Tomcat 6 JDBCStore session keep being reset
Hi all,

We are having problems debugging our implementation of JDBCStore session persistence. We followed the guide from this post http://www.intelligrape.com/blog/2010/07/21/tomcat-6-session-persistence-through-jdbcstore/ and it works on our local machines and our test servers. When we move it to our production server, our sessions get reset randomly. We have been trying to find out what went wrong without success.

All our setups use:
- Tomcat 6.0.39 using APR connector on port 8443 (SSL) and 8080
- Oracle Java 1.7.0_60-b19
- MySQL connector 5.1.21
- Application server timeout is set to 30min
- Application is running using Spring Framework and Spring Security
- Test and Production servers running on Linode with private IP to communicate between servers
- We have Zabbix monitoring all our production and test servers by pinging the app every minute (not sure how this can relate to the issue)

Content of our conf/context.xml for the app servers is similar to the one below, while our standalone solr servers do not have the persistent manager set up.

Production Environment
- 1 db server (64bit)
- 1 app server (32bit) connected to db server
- 2 app servers (64bit) connected to db server
- 2 solr servers (64bit) connected to db server

Test Environment (all 64bit)
- 1 app+solr+db server (combined)
- 1 app+solr server connected to db server

Is there any advice on how to debug our issue? Or is there some obvious configuration issue that we have?

Thanks for all the advice beforehand.

Johanes
Re: server.xml socketBuffer setting
On 6/17/2014 11:34 AM, David kerber wrote:
> Running TC 7.0.54 as a service with JRE 7u60, on Windows Server 2008 R2.
>
> What should I use as a guideline for setting the socketBuffer setting in server.xml? Should it just be big enough to handle a single response with a little headroom? Or does it handle more than one response at a time?
>
> My app receives tons (up to several hundred per second) of small (<200 bytes) requests, and returns an even smaller response, typically around 50 bytes, and no more than 100. So can I use a small socketBuffer setting without hurting my performance, or will a larger setting gain me something? Right now my socketBuffer setting is 16384.
>
> The reason I ask is that today for the first time I received an error in a separate command line java app that runs on this same machine: "java.net.SocketException: No buffer space available (maximum connections reached?): connect". And I'm trying to determine if tuning my buffer size, or the number of sockets is the better first step toward solving it.
>
> Thanks for any suggestions!

Nobody has any information on sizing the socketBuffer value?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 8.0.5 Windows 7 service removal is incomplete
Thanks Jeffrey.

I managed to locate the Tomcat8 Windows Service using MSCONFIG. I also discovered that the Tomcat installer installed to the default location c:\Program Files (x86) in addition to the folder that I specified as my preferred location. (As a Java veteran I still never use folder names with spaces in them.)

Once I recognised that the Tomcat Start Up entry on MSCONFIG's Startup tab appeared as "Commons Daemon Service Manager" I was able to deselect it and that stopped the error messages.

-----Original Message-----
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Sent: Wednesday, June 18, 2014 11:50 AM
To: 'Tomcat Users List'; 'ge...@gerrymatte.ca'
Subject: RE: Tomcat 8.0.5 Windows 7 service removal is incomplete

> -----Original Message-----
> From: Gerry Matte [mailto:ge...@gerrymatte.ca]
> Sent: Wednesday, June 18, 2014 11:53 AM
> To: users@tomcat.apache.org
> Subject: Tomcat 8.0.5 Windows 7 service removal is incomplete
>
> On May 21, I installed the windows service version of tomcat 8.0.5 in order to test an application which required it.
> I installed the version that creates a windows service named Tomcat8
>
> I subsequently discovered the application was tested with tomcat7 so I removed the service using "[CATALINA_HOME]\bin\service.bat remove"
> The following day, when I started my PC I encountered a startup error popup saying "The specified service does not exist. Unable to open an installed service named Tomcat8"
>
> I reinstalled the service using "[CATALINA_HOME]\bin\service.bat install" and then uninstalled it using the command "[CATALINA_HOME]\bin\tomcat8 //DS//Tomcat8" as documented on the tomcat website at http://tomcat.apache.org/tomcat-8.0-doc/windows-service-howto.html ("Removing Services")
>
> When I restart my PC, I still encounter the error popup message.
>
> I used MSCONFIG to look for a phantom startup request for Tomcat8 but it did not seem to be present on the list of start-ups.
>
> Can anyone suggest what else I can do to expunge the Tomcat8 service?
> Thanks
> Gerry Matte

Gerry -
I'm not 100% sure about this, but it sounds like the error message you get when the service manager starts up (Tomcat8w, sits in the system tray). You don't mention how you did the original install, but the binary installer installs this service manager, along with Start Menu entries, etc. If you used the binary installer, use add/remove programs to remove everything it did for you. Otherwise, it's a trip down the registry tree looking for RUN/RUNONCE entries.

Jeff

p.s. I'm a big believer in using the binary installer. It does almost everything I need these days. Kudos to the developer who maintains this.
RE: Tomcat 8.0.5 Windows 7 service removal is incomplete
> -----Original Message-----
> From: Gerry Matte [mailto:ge...@gerrymatte.ca]
> Sent: Wednesday, June 18, 2014 11:53 AM
> To: users@tomcat.apache.org
> Subject: Tomcat 8.0.5 Windows 7 service removal is incomplete
>
> On May 21, I installed the windows service version of tomcat 8.0.5 in order to test an application which required it.
> I installed the version that creates a windows service named Tomcat8
>
> I subsequently discovered the application was tested with tomcat7 so I removed the service using "[CATALINA_HOME]\bin\service.bat remove"
> The following day, when I started my PC I encountered a startup error popup saying "The specified service does not exist. Unable to open an installed service named Tomcat8"
>
> I reinstalled the service using "[CATALINA_HOME]\bin\service.bat install" and then uninstalled it using the command "[CATALINA_HOME]\bin\tomcat8 //DS//Tomcat8" as documented on the tomcat website at http://tomcat.apache.org/tomcat-8.0-doc/windows-service-howto.html ("Removing Services")
>
> When I restart my PC, I still encounter the error popup message.
>
> I used MSCONFIG to look for a phantom startup request for Tomcat8 but it did not seem to be present on the list of start-ups.
>
> Can anyone suggest what else I can do to expunge the Tomcat8 service?
> Thanks
> Gerry Matte

Gerry -
I'm not 100% sure about this, but it sounds like the error message you get when the service manager starts up (Tomcat8w, sits in the system tray). You don't mention how you did the original install, but the binary installer installs this service manager, along with Start Menu entries, etc. If you used the binary installer, use add/remove programs to remove everything it did for you. Otherwise, it's a trip down the registry tree looking for RUN/RUNONCE entries.

Jeff

p.s. I'm a big believer in using the binary installer. It does almost everything I need these days. Kudos to the developer who maintains this.
Tomcat 8.0.5 Windows 7 service removal is incomplete
On May 21, I installed the windows service version of tomcat 8.0.5 in order to test an application which required it.
I installed the version that creates a windows service named Tomcat8

I subsequently discovered the application was tested with tomcat7 so I removed the service using "[CATALINA_HOME]\bin\service.bat remove"
The following day, when I started my PC I encountered a startup error popup saying "The specified service does not exist. Unable to open an installed service named Tomcat8"

I reinstalled the service using "[CATALINA_HOME]\bin\service.bat install" and then uninstalled it using the command "[CATALINA_HOME]\bin\tomcat8 //DS//Tomcat8" as documented on the tomcat website at http://tomcat.apache.org/tomcat-8.0-doc/windows-service-howto.html ("Removing Services")

When I restart my PC, I still encounter the error popup message.

I used MSCONFIG to look for a phantom startup request for Tomcat8 but it did not seem to be present on the list of start-ups.

Can anyone suggest what else I can do to expunge the Tomcat8 service?

Thanks
Gerry Matte
Re: How To Redirect a URL
Thank you

On Wed, Jun 18, 2014 at 12:40 PM, Mark Eggers wrote:
> On 6/18/2014 9:20 AM, Lou Henry wrote:
> > I am fairly new to configuring apache web servers. Currently, I have a vanity url set up in an Apache Load Balancer and that goes to a WebLogic Cluster running a portal website. I would like to redirect this url to an antivirus server first. The antivirus server will do its thing and if it's clean, it will direct it to the portal that's running the WebLogic Cluster.
> >
> > What's the best way to redirect the url that is running on the apache load balancer to the antivirus server?
> >
> > Thank you for any information that can be provided.
> >
> > Regards,
>
> This is the Apache Tomcat mailing list.
>
> I think the mailing list you're interested in is the Apache HTTPD mailing list.
>
> That said, take a look at Redirect directives that are provided with mod_alias.
>
> . . . just my two cents
> /mde/
Re: How To Redirect a URL
On 6/18/2014 9:20 AM, Lou Henry wrote:
> I am fairly new to configuring apache web servers. Currently, I have a vanity url set up in an Apache Load Balancer and that goes to a WebLogic Cluster running a portal website. I would like to redirect this url to an antivirus server first. The antivirus server will do its thing and if it's clean, it will direct it to the portal that's running the WebLogic Cluster.
>
> What's the best way to redirect the url that is running on the apache load balancer to the antivirus server?
>
> Thank you for any information that can be provided.
>
> Regards,

This is the Apache Tomcat mailing list.

I think the mailing list you're interested in is the Apache HTTPD mailing list.

That said, take a look at Redirect directives that are provided with mod_alias.

. . . just my two cents
/mde/
How To Redirect a URL
I am fairly new to configuring apache web servers. Currently, I have a vanity url set up in an Apache Load Balancer and that goes to a WebLogic Cluster running a portal website. I would like to redirect this url to an antivirus server first. The antivirus server will do its thing and if it's clean, it will direct it to the portal that's running the WebLogic Cluster.

What's the best way to redirect the url that is running on the apache load balancer to the antivirus server?

Thank you for any information that can be provided.

Regards,
Fwd: Regarding JSESSIONIDSSO Cookie maintained by tomcat
Please get me out of the mailing list. Thank you.

---------- Forwarded message ----------
From: Konstantin Preißer
Date: 2014-06-19 0:05 GMT+08:00
Subject: RE: Regarding JSESSIONIDSSO Cookie maintained by tomcat
To: Tomcat Users List

Hi,

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, June 18, 2014 4:23 PM
> To: Tomcat Users List
> Subject: Re: Regarding JSESSIONIDSSO Cookie maintained by tomcat
>
> Konstantin,
>
> On 6/18/14, 5:34 AM, Konstantin Kolinko wrote:
> > 2014-06-18 11:57 GMT+04:00 Konstantin Kolinko:
> >>>
> >>> HTTP/1.1 302 Found
> >>> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
> >>> Pragma: No-cache
> >>> Cache-Control: no-cache
> >>> Expires: Thu, 01 Jan 1970 00:00:00 UTC
> >>> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
> >>> Location: https://X.Y.A.B/admin/login.jsp
> >>> Content-Length: 0
> >>> Date: Tue, 17 Jun 2014 16:21:17 GMT
> >>> Server: XYZ
> >>>
> >>
> >> With that value of "Expires" the cookie is actually being cleared, not set.
> >>
> >
> > The 'Secure' flag says that the browser should never send the cookie to the server over a non-secure connection.
> >
> > When the cookie is being cleared, the "Secure" flag is irrelevant, as the cookie will not be sent back by the browser.
>
> +1
>
> > The "HttpOnly" flag says that the cookie should not be accessible from Javascript code running in the browser. If the cookie is being deleted, is there a way to access it from Javascript? I think that there is no such way.
>
> +1
>
> I think this is a spurious error being flagged by the security scanner. Adding "HttpOnly" and "Secure" flags to the "expire" Set-Cookie header is just a waste of bytes because they have no effect whatsoever on what the client does with the cookie (it always deleted it, unless the system clock is set horribly wrong).

I haven't followed all of this discussion, but as for deleting a Cookie, I think the problem is that there isn't an explicit "Delete-Cookie" header; instead the server has to send the cookie name with an "Expires" flag that is in the past.

In this case, I think if the original cookie contained a "Secure" and "HttpOnly" flag, then the Set-Cookie header which deletes the cookie by setting an "Expire" date in the past also should set the "Secure" and "HttpOnly" flags. Although it is unlikely that the client will send back a Cookie which expires in 1970, it would be possible if the client's system date is set wrong, so IMHO this is not an exact "delete this cookie" instruction and therefore the "Expire" Set-Cookie header should include the same HttpOnly and Secure flags that were included in the original Set-Cookie header.

Also, when deleting a cookie, I think it might be better to send a Set-Cookie header with an empty value, so that the value is overwritten by the browser if for some reason the cookie is not yet expired. E.g., instead of

Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT

the server could send:

Set-Cookie: JSESSIONIDSSO=; Expires=Thu, 01-Jan-1970 00:00:10 GMT

(RFC6265 Section 3.1 shows an example where a cookie is deleted this way)

Regards,
Konstantin Preißer

--
Best regards
---
School of Software, Sun Yat-sen University, 132 East Waihuan Road, Guangzhou Higher Education Mega Center, Guangzhou 510006, P.R.China
RE: Regarding JSESSIONIDSSO Cookie maintained by tomcat
Hi,

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, June 18, 2014 4:23 PM
> To: Tomcat Users List
> Subject: Re: Regarding JSESSIONIDSSO Cookie maintained by tomcat
>
> Konstantin,
>
> On 6/18/14, 5:34 AM, Konstantin Kolinko wrote:
> > 2014-06-18 11:57 GMT+04:00 Konstantin Kolinko:
> >>>
> >>> HTTP/1.1 302 Found
> >>> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
> >>> Pragma: No-cache
> >>> Cache-Control: no-cache
> >>> Expires: Thu, 01 Jan 1970 00:00:00 UTC
> >>> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
> >>> Location: https://X.Y.A.B/admin/login.jsp
> >>> Content-Length: 0
> >>> Date: Tue, 17 Jun 2014 16:21:17 GMT
> >>> Server: XYZ
> >>>
> >>
> >> With that value of "Expires" the cookie is actually being cleared, not set.
> >>
> >
> > The 'Secure' flag says that the browser should never send the cookie to the server over a non-secure connection.
> >
> > When the cookie is being cleared, the "Secure" flag is irrelevant, as the cookie will not be sent back by the browser.
>
> +1
>
> > The "HttpOnly" flag says that the cookie should not be accessible from Javascript code running in the browser. If the cookie is being deleted, is there a way to access it from Javascript? I think that there is no such way.
>
> +1
>
> I think this is a spurious error being flagged by the security scanner. Adding "HttpOnly" and "Secure" flags to the "expire" Set-Cookie header is just a waste of bytes because they have no effect whatsoever on what the client does with the cookie (it always deleted it, unless the system clock is set horribly wrong).

I haven't followed all of this discussion, but as for deleting a Cookie, I think the problem is that there isn't an explicit "Delete-Cookie" header; instead the server has to send the cookie name with an "Expires" flag that is in the past.

In this case, I think if the original cookie contained a "Secure" and "HttpOnly" flag, then the Set-Cookie header which deletes the cookie by setting an "Expire" date in the past also should set the "Secure" and "HttpOnly" flags. Although it is unlikely that the client will send back a Cookie which expires in 1970, it would be possible if the client's system date is set wrong, so IMHO this is not an exact "delete this cookie" instruction and therefore the "Expire" Set-Cookie header should include the same HttpOnly and Secure flags that were included in the original Set-Cookie header.

Also, when deleting a cookie, I think it might be better to send a Set-Cookie header with an empty value, so that the value is overwritten by the browser if for some reason the cookie is not yet expired. E.g., instead of

Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT

the server could send:

Set-Cookie: JSESSIONIDSSO=; Expires=Thu, 01-Jan-1970 00:00:10 GMT

(RFC6265 Section 3.1 shows an example where a cookie is deleted this way)

Regards,
Konstantin Preißer
Re: Regarding JSESSIONIDSSO Cookie maintained by tomcat
Konstantin,

On 6/18/14, 5:34 AM, Konstantin Kolinko wrote:
> 2014-06-18 11:57 GMT+04:00 Konstantin Kolinko:
>>>
>>> HTTP/1.1 302 Found
>>> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
>>> Pragma: No-cache
>>> Cache-Control: no-cache
>>> Expires: Thu, 01 Jan 1970 00:00:00 UTC
>>> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
>>> Location: https://X.Y.A.B/admin/login.jsp
>>> Content-Length: 0
>>> Date: Tue, 17 Jun 2014 16:21:17 GMT
>>> Server: XYZ
>>>
>>
>> With that value of "Expires" the cookie is actually being cleared, not set.
>>
>
> The 'Secure' flag says that the browser should never send the cookie to the server over a non-secure connection.
>
> When the cookie is being cleared, the "Secure" flag is irrelevant, as the cookie will not be sent back by the browser.

+1

> The "HttpOnly" flag says that the cookie should not be accessible from Javascript code running in the browser. If the cookie is being deleted, is there a way to access it from Javascript? I think that there is no such way.

+1

I think this is a spurious error being flagged by the security scanner. Adding "HttpOnly" and "Secure" flags to the "expire" Set-Cookie header is just a waste of bytes because they have no effect whatsoever on what the client does with the cookie (it always deleted it, unless the system clock is set horribly wrong).

-chris
Re: Any recommendations on heap settings for Tomcat on an AS/400?
I recommend that, whatever settings you use, don't just set and forget them. Monitor your memory usage and tune it to match the characteristics of your load.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: Regarding JSESSIONIDSSO Cookie maintained by tomcat
2014-06-18 11:57 GMT+04:00 Konstantin Kolinko:
>>
>> HTTP/1.1 302 Found
>> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
>> Pragma: No-cache
>> Cache-Control: no-cache
>> Expires: Thu, 01 Jan 1970 00:00:00 UTC
>> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
>> Location: https://X.Y.A.B/admin/login.jsp
>> Content-Length: 0
>> Date: Tue, 17 Jun 2014 16:21:17 GMT
>> Server: XYZ
>>
>
> With that value of "Expires" the cookie is actually being cleared, not set.
>

The 'Secure' flag says that the browser should never send the cookie to the server over a non-secure connection.

When the cookie is being cleared, the "Secure" flag is irrelevant, as the cookie will not be sent back by the browser.

The "HttpOnly" flag says that the cookie should not be accessible from Javascript code running in the browser. If the cookie is being deleted, is there a way to access it from Javascript? I think that there is no such way.

So is there any issue here with those flags?

Best regards,
Konstantin Kolinko
Re: How to protect a Tomcat server/Webapp from (D)DOS attacks
Hello Chris,

Thank you for your answer.

> Apache ships with mod_evasive that allows you do this. I have used this in the past with some success. The other alternative I am aware of is to use mod_security.

It looks interesting.

> I am not aware of anything that will run directly in front of tomcat however - does anyone else have any suggestions? I think that was some talk of a port of mod_security that was implemented in java (well java calling the mod_security c library via jni). That might be mature enough for you to try.

Anyone?

Thanks again and best regards,
--
Léa Massiot

On 2014-06-17 7:45 PM, chris derham wrote:
> Léa,
>
> > Below is what I would like to ask you:
> > How do you usually protect your "Tomcat" servers and Webapps from (D)DOS ((Distributed) Denial-of-service) attacks?
>
> If you allow the DOS traffic to make it all the way up to the application layer before you detect it, then the DOS will still have an effect. The best way of stopping such traffic is to detect it at a lower level, and then block at a firewall. Typically this can be done by counting number of calls coming from an IP address and automatically blocking if they exceed a threshold. Apache ships with mod_evasive that allows you do this. I have used this in the past with some success. The other alternative I am aware of is to use mod_security.
>
> I am not aware of anything that will run directly in front of tomcat however - does anyone else have any suggestions? I think that was some talk of a port of mod_security that was implemented in java (well java calling the mod_security c library via jni). That might be mature enough for you to try.
>
> HTH
>
> Chris
Re: Regarding JSESSIONIDSSO Cookie maintained by tomcat
2014-06-18 12:13 GMT+04:00 Radha Krishna Meduri -X (radmedur - HCL TECHNOLOGIES LIMITED at Cisco):
> Thanks Konstantin for your quick reply.
> Actually Security Scanners are thinking that "secure" and "httpOnly" flag is not set and raising as issue. I would like to set these values by overriding "setHeader" or "addHeader" in the ResponseWrapper, but not working.

You cannot intercept setting it. You have to look into changing the header that has already been set.

(A filter can do that in Tomcat 7 with Servlet 3.0 APIs. A Valve can do that on any version of Tomcat).

Best regards,
Konstantin Kolinko
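The approach Konstantin Kolinko describes above (a Servlet 3.0 Filter that rewrites the Set-Cookie header the SingleSignOn valve has already added), combined with Konstantin Preißer's suggestion earlier in the thread (clear the cookie with an empty value and the same Secure/HttpOnly flags the original carried), as an added example that is not code from the thread or from Tomcat. The class name SsoCookieClearFilter is made up; the cookie name JSESSIONIDSSO and the 1970 Expires form come from the responses quoted in the thread, and the filter still has to be mapped to the relevant paths in web.xml.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Tomcat): rewrites the clearing
 * Set-Cookie header for JSESSIONIDSSO so that it carries an empty value
 * plus HttpOnly and Secure, which keeps scanners quiet and makes a client
 * with a badly set clock overwrite the id rather than keep sending it.
 */
public class SsoCookieClearFilter implements Filter {

    private static final String SET_COOKIE = "Set-Cookie";
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse response = (HttpServletResponse) res;
            // The SingleSignOn valve runs before the filter chain, so the header it
            // added with cookie.setMaxAge(0) is already present here (Servlet 3.0 API).
            Collection<String> current = response.getHeaders(SET_COOKIE);
            if (current != null && !current.isEmpty()) {
                List<String> fixed = rewriteSetCookieHeaders(
                        new ArrayList<String>(current), req.isSecure());
                // setHeader replaces every existing Set-Cookie; addHeader re-adds the rest.
                response.setHeader(SET_COOKIE, fixed.get(0));
                for (int i = 1; i < fixed.size(); i++) {
                    response.addHeader(SET_COOKIE, fixed.get(i));
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** Pure rewrite over header values, kept container-free so it can be unit tested. */
    static List<String> rewriteSetCookieHeaders(Collection<String> headers, boolean secureRequest) {
        List<String> out = new ArrayList<String>(headers.size());
        for (String h : headers) {
            out.add(isSsoClear(h) ? hardenClear(h, secureRequest) : h);
        }
        return out;
    }

    /**
     * The valve only ever emits the SSO cookie with an Expires attribute when it
     * clears it (setMaxAge(0) renders as "Expires=Thu, 01-Jan-1970 00:00:10 GMT");
     * a freshly issued SSO cookie has no Expires, so this does not touch real logins.
     */
    static boolean isSsoClear(String header) {
        String lower = header.toLowerCase(Locale.ENGLISH);
        return lower.startsWith(SSO_COOKIE.toLowerCase(Locale.ENGLISH) + "=")
                && (lower.contains("expires=") || lower.contains("max-age=0"));
    }

    /** Blank the value, keep the remaining attributes, and append any missing flags. */
    static String hardenClear(String header, boolean secureRequest) {
        String[] parts = header.split(";");
        StringBuilder sb = new StringBuilder(SSO_COOKIE).append('=');
        boolean hasSecure = false;
        boolean hasHttpOnly = false;
        for (int i = 1; i < parts.length; i++) {      // parts[0] is "name=value", dropped
            String attr = parts[i].trim();
            if (attr.equalsIgnoreCase("Secure")) {
                hasSecure = true;
            } else if (attr.equalsIgnoreCase("HttpOnly")) {
                hasHttpOnly = true;
            }
            sb.append("; ").append(attr);
        }
        if (!hasHttpOnly) {
            sb.append("; HttpOnly");
        }
        // Secure only belongs on a cookie that was issued over TLS in the first place.
        if (!hasSecure && secureRequest) {
            sb.append("; Secure");
        }
        return sb.toString();
    }
}
```

For the 302 response quoted in the thread, rewriteSetCookieHeaders turns the first header into `JSESSIONIDSSO=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; HttpOnly; Secure` and leaves the JSESSIONID header untouched.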
Re: Exclude scanning of class folders for Servlet 3.0 annotations.
2014-06-14 17:30 GMT+04:00 Vimil Saju:
> Hi,
>
> I am using tomcat 7.0.52 and jdk 1.7.0_45. We have a web application which has its classpath configured in its own context xml file using virtualClasspath attribute of Loader tag. The webapp uses version 3.0 of web.xml. The classpath contains multiple class folders in addition to jar file references, i.e. virtualClasspath is set to something as follows
>
> virtualClasspath="C:\Projects\ProjectA\classes;C:\Projects\ProjectB\classes;C:\Projects\ProjectC\classes;C:\Projects\Libraries\jarfile1.jar;C:\Projects\Libraries\jarfile2.jar"
>
> C:\Projects\ProjectA\classes has classes with Servlet 3.0 annotations and I want tomcat to look for annotated classes in this class folder. To do this I have set the attribute scanAllDirectories=true under the JarScanner tag as follows
>
>
> Since I don't want tomcat to scan other jar files and class folders of ProjectB and ProjectC, I have configured the property tomcat.util.scan.DefaultJarScanner.jarsToSkip in catalina.properties to something as follows
>
> tomcat.util.scan.DefaultJarScanner.jarsToSkip=jarfile1.jar,jarfile2.jar,**/ProjectB/classes,**/ProjectC/classes
>
> I was able to make tomcat skip scanning of jar files using the above configuration but it still scans class folders of both ProjectB and ProjectC.
>
> So I looked at the source code of StandardJarScanner and found that it uses the name of the last directory in the folder path as the jar name, i.e. the jarName computed for both ProjectB/classes and ProjectC/classes is 'classes'. Thus there is no way for it to distinguish ProjectB/classes and ProjectC/classes from ProjectA/classes.
>
> I think StandardJarScanner should use the full folder path as the jar name instead of just the last directory in the folder path.
>
> This is the code I was looking at in StandardJarScanner.java
>
>     /*
>      * Extract the JAR name, if present, from a URL
>      */
>     private String getJarName(URL url) {
>
>         String name = null;
>
>         String path = url.getPath();
>         int end = path.indexOf(Constants.JAR_EXT);
>         if (end != -1) {
>             int start = path.lastIndexOf('/', end);
>             name = path.substring(start + 1, end + 4);
>         } else if (isScanAllDirectories()){
>             int start = path.lastIndexOf('/');
>             name = path.substring(start + 1);
>         }
>
>         return name;
>     }
>
> I think instead of computing the last name of the directory path for class folders it should set the jarname to the full folder path
>
>     private String getJarName(URL url) {
>         String name = null;
>         String path = url.getPath();
>         int end = path.indexOf(".jar");
>         if (end != -1) {
>             int start = path.lastIndexOf('/', end);
>             name = path.substring(start + 1, end + 4);
>         } else if (isScanAllDirectories()) {
>             name = path;
>         }
>         return name;
>     }
>
> I would like to know if there are any issues with my suggestion. I would also like to know if there is any workaround for my problem.
>

1. VirtualWebappLoader is deprecated and removed from Tomcat 8. In Tomcat 8 you'll configure your resources by mapping those directories into WEB-INF/classes. As it is all the same directory (WEB-INF/classes), I see no sense in filtering by directory name.

JarScanner operates on URLs, not on file system paths.

2. I think that I'd like to see filtering by Java package name. I think it makes sense to implement that.

3. You may configure your own JarScanner or JarScanFilter (in Tomcat 8) implementation in your META-INF/context.xml file.

Best regards,
Konstantin Kolinko
RE: Regarding JSESSIONIDSSO Cookie maintained by tomcat
Thanks Konstantin for your quick reply. Actually Security Scanners are thinking that "secure" and "httpOnly" flag is not set and raising as issue. I would like to set these values by overriding "setHeader" or "addHeader" in the ResponseWrapper, but not working. Do you have any idea how we can add these flags to even for cleared cookies? I also understand there is no direct way of dealing the JSESSIONID and JSESSIONSSO cookies. IMO if tomcat is clearing the Cookie, tomcat can send with empty or NULL value instead of JSESSIONIDSSO cookie exact value. One can argue still this is vulnerable through MitM as the JSESSIONIDSSO cookie value is present. What do you think? -Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Wednesday, June 18, 2014 1:27 PM To: Tomcat Users List Subject: Re: Regarding JSESSIONIDSSO Cookie maintained by tomcat 2014-06-18 10:45 GMT+04:00 Radha Krishna Meduri -X (radmedur - HCL TECHNOLOGIES LIMITED at Cisco) : > Hi Tomcat Users, > > We are using Tomcat 6.0.37 version. I have few questions regarding > JSESSIONIDSSO cookie generated by tomcat. > As you know, in general each cookie needs to set "httpOnly" and "Secure" > flags. I understand both JSESSIONID and JSESSIONIDSSO cookies are maintained > by Tomcat for session management. The problem is sometimes "JSESSIONIDSSO" > cookie is not set to "Secure" and "HttpOnly" flags. For example from the > following two responses one time JSESSIONIDSSO is set and other one not. I > would like to know in some scenarios whether this is expected. Your input is > much appreciated. > I could not find any documentation related to this in tomcat.apache.org web > site. > Please help me. > > In different application, I could not find this cookie at all which is using > Tomcat 7.x. Is there any fixes between Tomcat 6.0.37 and Tomcat 7.x related > to JSESSIONIDSSO. > Is there any behavior change? 
>
> HTTP/1.1 200 OK
> Pragma: No-cache
> Cache-Control: no-store
> Expires: Wed, 31 Dec 1969 23:59:59 GMT
> Set-Cookie: JSESSIONID=E6AA4F8CD91D557123B23F1FBCDAC137; Path=/admin; Secure; HttpOnly
> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Path=/; Secure; HttpOnly
> Content-Type: text/html;charset=utf-8
> Date: Tue, 17 Jun 2014 16:18:27 GMT
> Server: XYZ
> Content-Length: 71916
>
>
> HTTP/1.1 302 Found
> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 00:00:00 UTC
> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
> Location: https://X.Y.A.B/admin/login.jsp
> Content-Length: 0
> Date: Tue, 17 Jun 2014 16:21:17 GMT
> Server: XYZ

With that value of "Expires" the cookie is actually being cleared, not set.

The code for clearing the cookie is in o.a.catalina.authenticator.SingleSignOn.invoke(...)

[[[
cookie.setMaxAge(0);
response.addCookie(cookie);
]]]

The code for setting the cookie is in o.a.catalina.authenticator.AuthenticatorBase.register(...)

Best regards,
Konstantin Kolinko
Re: Regarding JSESSIONIDSSO Cookie maintained by tomcat
2014-06-18 10:45 GMT+04:00 Radha Krishna Meduri -X (radmedur - HCL TECHNOLOGIES LIMITED at Cisco):
> Hi Tomcat Users,
>
> We are using Tomcat 6.0.37 version. I have a few questions regarding the JSESSIONIDSSO cookie generated by Tomcat.
> As you know, in general each cookie needs to set the "httpOnly" and "Secure" flags. I understand both JSESSIONID and JSESSIONIDSSO cookies are maintained by Tomcat for session management. The problem is that sometimes the "JSESSIONIDSSO" cookie is not set with the "Secure" and "HttpOnly" flags. For example, in the following two responses, one time JSESSIONIDSSO is set and the other time it is not. I would like to know whether this is expected in some scenarios. Your input is much appreciated.
> I could not find any documentation related to this on the tomcat.apache.org web site.
> Please help me.
>
> In a different application, which is using Tomcat 7.x, I could not find this cookie at all. Are there any fixes between Tomcat 6.0.37 and Tomcat 7.x related to JSESSIONIDSSO?
> Is there any behavior change?
>
> HTTP/1.1 200 OK
> Pragma: No-cache
> Cache-Control: no-store
> Expires: Wed, 31 Dec 1969 23:59:59 GMT
> Set-Cookie: JSESSIONID=E6AA4F8CD91D557123B23F1FBCDAC137; Path=/admin; Secure; HttpOnly
> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Path=/; Secure; HttpOnly
> Content-Type: text/html;charset=utf-8
> Date: Tue, 17 Jun 2014 16:18:27 GMT
> Server: XYZ
> Content-Length: 71916
>
>
> HTTP/1.1 302 Found
> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 00:00:00 UTC
> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
> Location: https://X.Y.A.B/admin/login.jsp
> Content-Length: 0
> Date: Tue, 17 Jun 2014 16:21:17 GMT
> Server: XYZ

With that value of "Expires" the cookie is actually being cleared, not set.

The code for clearing the cookie is in o.a.catalina.authenticator.SingleSignOn.invoke(...)

[[[
cookie.setMaxAge(0);
response.addCookie(cookie);
]]]

The code for setting the cookie is in o.a.catalina.authenticator.AuthenticatorBase.register(...)

Best regards,
Konstantin Kolinko
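An added check (not code from this thread, and not Tomcat's own) that does what the scanner does, flagging Set-Cookie headers lacking Secure or HttpOnly, but also reports whether each header sets a cookie or clears one, the distinction Konstantin draws for the 302 response above; the sample input is the two responses quoted in this thread with the mail-wrapped Set-Cookie lines re-joined and other headers omitted:

```python
import email.utils
from datetime import datetime, timezone

# Sample input: the two responses quoted in the thread, Set-Cookie lines re-joined.
RESPONSE_200 = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=E6AA4F8CD91D557123B23F1FBCDAC137; Path=/admin; Secure; HttpOnly
Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Path=/; Secure; HttpOnly
Content-Type: text/html;charset=utf-8
"""
RESPONSE_302 = """HTTP/1.1 302 Found
Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
Location: https://X.Y.A.B/admin/login.jsp
"""

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {attribute-lowercased: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # bare flags such as Secure map to ""
    return name.strip(), cookie_value, attrs

def is_clearing(attrs, now=None):
    """True if the cookie deletes itself: Max-Age <= 0 or an Expires in the past.
    Tomcat 6 renders setMaxAge(0) as the 1970 Expires seen in the 302 above."""
    now = now or datetime.now(timezone.utc)
    max_age = attrs.get("max-age", "")
    if max_age.lstrip("-").isdigit() and int(max_age) <= 0:
        return True
    if "expires" not in attrs:
        return False
    try:
        when = email.utils.parsedate_to_datetime(attrs["expires"])
    except (TypeError, ValueError):   # unparseable date: treat as a normal set
        return False
    if when.tzinfo is None:           # bare timestamp: assume UTC
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def audit(raw_response, now=None):
    """Return [(cookie, 'set' | 'clear', [missing flags])] for every Set-Cookie
    in a raw HTTP response that lacks Secure or HttpOnly."""
    findings = []
    for line in raw_response.splitlines():
        if line.lower().startswith("set-cookie:"):
            name, _, attrs = parse_set_cookie(line.split(":", 1)[1])
            missing = [f for f in ("secure", "httponly") if f not in attrs]
            if missing:
                findings.append((name, "clear" if is_clearing(attrs, now) else "set", missing))
    return findings
```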