Re: Tomcat 7 Session Persistence disable not working as expected

2014-03-11 Thread Konstantin Kolinko
2014-03-10 10:58 GMT+04:00 Akash Jain akash.delh...@gmail.com:
 Christopher,

 I have changed in server.xml. Below is the server.xml part -

 <Context path=""
  docBase="ROOT"
  sessionCookieName="mycookie"
  sessionCookieDomain="myapp.mydomain.com"
  sessionCookiePath="/"
  useHttpOnly="true"
  reloadable="false">
 <WatchedResource>WEB-INF/web.xml</WatchedResource>
   <Manager pathname="" /> <!-- Disables session persistence -->
 </Context>

 As indicated above, I write JSESSIONID in mycookie cookie. Even after
 restart, the JSESSIONID is not getting invalidated. Before and after
 restart of apache, I can keep browsing the site with the same JSESSIONID in
 cookie.

This behaviour is expected for sessionCookiePath=/.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: CorsFilter denying some same-origin requests.

2014-03-11 Thread Richard Hart
Having re-read the specs I can see that trying to match origins by
resolving to IP addresses is not a good idea.

However, that still leaves us with a problem because Chrome sends an
Origin header for some same-origin requests. The CorsFilter denies
these requests if the origin is not in cors.allowed.origins.  We have
too many possible origins to be able to specify them all in the
deployment descriptor (and we don't want to allow all origins).

One solution would be to treat requests as non-CORS when the Origin
and Host headers match (having pre-appended the request scheme to the
Host header).
Do you think that this is something that Apache would consider
incorporating into the CORS filter? This would be preferable to
maintaining our own copy of the filter indefinitely.

Thanks
Richard

On Mon, Mar 10, 2014 at 3:55 PM, Mark Thomas ma...@apache.org wrote:
 On 10/03/2014 14:30, Richard Hart wrote:
 (Tomcat 7.0.50, Linux)

 Having recently enabled CORS support for our Tomcat-based web app
 using the provided CorsFilter, we have discovered a problem where some
 same-origin (i.e. non-CORS) requests from certain browsers (e.g.
 Chrome) are denied.  This is due to the browser setting the Origin
 header even though the request is non-CORS.  It turns out that this is
 in fact legal according to RFC 6454.

 Given the popularity of Tomcat and Chrome I was surprised to find
 little mention of this problem online.  Has anyone else encountered
 this problem?

 Our planned solution is to fork CorsFilter and modify it to allow
 requests for which the Origin and Host headers both resolve to the
 same IP address.  However, if somebody has already implemented a
 solution for this problem could you please let us know.

 If the Origin and Host headers don't match (even if they do resolve to
 the same IP address) isn't that a cross-origin request? In which case
 isn't the filter doing what it is meant to?

 Why isn't setting the cors.allowed.origins init parameter sufficient?

 Mark
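
The check proposed at the top of this message (treat a request as non-CORS when the Origin header equals the request scheme plus the Host header), as an added Java example; it is not Tomcat's CorsFilter code, and the class and method names are hypothetical. It also normalises case and default ports and fails closed on anything that is not a plain origin, which the message does not spell out.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Added example: hypothetical helper, not part of Tomcat's CorsFilter. */
public final class SameOriginCheck {

    private SameOriginCheck() {}

    /**
     * Returns true when the Origin header names the same scheme, host and
     * port as the request itself (scheme + Host header), so the request can
     * be treated as non-CORS. Unparsable input is treated as cross-origin.
     */
    public static boolean isSameOrigin(String scheme, String hostHeader, String originHeader) {
        if (scheme == null || hostHeader == null || originHeader == null) {
            return false;
        }
        String requestOrigin = normalise(scheme + "://" + hostHeader);
        String claimedOrigin = normalise(originHeader);
        return requestOrigin != null && requestOrigin.equals(claimedOrigin);
    }

    /** Canonical "scheme://host:port", or null if the value is not a plain origin. */
    static String normalise(String origin) {
        final URI uri;
        try {
            uri = new URI(origin.trim());
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return null; // also covers the opaque origin "null"
        }
        // An origin carries no user-info, path, query or fragment.
        if (uri.getRawUserInfo() != null || uri.getRawQuery() != null
                || uri.getRawFragment() != null) {
            return null;
        }
        String path = uri.getRawPath();
        if (path != null && !path.isEmpty()) {
            return null;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        if (port == -1) {
            // Fill in the default port so "host" and "host:443" compare equal.
            if ("http".equals(scheme)) {
                port = 80;
            } else if ("https".equals(scheme)) {
                port = 443;
            } else {
                return null;
            }
        }
        return scheme + "://" + host.toLowerCase(Locale.ROOT) + ":" + port;
    }

    public static void main(String[] args) {
        // Constructed sample headers: (request scheme, Host header, Origin header).
        String[][] samples = {
            {"https", "app.example.com", "https://app.example.com"},      // identical
            {"https", "app.example.com:443", "https://APP.example.com"},  // default port, case
            {"https", "app.example.com", "http://app.example.com"},       // scheme differs
            {"https", "app.example.com", "https://other.example.net"},    // host differs
            {"https", "app.example.com", "null"},                         // opaque origin
        };
        for (String[] s : samples) {
            System.out.println(s[2] + " vs " + s[0] + "://" + s[1]
                    + " -> sameOrigin=" + isSameOrigin(s[0], s[1], s[2]));
        }
    }
}
```

When a reverse proxy terminates TLS or rewrites the Host header, the scheme and host that Tomcat sees can differ from what the browser used, so the comparison has to be made against the externally visible values.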





Re: Tomcat and Spring Framework

2014-03-11 Thread Mark H. Wood
On Mon, Mar 10, 2014 at 09:32:05PM -0400, Rossen Stoyanchev wrote:
 On Mon, Mar 10, 2014 at 3:58 PM, Mark H. Wood mw...@iupui.edu wrote:
 
  It's probably worth asking what full-fledged enterprise applications
  means.  I'm not aware of any specification with that title.
 
 Indeed there is no such specification. The point is that Java enterprise
 development is not always defined nor does it have to be defined by specs.
 The spec development process is tricky at best. You have to do it not too
 early (ahead of experience) and not too late either.
 
 Open source is actually in a much better position to evolve continuously by
 capturing developer feedback and providing results quickly. So certainly
 don't discount just because it's not a spec.

I wasn't discounting Spring; I use it and like it.  I was discounting
empty phrases like full-fledged enterprise application which could
mean anything, or nothing.  When someone offers me support for
full-fledged enterprise applications I do not know what facilities
and APIs I can rely on; when someone offers me JEE 6 or Spring 3.2 or
something else with a definition, I do.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.




request.getRemoteAddr() sometimes returning IP address from the previous request

2014-03-11 Thread Clemens Wyss DEV
Hi all,
we are still facing this issue here
https://issues.apache.org/bugzilla/show_bug.cgi
as Mark Thomas points out
https://issues.apache.org/bugzilla/show_bug.cgi?id=51872#c16 
the bug is fixed.

Trying to find out what we are doing wrong I have the following questions:
1) as soon as a response is committed we should no longer access the 
corresponding request?
2) a response is committed (at latest) as soon as a byte is written into the 
response's writer?
3) which members of the request are volatile? Are these specified in the 
ServletRequest API?

Thx
Clemens




Re: request.getRemoteAddr() sometimes returning IP address from the previous request

2014-03-11 Thread Konstantin Kolinko
2014-03-11 18:16 GMT+04:00 Clemens Wyss DEV clemens...@mysign.ch:
 Hi all,
 we are still facing this issue here
 https://issues.apache.org/bugzilla/show_bug.cgi
 as Mark Thomas points out
 https://issues.apache.org/bugzilla/show_bug.cgi?id=51872#c16
 the bug is fixed.


Tomcat version = ?

 Trying to find out what we are doing wrong I have the following questions:
 1) as soon as a response is committed we should no longer access the 
 corresponding request?

There is no such requirement.

A requirement is that you should not access it once request processing
has been returned to Tomcat.

Once request processing finishes, the request object is recycled by
Tomcat and may be reused for a subsequent request. (The reuse can be
disabled via a system property, see RECYCLE_FACADES. I usually do so,
for better security).

 2) a response is committed (at latest) as soon as a byte is written into the 
 response's writer?

No. It happens when you explicitly flush it, or a buffer overflows. It
happens immediately if you have configured a buffer size of 0.

 3) which members of the request are volatile? Are these specified in the 
 ServletRequest API?

Not specified.

(I am talking about classic Servlet API. No async processing.)




Re: request.getRemoteAddr() sometimes returning IP address from the previous request

2014-03-11 Thread Mark Thomas
On 11/03/2014 14:16, Clemens Wyss DEV wrote:
 Hi all,
 we are still facing this issue here
 https://issues.apache.org/bugzilla/show_bug.cgi
 as Mark Thomas points out
 https://issues.apache.org/bugzilla/show_bug.cgi?id=51872#c16 
 the bug is fixed.
 
 Trying to find out what we are doing wrong I have the following questions:
 1) as soon as a response is committed we should no longer access the 
 corresponding request?

There are no such restrictions.

 2) a response is committed (at latest) as soon as a byte is written into the 
 response's writer?

A response is committed when the first byte is sent to the client.

 3) which members of the request are volatile? Are these specified in the 
 ServletRequest API?

Define what you mean by volatile.


The typical cause of this type of issue is retaining a reference to a
request and/or response (in a filter, in a session or similar) and then
trying to use the request or response object when processing a different
request/response pair.


It would help if you told us which Tomcat version you were using.


Mark
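
A simplified model of the failure mode described in the two replies above (a retained request reference read while a different request is being processed), as an added example; it is not Tomcat source code and every class name in it is hypothetical. `new Container(true)` models running with the system property `org.apache.catalina.connector.RECYCLE_FACADES=true`; the client addresses are constructed sample values.

```java
import java.util.function.Consumer;

/** Added example: a toy model of request-object reuse, not Tomcat code. */
public final class RecycledRequestDemo {

    /** Internal request object that the container reuses for every request. */
    static final class PooledRequest {
        private String remoteAddr;
        void begin(String addr) { remoteAddr = addr; }
        void recycle() { remoteAddr = null; }
        String getRemoteAddr() { return remoteAddr; }
    }

    /** The wrapper that application code receives. */
    static final class Facade {
        private PooledRequest target;
        Facade(PooledRequest target) { this.target = target; }
        void clear() { target = null; }
        String getRemoteAddr() {
            if (target == null) {
                throw new IllegalStateException("request has been recycled");
            }
            return target.getRemoteAddr();
        }
    }

    /** Minimal container: one pooled request, facade either reused or replaced. */
    static final class Container {
        private final boolean recycleFacades;
        private final PooledRequest pooled = new PooledRequest();
        private Facade facade = new Facade(pooled);

        Container(boolean recycleFacades) { this.recycleFacades = recycleFacades; }

        void service(String clientAddr, Consumer<Facade> handler) {
            pooled.begin(clientAddr);
            try {
                handler.accept(facade);
            } finally {
                pooled.recycle();              // request processing has finished
                if (recycleFacades) {
                    facade.clear();            // old facade becomes unusable
                    facade = new Facade(pooled);
                }
            }
        }
    }

    /** Runs two requests and reads the first one through a retained reference. */
    static String readThroughStaleReference(boolean recycleFacades) {
        Container container = new Container(recycleFacades);
        Facade[] retained = new Facade[1];     // stands for a filter field or session attribute
        String[] copied = new String[1];

        container.service("192.0.2.10", req -> {
            retained[0] = req;                 // BUG: the reference outlives the request
            copied[0] = req.getRemoteAddr();   // OK: the value is copied while the request is live
        });

        String[] viaStale = new String[1];
        container.service("198.51.100.7", req -> {
            try {
                viaStale[0] = retained[0].getRemoteAddr();
            } catch (IllegalStateException e) {
                viaStale[0] = "IllegalStateException (" + e.getMessage() + ")";
            }
        });
        return "stale reference -> " + viaStale[0] + ", copied value -> " + copied[0];
    }

    public static void main(String[] args) {
        System.out.println("facades reused:   " + readThroughStaleReference(false));
        System.out.println("facades recycled: " + readThroughStaleReference(true));
    }
}
```

With reused facades the stale reference silently reports the other client's address; with recycled facades the same access fails with an exception, which points directly at the code holding the reference.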





[Tomcat 6] Maximum webapps in one instance

2014-03-11 Thread philippe rouxel
Hi,

I use Tomcat in a RESTful application with cxf and spring. It works fine.

Actually, this application is deployed in a single web app.

My client asks if I can slip all the services (nearly 100): he wants a
webapp for each service.

So how many webapps can Tomcat support ?

Regards,

Philippe


AW: request.getRemoteAddr() sometimes returning IP address from the previous request

2014-03-11 Thread Clemens Wyss DEV
First of all: thanks for the quick replies! I appreciate it very much.

 It would help if you told us which Tomcat version you were using.
Tomcat 7.0.52, i.e. latest greatest

(The reuse can be disabled via a system property, see RECYCLE_FACADES. I 
usually do so, for better security)
Would I need to compile my own tomcat?

 Define what you mean by volatile.
the members of the request object that are recycled. To be honest, I have not 
yet looked into the tomcat sources.

To render we use velocity. The output is directly rendered into the 
response-writer. So the first byte written/rendered by velocity sets the 
response to committed (right?). AND yes we have templates in which we access 
request#getRemoteAddress (somewhere close to the end). 
So could it be that these accesses set the remoteAddress to the caller of the 
previous request?

Thx
Clemens




Files created by a Tomcat webapp and owner, owner group, permissions for this file

2014-03-11 Thread Lmhelp1
-- Files created by a Tomcat webapp and owner, owner group, permissions 
for this file --


Hello and thank you for reading my post.

I am running a Tomcat v6.0 webapp on a Debian 7.2 Wheezy OS.

In particular, this webapp creates some files on the filesystem.

The files created have:
- tomcat6 as the owner user,
- tomcat6 as the owner group,
- 644 as the permissions granted to the owner, the owner group and 
others respectively.


Is it possible to change this behavior?

What I like to do is:
- set the owner user to user1,
- set the owner group to group1,
- set the permissions to 660
for every new file created.

Best regards.
--
Léa Massiot




Re: [Tomcat 6] Maximum webapps in one instance

2014-03-11 Thread André Warnier

philippe rouxel wrote:


Hi,

I use Tomcat in a RESTful application with cxf and spring. It works fine.

Actually, this application is deployed in a single web app.

My client asks if I can slip all the services (nearly 100): he wants a
webapp for each service.

So how many webapps can Tomcat support ?


Supposing you mean split, not slip..

I do not think that there is any specific limit to the number of webapps, excepting total 
memory etc.
One thing to watch however is that this may change the behaviour of your code : one webapp 
is totally independent of another, so you cannot necessarily access the same things from 
pieces of your code, if you split it up in separate webapps.
You may also end up with a lot of duplication : for example if you have right now one part 
which parses parameters, you will have to do that in each webapp separately.

You will also have one WEB-INF/web.xml per webapp, etc..
Maybe the end result will make your application more modular and flexible, but it seems 
like a lot of tedious work.





Re: AW: request.getRemoteAddr() sometimes returning IP address from the previous request

2014-03-11 Thread Mark Thomas
On 11/03/2014 15:23, Clemens Wyss DEV wrote:
 First of all: thanks for the quick replies! I appreciate it very much.
 
 It would help if you told us which Tomcat version you were using.
 Tomcat 7.0.52, i.e. latest greatest

OK. That rules out all the known issues that might cause this.

 (The reuse can be disabled via a system property, see RECYCLE_FACADES. I 
 usually do so, for better security)
 Would I need to compile my own tomcat?

No, just set the system property as per the docs.

 Define what you mean by volatile.
 the members of the request object that are recycled. To be honest, I have 
 not yet looked into the tomcat sources.

Pretty much everything.

 To render we use velocity. The output is directly rendered into the 
 response-writer. So the first byte written/rendered by velocity sets the 
 response to committed (right?). AND yes we have templates in which we access 
 request#getRemoteAddress (somewhere close to the end). 
 So could it be that these accesses set the remoteAddress to the caller of 
 the previous request?

Unlikely unless those templates are somehow caching the request or the
result of getRemoteAddress().

Mark


 
 Thx
 Clemens
 


Re: Tomcat 7 Session Persistence disable not working as expected

2014-03-11 Thread Christopher Schultz

Konstantin,

On 3/11/14, 8:46 AM, Konstantin Kolinko wrote:
 2014-03-10 10:58 GMT+04:00 Akash Jain akash.delh...@gmail.com:
 Christopher,
 
 I have changed in server.xml. Below is the server.xml part -
 
 <Context path="" docBase="ROOT" sessionCookieName="mycookie" 
 sessionCookieDomain="myapp.mydomain.com" sessionCookiePath="/" 
 useHttpOnly="true" reloadable="false">
 <WatchedResource>WEB-INF/web.xml</WatchedResource> <Manager
 pathname="" /> <!-- Disables session persistence --> </Context>
 
 As indicated above, I write JSESSIONID in mycookie cookie. Even
 after restart, the JSESSIONID is not getting invalidated. Before
 and after restart of apache, I can keep browsing the site with
 the same JSESSIONID in cookie.
 
 This behaviour is expected for sessionCookiePath=/.

Also:

1. The client is responsible for expiring cookies, not the server
2. A client request for a session does not imply that the session is
still valid on the server

-chris



Re: Files created by a Tomcat webapp and owner, owner group, permissions for this file

2014-03-11 Thread Christopher Schultz

Léa,

On 3/11/14, 12:31 PM, Lmhelp1 wrote:
 -- Files created by a Tomcat webapp and owner, owner group,
 permissions for this file --
 
 Hello and thank you for reading my post.
 
 I am running a Tomcat v6.0 webapp on a Debian 7.2 Wheezy OS.
 
 In particular, this webapp creates some files on the filesystem.
 
 The files created have: - tomcat6 as the owner user, - tomcat6
 as the owner group, - 644 as the permissions granted to the owner,
 the owner group and others respectively.
 
 Is it possible to change this behavior?
 
 What I like to do is: - set the owner user to user1, - set the
 owner group to group1, - set the permissions to 660 for every new
 file created.

You can set the file permissions (bits) by setting the umask of the
process.

When creating files, the process uid and gid are used as defaults for
ownership. If you want to use user1 and group1, then you should
run Tomcat under those uid and gid settings.

I'm unaware of any setting which will allow a process to run under one
uid but files created by that process are owned by another user. You
might be able to get away with a cron process that re-assigns
ownership of the files periodically.

-chris



Re: Files created by a Tomcat webapp and owner, owner group, permissions for this file

2014-03-11 Thread André Warnier

Lmhelp1 wrote:
-- Files created by a Tomcat webapp and owner, owner group, permissions 
for this file --


Hello and thank you for reading my post.

I am running a Tomcat v6.0 webapp on a Debian 7.2 Wheezy OS.

In particular, this webapp creates some files on the filesystem.

The files created have:
- tomcat6 as the owner user,
- tomcat6 as the owner group,
- 644 as the permissions granted to the owner, the owner group and 
others respectively.


Is it possible to change this behavior?

What I like to do is:
- set the owner user to user1,
- set the owner group to group1,
- set the permissions to 660
for every new file created.



It sounds like you have installed Tomcat 6, using the standard Ubuntu/Debian tomcat 
package (apt-get etc..).
That package is the one that specifies the user/group under which this Tomcat is running 
(in reality it is the java JVM which is running, and the JVM runs Tomcat and webapp code).
Since the JVM is started under the user/group tomcat6, when the webapp creates a file, 
it uses that user/group, and the umask of that user, to set the file ownership and 
permissions.
To change this, you would have to change the user-id/group under which Tomcat is started 
(in /etc/init.d/tomcat6).
However, the Debian Tomcat package creates a lot of files in different places in the 
filesystem, each with user/group tomcat6, and corresponding permissions.
So it is going to be a lot of work to change all that and still have your Tomcat running 
properly.


It would probably be better, and less work in the end, to remove this packaged tomcat, and 
install a real tomcat, from the Tomcat website.
Then you can specify a user-id under which to run, without getting in trouble with all the 
pre-installed files all over the place.


There may be other options (such as using ACLs on the directory where the files are 
created), but they are quite difficult to recommend without having access to your server.


The other thing is : do you have the code of that webapp and could you change 
it ?
And why do the files have to be owned by user1/group1 ? Is it because some other process 
must be able to read/write them ?
Can you not give to this other process the permissions to read/write the files of 
tomcat6/tomcat6 ? That may be easier to achieve.







Re: Files created by a Tomcat webapp and owner, owner group, permissions for this file

2014-03-11 Thread Lmhelp1

Thank you for your answers.

 It sounds like you have installed Tomcat 6, using the standard 
Ubuntu/Debian tomcat package (apt-get etc..).


Yes indeed.

 That package is the one that specifies the user/group under which 
this Tomcat is running (in reality it is the java JVM which is running, 
and the JVM runs Tomcat and webapp code).
 Since the JVM is started under the user/group tomcat6, when the 
webapp creates a file, it uses that user/group, and the umask of that 
user, to set the file ownership and permissions.


Yes, it looks like this is it.

 To change this, you would have to change the user-id/group under 
which Tomcat is started (in /etc/init.d/tomcat6).
 However, the Debian Tomcat package creates a lot of files in 
different places in the filesystem, each with user/group tomcat6, and 
corresponding permissions.
 So it is going to be a lot of work to change all that and still have 
your Tomcat running properly.


All right, I won't do this then.

 It would probably be better, and less work in the end, to remove this 
packaged tomcat, and install a real tomcat, from the Tomcat website.
 Then you can specify a user-id under which to run, without getting in 
trouble with all the pre-installed files all over the place.


Thank you, I understand. But I'm not going to do this either.

 There may be other options (such as using ACLs on the directory where 
the files are created), but they are quite difficult to recommend 
without having access to your server.


I do have full access to the server...
I'm interested in this solution but I couldn't find a way to force the 
file owner, owner group and permissions for a given directory using 
setfacl.

I know this forum is not about ACLs but can you assist me on doing this?

 The other thing is : do you have the code of that webapp and could 
you change it ?


Yes, I can.

 And why do the files have to be owned by user1/group1 ? Is it because 
some other process must be able to read/write them ?


The other process is me :)
The webapp stores files in a directory.
I, as a human, check these files.
And when I'm ready, I put them manually in another directory (in the 
WebContent directory of the webapp to be more precise).

I just do not want to put the files directly online.

 Can you not give to this other process the permissions to read/write 
the files of tomcat6/tomcat6 ? That may be easier to achieve.


Yes, well, if I log in as tomcat6, it will work.

Best regards,
--
Léa
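
Since the webapp code can be changed, the permission bits (and, within limits, the group) can also be set by the code that writes the file rather than through the process umask. An added example, not from the thread: it assumes Java 7 or later (`java.nio.file`) and a POSIX filesystem, and the class name, method and sample file name are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.GroupPrincipal;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Added example: hypothetical helper for files a webapp stores for manual review. */
public final class ReviewFileWriter {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rw-------");
    private static final Set<PosixFilePermission> OWNER_AND_GROUP =
            PosixFilePermissions.fromString("rw-rw----");   // mode 660

    private ReviewFileWriter() {}

    /**
     * Creates dir/name with mode 660. The owner is always the user the JVM
     * runs as (tomcat6 in the thread). If groupName is non-null the file's
     * group is changed to it, which only works when the JVM user is a member
     * of that group.
     */
    public static Path write(Path dir, String name, byte[] content, String groupName)
            throws IOException {
        Path base = dir.toAbsolutePath().normalize();
        Path file = base.resolve(name).normalize();
        if (!file.startsWith(base)) {
            throw new IOException("refusing to write outside " + base);
        }

        // Create owner-only first: nobody else can read the file while it is
        // being written. Fails if the file already exists.
        Path created = Files.createFile(file, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        Files.write(created, content);

        if (groupName != null) {
            GroupPrincipal group = created.getFileSystem()
                    .getUserPrincipalLookupService()
                    .lookupPrincipalByGroupName(groupName);
            Files.getFileAttributeView(created, PosixFileAttributeView.class).setGroup(group);
        }

        // Permissions requested at creation time are reduced by the process
        // umask; an explicit change afterwards is not, so 660 is set here.
        Files.setPosixFilePermissions(created, OWNER_AND_GROUP);
        return created;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory and file name.
        Path dir = Files.createTempDirectory("review-");
        Path f = write(dir, "upload-0001.txt",
                "sample content".getBytes(StandardCharsets.UTF_8), null);
        System.out.println(f + " "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(f)));
    }
}
```

Changing the owner to a different user is not possible from an unprivileged process, so only the mode and the group are handled here.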





Re: [Tomcat 6] Maximum webapps in one instance

2014-03-11 Thread Christopher Schultz

Philippe,

On 3/11/14, 11:03 AM, philippe rouxel wrote:
 I use Tomcat in a RESTful application with cxf and spring. It
 works fine.
 
 Actually, this application is deployed in a single web app.
 
 My client asks if I can slip all the services (nearly 100): he wants
 a webapp for each service.
 
 So how many webapps can Tomcat support ?

There is a practical limit of 2^31 contexts that Tomcat can support,
since Tomcat keeps all contexts in an array which has a 2^31 entry
limit. I'm not sure if that counts parallel versions of the same context.

Basically, you are limited to whatever you can fit in memory. Tomcat
itself can run in about 12MiB of heap. Your web application will
likely require much more than that, so hosting a large number of them
will require an appropriately-sized heap.

-chris



Re: Files created by a Tomcat webapp and owner, owner group, permissions for this file

2014-03-11 Thread André Warnier

Lmhelp1 wrote:
...



  The other thing is : do you have the code of that webapp and could 
you change it ?


Yes, I can.

  And why do the files have to be owned by user1/group1 ? Is it because 
some other process must be able to read/write them ?


The other process is me :)
The webapp stores files in a directory.
I, as a human, check these files.
And when I'm ready, I put them manually in another directory (in the 
WebContent directory of the webapp to be more precise).

I just do not want to put the files directly online.

  Can you not give to this other process the permissions to read/write 
the files of tomcat6/tomcat6 ? That may be easier to achieve.


Yes, well, if I log in as tomcat6, it will work.



Maybe easier :
supposing that your user-id is lmhelp1.
Do adduser lmhelp1 tomcat6
(that will add your user-id to the group tomcat6).
Then logout, and login again.
Then you would already have the permissions to read/write any file that has the 
appropriate permissions to allow this for the group tomcat6.

That may be enough for what you need to do.




Re: AW: request.getRemoteAddr() sometimes returning IP address from the previous request

2014-03-11 Thread Christopher Schultz

Clemens,

On 3/11/14, 11:23 AM, Clemens Wyss DEV wrote:
 First of all: thanks for the quick replies! I appreciate it very
 much.
 
 It would help if you told us which Tomcat version you were
 using.
 Tomcat 7.0.52, i.e. latest greatest
 
 (The reuse can be disabled via a system property, see 
 RECYCLE_FACADES. I usually do so, for better security)
 Would I need to compile my own tomcat?
 
 Define what you mean by volatile.
 the members of the request object that are recycled. To be
 honest, I have not yet looked into the tomcat sources.
 
 To render we use velocity. The output is directly rendered into
 the response-writer. So the first byte written/rendered by velocity
 sets the response to committed (right?).

Not unless you have disabled all buffering.

Are you using any of the Velocity Tools stuff, like
VelocityViewServlet or VelocityLayoutServlet?

 AND yes we have templates in which we access
 request#getRemoteAddress (somewhere close to the end).

It should not matter. As long as you aren't storing the result of
request.remoteAddress anywhere, Velocity won't cache it anywhere.

 So could it be that these accesses set the remoteAddress to the 
 caller of the previous request?

This shouldn't happen. But if you play games with storing request
objects in various places, you could have a problem. This is why I
asked about using VelocityViewServlet. Did you roll your own Velocity
servlet? If so, you may have made a mistake building your
VelocityContext which ends up using the wrong request object.

-chris



Re: Passing additional parameters using j_security_check (Form based authentication)

2014-03-11 Thread Christopher Schultz

Neeraj,

On 3/8/14, 2:06 AM, Neeraj Sinha wrote:
 Chris,
 
 On 7 March 2014 21:43, Christopher Schultz
 ch...@christopherschultz.net wrote:
 
 Neeraj,
 
 On 3/6/14, 4:34 AM, Neeraj Sinha wrote:
 I have a jsp application and my tomcat version is 7.0.34. 
 Authentication is done using *Form based authentication.*
 
 My requirement is as follows:
 
 When user's account gets locked, he has to send an unlock
 request and he gets a link in his registered email id
 clicking on which takes him to unlocking page (let's say
 *unlock.jsp*) which has 3 fields namely *username*, *password*
 and *unlock_code* and a submit button. After submission, once
 unlocked successfully the user should land to home page of
 the application.

How are you checking the username and password? If you are letting
Tomcat check that, you could make unlock.jsp protected so that the URL
points to https:///unlock.jsp?code=[unlock_code]. After
authentication, Tomcat will redirect the user to the original URL --
which will include the unlock code.

- -chris



RE: The Service Component

2014-03-11 Thread Jeffrey Janner
 -Original Message-
 From: Leo Donahue [mailto:donahu...@gmail.com]
 Sent: Monday, March 10, 2014 4:21 PM
 To: Tomcat Users List
 Subject: Re: The Service Component
 
 On Mon, Mar 10, 2014 at 7:26 AM, Jeffrey Janner
 jeffrey.jan...@polydyne.com
  wrote:
 
   -Original Message-
   From: Leo Donahue [mailto:donahu...@gmail.com]
   Sent: Friday, March 07, 2014 9:44 AM
   To: users@tomcat.apache.org
   Subject: The Service Component
  
   Who uses more than one Service in their server.xml and why?  I get
   that you can have multiple Connectors if you have multiple Service
   components but why use multiple connectors?
  
   Are there any docs on the use cases for these features?
  
 
  Hi Leo,
  I may be the only person on this list who does this consistently.
  I use it as an alternative method of virtual hosting, i.e. each host
  gets its own Service and related sub-structure.
 
 
 You are lucky you have control over that.  I have no luck asking our
 data center to add another host entry to our web server.  I always ask
 them, isn't it easier than asking you for another vm?  :)
And it wastes a hellofalot fewer resources.





Tomcat 8.0

2014-03-11 Thread Gallegos, Alfonso
Does anyone have an idea when the first stable version of tomcat 8 will be 
released?

Thanks.



RE: tomcat 6 refuses mod_jk connections after server runs for a couple of days

2014-03-11 Thread Isaac Gonzalez


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, March 07, 2014 8:18 AM
To: Tomcat Users List
Subject: Re: tomcat 6 refuses mod_jk connections after server runs for a couple 
of days




On 3/6/14, 7:39 AM, Daniel Mikusa wrote:
 On Mar 5, 2014, at 4:51 PM, Isaac Gonzalez igonza...@autoreturn.com 
 wrote:
 
 
 
 -Original Message- From: Daniel Mikusa 
 [mailto:dmik...@gopivotal.com] Sent: Tuesday, March 04, 2014
 12:42 PM To: Tomcat Users List Subject: Re: tomcat 6 refuses mod_jk 
 connections after server runs for a couple of days
 
 On Mar 4, 2014, at 1:55 PM, Isaac Gonzalez igonza...@autoreturn.com 
 wrote:
 
 Dan,
 
  From: Daniel Mikusa 
 [dmik...@gopivotal.com] Sent: Tuesday, March 04, 2014 6:20 AM
 To: Tomcat Users List Subject: Re: tomcat 6 refuses mod_jk 
 connections after server runs for a couple of days
 
 On Mar 4, 2014, at 6:32 AM, Rainer Jung rainer.j...@kippdata.de 
 wrote:
 
 On 27.02.2014 23:06, Isaac Gonzalez wrote:
 Hi Christopher(and Konstantin), attached is a couple of thread 
 dumps of when we experienced the issue again today.
 I also noticed we get this message right before the problem
 occurs: Feb 27, 2014 12:47:15 PM
 org.apache.tomcat.util.threads.ThreadPool$ControlRunnable
 run SEVERE: Caught exception (java.lang.OutOfMemoryError:
 unable to create new native thread) executing 
 org.apache.jk.common.ChannelSocket$SocketAcceptor@177ddea,
  terminating thread
 
 Is it a 32Bit system? You have 2GB of heap plus Perm plus native 
 memory needed by the process plus thread stacks. Not unlikely, that 
 you ran out of memory address space for a 32 bit process.
 
 The only fixes would then be:
 
 - switch to a 64 bit system
 
 - reduce heap if the app can work with less
 
 - improve performance or eliminate bottlenecks so that the app 
 works with fewer threads
 
 - limit your connector thread pool size. That will still mean that 
 if requests begin to queue because of performance problems, the web 
 server can't create additional connections, but you won't get in an 
 irregular situation as you experience now. In that case you would 
 need to configure a low idle timeout for the connections on the JK 
 and TC side.
 
 It may also be possible to lower the thread stack size with the -Xss 
 option.
 
 Ok so we are 64 bit Linux with 1024k in the 64-bit VM, would 
 lowering it to 64k be a bit too low? What sort of repercussions 
 would we run into? Very helpful information by the way.
 
 It depends on your apps, so you'll need to test and see.  If you go 
 too low, you'll get StackOverflow exceptions.  If you see those, just 
 gradually increase until they go away.
 
 Dan
 
 
 
 -Isaac
 
 
 http://www.oracle.com/technetwork/java/hotspotfaq-138619.html#threads_oom
 
 Might buy you some room for a few additional threads.
 
 Dan
 
 
 Regards,
 
 Rainer
 
 
 
 
 Ok so the problem just happened again just now. Dan, Can you 
 elaborate on how to configure limiting the connector thread pool 
 size. I am also going to lower the thread stack size as you 
 recommended. It seems like this problem creeps up when we have a 
 hiccup in connectivity at our data center. Perhaps I also need to 
 lower the idle timeout some more between tomcat and mod_jk. They are 
 also between a firewall by the way, so I can configure a timeout 
 between the two there as well. We aren't experiencing too many idle 
 disconnects there.
 
 See maxConnections / maxThreads on the Connector tag.
 
 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Standard_Implementation
 
 or Executor if you're using an executor.
 
 http://tomcat.apache.org/tomcat-7.0-doc/config/executor.html

... and you definitely *should* be using a manually-configured Executor.

- -chris

Chris, why should I be using a connector since we are only having users use the 
single 8009 AJP connection on each tomcat instance? I am the only one that uses 
the 8080 connector for troubleshooting and monitoring purposes. Is it mainly to 
help recycle unused threads?

-Isaac