
> 2. PID file - if enabled, and that depends on where you write it
> 3. serialized sessions
> 4. JSP files - generate a .java file and the corresponding class
> 5. looks like some Maven stuff may get unpacked in the work directory

Tomcat does not use Maven for anything, so I think #5 may be environment-specific.

6. For servlet-3.0-style uploads, Tomcat will write uploaded files temporarily to the disk (in the work/ directory?) once they exceed the configured maximum threshold.

OP might want to read the man page for "sticky" which documents the "sticky bit" for directories.

-chris
EOFException in AjpNioProcessor
I'm seeing this error a lot in my log files. It happens when I am trying to read from the request InputStream. Should I be concerned about this, or is it just the equivalent of the user clicking 'stop' in their browser?

> SEVERE: An error occurred while handling request /WSMRegister/LicenseCheck/handshake
> java.io.EOFException
>     at org.apache.coyote.ajp.AjpNioProcessor.readSocket(AjpNioProcessor.java:358)
>     at org.apache.coyote.ajp.AjpNioProcessor.read(AjpNioProcessor.java:314)
>     at org.apache.coyote.ajp.AjpNioProcessor.readMessage(AjpNioProcessor.java:406)
>     at org.apache.coyote.ajp.AjpNioProcessor.receive(AjpNioProcessor.java:375)
>     at org.apache.coyote.ajp.AbstractAjpProcessor$SocketInputBuffer.doRead(AbstractAjpProcessor.java:1066)
>     at org.apache.coyote.Request.doRead(Request.java:422)
>     at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:290)
>     at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:431)
>     at org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:315)
>     at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:167)
>     at com.prosc.io.IOUtils.writeInputToOutput(IOUtils.java:49)
>     at com.prosc.io.IOUtils.inputStreamAsBytes(IOUtils.java:116)
>     at com.prosc.io.IOUtils.inputStreamAsString(IOUtils.java:136)
>     at com.prosc.io.IOUtils.inputStreamAsString(IOUtils.java:127)
>     at com.prosc.licensecheck.LicenseCheck.doPost(LicenseCheck.java:164)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at com.prosc.infrastructure.LogFilter.doFilter(LogFilter.java:22)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at com.prosc.infrastructure.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:38)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>     at org.apache.coyote.ajp.AjpNioProcessor.process(AjpNioProcessor.java:184)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1680)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:722)

--Jesse Barnum, President, 360Works
http://www.360works.com
Re: linking (limiting???)
Ray,

On 12/17/13, 1:23 PM, Ray Holme wrote:
> HTTP Status 404 - /appName/appName_tour/appNamev3.html type Status report message /appName/appName_tour/appNamev3.html description The requested resource is not available. Apache Tomcat/7.0.35

You're a few versions behind. Unless there is a particular reason to stick with 7.0.35, you might want to update to 7.0.latest.

-chris
RE: Some security-related questions / enhancements for the Windows Installer
Hi André,

thank you for your reply.

> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Wednesday, December 18, 2013 4:28 PM
> To: Tomcat Users List
> Subject: Re: Some security-related questions / enhancements for the Windows Installer
>
> Konstantin Preißer wrote:
> > Hi,
> >
> > while I normally only use the .zip distributions of Tomcat, I just had a look at the Windows Service Installer for Tomcat 8.0.0-RC9.
> >
> > There are some points related to security which I noticed that could be improved:
> >
> > 1) When installing Tomcat with the Windows Service Installer, it installs by default in "%ProgramFiles%\Apache Software Foundation\Tomcat 8.0". A problem that I see here is that this directory is intended to be the place for binaries of programs that every user which has an account on this Windows installation should be able to use. However, by default, Tomcat places not only binaries, but also data (conf, logs, webapps, work, temp) in this directory (I think it's possible to run Tomcat with a different data directory by setting a different CATALINA_BASE env, but the Installer doesn't seem to do this).
> >
> > This means e.g. if you have some passwords in your Tomcat config, every other user on the server will be able to read them (or, webapp binaries which you place in the webapps directory, etc.).
> > Of course, a user which installs a program on the server should know how to secure the data, but I think an Installer should make sure that by default, everything is secure.
> >
> > So, in this case maybe it could display an option to automatically adjust file permissions, and if it is selected, adjust the directory ACLs of the "Tomcat 8" directory to only allow full access for "NT AUTHORITY\SYSTEM" and "BUILTIN\Administrators", but don't allow read access for ordinary users.
> > (For Example, if you install Microsoft SQL Server 2012, it will place binaries and data files into C:\Program Files\Microsoft SQL Server, but the setup adjusts the permissions for the DATA directory so that ordinary users can't access it.)
> >
> > 2) By default, the installer sets the Tomcat Service to run under the LocalSystem account which has administrative privileges.
> >
> > Normally, Tomcat shouldn't run as root/Administrator user for security reasons. I think an alternative would be to run as NetworkService which is a user that exists by default and doesn't have administrative privileges (i.e. it has only normal user rights) [1].
> > AFAIK, this user can only be used to run services, but it cannot be used with things like the "runas" command so every other user will not be able to access data with NetworkUser privileges. (This is also done e.g. by VisualSVN Server - it runs as NetworkService.)
> >
> > Note that in this case, if 1) is applied, the installer would need to additionally give full access to the NetworkService for the "Tomcat 8" directory.
> >
> > 3) When running the installer, it asks for the Server Shutdown port which has a value of "8005" by default. However, when running Tomcat as a service, the shutdown port is not needed as the daemon service wrapper implements the logic to shutdown Tomcat. Shouldn't the shutdown port in this case automatically set to "-1" to disable it, for security reasons? Otherwise other users would be able to shutdown Tomcat by connecting to the shutdown port.
> >
> > What do you think?
> >
> > [1] http://msdn.microsoft.com/en-us/library/windows/desktop/ms684272%28v=vs.85%29.aspx
>
> Konstantin,
>
> while I am not saying that you are wrong in the principle, there are nevertheless some additional considerations :
> - Tomcat installs as "LocalSystem", not as "Administrator". It is not really the same as "Administrator".

Yes, with "administrative privileges" I meant especially the file system.

> - the LocalSystem account has extensive privileges on the local machine, but it is not a domain account and thus has no access to any (Windows) network resources. Users cannot login as "LocalSystem" nor switch to that account.

Yes. What I meant was, that if Tomcat is running under the System account and Tomcat or one of its web applications had a security vulnerability that allowed a remote attacker to execute code on the local machine, they could access everything so the whole system is compromised. However, if Tomcat runs under NetworkService or LocalService, only the data where this user has access is compromised.

> - the LocalService and NetworkService may indeed be better choices nowadays, under recent versions of Windows Server. But these accounts do not necessarily exist on either older Windows versions and/or on Windows workstations. Tomcat is free open-source software, which often gets installed on older Windows versions or developer workstations, so this would complicate the instal
Re: X-Frame-Options header
On 18/12/2013 15:48, Dariusz Gorczyca wrote:
> Recently I was working on X-Frame-Options and discovered that Tomcat 7 and 8 don't support that solution for Clickjacking security. One of the solutions is to hide Tomcat behind Apache, but it can't be done. Is there anyone who knows if there are any plans to implement it, e.g. as a tag in server.xml file?

There are currently no plans to provide an option for that. You can always write a simple filter.

Mark
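Mark's suggestion of a simple filter could look like the following. This is an added example, not code from the thread or from Tomcat; the class name `XFrameOptionsFilter` and the `mode` init parameter are assumptions, and it targets the `javax.servlet` API that Tomcat 7 and 8 implement.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example, not Tomcat code. The class name and the "mode" init
// parameter are hypothetical names chosen for this sketch.
@WebFilter(
        urlPatterns = "/*",
        // ERROR is included so container-dispatched error pages carry the header too.
        dispatcherTypes = { DispatcherType.REQUEST, DispatcherType.ERROR },
        initParams = @WebInitParam(name = "mode", value = "SAMEORIGIN"))
public class XFrameOptionsFilter implements Filter {

    private static final String HEADER = "X-Frame-Options";

    // The most restrictive value is the default when "mode" is absent.
    private String headerValue = "DENY";

    @Override
    public void init(FilterConfig config) throws ServletException {
        String mode = config.getInitParameter("mode");
        if (mode == null || mode.trim().isEmpty()) {
            return;
        }
        String normalized = mode.trim().toUpperCase(Locale.ENGLISH);
        // Fail deployment on a typo rather than send a value browsers will ignore.
        if (!"DENY".equals(normalized) && !"SAMEORIGIN".equals(normalized)) {
            throw new ServletException("Unsupported " + HEADER + " mode: " + mode);
        }
        headerValue = normalized;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Set the header before the chain runs: once a servlet has committed
        // the response, headers can no longer be added.
        httpResponse.setHeader(HEADER, headerValue);
        chain.doFilter(request, new PinnedHeaderResponse(httpResponse, headerValue));
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Keeps the filter's header value in place for the rest of the request. */
    private static final class PinnedHeaderResponse extends HttpServletResponseWrapper {

        private final String value;

        PinnedHeaderResponse(HttpServletResponse response, String value) {
            super(response);
            this.value = value;
        }

        @Override
        public void setHeader(String name, String headerValue) {
            // Ignore application attempts to replace the policy.
            if (!HEADER.equalsIgnoreCase(name)) {
                super.setHeader(name, headerValue);
            }
        }

        @Override
        public void addHeader(String name, String headerValue) {
            // Ignore application attempts to add a second, conflicting value.
            if (!HEADER.equalsIgnoreCase(name)) {
                super.addHeader(name, headerValue);
            }
        }

        @Override
        public void reset() {
            // reset() clears all headers, so put the policy back afterwards.
            super.reset();
            super.setHeader(HEADER, value);
        }
    }
}
```

If the application's web.xml sets `metadata-complete="true"`, the annotation is not scanned and the filter has to be declared there with `<filter>` and `<filter-mapping>` instead.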
RE: Modify content in META-INF/context.xml
> -----Original Message-----
> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> Sent: Tuesday, December 17, 2013 4:33 AM
> To: Tomcat Users List
> Subject: Modify content in META-INF/context.xml
>
> Hello:
>
> I'm using Apache Tomcat 6.0.24 and I've deployed a web application that defines its resources into META-INF/context.xml, especially information about connection pool
>
> Sometimes I've to edit that file to change some data, i.e, database's JDBC url
>
> I've seen that restart web application is not enough to apply these changes, so I need to redeploy the web application (I mean, unpack WAR file, modify it, repack it again, copy to deploy folder ...)
>
> My question:
>
> Do you know other way to modify META-INF/context.xml and apply the changes and don't have to redeploy the WAR file ?
>
> Restart the web application is not a problem, but restart Tomcat is
>
> Any ideas ?
>
> Thanks and regards

I think that at 6.x you need to do one of the following to the context.xml file located in the configBase ($CATALINA_BASE/conf/[enginename]/[hostname]/):

1. make the changes to the file there and reload the webapp
2. make the changes in the META_INF file and copy it to the configBase, then reload the webapp
3. delete the file from the configBase, then redeploy the webapp.

With 7.x (at least the latest version) you get the copyXML parameter in the element which will give you more control over the process.

Jeff
X-Frame-Options header
Recently I was working on X-Frame-Options and discovered that Tomcat 7 and 8 don't support that solution for Clickjacking security. One of the solutions is to hide Tomcat behind Apache, but it can't be done. Is there anyone who knows if there are any plans to implement it, e.g. as a tag in server.xml file?

Thanks for your attention
RE: Some security-related questions / enhancements for the Windows Installer
> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Wednesday, December 18, 2013 9:28 AM
> To: Tomcat Users List
> Subject: Re: Some security-related questions / enhancements for the Windows Installer
>
> Konstantin Preißer wrote:
> > Hi,
> >
> > while I normally only use the .zip distributions of Tomcat, I just had a look at the Windows Service Installer for Tomcat 8.0.0-RC9.
> >
> > There are some points related to security which I noticed that could be improved:
> >
> > 1) When installing Tomcat with the Windows Service Installer, it installs by default in "%ProgramFiles%\Apache Software Foundation\Tomcat 8.0". A problem that I see here is that this directory is intended to be the place for binaries of programs that every user which has an account on this Windows installation should be able to use. However, by default, Tomcat places not only binaries, but also data (conf, logs, webapps, work, temp) in this directory (I think it's possible to run Tomcat with a different data directory by setting a different CATALINA_BASE env, but the Installer doesn't seem to do this).
> >
> > This means e.g. if you have some passwords in your Tomcat config, every other user on the server will be able to read them (or, webapp binaries which you place in the webapps directory, etc.).
> > Of course, a user which installs a program on the server should know how to secure the data, but I think an Installer should make sure that by default, everything is secure.
> >
> > So, in this case maybe it could display an option to automatically adjust file permissions, and if it is selected, adjust the directory ACLs of the "Tomcat 8" directory to only allow full access for "NT AUTHORITY\SYSTEM" and "BUILTIN\Administrators", but don't allow read access for ordinary users.
> > (For Example, if you install Microsoft SQL Server 2012, it will place binaries and data files into C:\Program Files\Microsoft SQL Server, but the setup adjusts the permissions for the DATA directory so that ordinary users can't access it.)
> >
> > 2) By default, the installer sets the Tomcat Service to run under the LocalSystem account which has administrative privileges.
> >
> > Normally, Tomcat shouldn't run as root/Administrator user for security reasons. I think an alternative would be to run as NetworkService which is a user that exists by default and doesn't have administrative privileges (i.e. it has only normal user rights) [1].
> > AFAIK, this user can only be used to run services, but it cannot be used with things like the "runas" command so every other user will not be able to access data with NetworkUser privileges. (This is also done e.g. by VisualSVN Server - it runs as NetworkService.)
> >
> > Note that in this case, if 1) is applied, the installer would need to additionally give full access to the NetworkService for the "Tomcat 8" directory.
> >
> > 3) When running the installer, it asks for the Server Shutdown port which has a value of "8005" by default. However, when running Tomcat as a service, the shutdown port is not needed as the daemon service wrapper implements the logic to shutdown Tomcat. Shouldn't the shutdown port in this case automatically set to "-1" to disable it, for security reasons? Otherwise other users would be able to shutdown Tomcat by connecting to the shutdown port.
> >
> > What do you think?
> >
> > [1] http://msdn.microsoft.com/en-us/library/windows/desktop/ms684272%28v=vs.85%29.aspx
>
> Konstantin,
>
> while I am not saying that you are wrong in the principle, there are nevertheless some additional considerations :
> - Tomcat installs as "LocalSystem", not as "Administrator". It is not really the same as "Administrator".
> - the LocalSystem account has extensive privileges on the local machine, but it is not a domain account and thus has no access to any (Windows) network resources. Users cannot login as "LocalSystem" nor switch to that account.
> - the LocalService and NetworkService may indeed be better choices nowadays, under recent versions of Windows Server. But these accounts do not necessarily exist on either older Windows versions and/or on Windows workstations. Tomcat is free open-source software, which often gets installed on older Windows versions or developer workstations, so this would complicate the installer, if nothing else.

[Jeff Janner] All 3 are available at least as far back as Windows XP and Server 2000. If you are working on anything older than that, it's time to upgrade. Also, I'm pretty sure that they are all available on workstation as well as server.

> - the user group "Administrators" is the name in English. In other locales, it is different (French : Administrateurs; German : Administratoren; Spanish: Administratores, etc.). That can be overcome, but also would complicate the installer.
> - in enviro
RE: Some security-related questions / enhancements for the Windows Installer
Konstantin - Interesting points. See comments in-line.

Jeff

> -----Original Message-----
> From: Konstantin Preißer [mailto:kpreis...@apache.org]
> Sent: Wednesday, December 18, 2013 8:18 AM
> To: 'Tomcat Users List'
> Subject: Some security-related questions / enhancements for the Windows Installer
>
> Hi,
>
> while I normally only use the .zip distributions of Tomcat, I just had a look at the Windows Service Installer for Tomcat 8.0.0-RC9.
>
> There are some points related to security which I noticed that could be improved:
>
> 1) When installing Tomcat with the Windows Service Installer, it installs by default in "%ProgramFiles%\Apache Software Foundation\Tomcat 8.0". A problem that I see here is that this directory is intended to be the place for binaries of programs that every user which has an account on this Windows installation should be able to use. However, by default, Tomcat places not only binaries, but also data (conf, logs, webapps, work, temp) in this directory (I think it's possible to run Tomcat with a different data directory by setting a different CATALINA_BASE env, but the Installer doesn't seem to do this).
>
> This means e.g. if you have some passwords in your Tomcat config, every other user on the server will be able to read them (or, webapp binaries which you place in the webapps directory, etc.).
> Of course, a user which installs a program on the server should know how to secure the data, but I think an Installer should make sure that by default, everything is secure.
>
> So, in this case maybe it could display an option to automatically adjust file permissions, and if it is selected, adjust the directory ACLs of the "Tomcat 8" directory to only allow full access for "NT AUTHORITY\SYSTEM" and "BUILTIN\Administrators", but don't allow read access for ordinary users.
> (For Example, if you install Microsoft SQL Server 2012, it will place binaries and data files into C:\Program Files\Microsoft SQL Server, but the setup adjusts the permissions for the DATA directory so that ordinary users can't access it.)
>

[Jeff Janner] Not so much of a problem, since in normal usage, only admins should be allowed to login directly into the server, and the Program Files directory is not normally shared to the network. However, it never hurts to tighten the file system security.

>
> 2) By default, the installer sets the Tomcat Service to run under the LocalSystem account which has administrative privileges.
>
> Normally, Tomcat shouldn't run as root/Administrator user for security reasons. I think an alternative would be to run as NetworkService which is a user that exists by default and doesn't have administrative privileges (i.e. it has only normal user rights) [1].
> AFAIK, this user can only be used to run services, but it cannot be used with things like the "runas" command so every other user will not be able to access data with NetworkUser privileges. (This is also done e.g. by VisualSVN Server - it runs as NetworkService.)
>
> Note that in this case, if 1) is applied, the installer would need to additionally give full access to the NetworkService for the "Tomcat 8" directory.
>

[Jeff Janner] I would argue for using NT AUTHORITY/LocalService instead. The NetworkService account is less secure as it grants access to other systems in the network using the computer's access credentials. The LocalService generally does not grant access to network resources (actually as "anonymous"), so it is the more secure user, and in general, Tomcat should not be accessing remote file systems anyway.

>
> 3) When running the installer, it asks for the Server Shutdown port which has a value of "8005" by default. However, when running Tomcat as a service, the shutdown port is not needed as the daemon service wrapper implements the logic to shutdown Tomcat. Shouldn't the shutdown port in this case automatically set to "-1" to disable it, for security reasons? Otherwise other users would be able to shutdown Tomcat by connecting to the shutdown port.
>

[Jeff Janner] +1 I do this on every install, but most newbies might not know to make the change.

>
> What do you think?
>

[Jeff Janner] There's a number of additional changes that could be implemented. For example:

The Procrun directory gets created as whatever you put in the Service Name fields, but the display name gets set to "Apache Tomcat %release% %service_name%". So, if you install a service name of "DEV" at release 7, and want to keep the name for the 8.0 install and run in parallel, you can't. The display names are OK, but the service name won't be unique and Procrun can't create a separate registry entry for the new version. Perhaps adding the release# to the service name for the Procrun install only would be helpful?

Go ahead and sign the installer executable already. That warning on startup is annoying.

>
> [1] http://msdn.microsoft.com/en-
> u
Re: Some security-related questions / enhancements for the Windows Installer
Konstantin Preißer wrote:
> Hi,
>
> while I normally only use the .zip distributions of Tomcat, I just had a look at the Windows Service Installer for Tomcat 8.0.0-RC9.
>
> There are some points related to security which I noticed that could be improved:
>
> 1) When installing Tomcat with the Windows Service Installer, it installs by default in "%ProgramFiles%\Apache Software Foundation\Tomcat 8.0". A problem that I see here is that this directory is intended to be the place for binaries of programs that every user which has an account on this Windows installation should be able to use. However, by default, Tomcat places not only binaries, but also data (conf, logs, webapps, work, temp) in this directory (I think it's possible to run Tomcat with a different data directory by setting a different CATALINA_BASE env, but the Installer doesn't seem to do this).
>
> This means e.g. if you have some passwords in your Tomcat config, every other user on the server will be able to read them (or, webapp binaries which you place in the webapps directory, etc.).
> Of course, a user which installs a program on the server should know how to secure the data, but I think an Installer should make sure that by default, everything is secure.
>
> So, in this case maybe it could display an option to automatically adjust file permissions, and if it is selected, adjust the directory ACLs of the "Tomcat 8" directory to only allow full access for "NT AUTHORITY\SYSTEM" and "BUILTIN\Administrators", but don't allow read access for ordinary users.
> (For Example, if you install Microsoft SQL Server 2012, it will place binaries and data files into C:\Program Files\Microsoft SQL Server, but the setup adjusts the permissions for the DATA directory so that ordinary users can't access it.)
>
> 2) By default, the installer sets the Tomcat Service to run under the LocalSystem account which has administrative privileges.
>
> Normally, Tomcat shouldn't run as root/Administrator user for security reasons. I think an alternative would be to run as NetworkService which is a user that exists by default and doesn't have administrative privileges (i.e. it has only normal user rights) [1].
> AFAIK, this user can only be used to run services, but it cannot be used with things like the "runas" command so every other user will not be able to access data with NetworkUser privileges. (This is also done e.g. by VisualSVN Server - it runs as NetworkService.)
>
> Note that in this case, if 1) is applied, the installer would need to additionally give full access to the NetworkService for the "Tomcat 8" directory.
>
> 3) When running the installer, it asks for the Server Shutdown port which has a value of "8005" by default. However, when running Tomcat as a service, the shutdown port is not needed as the daemon service wrapper implements the logic to shutdown Tomcat. Shouldn't the shutdown port in this case automatically set to "-1" to disable it, for security reasons? Otherwise other users would be able to shutdown Tomcat by connecting to the shutdown port.
>
> What do you think?
>
> [1] http://msdn.microsoft.com/en-us/library/windows/desktop/ms684272%28v=vs.85%29.aspx

Konstantin,

while I am not saying that you are wrong in the principle, there are nevertheless some additional considerations :

- Tomcat installs as "LocalSystem", not as "Administrator". It is not really the same as "Administrator".
- the LocalSystem account has extensive privileges on the local machine, but it is not a domain account and thus has no access to any (Windows) network resources. Users cannot login as "LocalSystem" nor switch to that account.
- the LocalService and NetworkService may indeed be better choices nowadays, under recent versions of Windows Server. But these accounts do not necessarily exist on either older Windows versions and/or on Windows workstations. Tomcat is free open-source software, which often gets installed on older Windows versions or developer workstations, so this would complicate the installer, if nothing else.
- the user group "Administrators" is the name in English. In other locales, it is different (French : Administrateurs; German : Administratoren; Spanish: Administratores, etc.). That can be overcome, but also would complicate the installer.
- in environments where access to the Tomcat directories may be sensitive, one would usually be talking about "server" computers. To have access to the "Program Files" directory of such a server, the user would need to be able to login locally to the server first (that directory is not normally "shared" in the network). I would argue that if normal users can do that, you have bigger security issues than access to the Tomcat conf directory.
- the shutdown port, as far as I remember, is only accessible from "localhost". So in order to send a shutdown command, a user would first have to be logged-in on the server directly. See previous point.
- the Tomcat webapps directory is also not normally a
Some security-related questions / enhancements for the Windows Installer
Hi,

while I normally only use the .zip distributions of Tomcat, I just had a look at the Windows Service Installer for Tomcat 8.0.0-RC9.

There are some points related to security which I noticed that could be improved:

1) When installing Tomcat with the Windows Service Installer, it installs by default in "%ProgramFiles%\Apache Software Foundation\Tomcat 8.0". A problem that I see here is that this directory is intended to be the place for binaries of programs that every user which has an account on this Windows installation should be able to use. However, by default, Tomcat places not only binaries, but also data (conf, logs, webapps, work, temp) in this directory (I think it's possible to run Tomcat with a different data directory by setting a different CATALINA_BASE env, but the Installer doesn't seem to do this).

This means e.g. if you have some passwords in your Tomcat config, every other user on the server will be able to read them (or, webapp binaries which you place in the webapps directory, etc.).
Of course, a user which installs a program on the server should know how to secure the data, but I think an Installer should make sure that by default, everything is secure.

So, in this case maybe it could display an option to automatically adjust file permissions, and if it is selected, adjust the directory ACLs of the "Tomcat 8" directory to only allow full access for "NT AUTHORITY\SYSTEM" and "BUILTIN\Administrators", but don't allow read access for ordinary users.
(For Example, if you install Microsoft SQL Server 2012, it will place binaries and data files into C:\Program Files\Microsoft SQL Server, but the setup adjusts the permissions for the DATA directory so that ordinary users can't access it.)

2) By default, the installer sets the Tomcat Service to run under the LocalSystem account which has administrative privileges.

Normally, Tomcat shouldn't run as root/Administrator user for security reasons. I think an alternative would be to run as NetworkService which is a user that exists by default and doesn't have administrative privileges (i.e. it has only normal user rights) [1].
AFAIK, this user can only be used to run services, but it cannot be used with things like the "runas" command so every other user will not be able to access data with NetworkUser privileges. (This is also done e.g. by VisualSVN Server - it runs as NetworkService.)

Note that in this case, if 1) is applied, the installer would need to additionally give full access to the NetworkService for the "Tomcat 8" directory.

3) When running the installer, it asks for the Server Shutdown port which has a value of "8005" by default. However, when running Tomcat as a service, the shutdown port is not needed as the daemon service wrapper implements the logic to shutdown Tomcat. Shouldn't the shutdown port in this case automatically set to "-1" to disable it, for security reasons? Otherwise other users would be able to shutdown Tomcat by connecting to the shutdown port.

What do you think?

[1] http://msdn.microsoft.com/en-us/library/windows/desktop/ms684272%28v=vs.85%29.aspx

Thanks & Regards,
Konstantin Preißer
Re: linking (limiting???)
Ray Holme wrote:
> > Hmm . . . . Lots of speculation here. How are the files referenced in your application? It seems that if the physical files are available, then the application works fine. If the physical files are not available, then the database has problems (firebird under xinetd, perhaps?) and you get 404 errors. Does the application scan a directory and populate the database on startup? Does the database need to know where the files are? Does the database need read access to the files?
>
> I have spent the night thinking about this. As I said before, these files have NOTHING to do with the database (located elsewhere and outside of the webapp, of course). They are accessed by either HTTPD or Apache/Tomcat (WHICH?).
>
> And therein may be the rub. Perhaps if the file is accessed by Apache/Tomcat (port 8080), they would be fine. Perhaps if HTTPD (port 80) tries to get them using /var/www/html/myApplication (a symbolic link to /opt/apache/webapps/MyApplication) it fails.
>
> If this makes sense (and it might), then it depends on how the file is going to be picked up - is there any write-up to figure out how this httpd VS apache/tomcat link works (I have no idea what modjk.so does except pass things back and forth between the two :: totally needed in Linux but not on a deployed application in MS-XP using port 8080 - perhaps exclusively without using port 80).
>
> If this does NOT make sense, then making the application run as tomcat (not root) does not make sense for improving this particular situation (agreed that I should do this and will immediately, but root -> tomcat should not change the link behavior - in any of the three scenarios (link, alias, virtual directory)).
>
> Once I get the tomcat user to run everything, I will try again and post the results.

I believe that you may be confused by this "Tomcat user" aspect of things, and you should maybe look at the issue from the other end.

The application (presumably) generates HTML pages, which are sent to a browser. In these pages, there are links to the "files" (images or whatever). What do those links look like in the HTML received by the browser ? (use : "view page source" or "copy link location"). And (to compare), what does a link look like, which points to some "executable" part of the application (a real java webapp servlet/jsp page) ?

Next, tell us how the browser accesses the application. Which hostname/port is it using ? And which server-side software answers to such links ? (does this link directly to Tomcat, or to Apache httpd which then forwards some (or all) requests to Tomcat ?)

Even if this is not really a Tomcat issue, people on this list may be able/willing to help you, but you have to provide precise and comprehensive information first, so that they do not have the impression of wasting their time following dead-ends.

Note that in any case, it is almost always a bad idea to allow an Apache httpd front-end to access any part of a Tomcat webapps directory directly (or via filesystem links). That is because then, it can completely bypass the Tomcat builtin access security mechanisms. (It is also not portable if some day you decide to run Apache httpd and Tomcat on separate hosts).

But it is certainly possible - and perhaps much easier in your case - to have Apache httpd only forward *some* links to Tomcat, and serve other documents (like your files or images) directly from within the Apache httpd DocumentRoot file structure. Which would remove the need to have these files hosted under the Tomcat webapps dir, which seems to be your ultimate goal if I have followed this correctly.
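The exposure described in the reply above (httpd reaching a Tomcat webapps directory through filesystem links) can be checked for on a host. The script below is an added example, not part of the original message or of any Tomcat or httpd tooling; the function name `find_webapps_links` is hypothetical and GNU `readlink -f` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): report symlinks below an Apache httpd
# DocumentRoot that resolve into a Tomcat webapps tree. Content reached that
# way is served by httpd itself, so Tomcat's security constraints never run.
# Assumptions: GNU readlink (-f); the function name is hypothetical.

# find_webapps_links DOCROOT WEBAPPS
#   prints "link -> resolved target" for every offending symlink
#   returns 0 if none were found, 1 if any were found,
#   2 if WEBAPPS cannot be resolved
find_webapps_links() {
    docroot=$1
    # Canonicalise once so the prefix test below compares resolved paths.
    webapps=$(readlink -f -- "$2") || return 2

    hits=$(
        # -H: descend into DOCROOT even when it is itself a symlink.
        # -type l: report links without following them.
        find -H "$docroot" -type l 2>/dev/null |
        while IFS= read -r link; do
            target=$(readlink -f -- "$link") || continue  # unresolvable link
            # Trailing slash stops /x/webapps2 from matching /x/webapps.
            case "$target/" in
                "$webapps"/*) printf '%s -> %s\n' "$link" "$target" ;;
            esac
        done
    )

    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage with the paths mentioned in the thread:
#   find_webapps_links /var/www/html /opt/apache/webapps
```

A clean result only covers filesystem links; an `Alias` or `DocumentRoot` directive that points into the webapps tree needs a review of the httpd configuration itself.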
Re: linking (limiting???)
> Hmm . . . . Lots of speculation here. How are the files referenced in your application? It seems that if the physical files are available, then the application works fine. If the physical files are not available, then the database has problems (firebird under xinetd, perhaps?) and you get 404 errors. Does the application scan a directory and populate the database on startup? Does the database need to know where the files are? Does the database need read access to the files?

I have spent the night thinking about this. As I said before, these files have NOTHING to do with the database (located elsewhere and outside of the webapp, of course). They are accessed by either HTTPD or Apache/Tomcat (WHICH?).

And therein may be the rub. Perhaps if the file is accessed by Apache/Tomcat (port 8080), they would be fine. Perhaps if HTTPD (port 80) tries to get them using /var/www/html/myApplication (a symbolic link to /opt/apache/webapps/MyApplication) it fails.

If this makes sense (and it might), then it depends on how the file is going to be picked up - is there any write-up to figure out how this httpd VS apache/tomcat link works (I have no idea what modjk.so does except pass things back and forth between the two :: totally needed in Linux but not on a deployed application in MS-XP using port 8080 - perhaps exclusively without using port 80).

If this does NOT make sense, then making the application run as tomcat (not root) does not make sense for improving this particular situation (agreed that I should do this and will immediately, but root -> tomcat should not change the link behavior - in any of the three scenarios (link, alias, virtual directory)).

Once I get the tomcat user to run everything, I will try again and post the results.

On , Ray Holme wrote:
I think I found out how to reply inline using yahoo. I hope. Trying anyway - NO, it will not let embed replies. BS.. I will copy paste.
Inline - per my usual: Yes Doc.

On 12/17/2013 10:23 AM, Ray Holme wrote:
> First: Thanks for clarifying my understanding of XML tags AND FIXING my typo.
> and apologies for top-posting - I had hoped I was making it easier by
> restating the crux of the problem and shortening everyone's read.
>
> AND for the record, yahoo is NO longer including the prior message which is what
> I intended originally. I am not sure when they changed things, but I am NOT a yahoo
> fan anymore.

I tried to get your message included above. I'm using yahoo for my mailing lists, all others end up in gmail. However I'm using Thunderbird and IMAP, so I can control how my mail works a bit better. I use yahoo for gmail but straight front end.

>
> BUT SO far, I have totally failed with linking - below is the detail.
> Quick recap - for those with shorter memories than even mine. :=<]
>
> "appName" has a top level directory .../webapps/appName/appName_tour"
> which contains a bunch of very large files - "a demo tour"
> the goal is to separate this from the WAR file
> (later in another app, I want photos separated for same reason
> BUT in the case HERE, the files are read only, nothing written to dir).
>
> a) try 1 - using links (moved the directory to /opt/appName_tour) and did a
> symbolic link
> under the application directory (MS systems cannot do this)
>
> --- .../webapps/appName/META-INF/context.xml contains 3 lines
>
>
>
>
> When I try to run the linked demo I get this in the popup window generated:
>
> HTTP Status 404 - /appName/appName_tour/appNamev3.html
> type Status report
> message /appName/appName_tour/appNamev3.html
> description The requested resource is not available.
> Apache Tomcat/7.0.35

So, a few questions are in order here:

1. Where did you get the Tomcat from?

STRAIGHT FROM THE APACHE TOMCAT DOWNLOAD SITE. I USED THE apache-tomcat-7.0.35.tar.gz and installed myself in /opt/

If it's from a distribution repackage, components get scattered all over. However this should not impact linking.

2. Are you running with SELinux enabled?

YES

If SELinux is enforcing and you've installed Tomcat from a distribution package, you may be running into SELinux issues. What does sealert say?

sealert is complaining about mandb and abrtd - nothing else (those were there a long time ago)

3. General permissions

Does the user running Tomcat have proper permissions for /opt/appName_tour? You'll need read/execute access for all intervening directories, and read access for the files.

OH YES. It was 755 and all files in it are 644. I am a newbie to some features of tomcat, but some might say a very old hand at Unix and then much later Linux admin.

4. What user is Tomcat running as?

Right now it is root, but I plan to change that soon - you wrote about systemd and I plan to go that way. There is a user and a group tomcat, but I am not using it yet. I was hoping to finish this link thing before moving on to do that right.

If you're b
RE: Redirection of mycompany.com to www.mycompany.com
Hi,

I have found what was happening, it was one of my colleagues who has put a filter and didn't remember doing that.

Thank you.

> Date: Tue, 17 Dec 2013 00:30:04 +0400
> Subject: Re: Redirection of mycompany.com to www.mycompany.com
> From: knst.koli...@gmail.com
> To: users@tomcat.apache.org
>
> 2013/12/16 James H. H. Lampert :
> > On 12/16/13 9:37 AM, pierre posset wrote:
> > My problem is that when in a browser I am writing mycompany.com I am redirected with to www.mycompany.com.
> >
> >
> > I could be way off-base here (it wouldn't be the first time!), but:
> >
> > It could also be that your browser thinks it's smarter than you are. I've
> > seen browsers apparently redirect themselves (without any redirect having
> > been set up) to variations on a URL, and/or to whatever is set as their
> > default search engine, but so far as I know, that usually only happens if
> > the browser can't resolve the URL as entered, or if the user didn't
> > explicitly type the protocol prefix on the URL.
>
> By the way, the setting name in Mozilla Firefox is
> "browser.fixup.alternate.enabled"
> I usually explicitly change this and "keyword.enabled" settings to the
> value of "false".
>
> http://www.mozilla.org/docs/end-user/domain-guessing.html
> http://kb.mozillazine.org/Keyword.enabled
>
>
> > Does it happen with other browsers? Does it happen if you try it from
> > someplace with a completely different web connection? Have you tried
> > explicitly typing the http:// or the https:// at the beginning of the URL?
> >